Introduction to PGP encryption

This hands-on lab session aims to introduce you to PGP (Pretty Good Privacy), widely used encryption software for securing email communication and data files. Through practical exercises, you will learn how to generate PGP key pairs, encrypt and decrypt messages, sign and verify files, and exchange encrypted emails. This lab will provide all the essential skills for using PGP for secure communication and data protection.

Objectives:

Understand the principles of PGP encryption and digital signatures.
Generate PGP key pairs for encryption and signing.
Encrypt and decrypt messages using PGP.
Sign and verify files using PGP digital signatures.
Exchange encrypted messages with classmates.

Generating PGP Key Pairs to begin GPG tool to encrypt all the communication we want.

Use your VM to install gnupg with the appropriate command (if not already installed). On Debian that is:

sudo apt-get install gnupg

First, create a keypair with the command:

gpg --generate-key

Tip: Don’t forget the passphrase, use a strong one!

You can send your public key by exporting it through the GPG application:

$ gpg --output ~/mypub.key --armor --export youremail@mail.com

You can send the key by email or any method of your choice.

How to import locally foreign public keys

We need to accept other users' public keys if we want to communicate with them. When you receive others' public keys, import them using the import parameter.

Tip: There are other options to share your public key, such as using a public key server. Here's how to verify other keys.

While it's generally safe to distribute your public keys, caution should be exercised when obtaining keys from other users. Therefore, it's crucial to verify the identity of others before importing their keys and initiating communication. A quick method to accomplish this is by comparing the fingerprints derived from those keys. Use the following command:

$ gpg --fingerprint youremail@mail.com

This will result in a more concise string of numbers, making it easier to compare. We can then verify this string either with the individual themselves or with another party who has access to the person in question.

Now sign the keys

By signing each other's keys, we essentially indicate trust in the keys we possess and confirm the identity of the individual associated with that key.

$ gpg --sign-key youremail@mail.com

To ensure that the person whose key you're signing benefits from your trusted relationship, send them back the signed key. You can accomplish this by typing:

$ gpg --output ~/signed.key --export --armor youremail@mail.com

Upon receiving this newly signed key, they can import it, incorporating the signing information you've generated into their GPG database. They can achieve this by using the import parameter.

Now that you have established a secure channel to communicate with trusted ends, you can send and receive encrypted messages with each other!

After sharing your key with the other party, you can now send and receive encrypted messages. You can encrypt your messages with the following command:

$ gpg --encrypt --sign --armor -r other_person@mail.com file_name

This command encrypts the message and signs it with your private key to ensure that the message originates from you. The output will be an encrypted file with the extension .asc. You can use the cat command to view the file.

Keep in mind that this message will be encrypted using the recipient's public key, making it unreadable to you (Unless you somehow obtain the recipient's private key!).

Tip: You can modify the command above to generate a message only you can read, using your private key. Think about how.

Decrypt received messages

Upon message receipt, you would be able to read with the gpg command and the decrypt parameter.

Tip: In case you have a raw stream text message, paste the message after typing gpg with no arguments. Then press CTRL+D to end the message.

If you've completed all the above steps correctly, you can now communicate securely with different individuals. You can send your public key to multiple recipients and import multiple keys as well. This is an essential step to keep your messages private and protect your sensitive information from eavesdropping attacks.

Import other people's public keys from a public key server

An alternative method to share your GPG keys is through a public keyserver. Anyone can upload a key to a public server, making it accessible to others who may need to communicate securely with you.

Export your public key using:

$ gpg --armor --export email

Send your public key to a public server using the --send-key parameter. By default, your key is sent to https://keys.openpgp.org/, or you can specify a different key server using the --keyserver option.

Before importing a user's key, verify its validity with the command gpg --list-sigs user_id where the user_id is for example the email address you want to communicate with. To find a key on a public keyserver, use the --search parameter.

Import the key you want with the --import parameter. You can once again verify the sender's identity using the --fingerprint parameter and checking its validity via a second channel. Then, similarly, sign the key obtained from the public key server.

Here you can find some key IDs of people you may certainly know:

413109AF27CBFBF9,
9A88F479F6D1BBBA,
1C29680110FA7E87

These keys are on the http://keyserver.ubuntu.com// public keyserver.

Use the gpg command with the --search parameter to find out, for each key, the associated email address or User ID (username).
Use the gpg command with the --recv-keys parameter if you decide to import a key into your keyring.
Use the gpg command with the --fingerprint option to verify the authenticity of the keys.
Now, can you try searching based on the email addresses?
Can you find Joseph's old expired key?

Exercises