PGP/GPG - Everything you want to know - How to be Anonymous Online: Step-by-Step Anonymity with Tor, Tails, Bitcoin and Writeprints (2016)

Section: PGP/GPG - Everything you want to know

PGP allows you to encrypt messages. So, if you want to email a secret love note or favorite recipe without Kim Jong-Un fixing his hungry eyes upon it, type it into a little text file, encrypt it and send it.

PGP vs. GPG

PGP and GPG are, for your purposes, the same thing. PGP is the original program (now a commercial product) and GPG, the GNU Privacy Guard, is the free software implementation of the same OpenPGP standard (RFC 4880). The differences come down to licensing and to which algorithms each supports by default, and you will probably never notice them. They are interoperable, so using one will not leave you unable to communicate with someone who uses the other. Unless you are a mega uptight person, there is no need to distinguish between the two. I will refer to it all as PGP. (Tails uses GPG under the hood, which is why the terminal commands later in this section start with gpg.)

Quick explanation of .asc, .key, .pgp, .gpg and .sig files

· .asc – short for ASCII-armored: the contents are plain text (the American Standard Code for Information Interchange character encoding) instead of raw binary, so they survive being pasted into an email or a web page. Usually it is a public PGP key (when you import or export a public PGP key the file name will be keyname.asc), but encrypted messages and signatures can be armored too

· .key – usually just another name for a key file; the contents are the same as a .asc (or a binary .pgp or .gpg) key, so filename.key can be renamed filename.asc

· .pgp – this extension is for a file that has been encrypted using PGP, in binary form (if you encrypt filename.txt, the new file created will be named filename.txt.pgp)

· .gpg – this extension is for a file that has been encrypted using GPG. Just consider it the same as .pgp

· .sig – this extension is for a detached signature file, stored separately from the file it signs (if you sign filename.txt, a second file, filename.txt.sig, will be created, and anyone verifying it needs both)

It is common to find PGP related files with the wrong extensions. The extension is only a name; it does not change what is inside. If you suspect this to be the case, open the file in gedit (right-click the file > Open with > gedit). If the file is armored, its first line tells you what it is: -----BEGIN PGP PUBLIC KEY BLOCK-----, -----BEGIN PGP PRIVATE KEY BLOCK-----, -----BEGIN PGP SIGNATURE----- or -----BEGIN PGP MESSAGE----- (an encrypted message). Just rename the file as needed. If the entire text is pure chaos, including the first line, the file is in binary form. It is most likely an encrypted file, which you can give a .pgp extension, although keys and signatures can be binary too; in the terminal, file filename or gpg --list-packets filename will tell you for sure. One more thing: if the first line says PRIVATE KEY BLOCK, that is your secret key, and it is never something to rename and share.
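As an added example (not from the book), here is a small POSIX shell function that does the same check without opening anything in gedit. It reads the first byte of the file; if it is a dash it expects an armor header line, otherwise it decodes the OpenPGP packet tag in that byte (RFC 4880, section 4.2) to tell keys, signatures and encrypted data apart. The file names in the usage comment are invented.

```shell
#!/bin/sh
# pgp_kind FILE
# Prints what an OpenPGP file holds, whatever its extension says:
#   public-key | private-key | signature | encrypted | message | unknown
# Armored (text) files announce themselves on their first line. Binary files
# start with an OpenPGP packet header whose tag says what the first packet is
# (RFC 4880 section 4.2): bit 7 is always set, bit 6 selects the header format.
pgp_kind() {
    f=$1
    # First byte as an unsigned decimal (empty if the file is missing or empty).
    b=$(od -A n -N 1 -t u1 "$f" 2>/dev/null | tr -d ' ')
    [ -n "$b" ] || { echo unknown; return 1; }

    if [ "$b" -eq 45 ]; then      # 45 is '-': expect a "-----BEGIN PGP ...-----" line
        case $(head -n 1 "$f" | tr -d '\r') in
            '-----BEGIN PGP PUBLIC KEY BLOCK-----')  echo public-key;  return 0 ;;
            '-----BEGIN PGP PRIVATE KEY BLOCK-----') echo private-key; return 0 ;;
            '-----BEGIN PGP SIGNATURE-----')         echo signature;   return 0 ;;
            '-----BEGIN PGP MESSAGE-----')           echo message;     return 0 ;;
            '-----BEGIN PGP SIGNED MESSAGE-----')    echo message;     return 0 ;;
        esac
        echo unknown; return 1
    fi

    [ $((b & 128)) -ne 0 ] || { echo unknown; return 1; }   # not a packet header at all
    if [ $((b & 64)) -ne 0 ]; then
        tag=$((b & 63))            # new-format header: tag in the low 6 bits
    else
        tag=$(((b >> 2) & 15))     # old-format header: tag in bits 2-5 (what gpg --export writes)
    fi
    case $tag in
        6|14)       echo public-key ;;    # public key / public subkey
        5|7)        echo private-key ;;   # secret key / secret subkey
        2)          echo signature ;;     # detached signature, or first packet of a signed message
        1|3|9|18)   echo encrypted ;;     # encrypted session key or encrypted data
        8|11)       echo message ;;       # compressed or literal data (e.g. signed but not encrypted)
        *)          echo unknown; return 1 ;;
    esac
}

# Usage: sh pgp_kind.sh mystery.key someone.asc download.pgp
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(pgp_kind "$f")"
done
```

The armored case is exactly the gedit check above; the binary case is what saves you from guessing when the whole file looks like chaos. A file that decodes as private-key is the one you should never have received or sent.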

Create your PGP key

1. Open the Passwords and Keys program (Applications > Utilities > Passwords and Keys)

2. In the Passwords and Keys window, click File > New

3. Choose PGP key, and then continue

4. Enter a full name and email address (these do not have to be real)

5. Click 'Advanced key options'

6. Adding a Comment is optional

7. Choose RSA and set the Key Strength to “4096” bits. An Expiration Date is not required, but setting one (a year or two) is good practice: you can extend it later from Properties, and if you ever lose the key or forget its password, an expiring key stops being used for you on its own

8. Click Create

9. Make a strong password and remember it. There is no reset: if you forget it, the private key and everything encrypted to it are gone

10. Your brand new PGP key pair (the public and private halves, stored together) is visible by selecting GnuPG keys from the left column of the Passwords and Keys window

11. By right-clicking your key and selecting Properties, you can view its details, as well as change its password

Export and share your public PGP key

1. Open the Passwords and Keys program (Applications > Utilities > Passwords and Keys)

2. Select GnuPG keys from the left column

3. Click your key to highlight it

4. Click File > Export

5. Select Armored PGP keys from the PGP Keys drop-box (in the bottom right corner of the Export window)

6. Give your key any Name you wish, just make sure it has the .asc extension (keyname.asc)

7. Choose a location, and then click Export

8. This file is your public PGP key. As the name suggests, it is for the public. You can share it with anyone, post it on a website, and give it to your worst enemy. It is used to 'lock' a file so that only you can 'unlock' it (with the private half, which stays in Passwords and Keys, plus your password). Before you share the file, glance at its first line: it must say PUBLIC KEY BLOCK, never PRIVATE KEY BLOCK

9. An Extra Special Step – Go to the location that you saved your exported public PGP key and use gedit to open it (right-click the file, Open with > gedit Text Editor). The text is your actual public PGP key. You can share this text instead of sharing the file. For example, instead of attaching a public PGP key file to an email, you can paste its text into an email. Likewise, you can post the key's text on a website as opposed to the file

Copy everything, starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----

Import someone else's public PGP key

1. Save their filename.asc or filename.pgp public PGP key (you can save it anywhere, this is temporary). If you only have the text of someone's public PGP key, copy the text into gedit and save it as filename.asc. The filename can be any name you choose

Copy everything, starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----

2. Open the Passwords and Keys program (Applications > Utilities > Passwords and Keys)

3. In the main window, click File > Import

4. Find and open filename.asc

5. You have imported the key and can see it by selecting GnuPG keys from the left column

6. You can now delete the original filename.asc file that you used in Step 1

Import a public PGP key from a Keyserver

You can easily look up someone's public PGP key if they upload it to a keyserver. Keyservers are databases that anyone (even you) can use to share their public PGP key(s) with the world. Anyone really means anyone: the keyservers do not check that the person uploading a key is the person named on it, so a key you find there is only a candidate until you have authenticated it (see 'Authenticating a public PGP key' below). To import someone's public PGP key from the keyservers:

1. Make sure you are connected to the internet

2. Open the Passwords and Keys program (Applications > Utilities > Passwords and Keys)

3. Select Remote > Find Remote Keys

4. Enter a search term, such as a Key ID, an email address or a name

5. A list of public PGP keys containing the search term will appear. To Import a key, right-click it and select Import. Once imported, you can close the window

6. The public PGP key is visible by selecting GnuPG keys from the left column

Encrypt a file with PGP

In the next steps, you are NOT using the Passwords and Keys program. You use the right-click menu of the file manager, which Tails connects to the same keyring

1. Before you choose a file to encrypt, you must have already imported the intended recipient's public PGP key. If you do not have anyone else's public PGP key, you can use your own key and send a file to yourself. Better yet, make a second key pair, and then use it

2. Find the file that you want to encrypt (it can be on your desktop, in the persistent folder, or wherever) (if you need a file to test, just open gedit, write yourself a little note and save it)

3. Right-click the file and select Encrypt

4. The Choose Recipients window will open. The public PGP keys you have in your system are listed

5. Select the recipient(s) for whom you are encrypting the file. Whether or not you sign the file is up to you. If you sign it, when the recipient decrypts the file they can see it is from you, provided they have your public PGP key and have checked it (see 'Where security gets tricky' below). It is kind of like putting your signature on a letter

6. Click OK

7. If you do not sign the file, you will be prompted to name the file. Any name will do (filename.pgp), and then click OK

8. Only the chosen recipient(s) will be able to decrypt the file. That includes you: if you did not select your own key as one of the recipients, you will not be able to open the encrypted copy yourself, so keep the original or add yourself to the list

9. You can now send the encrypted file

Sign a file using your PGP key

You can put your signature on a file, so people know it is from you, not an impostor. You can sign both encrypted and non-encrypted files.

1. Find the file that you want to sign (it can be on your desktop, in the persistent folder, or wherever) (if you need a file to test, just open gedit, write yourself a little note and save it)

2. Right-click the file and select Sign

3. Select your PGP key from the Choose signer window, and then click OK

4. If prompted, enter your key password, and then click OK

5. At the location of the original file, a second file appears. It has the same name as the original, plus '.sig' added to the end (filename.txt.sig appears after signing filename.txt)

6. The person verifying your signature needs three things, the original file you signed, the '.sig' file and your public PGP key (filename.txt, filename.txt.sig and your_public_key.asc)
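The same workflow from the terminal, as an added example that is not from the book. Two throwaway keyrings stand in for you and a correspondent, and each step maps to one of the Passwords and Keys or right-click actions above: create a key, export and import the public key, compare fingerprints, encrypt with a signature, decrypt, sign a file with a detached signature and verify it. It assumes GnuPG 2.1 or later (for %no-protection in the batch file and for gpgconf) and never touches your real keyring, because every gpg call gets its own GNUPGHOME. The names, email addresses and file contents are invented.

```shell
#!/bin/sh
# pgp_demo: the Passwords and Keys workflow from the terminal, between two
# throwaway keyrings ("Alice" and "Bob") created under a temporary directory.
# Requires GnuPG 2.1 or later (%no-protection, gpgconf).

# gen_key GNUPGHOME NAME EMAIL -> prints the new key's 40-hex-digit fingerprint.
# Equivalent of File > New > PGP key with RSA 4096. %no-protection is only so the
# demo runs unattended; a real key gets the strong password from step 9.
gen_key() {
    kh=$1
    mkdir -p "$kh" && chmod 700 "$kh"
    GNUPGHOME=$kh gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
%commit
EOF
    fingerprint "$kh" "$3"
}

# fingerprint GNUPGHOME EMAIL -> the primary key's fingerprint without spaces
# (the same 40 characters the Properties > Details tab shows in groups of four).
fingerprint() {
    GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# export_pub GNUPGHOME FPR FILE: File > Export with "Armored PGP keys" (public half only).
export_pub() { GNUPGHOME=$1 gpg --batch --armor --output "$3" --export "$2"; }

# import_pub GNUPGHOME FILE: File > Import.
import_pub() { GNUPGHOME=$1 gpg --batch --quiet --import "$2"; }

pgp_demo() {
    work=$(mktemp -d) || return 1
    alice=$work/alice.gnupg
    bob=$work/bob.gnupg
    afpr=$(gen_key "$alice" "Alice Example" alice@example.invalid)
    bfpr=$(gen_key "$bob"   "Bob Example"   bob@example.invalid)
    [ -n "$afpr" ] && [ -n "$bfpr" ] || return 1

    # Each side exports its public key and imports the other's.
    export_pub "$alice" "$afpr" "$work/alice.asc"
    export_pub "$bob"   "$bfpr" "$work/bob.asc"
    import_pub "$alice" "$work/bob.asc"
    import_pub "$bob"   "$work/alice.asc"
    # What leaves the machine must be a PUBLIC key block.
    head -n 1 "$work/alice.asc" | grep -q 'BEGIN PGP PUBLIC KEY BLOCK' || return 1

    # "Authenticate with the key's Fingerprint": the imported copy must match what the
    # owner reads in their own keyring. In real life that value arrives over a channel
    # independent of the one that delivered the key (in person, a known-good web page).
    [ "$(fingerprint "$alice" bob@example.invalid)"   = "$bfpr" ] || return 1
    [ "$(fingerprint "$bob"   alice@example.invalid)" = "$afpr" ] || return 1

    # Right-click > Encrypt with "sign" ticked. Alice lists herself as a recipient too,
    # otherwise she could not read her own encrypted copy. --trust-model always skips
    # the "is this really Bob's key?" prompt because the fingerprint was just checked.
    printf 'meet at the usual place\n' > "$work/note.txt"
    GNUPGHOME=$alice gpg --batch --yes --quiet --trust-model always \
        --recipient "$bfpr" --recipient "$afpr" --sign --encrypt \
        --output "$work/note.txt.pgp" "$work/note.txt" || return 1

    # Bob decrypts. Because he imported Alice's key, gpg also checks her signature.
    GNUPGHOME=$bob gpg --batch --yes --quiet --output "$work/note.out" \
        --decrypt "$work/note.txt.pgp" || return 1
    cmp -s "$work/note.txt" "$work/note.out" || return 1

    # Right-click > Sign: a detached signature in note.txt.sig, which Bob verifies
    # against the original file. A changed file must fail.
    GNUPGHOME=$alice gpg --batch --yes --quiet --detach-sign \
        --output "$work/note.txt.sig" "$work/note.txt" || return 1
    GNUPGHOME=$bob gpg --batch --quiet --verify "$work/note.txt.sig" "$work/note.txt" 2>/dev/null || return 1
    printf 'meet at the other place\n' > "$work/tampered.txt"
    if GNUPGHOME=$bob gpg --batch --quiet --verify "$work/note.txt.sig" "$work/tampered.txt" 2>/dev/null; then
        return 1
    fi

    for h in "$alice" "$bob"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
    echo ok
}

# Usage: sh pgp_demo.sh run
if [ "${1:-}" = run ]; then pgp_demo; fi
```

Two things the GUI hides are visible here: the fingerprint check happens before any encryption, and --trust-model always is the terminal's way of saying "I already checked"; without it, gpg refuses to encrypt to a key you have not certified.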

Where security gets tricky

Ideally, the person verifying your signature had previously received and verified your public PGP key.

This process works like bank signatures did in the old days.

· When you opened a checking account, you would go to the bank in person and sign a signature card. This way the bank had your authentic signature on file

· When a check came into the bank, they would compare the signature on the check with the authentic signature on file

· If the signatures matched, they would consider the check authenticated

Now, suppose the bank received a signature card and a signed check at the same time. Meanwhile, you were not present. Even though the signatures match, the bank cannot tell if they are authentic.

You face the same dilemma if you get a public PGP key online at the same time as a signed file. You need a way to authenticate the public PGP key before you can use it to authenticate a signed file.

Authenticating a public PGP key

There are two ways to make sure you have someone's actual public PGP key, not a fake.

· You can check the key with the Keyservers

· You can check the key by its Fingerprint

Authenticate with the Keyservers:

If someone trusts that a public PGP key is authentic, they can sign it and publish that signature on the keyservers. When you import a particular key, you can see the keys of all the people that have chosen to sign it publicly, vouching for its authenticity. Two caveats: a signature only means something if you can trust the signer's key in turn (a forger can sign a fake key with a dozen other fake keys), and the keyservers accept signatures from anyone, so the list can be padded. Using the terminal, you will view these signatures.

1. Open the Passwords and Keys program (Applications > Utilities > Passwords and Keys)

2. Select GnuPG keys from the left column

3. Right-click an imported public PGP key, and then select Properties (as an example, select Tails Developers tails@boum.org 'offline long-term identity key')

4. Take note of the Key ID, because you will need it in a moment (in this case, 58ACD84F – as of February 6, 2016). You can leave this window open while you proceed to the next step. This short, 8-character ID is fine for finding a key in your own keyring, but never use it to tell someone else which key is yours: short IDs are not unique, and a fake key with a chosen short ID is cheap to generate. For that, use the full Fingerprint (next section)

5. Open the Terminal program (Applications > Utilities > Terminal)

6. In the Terminal window, type gpg --list-sigs Key_ID. In this example, you would type gpg --list-sigs 58ACD84F (the full fingerprint, without spaces, works too and cannot be ambiguous)

7. The terminal displays the key's user IDs, each followed by sig lines naming the signers. Signers whose keys you do not have show up as [User ID not found]; import them from the keyservers if you want to see who they are

The more signatures from people you know and trust, the more trust you can have in the key's authenticity

This trust stuff is a big deal for software developers collaborating on projects and, in the case of my family, Christian missionaries spreading the word in hostile lands. For most other people, PGP is just a way of pretending to be Batman and Robin exchanging puppy memes without the Joker eavesdropping.

Authenticate with the key's Fingerprint:

To check a key's Fingerprint:

1. Open the Passwords and Keys program (Applications > Utilities > Passwords and Keys), and then import the key in question

2. Select GnuPG keys from the left column

3. Right-click the key, and then select Properties

4. Under the Details tab is the key's Fingerprint, 40 hexadecimal characters that identify the key uniquely (for example, the Tails developers' fingerprint is A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F; notice that the Key ID from the previous section, 58ACD84F, is just its last 8 characters)

5. Compare the Fingerprint, all 40 characters and not just the beginning or the end, with the fingerprint obtained through a different channel than the one that gave you the key: the project's own website, printed documentation, a business card, a phone call, or the owner in person. The more independent corroborating sources, the more trust you can have in the key's authenticity. If it is a popular key, an online search may provide a number of comparisons; just remember that ten web pages all copying the same keyserver entry are one source, not ten

6. If you believe the key is fake, you can delete it (right-click the key, and then select Delete)

Upload your key to the keyservers / Sync keys you have signed

You DO NOT need to upload your public PGP key to the keyservers in order to sync the other keys. However, if you want your public PGP key publicly available, use the following “sync everything” steps. If you would rather not publicly list your public PGP key, use the “sync a particular key” steps instead. Think before you upload: a key sent to the keyservers cannot be taken down again, only revoked, and the name and email address on it stay visible forever.

To upload/sync everything...

1. Open the Passwords and Keys program (Applications > Utilities > Passwords and Keys)

2. Select Remote > Sync and Publish Keys

3. Click Key Servers, and then choose a keyserver from the Publish keys to: drop-down menu and click Close

4. Click Sync

5. Your personal public PGP key will be uploaded. Also, the other keys will sync to reflect new trust signatures

Authenticate software

1. Download the following files into one folder...

· Download the program or file that you will be authenticating (filename.iso, filename.txt, etc.)

· Download the signature file (it should be filename.iso.sig, filename.txt.sig, etc.). Sometimes it has a .pgp or .asc file extension; just rename/change the extension to .sig so that Tails offers to verify it. Renaming changes only the name, not the contents, so this is safe

· If you do not already have it, download and import the signing party's public PGP key, also known as the “signing key” (usually developername.asc or developername.key)

Wait for all three files to download before proceeding

2. If you need to, authenticate the imported public PGP key, aka “signing key” (get it in person, check the keyservers, fingerprint or whatever else works for you)

3. Verify the signature...

· If the signature file does not have a '.sig' extension, rename it (if it is filename.xxx.asc, rename it filename.xxx.sig) (right-click > rename).

· Right-click filename.xxx.sig and select Open with Verify Signature

· In the top-right corner, you will either see filename.xxx: Good Signature, filename.xxx: Untrusted Valid Signature or filename.xxx: Unknown Signature

If you see filename.xxx: Good Signature or filename.xxx: Untrusted Valid Signature, the signature checks out. ‘Untrusted Valid Signature’ means the signature is mathematically valid but you have not told Passwords and Keys that you trust the signer's key. Whether that is good enough depends entirely on step 2: if you checked the key's fingerprint, you have authenticated the file; if you merely downloaded the key from the same site as the file, you have only shown that the file and the key arrived together, which is the bank's dilemma from 'Where security gets tricky' all over again.

If you see filename.xxx: Unknown Signature, or anything else, you have not authenticated the file. Either you did not download the entire file, forgot to import the public PGP key before checking the signature, imported the wrong public PGP key, downloaded a signature made for a different version of the file, or the file has been altered. Do not open or install it until you know which.
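For the terminal, here is an added example (not from the book) that turns gpg's machine-readable verification output into the same three verdicts and, on top of that, pins the signer to a fingerprint you checked out of band, which is the step that separates 'Untrusted Valid Signature' from a real authentication. gpg prints status lines on the file descriptor given to --status-fd; their format (GOODSIG, BADSIG, NO_PUBKEY, VALIDSIG, TRUST_*) is documented in GnuPG's doc/DETAILS. The sample status lines and both fingerprints below are constructed for the demo, not captured from a real run.

```shell
#!/bin/sh
# verdict EXPECTED_FINGERPRINT   (gpg status lines on stdin)
# Prints good | untrusted | wrong-key | bad | no-public-key | unknown.
# Exit status 0 only for good and untrusted: a valid signature from the pinned key.
# Run it on a real download with:
#   gpg --batch --status-fd 1 --verify filename.iso.sig filename.iso 2>/dev/null | verdict 'A490 D0F4 ...'
verdict() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')   # "A490 D0F4 ..." -> "A490D0F4..."
    goodsig=0 badsig=0 nokey=0 trusted=0 fpr=''
    while IFS= read -r line; do
        case $line in
            '[GNUPG:] GOODSIG '*)   goodsig=1 ;;
            '[GNUPG:] BADSIG '*)    badsig=1 ;;
            '[GNUPG:] NO_PUBKEY '*) nokey=1 ;;
            '[GNUPG:] VALIDSIG '*)
                # VALIDSIG <sigkey-fpr> <date> <ts> <expire> <ver> <rsv> <pkalgo> <hash> <class> [<primary-fpr>]
                set -- $line
                fpr=${12:-$3}   # prefer the primary key's fingerprint; subkeys sign on its behalf
                ;;
            '[GNUPG:] TRUST_FULLY'*|'[GNUPG:] TRUST_ULTIMATE'*) trusted=1 ;;
        esac
    done
    if [ "$badsig" = 1 ]; then echo bad; return 1; fi
    if [ "$nokey" = 1 ]; then echo no-public-key; return 1; fi
    if [ "$goodsig" = 1 ] && [ -n "$fpr" ]; then
        if [ "$fpr" != "$want" ]; then echo wrong-key; return 1; fi   # valid, but not the key you checked
        if [ "$trusted" = 1 ]; then echo good; else echo untrusted; fi
        return 0
    fi
    echo unknown; return 1
}

# Constructed sample status output (made-up fingerprints, made-up signer, not a real gpg run).
PINNED_FPR='1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678'
OTHER_FPR='FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98'
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9ABCDEF012345678 Demo Signer <demo@example.invalid>
[GNUPG:] VALIDSIG 123456789ABCDEF0123456789ABCDEF012345678 2016-02-06 1454716800 0 4 0 1 10 00 123456789ABCDEF0123456789ABCDEF012345678
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_TRUSTED=$(printf '%s\n' "$SAMPLE_UNTRUSTED" | sed 's/TRUST_UNDEFINED/TRUST_ULTIMATE/')
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 9ABCDEF012345678 Demo Signer <demo@example.invalid>'
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 9ABCDEF012345678 1 10 00 1454716800 9 123456789ABCDEF0123456789ABCDEF012345678
[GNUPG:] NO_PUBKEY 9ABCDEF012345678'

# Usage: sh verdict.sh FILE.sig FILE 'FINGERPRINT FROM AN INDEPENDENT SOURCE'
if [ $# -eq 3 ]; then
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | verdict "$3"
fi
```

The wrong-key outcome is the one the GUI cannot give you: the signature is perfectly valid, just not from the key you authenticated, which is exactly what a download site that was replaced along with its signing key would produce.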

Authenticate software (Real Life Example)

Here is a real life example using a few demonstration files from my website

1. Make sure you are connected to the internet, and then open the Tor Browser (Applications > Internet > Tor Browser)

2. Go to https://howtobeanonymousonline.info/pgpkey/

3. Right-click 'Anna M Eydie Public PGP Key', and then select Save Link As

4. Click Save to save annameydie.asc. Any location will do

5. Now, go to https://howtobeanonymousonline.info/sigtest/

6. Right-click 'Some Random File', and then select Save Link As

7. Click Save to save some_random_file.zip. Any location will do

8. On the same web page, right-click 'Some Random File Signature', and then select Save Link As

9. Click Save to save some_random_file.zip.sig. You must save it to the same location as some_random_file.zip

10. You can close or minimize the Tor Browser

11. Using the File Manager (Applications > Accessories > Files), navigate to the location of annameydie.asc

12. Right-click annameydie.asc, and then select Open With Import Key. A 'Key Imported' message will display along the bottom of your screen

13. Now, navigate to the location of some_random_file.zip and some_random_file.zip.sig

14. Right-click some_random_file.zip.sig, and then select Open With Verify Signature

15. A 'some_random_file.zip.sig: Good Signature' message will display along the bottom of your screen (or 'Untrusted Valid Signature' if you have not marked the key as trusted). Either way the signature checks out against the key you imported in step 12. Whether that key really belongs to the author is, once again, the fingerprint question