Introduction to OpenPGP for secure communication during COVID19 Pandemic

5. May 2020 | KaratekHD | CC-BY-SA-3.0

In this article, I will talk a bit about OpenPGP and how to use it for secure document exchange during the COVID-19 pandemic.

What is PGP?

PGP (“Pretty Good Privacy”) is an encryption program. It has the ability to sign, encrypt and decrypt files. Unlike many other encryption tools, it uses asymmetric key algorithms instead of symmetric ones. In a nutshell, this means the following: instead of using the same password (or key) for encrypting and decrypting files, PGP uses two different ones. One key is called the private key. As the name says, it is private and should stay in your hands only. It is used for decrypting files sent to you and for signing documents. People who want to encrypt a file for you or verify your signature use your public key. You can hand your public key to everyone, for example by uploading it to a keyserver.

How we could use this at school

During the current events, I am required to do home schooling. I sign every document I send off, so my teachers can verify it was me who sent it. I uploaded my public key to IServ; it is located in the group folder gym/OpenPGP-keys.

Getting started

First, install a PGP program. For Linux, I prefer KDE Kleopatra, although you could also use gpg’s command line interface. On Microsoft Windows, we are going to use Gpg4win.

Microsoft Windows

  1. Visit the Gpg4win download site.
  2. Hit the download button.
  3. Select “$0” as the donation amount and click “Download”.
  4. Save the file somewhere on your hard disk.
  5. Execute the downloaded file.
  6. Select “Yes” when Windows asks whether it should execute the file.
  7. Hit “OK” and “Next”.
  8. Leave the defaults and click “Next” once again, then click “Install”.
  9. The needed tools will be installed.
  10. Hit “Next” and “Finish”.
  11. If Kleopatra doesn’t launch, start it from the start menu.
  12. Congrats! Kleopatra is now installed and configured correctly.

GNU/Linux

On Linux, installation is pretty easy. Just install Kleopatra with your package manager and you should be good to go.

Generating your very own PGP Key

Now, it’s time to generate our PGP Key pair.

  1. Start Kleopatra
  2. Select “New Keypair”
  3. Enter your name and your e-mail address (most likely your IServ address).
  4. Leave the default settings and continue.
  5. Enter a password for your private PGP key. It will be used for signing and decrypting your documents, so keep it secret!

Importing a PGP Key

So you received a public key. What’s next? You are required to import it in order to use it.

  1. Download my public key from IServ.
  2. Open Kleopatra
  3. Go to File -> Import (Ctrl + I)
  4. Select the downloaded key file
  5. If it asks you to verify the key, hit “Yes”, then “Verify”.
  6. Unlock your secret PGP key by entering your password.
  7. That’s it! The key is imported.

Verifying a signature on a document

Alright, so you received a document which is signed. First of all, let’s talk about signed Open Office documents.

Signed .odx files

If you use OpenOffice or LibreOffice, verification of documents is super easy. Just open a signed document and you will see a little blue bar on top of it, saying “This document is digitally signed and the signature is valid.”. You can click on “Show Signatures”, and it will display more detailed information about the signature. A list view will appear, telling you who signed the document and at what exact time.

Verifying a file with a .sig or .gpg file

Normally, you will receive a .sig (or .gpg) file alongside the actual file, for example KW17-History-Task.pdf and KW17-History-Task.pdf.sig. If so, follow these steps:

  1. Download both files (e.g. the .pdf and the .pdf.sig)
  2. Now use your file manager: right-click the .sig file and select “Decrypt/Verify file” on Windows, or Actions -> “Decrypt/Verify file” on Linux using KDE Dolphin.
  3. You should see something like this:
  4. If you see something else, the signature may be invalid.

Note: Everything that works with a .sig file also works with a .gpg file
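The same sign-and-verify flow from the gpg command line mentioned under “Getting started”, as an added example that is not part of the original post. The identity, file names and temporary keyrings are constructed; the script plays both sides (the signing student and the verifying teacher) and shows what happens when the document is changed after signing.

```shell
#!/bin/sh
# Added demo: detached-sign a homework file and verify it with gpg, the same
# operation Kleopatra runs behind its "Decrypt/Verify file" menu entry.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/student-keyring"    # throwaway keyring, never ~/.gnupg
mkdir -m 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
UID_STR="Example Student <student@example.invalid>"   # constructed identity

# Stop the gpg-agents started for both throwaway keyrings when the script ends.
cleanup() { for h in student teacher; do GNUPGHOME="$WORK/$h-keyring" gpgconf --kill gpg-agent 2>/dev/null || true; done; }
trap cleanup EXIT

# 1. Key pair. Empty passphrase only because this is an unattended demo;
#    a real key gets the password chosen in step 5 of the key generation.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$UID_STR" default default never

# 2. Only the public half is shared (this is the file you upload to the group folder).
gpg --batch --quiet --armor --export "$UID_STR" > "$WORK/student-pubkey.asc"

# 3. Sign a constructed homework file; the .sig lands next to it.
printf 'constructed homework content\n' > "$WORK/KW17-Task.pdf"
gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$WORK/KW17-Task.pdf.sig" "$WORK/KW17-Task.pdf"

# verify_sig SIG DOC: prints GOOD if SIG was made over exactly DOC, else BAD.
verify_sig() {
    if gpg --batch --quiet --verify "$1" "$2" 2>/dev/null; then
        echo GOOD
    else
        echo BAD
    fi
}

# 4. Teacher side: a separate keyring holding nothing but the imported public key.
export GNUPGHOME="$WORK/teacher-keyring"
mkdir -m 700 "$GNUPGHOME"
gpg --batch --quiet --import "$WORK/student-pubkey.asc"

verify_sig "$WORK/KW17-Task.pdf.sig" "$WORK/KW17-Task.pdf"           # GOOD

# 5. Any change to the document, even one appended byte, invalidates the signature.
cp "$WORK/KW17-Task.pdf" "$WORK/KW17-Task-edited.pdf"
printf 'x' >> "$WORK/KW17-Task-edited.pdf"
verify_sig "$WORK/KW17-Task.pdf.sig" "$WORK/KW17-Task-edited.pdf"    # BAD
```

A good signature from an imported key still prints a “not certified with a trusted signature” warning, because the teacher’s keyring has not marked the student’s key as trusted; the signature itself is valid regardless.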

Further reading

Sources

  • Title Picture: The KDE Community - kde.org
