Many people have no problems sending sensitive data via e-mail. Most of us do not know how easy it is for anybody to read it. Just because somebody holds the title of "Systems Administrator" does not mean they can be trusted. What is stopping them from reading your e-mail? Nothing. This is where PGP comes in; it is easy-to-use encryption meant for the common person.

GnuPG is the GNU Privacy Guard. GnuPG is designed to be a free drop-in replacement for PGP (Pretty Good Privacy), created by Phil Zimmermann. PGP is the de facto standard for e-mail security and file encryption on the Internet. It uses public-key cryptography to ensure secure communication between two parties who may have never even met. GnuPG implements the OpenPGP standard as outlined in RFC 2440.

The purpose of this document is to demonstrate the steps necessary to set up GnuPG and use it with Pine, a popular mail and news client. I will not go into very much detail about the usage and responsability aspects of GnuPG (please refer to the References section for links). I will, however, go into enough detail to ensure that a reader is familiar with the relevant concepts required for sending and receiving PGP signed/encrypted e-mail.

This document also assumes that you have gpg and pinepgp installed on your machine. If you need help compiling/installing either package I would recomend visiting:

GnuPG
pinepgp

If you are using an RPM-based system, the pine RPM included with EnGarde 1.0.1 included pinegpgp. It can be found at:

To install this package, simply "rpm -Uvh <RPM>".

(Note: In all of the key generation examples I generate a new, ficitious, key. This key no longer exists and it is not valid, so please do not try to contact me using it. In the pinepgp usage examples I use my real key (0xD3292967) which can be found on the keyservers.)

Key Generation

After installing GnuPG you will need to execute the command 'gpg' one time to set up your ~/.gnupg directory:

    [ryan@mastermind ryan]$ gpg
    gpg: Warning: using insecure memory!
    gpg: /home/ryan/.gnupg: directory created
    gpg: /home/ryan/.gnupg/options: new options file created
    gpg: you have to start GnuPG again, so it can read the new options file

Now you are all set to begin key generation. To generate a new keypair, use the command 'gpg --gen-key':

    [ryan@mastermind ryan]$ gpg --gen-key
    gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    gpg: Warning: using insecure memory!
    gpg: /home/ryan/.gnupg/secring.gpg: keyring created
    gpg: /home/ryan/.gnupg/pubring.gpg: keyring created

Step 1: Select Key Type

The first step in GnuPG key generation is choosing exactly what type of key you want to generate. You will be presented with a screen such as this:

    Please select what kind of key you want:
       (1) DSA and ElGamal (default)
       (2) DSA (sign only)
       (4) ElGamal (sign and encrypt)
    Your selection? 1

A DSA (Digital Signature Algorithim) keypair is used only for generating digital signatures. An ElGamal (ELG-E) subordinate keypair is used for digital signatures _and_ encryption.

If you want to send somebody an e-mail and simply sign it so they can verify your identity then the DSA keypair is used. If you want to send somebody an encrypted e-mail containing sensitive information then you would sign and encrypt it. Further explination is beyond the scope of this document so if you are interested fast forward to the "References" section.

For most people the default (option '1') is fine: it will allow you to generate standalone digital signatures and encrypt sensitive documents. You should not choose another option unless you know what you are doing. For the purposes of this document we will assume the user has used the default: option '1'.

Step 2: Select Keypair Size

The next step is to choose the keysize you would like for your ELG-E keypair. Your DSA key will be 1024 bits. You will be presented with a screen such as this:

    DSA keypair will have 1024 bits.
    About to generate a new ELG-E keypair.
                  minimum keysize is  768 bits
                  default keysize is 1024 bits
        highest suggested keysize is 2048 bits
    What keysize do you want? (1024) 1024

Again, the default key size of 1024 bits is fine. Anything more is pretty much overkill unless you plan on using a very strong passphrase, which we will talk more about later.

After you choose your keysize you will see the following confirmation:

    Requested keysize is 1024 bits       

Step 3: Select Key Lifetime

Next you must choose how long you would like to key to be valid for. Normally you would want it to be valid forever and if the key is comprimised simply issue a revocation certificate, which we will discuss later. The default is to create a key that does not expire.

If you would like to create a key that does expire, you can define it's lifetime here. You will be presented with a screen such as this:

    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0

After you make your selection you will be presented with a confirmation:

    Key does not expire at all
    Is this correct (y/n)? y

Step 4: Create User ID

Each key has a unique "User ID" associated with it. GnuPG will generate the User ID from your "Real Name", an optional "Comment", and your "Email Address". You will be presented with a screen such as this:

    You need a User-ID to identify your key; the software constructs the user id
    from Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <This email address is being protected from spambots. You need JavaScript enabled to view it.>"

    Real name: Ryan W. Maple
    Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Comment: Guardian Digital, Inc.        

After you enter in your information you will be asked to confirm it:

    You selected this USER-ID:     
        "Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it.>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Step 5: Select Passphrase

The final step is to choose a passphrase. This passphrase will be used to unlock your secret key whenever you want to sign or encrypt something. We can talk at length about what constitutes a "good" passphrase, but the bottom line is that most people will not choose a "good" passphrase because it will be very hard to remember. For the purposes of this document, a "good" passphrase should be a very long string consisting of lowercase letters, uppercase letters, numbers, and punctuation.

For more information on passphrases, I would recommend reading the passphrase FAQ at <https://www.stack.nl/~galactus/remailers/passphrase-faq.html>.

To enter your passphrase you will be presented with a screen such as this:

    You need a Passphrase to protect your secret key.    

    Enter passphrase: 

And you will then be asked to verify it:

    Repeat passphrase: 

The final step is handled by GnuPG. GnuPG will now attempt to generate a large amount of random bytes to assist in encrypting your private key. You will be presented with a screen such as this:

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    <random status data>
    <random status data>

If this step hangs, then start doing "stuff" to give the pseudo random number generator some more randomness. To help it out start moving your mouse around or start banging on your keyboard. If you are generating your key on a remote system then you should re-think this. From the GnuPG FAQ:

    "4.3) And [keygen] really takes long when I work on a remote system. Why? 

     Don't do this at all! You should never create keys or even use GnuPG on a
     remote system because you normally have no physical control over your
     secret key ring (which is in most cases vulnerable to advanced dictionary
     attacks) - I strongly encourage everyone to only create keys on a local
     computer (a disconnected laptop is probably the best choice) and if you
     need it on your connected box (I know: We all do this) be sure to have a
     strong password for your account and for your secret key and that you can
     trust your system administrator."

Security is a tradeoff, so if you feel comfortable keeping your secret key on a remote system you can do something like "find / -ls" in the background. Keep in mind that find(1) is not very random. An alternative solution is to generate your keypair on your desktop and then copy your keyring onto the remote machine.

When this is all done, you will see the following success message:

    public and secret key created and signed.



Revocation Certificate

A revocation certificate is used in the event you are unable to use your private key anymore, be it because you forgot your passphrase or the key was comprimised. From the GnuPG manual:

    "If you forget your passphrase or if your private key is compromised or
     lost, this revocation certificate may be published to notify others that
     the public key should no longer be used. A revoked public key can still be
     used to verify signatures made by you in the past, but it cannot be used
     to encrypt future messages to you. It also does not affect your ability to
     decrypt messages sent to you in the past if you still do have access to
     the private key."

To create a revocation certificate, execute the command 'gpg --gen-revoke user@host' (line wrapped for readability):

    [ryan@mastermind ryan]$ gpg --gen-revoke --output revocation.asc
                                This email address is being protected from spambots. You need JavaScript enabled to view it.
    gpg: Warning: using insecure memory!

    sec  1024D/60DDF66A 2001-01-03   Ryan W. Maple (Guardian Digital, Inc.)
                                     <This email address is being protected from spambots. You need JavaScript enabled to view it.>

    Create a revocation certificate for this key? y

After this confirmation you will be asked to provide a reason for the revocation. Option '1' should almost always be chosen here. If you gave your key a lifetime during generation then you should probably choose option '2' or '3'.

    Please select the reason for the revocation:   
      1 = Key has been compromised
      2 = Key is superseded
      3 = Key is no longer used
      0 = Cancel
    (Probably you want to select 1 here)
    Your decision?  1

You may also give a description if you wish:

    Enter an optional description; end it with an empty line:
    > 

The final confirmation:

    Reason for revocation: Key has been compromised
    (No description given)
    Is this okay? y

    You need a passphrase to unlock the secret key for
    user: "Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it.>"
    1024-bit DSA key, ID 60DDF66A, created 2001-01-03

    Enter passphrase: 

After you enter your passphrase your revocation certificate will be stored in 'revocation.asc' and you will be presented with a friendly warning:

    ASCII armored output forced.
    Revocation certificate created.

    Please move it to a medium which you can hide away; if Mallory gets
    access to this certificate he can use it to make your key unusable.
    It is smart to print this certificate and store it away, just in case
    your media become unreadable.  But have some caution:  The print system of
    your machine might store the data and make it available to others!

This should then be put in a safe place. It should look something like this:

    [ryan@mastermind ryan]$ cat revocation.asc
    -----BEGIN PGP PUBLIC KEY BLOCK-----    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see https://www.gnupg.org
    Comment: A revocation certificate should follow

    iEkEIBECAAkFAjpbhzACHQIACgkQZi8S3ZLqN2GZHgCgsWbCMQBiExcvoGDZJQfn
    iHbGOuYAoJndfnpvYloGReJZ1nTDwKGgWoN+
    =aXah
    -----END PGP PUBLIC KEY BLOCK-----

Final Steps

When the keypair and revocation certificate are generated they should be put in a safe place. I usually make a tarball of the .gnupg directory and store it on read-only media such as a CD-R. If you are super paranoid you can put this in a safe deposit box somewhere.

Assuming your revocation certificate is in the file 'revocation.asc', you can do this by executing the command:

    [ryan@mastermind ryan]$ tar -cvf gnupg-BACKUP-2001-01.tar .gnupg revocation.asc

If your key is ever comprimised, you can extract the tarball and issue your revocation certificiate. Once this tarball is created be sure to move it someplace (preferrably read-only media) and _REMOVE THE REVOCATION CERTIFICIATE AND TARBALL_. If you do not then anybody who gains access to your account will be able to issue the revocation certificate, thus making your keys null and void.

It is also adventageous to export a copy of your public key and put it on the keyservers so others can retrieve it without having to directly ask you for it. "The keyservers" are a network of machines that share public key information in a distributed fashion. After posting your public key to a keyserver it will propogate itself to the other servers rather quickly.

To export a copy of your public key to stdout, execute the command:

    [ryan@mastermind ryan]$ gpg --export --armor This email address is being protected from spambots. You need JavaScript enabled to view it.

If you would like to save it to a file, execute the command (line wrapped for readability):

    [ryan@mastermind ryan]$ gpg --output pub.asc --export
                                --armor This email address is being protected from spambots. You need JavaScript enabled to view it.

If you would like to export it directly to the keyservers, execute the command (line wrapped for readability):

    [ryan@mastermind ryan]$ gpg --keyserver wwwkeys.pgp.net
                                --send-keys This email address is being protected from spambots. You need JavaScript enabled to view it.

Your public key should look something like this:

    -----BEGIN PGP PUBLIC KEY BLOCK-----    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see https://www.gnupg.org

    mQGiBDpbhJcRBACKi9jM40pX1Q8j7s9I185PcEEtB5WM5sbgK9si3vyY0nlDi5v6
    eCKpqlG7AMVgoEIz2/j9LhZs5svYyvpCQCGSX4WU1eYNRWGDyFSlQYxRh/kJEd92
    9GfGN/1b+6r5yi+GFCxr72SUyAieNhLVX1oT+I13B35dCUZjesyf989ZBwCguOBt
    u5zHCWEmuDSePOzmhQD0RPUD/R+mkECAsqeUn2RIls6AHaJKnRtHOMioBdY0LCIe
    fyrgsEHxHW84Nfy06UaOfznc19uMAmcEK1UNmQbUz82RgMFPghmTMddS2RM6lT37
    5zPSa1vcjZr/3z5fEqhrHP34PjDcF4mJqiU10LVzwX58Eax2FvN4Enj+9gvswBBt
    t6aFA/968kgJrwlxNGB+IpG3CbOTIqT8fiCD9I+fJP0VoADBlFtyHQ4Sio65E9vM
    8Z5BSPUTVrFA7xWDC4ANgpg3u0URkbg8/1El0cqHFCGpToz25j8wBlfF/FPFjEjm
    tv3G0AEVd/ww19Hk2t7V2FxTBgcfOSzSgUpGUNOdmfExXgD/cLRBUnlhbiBXLiBN
    YXBsZSAoR3VhcmRpYW4gRGlnaXRhbCwgSW5jLikgPHJ5YW5AZ3VhcmRpYW5kaWdp
    dGFsLmNvbT6IVwQTEQIAFwUCOluElwULBwoDBAMVAwIDFgIBAheAAAoJEGYvEt2S
    6jdhv6oAn0aFsZIfrFwvOfIO2+ZsubHRcDkUAJ9Z0g5BpHM4T/sYpABbvkf2a0Be
    uLkBDQQ6W4ScEAQA4yZyLQpR9BooehRsFT8ZdMd3Gy8J5bq5xTrKq4YqUD/ZOhL5
    RvpnnlRd4/H5gcL63Q3J3mFMLIWC4kl+vYj+5O7PMoVaWprb7rVi0ceAESEAEiwR
    kR8W6wu8rdKCyD6Xjq80hl6GfDNmlmjM4eg/PbpQoSJKIAGrgZa7Na776TMAAwUD
    /A0JJft0GzdTlBBrmmCSBz6IGGOp/HcRA4M5TC66NRwP1yKqOBDZ890XWtISYJfV
    Oo/YKQpZbgg/dbD7K2vyFUTU5tiRxggREe9CpirWyS15EpaWz6duHnEWc27oH+Yc
    3hYlFETaQElXiT4i+nl0ph2B4/+1FTa+oing4o23S2ibiEYEGBECAAYFAjpbhJwA
    CgkQZi8S3ZLqN2GyvQCeIZbeItr3v55zvnlpSXCpxrdXn8AAniandNPAf/0E8VtS
    IhRT5w0iuQbu
    =s7YQ
    -----END PGP PUBLIC KEY BLOCK-----

The last thing you may want to do is customize your ~/.gnupg/options file. There are several customizations that can be made but below are the only two I have changed:

    # Set this if you want to disable the copyright notice.
    no-greeting

    # Set this to the server you wish to use as a keyserver
    keyserver wwwkeys.pgp.net

If you set the 'keyserver' directive then GnuPG will attempt to import keys from the keyservers when it encounters a key that you do not have in your public keyring. This is adventageous, but not necessary. I would recommend against using the keyservers until you have a thorough knowledge of the PGP "Web of Trust".



pinepgp Configuration

Installation

Once the keypair is generated pinepgp can be configured. The beauty of pinepgp is that it will do all of the work, simply execute "pinegpg-install":

      [ryan@mastermind ryan]$ pinegpg-install

pinepgp has a very nifty feature called "encrypt to self". If you enable this feature then any time you send an encrypted email, the copy that is saved to sent-mail will be encrypted with your public key so you can read it.

Enabling this feature is recommended. If you do not enable it then you will not be able to decrypt any encrypted mail in your sent-mail folder.

To install pinepgp with the "encrypt to self" feature, execute the command:

      [ryan@mastermind ryan]$ pinegpg-install This email address is being protected from spambots. You need JavaScript enabled to view it.

replacing "This email address is being protected from spambots. You need JavaScript enabled to view it." with the e-mail address associated with the keypair you just generated.

Configuration

This script will put lines such as the following in your .pinerc:

      # This variable takes a list of programs that message text is piped into
      # after MIME decoding, prior to display.
      display-filters=_LEADING("-----BEGIN PGP MESSAGE-----")_ /usr/bin/gpg-check,
              _LEADING("-----BEGIN PGP SIGNED MESSAGE-----")_ /usr/bin/gpg-check

      # This defines a program that message text is piped into before MIME
      # encoding, prior to sending
      sending-filters=/usr/bin/gpg-sign,
              /usr/bin/gpg-encrypt _RECIPIENTS_ This email address is being protected from spambots. You need JavaScript enabled to view it.,
              /usr/bin/gpg-sign+encrypt _RECIPIENTS_ This email address is being protected from spambots. You need JavaScript enabled to view it.

Pine is now configured. There is one more option which you can set if you see fit, even though it is not necessary. Whenever you send a message you will be prompted with a confirmation such as this:

      Send message (unfiltered)?

If you want to sign/encrypt your message you need to type Control-P or Control-N to scroll to the appropriate pinepgp filter. If you wish to be offered the option to sign/encrypt e-mail first then you must set the 'compose-send-offers-first-filter' option in your 'feature-list'. This can be done one of two ways.

The first method is to launch pine and select "Setup", then select 'C' for 'Config'. The 'compose-send-offers-first-filter' option is in the "Composer Preferences" towards the top. Select this option then save your settings.

The second method is to edit your .pinerc directly. Open it up in your favorite text editor and look for the line "feature-list=". Just append 'compose-send-offers-first-filter' to this line. An example line is:

      feature-list=expunge-without-confirm-everywhere,
              expunge-without-confirm,
              quit-without-confirm,
              enable-tab-completion,
              enable-flag-cmd,
              compose-send-offers-first-filter,
              enable-full-header-cmd

pinepgp Usage

A keypair has been generated, pinepgp is setup, and pine is aware of its new filters. The next step is to test it all out by sending some e-mails to yourself or a friend who wants to play along.

Test 1: Signing an E-Mail

We start out by sending a test e-mail to ourself:

      [ryan@mastermind ryan]$ pine This email address is being protected from spambots. You need JavaScript enabled to view it.

Compose the message, then type Control-X to send it. If you did _not_ select the 'compose-send-offers-first-filter' option above then you will see:

      Send message (unfiltered)?

If you did select 'compose-send-offers-first-filter', then you will see: Send message (filtered thru "gpg-sign")?

There are many filters to choose from. I will outline them all here:

      Send message (unfiltered)?
        This method uses no filter at all and will send a 'normal' e-mail.

      Send message (filtered thru "gpg-sign+encrypt")?
        This method uses the "sign+encrypt" filter to send an email that is both
        signed and encrypted.

      Send message (filtered thru "gpg-encrypt")?
        This method uses the "encrypt" filter to send an email that is
        encrypted.  For most applications, you should use the
        "gpg-sign+encrypt" filter over this one.

      Send message (filtered thru "gpg-sign")?
        This method uses the "sign" filter to send an email that is signed.

In this example we want to sign an email, so select the "gpg-sign" filter. Hit "Control-P" until this filter is displayed, then press the 'Y' button. You will then see a screen like this:

      gpg: Warning: using insecure memory!

      You need a passphrase to unlock the secret key for
      user: "Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it.>"
      1024-bit DSA key, ID D3292967, created 2000-11-08

      Enter passphrase: 

Simply enter your passphrase then press "Enter" two times. If you typed it correctly then the message is signed and delivered to the recipient (in this case, you). Now go to your inbox and open up this message. If all is working correctly, you should see something like this at the bottom of your message (line wrapped for readability):

      ----------------------------------------------------------------------      gpg: Warning: using insecure memory!
      gpg: Signature made Tue Mar  6 15:42:39 2001 EST using DSA key ID D3292967
      gpg: Good signature from "Ryan W. Maple (Guardian Digital, Inc.)
                                <This email address is being protected from spambots. You need JavaScript enabled to view it.>"
      ----------------------------------------------------------------------

If all went well, then everything is set up correctly.

Test 2: Signing and Encrypting an E-Mail

We start out by sending a test e-mail to ourself, just like before:

      [ryan@mastermind ryan]$ pine This email address is being protected from spambots. You need JavaScript enabled to view it.

Compose the message, type Control-X to send it, and choose the "gpg-sign+encrypt" filter:

      Send message (filtered thru "gpg-sign+encrypt")?

You will again be dropped into a screen much like the following:

      RCPTS:  -r This email address is being protected from spambots. You need JavaScript enabled to view it. -r This email address is being protected from spambots. You need JavaScript enabled to view it.
      gpg: Warning: using insecure memory!

      You need a passphrase to unlock the secret key for
      user: "Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it.>"
      1024-bit DSA key, ID D3292967, created 2000-11-08

      Enter passphrase: 

Simply enter your passphrase then press "Enter" two times. If you typed it correctly then the message is signed, encrypted, and delivered to the recipient (in this case, you).

Now go to your inbox and open up this message. If all is working correctly, you will be prompted for you passphrase to access your private key to decrypt the message:

      You need a passphrase to unlock the secret key for
      user: "Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it.>"
      1024-bit ELG-E key, ID 108996F2, created 2000-11-08 (main key ID D3292967)

      Enter passphrase: 

If you see the message before you then everything is set up correctly. Since we chose to sign and encrypt it, you should see a signature verification message at the bottom just like in the previous example.

When encrypting e-mail, please note that you must first have the recpients public key in your keyring. If you do not have the recipients public key then pinepgp will quit with an error such as:

    gpg: This email address is being protected from spambots. You need JavaScript enabled to view it.: skipped: public key not found
    gpg: [stdin]: sign+encrypt failed: public key not found

Assuming that the public key is in the file 'publickey.asc', you would import it using this command:

    [ryan@mastermind ryan]$ gpg --import --armor < publickey.asc
    gpg: Warning: using insecure memory!
    gpg: key AB67CD5E: public key imported
    gpg: Total number processed: 1
    gpg:               imported: 1

To import a key from the keyservers you must first know the key ID. If I wanted to import the key for "Bryan G. Seitz <This email address is being protected from spambots. You need JavaScript enabled to view it.>", I would ask him for his key ID. Bryan would then tell me that it is '0xAB67CD5E' and I would import it using the command:

    [ryan@mastermind ryan]$ gpg --recv-keys 0xAB67CD5E          
    gpg: Warning: using insecure memory!
    gpg: requesting key AB67CD5E from wwwkeys.pgp.net ...
    gpg: key AB67CD5E: public key imported
    gpg: Total number processed: 1
    gpg:               imported: 1

The Aftermath

If you use Netscape or some other non PGP-compatible browser to read your e-mail, but would still like to have the option to drop into pine if you need to exchange sensitive information with somebody, there is another solution: procmail(1).

procmail, for those who do not know, is a mail processor. Simply put it can route or format incoming mail in just about any way imaginable. However it is a little bit hard to understand so I am going to offer no explination here (it has excellent man pages, 'man procmailex') and just jump right into the recipie.

This recipie will take all incoming mail which has a PGP message in it and save a copy in ~/mail/PGP, while putting the original back in your spool file. When you see that you have a PGP message you can ssh into the mail server and open up pine to decrypt the message.

The recipie is as follows, and should be put in ~/.procmailrc:

    ### File PGP messages in their own folder...
    :0 B
    * ^-----BEGIN PGP MESSAGE-----    {
      :0 c
      PGP
     
      :0 
      /var/spool/mail/ryan
    }

That's it!

References

GnuPG Homepage: The GNU Privacy Guard
GnuPG Manual: gnupg

Pine Homepage:
pinepgp Homepage:

Zimmerman Paper:
OpenPGP RFC: https://www.openpgp.net/rfc2440.txt

Keyserver FAQ:
Passphrase FAQ: https://www.stack.nl/~galactus/remailers/passphrase-faq.html