Discover LinuxSecurity Features
Using GnuPG with Pine for Secure E-Mail
Anthony Pell
11 - 21 min read
04/12/2001
Many people have no problems sending sensitive data via e-mail. Most of us do not know how easy it is for anybody to read it. Just because somebody holds the title of "Systems Administrator" does not mean they can be trusted. What is stopping them from reading your e-mail? Nothing. This is where PGP comes in; it is easy-to-use encryption meant for the common person.
GnuPG is the GNU Privacy Guard. GnuPG is designed to be a free drop-in replacement for PGP (Pretty Good Privacy), created by Phil Zimmermann. PGP is the de facto standard for e-mail security and file encryption on the Internet. It uses public-key cryptography to ensure secure communication between two parties who may have never even met. GnuPG implements the OpenPGP standard as outlined in RFC 2440.
The purpose of this document is to demonstrate the steps necessary to set up GnuPG and use it with Pine, a popular mail and news client. I will not go into very much detail about the usage and responsability aspects of GnuPG (please refer to the References section for links). I will, however, go into enough detail to ensure that a reader is familiar with the relevant concepts required for sending and receiving PGP signed/encrypted e-mail.
This document also assumes that you have gpg and pinepgp installed on your machine. If you need help compiling/installing either package I would recomend visiting:
| GnuPG | ||
| pinepgp |
If you are using an RPM-based system, the pine RPM included with EnGarde 1.0.1 included pinegpgp. It can be found at:
To install this package, simply "rpm -Uvh <RPM>".
(Note: In all of the key generation examples I generate a new, ficitious, key. This key no longer exists and it is not valid, so please do not try to contact me using it. In the pinepgp usage examples I use my real key (0xD3292967) which can be found on the keyservers.)
Key Generation
After installing GnuPG you will need to execute the command 'gpg' one time to set up your ~/.gnupg directory:
[ryan@mastermind ryan]$ gpg
gpg: Warning: using insecure memory!
gpg: /home/ryan/.gnupg: directory created
gpg: /home/ryan/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
Now you are all set to begin key generation. To generate a new keypair, use the command 'gpg --gen-key':
[ryan@mastermind ryan]$ gpg --gen-key
gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: Warning: using insecure memory!
gpg: /home/ryan/.gnupg/secring.gpg: keyring created
gpg: /home/ryan/.gnupg/pubring.gpg: keyring created
Step 1: Select Key Type
The first step in GnuPG key generation is choosing exactly what type of key you want to generate. You will be presented with a screen such as this:
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection? 1
A DSA (Digital Signature Algorithim) keypair is used only for generating digital signatures. An ElGamal (ELG-E) subordinate keypair is used for digital signatures _and_ encryption.
If you want to send somebody an e-mail and simply sign it so they can verify your identity then the DSA keypair is used. If you want to send somebody an encrypted e-mail containing sensitive information then you would sign and encrypt it. Further explination is beyond the scope of this document so if you are interested fast forward to the "References" section.
For most people the default (option '1') is fine: it will allow you to generate standalone digital signatures and encrypt sensitive documents. You should not choose another option unless you know what you are doing. For the purposes of this document we will assume the user has used the default: option '1'.
Step 2: Select Keypair Size
The next step is to choose the keysize you would like for your ELG-E keypair. Your DSA key will be 1024 bits. You will be presented with a screen such as this:
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) 1024
Again, the default key size of 1024 bits is fine. Anything more is pretty much overkill unless you plan on using a very strong passphrase, which we will talk more about later.
After you choose your keysize you will see the following confirmation:
Requested keysize is 1024 bits
Step 3: Select Key Lifetime
Next you must choose how long you would like to key to be valid for. Normally you would want it to be valid forever and if the key is comprimised simply issue a revocation certificate, which we will discuss later. The default is to create a key that does not expire.
If you would like to create a key that does expire, you can define it's lifetime here. You will be presented with a screen such as this:
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
After you make your selection you will be presented with a confirmation:
Key does not expire at all
Is this correct (y/n)? y
Step 4: Create User ID
Each key has a unique "User ID" associated with it. GnuPG will generate the User ID from your "Real Name", an optional "Comment", and your "Email Address". You will be presented with a screen such as this:
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <This email address is being protected from spambots. You need JavaScript enabled to view it. >"
Real name: Ryan W. Maple
Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
Comment: Guardian Digital, Inc.
After you enter in your information you will be asked to confirm it:
You selected this USER-ID:
"Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it. >"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Step 5: Select Passphrase
The final step is to choose a passphrase. This passphrase will be used to unlock your secret key whenever you want to sign or encrypt something. We can talk at length about what constitutes a "good" passphrase, but the bottom line is that most people will not choose a "good" passphrase because it will be very hard to remember. For the purposes of this document, a "good" passphrase should be a very long string consisting of lowercase letters, uppercase letters, numbers, and punctuation.
For more information on passphrases, I would recommend reading the passphrase FAQ at <https://www.stack.nl/~galactus/remailers/passphrase-faq.html>.
To enter your passphrase you will be presented with a screen such as this:
You need a Passphrase to protect your secret key.
Enter passphrase:
And you will then be asked to verify it:
Repeat passphrase:
The final step is handled by GnuPG. GnuPG will now attempt to generate a large amount of random bytes to assist in encrypting your private key. You will be presented with a screen such as this:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
<random status data>
<random status data>
If this step hangs, then start doing "stuff" to give the pseudo random number generator some more randomness. To help it out start moving your mouse around or start banging on your keyboard. If you are generating your key on a remote system then you should re-think this. From the GnuPG FAQ:
"4.3) And [keygen] really takes long when I work on a remote system. Why?
Don't do this at all! You should never create keys or even use GnuPG on a
remote system because you normally have no physical control over your
secret key ring (which is in most cases vulnerable to advanced dictionary
attacks) - I strongly encourage everyone to only create keys on a local
computer (a disconnected laptop is probably the best choice) and if you
need it on your connected box (I know: We all do this) be sure to have a
strong password for your account and for your secret key and that you can
trust your system administrator."
Security is a tradeoff, so if you feel comfortable keeping your secret key on a remote system you can do something like "find / -ls" in the background. Keep in mind that find(1) is not very random. An alternative solution is to generate your keypair on your desktop and then copy your keyring onto the remote machine.
When this is all done, you will see the following success message:
public and secret key created and signed.
Revocation Certificate
A revocation certificate is used in the event you are unable to use your private key anymore, be it because you forgot your passphrase or the key was comprimised. From the GnuPG manual:
"If you forget your passphrase or if your private key is compromised or
lost, this revocation certificate may be published to notify others that
the public key should no longer be used. A revoked public key can still be
used to verify signatures made by you in the past, but it cannot be used
to encrypt future messages to you. It also does not affect your ability to
decrypt messages sent to you in the past if you still do have access to
the private key."
To create a revocation certificate, execute the command 'gpg --gen-revoke user@host' (line wrapped for readability):
[ryan@mastermind ryan]$ gpg --gen-revoke --output revocation.asc
This email address is being protected from spambots. You need JavaScript enabled to view it.
gpg: Warning: using insecure memory!
sec 1024D/60DDF66A 2001-01-03 Ryan W. Maple (Guardian Digital, Inc.)
<This email address is being protected from spambots. You need JavaScript enabled to view it. >
Create a revocation certificate for this key? y
After this confirmation you will be asked to provide a reason for the revocation. Option '1' should almost always be chosen here. If you gave your key a lifetime during generation then you should probably choose option '2' or '3'.
Please select the reason for the revocation:
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
0 = Cancel
(Probably you want to select 1 here)
Your decision? 1
You may also give a description if you wish:
Enter an optional description; end it with an empty line:
>
The final confirmation:
Reason for revocation: Key has been compromised
(No description given)
Is this okay? y
You need a passphrase to unlock the secret key for
user: "Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it. >"
1024-bit DSA key, ID 60DDF66A, created 2001-01-03
Enter passphrase:
After you enter your passphrase your revocation certificate will be stored in 'revocation.asc' and you will be presented with a friendly warning:
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
This should then be put in a safe place. It should look something like this:
[ryan@mastermind ryan]$ cat revocation.asc
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see https://www.gnupg.org
Comment: A revocation certificate should follow
iEkEIBECAAkFAjpbhzACHQIACgkQZi8S3ZLqN2GZHgCgsWbCMQBiExcvoGDZJQfn
iHbGOuYAoJndfnpvYloGReJZ1nTDwKGgWoN+
=aXah
-----END PGP PUBLIC KEY BLOCK-----
Final Steps
When the keypair and revocation certificate are generated they should be put in a safe place. I usually make a tarball of the .gnupg directory and store it on read-only media such as a CD-R. If you are super paranoid you can put this in a safe deposit box somewhere.
Assuming your revocation certificate is in the file 'revocation.asc', you can do this by executing the command:
[ryan@mastermind ryan]$ tar -cvf gnupg-BACKUP-2001-01.tar .gnupg revocation.asc
If your key is ever comprimised, you can extract the tarball and issue your revocation certificiate. Once this tarball is created be sure to move it someplace (preferrably read-only media) and _REMOVE THE REVOCATION CERTIFICIATE AND TARBALL_. If you do not then anybody who gains access to your account will be able to issue the revocation certificate, thus making your keys null and void.
It is also adventageous to export a copy of your public key and put it on the keyservers so others can retrieve it without having to directly ask you for it. "The keyservers" are a network of machines that share public key information in a distributed fashion. After posting your public key to a keyserver it will propogate itself to the other servers rather quickly.
To export a copy of your public key to stdout, execute the command:
[ryan@mastermind ryan]$ gpg --export --armorThis email address is being protected from spambots. You need JavaScript enabled to view it.
If you would like to save it to a file, execute the command (line wrapped for readability):
[ryan@mastermind ryan]$ gpg --output pub.asc --export
--armor This email address is being protected from spambots. You need JavaScript enabled to view it.
If you would like to export it directly to the keyservers, execute the command (line wrapped for readability):
[ryan@mastermind ryan]$ gpg --keyserver wwwkeys.pgp.net
--send-keys This email address is being protected from spambots. You need JavaScript enabled to view it.
Your public key should look something like this:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see https://www.gnupg.org
mQGiBDpbhJcRBACKi9jM40pX1Q8j7s9I185PcEEtB5WM5sbgK9si3vyY0nlDi5v6
eCKpqlG7AMVgoEIz2/j9LhZs5svYyvpCQCGSX4WU1eYNRWGDyFSlQYxRh/kJEd92
9GfGN/1b+6r5yi+GFCxr72SUyAieNhLVX1oT+I13B35dCUZjesyf989ZBwCguOBt
u5zHCWEmuDSePOzmhQD0RPUD/R+mkECAsqeUn2RIls6AHaJKnRtHOMioBdY0LCIe
fyrgsEHxHW84Nfy06UaOfznc19uMAmcEK1UNmQbUz82RgMFPghmTMddS2RM6lT37
5zPSa1vcjZr/3z5fEqhrHP34PjDcF4mJqiU10LVzwX58Eax2FvN4Enj+9gvswBBt
t6aFA/968kgJrwlxNGB+IpG3CbOTIqT8fiCD9I+fJP0VoADBlFtyHQ4Sio65E9vM
8Z5BSPUTVrFA7xWDC4ANgpg3u0URkbg8/1El0cqHFCGpToz25j8wBlfF/FPFjEjm
tv3G0AEVd/ww19Hk2t7V2FxTBgcfOSzSgUpGUNOdmfExXgD/cLRBUnlhbiBXLiBN
YXBsZSAoR3VhcmRpYW4gRGlnaXRhbCwgSW5jLikgPHJ5YW5AZ3VhcmRpYW5kaWdp
dGFsLmNvbT6IVwQTEQIAFwUCOluElwULBwoDBAMVAwIDFgIBAheAAAoJEGYvEt2S
6jdhv6oAn0aFsZIfrFwvOfIO2+ZsubHRcDkUAJ9Z0g5BpHM4T/sYpABbvkf2a0Be
uLkBDQQ6W4ScEAQA4yZyLQpR9BooehRsFT8ZdMd3Gy8J5bq5xTrKq4YqUD/ZOhL5
RvpnnlRd4/H5gcL63Q3J3mFMLIWC4kl+vYj+5O7PMoVaWprb7rVi0ceAESEAEiwR
kR8W6wu8rdKCyD6Xjq80hl6GfDNmlmjM4eg/PbpQoSJKIAGrgZa7Na776TMAAwUD
/A0JJft0GzdTlBBrmmCSBz6IGGOp/HcRA4M5TC66NRwP1yKqOBDZ890XWtISYJfV
Oo/YKQpZbgg/dbD7K2vyFUTU5tiRxggREe9CpirWyS15EpaWz6duHnEWc27oH+Yc
3hYlFETaQElXiT4i+nl0ph2B4/+1FTa+oing4o23S2ibiEYEGBECAAYFAjpbhJwA
CgkQZi8S3ZLqN2GyvQCeIZbeItr3v55zvnlpSXCpxrdXn8AAniandNPAf/0E8VtS
IhRT5w0iuQbu
=s7YQ
-----END PGP PUBLIC KEY BLOCK-----
The last thing you may want to do is customize your ~/.gnupg/options file. There are several customizations that can be made but below are the only two I have changed:
# Set this if you want to disable the copyright notice.
no-greeting
# Set this to the server you wish to use as a keyserver
keyserver wwwkeys.pgp.net
If you set the 'keyserver' directive then GnuPG will attempt to import keys from the keyservers when it encounters a key that you do not have in your public keyring. This is adventageous, but not necessary. I would recommend against using the keyservers until you have a thorough knowledge of the PGP "Web of Trust".
pinepgp Configuration
InstallationOnce the keypair is generated pinepgp can be configured. The beauty of pinepgp is that it will do all of the work, simply execute "pinegpg-install":
[ryan@mastermind ryan]$ pinegpg-install
pinepgp has a very nifty feature called "encrypt to self". If you enable this feature then any time you send an encrypted email, the copy that is saved to sent-mail will be encrypted with your public key so you can read it.
Enabling this feature is recommended. If you do not enable it then you will not be able to decrypt any encrypted mail in your sent-mail folder.
To install pinepgp with the "encrypt to self" feature, execute the command:
[ryan@mastermind ryan]$ pinegpg-installThis email address is being protected from spambots. You need JavaScript enabled to view it.
replacing "
Configuration
This script will put lines such as the following in your .pinerc:
# This variable takes a list of programs that message text is piped into
# after MIME decoding, prior to display.
display-filters=_LEADING("-----BEGIN PGP MESSAGE-----")_ /usr/bin/gpg-check,
_LEADING("-----BEGIN PGP SIGNED MESSAGE-----")_ /usr/bin/gpg-check
# This defines a program that message text is piped into before MIME
# encoding, prior to sending
sending-filters=/usr/bin/gpg-sign,
/usr/bin/gpg-encrypt _RECIPIENTS_ This email address is being protected from spambots. You need JavaScript enabled to view it. ,
/usr/bin/gpg-sign+encrypt _RECIPIENTS_ This email address is being protected from spambots. You need JavaScript enabled to view it.
Pine is now configured. There is one more option which you can set if you see fit, even though it is not necessary. Whenever you send a message you will be prompted with a confirmation such as this:
Send message (unfiltered)?
If you want to sign/encrypt your message you need to type Control-P or Control-N to scroll to the appropriate pinepgp filter. If you wish to be offered the option to sign/encrypt e-mail first then you must set the 'compose-send-offers-first-filter' option in your 'feature-list'. This can be done one of two ways.
The first method is to launch pine and select "Setup", then select 'C' for 'Config'. The 'compose-send-offers-first-filter' option is in the "Composer Preferences" towards the top. Select this option then save your settings.
The second method is to edit your .pinerc directly. Open it up in your favorite text editor and look for the line "feature-list=". Just append 'compose-send-offers-first-filter' to this line. An example line is:
feature-list=expunge-without-confirm-everywhere,
expunge-without-confirm,
quit-without-confirm,
enable-tab-completion,
enable-flag-cmd,
compose-send-offers-first-filter,
enable-full-header-cmd
pinepgp Usage
A keypair has been generated, pinepgp is setup, and pine is aware of its new filters. The next step is to test it all out by sending some e-mails to yourself or a friend who wants to play along.
Test 1: Signing an E-Mail
We start out by sending a test e-mail to ourself:
[ryan@mastermind ryan]$ pineThis email address is being protected from spambots. You need JavaScript enabled to view it.
Compose the message, then type Control-X to send it. If you did _not_ select the 'compose-send-offers-first-filter' option above then you will see:
Send message (unfiltered)?
If you did select 'compose-send-offers-first-filter', then you will see: Send message (filtered thru "gpg-sign")?
There are many filters to choose from. I will outline them all here:
Send message (unfiltered)?
This method uses no filter at all and will send a 'normal' e-mail.
Send message (filtered thru "gpg-sign+encrypt")?
This method uses the "sign+encrypt" filter to send an email that is both
signed and encrypted.
Send message (filtered thru "gpg-encrypt")?
This method uses the "encrypt" filter to send an email that is
encrypted. For most applications, you should use the
"gpg-sign+encrypt" filter over this one.
Send message (filtered thru "gpg-sign")?
This method uses the "sign" filter to send an email that is signed.
In this example we want to sign an email, so select the "gpg-sign" filter. Hit "Control-P" until this filter is displayed, then press the 'Y' button. You will then see a screen like this:
gpg: Warning: using insecure memory!
You need a passphrase to unlock the secret key for
user: "Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it. >"
1024-bit DSA key, ID D3292967, created 2000-11-08
Enter passphrase:
Simply enter your passphrase then press "Enter" two times. If you typed it correctly then the message is signed and delivered to the recipient (in this case, you). Now go to your inbox and open up this message. If all is working correctly, you should see something like this at the bottom of your message (line wrapped for readability):
---------------------------------------------------------------------- gpg: Warning: using insecure memory!
gpg: Signature made Tue Mar 6 15:42:39 2001 EST using DSA key ID D3292967
gpg: Good signature from "Ryan W. Maple (Guardian Digital, Inc.)
<This email address is being protected from spambots. You need JavaScript enabled to view it. >"
----------------------------------------------------------------------
If all went well, then everything is set up correctly.
Test 2: Signing and Encrypting an E-Mail
We start out by sending a test e-mail to ourself, just like before:
[ryan@mastermind ryan]$ pineThis email address is being protected from spambots. You need JavaScript enabled to view it.
Compose the message, type Control-X to send it, and choose the "gpg-sign+encrypt" filter:
Send message (filtered thru "gpg-sign+encrypt")?
You will again be dropped into a screen much like the following:
RCPTS: -rThis email address is being protected from spambots. You need JavaScript enabled to view it. -rThis email address is being protected from spambots. You need JavaScript enabled to view it. gpg: Warning: using insecure memory! You need a passphrase to unlock the secret key for user: "Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it. >" 1024-bit DSA key, ID D3292967, created 2000-11-08 Enter passphrase:
Simply enter your passphrase then press "Enter" two times. If you typed it correctly then the message is signed, encrypted, and delivered to the recipient (in this case, you).
Now go to your inbox and open up this message. If all is working correctly, you will be prompted for you passphrase to access your private key to decrypt the message:
You need a passphrase to unlock the secret key for
user: "Ryan W. Maple (Guardian Digital, Inc.) <This email address is being protected from spambots. You need JavaScript enabled to view it. >"
1024-bit ELG-E key, ID 108996F2, created 2000-11-08 (main key ID D3292967)
Enter passphrase:
If you see the message before you then everything is set up correctly. Since we chose to sign and encrypt it, you should see a signature verification message at the bottom just like in the previous example.
When encrypting e-mail, please note that you must first have the recpients public key in your keyring. If you do not have the recipients public key then pinepgp will quit with an error such as:
gpg:This email address is being protected from spambots. You need JavaScript enabled to view it. : skipped: public key not found gpg: [stdin]: sign+encrypt failed: public key not found
Assuming that the public key is in the file 'publickey.asc', you would import it using this command:
[ryan@mastermind ryan]$ gpg --import --armor < publickey.asc
gpg: Warning: using insecure memory!
gpg: key AB67CD5E: public key imported
gpg: Total number processed: 1
gpg: imported: 1
To import a key from the keyservers you must first know the key ID. If I
wanted to import the key for "Bryan G. Seitz <
[ryan@mastermind ryan]$ gpg --recv-keys 0xAB67CD5E
gpg: Warning: using insecure memory!
gpg: requesting key AB67CD5E from wwwkeys.pgp.net ...
gpg: key AB67CD5E: public key imported
gpg: Total number processed: 1
gpg: imported: 1
The Aftermath
If you use Netscape or some other non PGP-compatible browser to read your e-mail, but would still like to have the option to drop into pine if you need to exchange sensitive information with somebody, there is another solution: procmail(1).
procmail, for those who do not know, is a mail processor. Simply put it can route or format incoming mail in just about any way imaginable. However it is a little bit hard to understand so I am going to offer no explination here (it has excellent man pages, 'man procmailex') and just jump right into the recipie.
This recipie will take all incoming mail which has a PGP message in it and save a copy in ~/mail/PGP, while putting the original back in your spool file. When you see that you have a PGP message you can ssh into the mail server and open up pine to decrypt the message.
The recipie is as follows, and should be put in ~/.procmailrc:
### File PGP messages in their own folder...
:0 B
* ^-----BEGIN PGP MESSAGE----- {
:0 c
PGP
:0
/var/spool/mail/ryan
}
That's it!
References
GnuPG Homepage: The GNU Privacy Guard
GnuPG Manual: gnupg
Pine Homepage:
pinepgp Homepage:
Zimmerman Paper:
OpenPGP RFC: https://www.openpgp.net/rfc2440.txt
Keyserver FAQ:
Passphrase FAQ: https://www.stack.nl/~galactus/remailers/passphrase-faq.html
