# It's a Secret... Use GPG.

GNU Privacy Guard is an RFC-4480 compliant OpenPGP implementation. PGP was created in 1992 out of spite from what I gather by Phil Zimmerman. In 1991 Senate Bill 266 required manufacturers of secure communications equipment to insert special “trap doors” in their products, so that the government could read any encryped communications… (Sounds fairly similar to current events today).

What came from Phil Zimmerman’s head has changed history. PGP gave the world the access to an easy mechanism to keep messages confidental as well as authenticatible. Using asymetric-key cryptography as well as symetric-key, PGP can be used to encrypt and digitally sign data.

# Keys Everywhere

As mentioned above, PGP uses asymetric-key cryptography. The specification mentions several different types of key algorithms you can choose from, including RSA, DSA, etc. What all these have in common is they all consist of two distinct keys that are linked together with our good friend math. Below is a very simplified example of asymetric-key cryptography.

If you are following the above, you will notice that this is some pretty simple math. To encrypt we raise the plaintext version of what we want to encrypt with one key, and we raise the ciphertext to the other key to decrypt. This is very simple to perform, but EXTREMELY hard to figure out without the large primes P and Q because it is hard to find the common divisors.

This form of cryptography allows us to widely publish our public key, so that anyone can send us encrypted messages, and if we keep our private key completely secret, you will be the only one who can read the message. PGP uses asymetric-key encryption, but not for encrypting the message itself. PGP uses symetric key encryption for actually encrypting the message you are trying to hide, and is capable of using many different mechanisms to accomplish this, including blowfish, twofish, aes, etc. Symetric key encryption is where you share a key, such as a passphrase, and you encrypt and decrypt with the same key.

PGP is clever in that the algorithm first creates a really random session “password” which is used to encrypt the payload of the message. Then uses the recipient’s public key to asymetrically encrypt said random session password. The actual message encryption is very much stronger than the encryption of the random session password, which is a one time use password.

To start using GPG to encrypt and sign your documents install gpg. Then generate a keypair as shown below:

Then sit and wait, for a while. In order to generate such a huge random prime, your computer has to create a ton of entropy. When this is done, you should have a keypair, and be ready to start encrypting messages or documents. Below is an example of encrypting a file with gpg.

Looking at that file that was created:

After you are done encrypting files for yourself, you will likely want to start sharing with friends. PGP is based on a web of trust. So you trust someone, you sign their public key, and they become more trustworthy. You can also get keys from a keyserver, and import individual’s public keys as seen below:

Always make sure to verify the fingerprint of keys from people you know. The fingerprint is a SHA hash of the public key and is used to make sure you have their proper key.