NCEAS Computing Services Knowledge Base

1) Get GPG binary from www.gnupg.org

1. download gnupg-w32cli-1.4.3.exe (latest version of GPG as of 6/12/06)

2) Validate signature of downloaded file using “sha1sum.exe” program (“sha1sum.exe” is downloadable from the www.gnupg.org Web site as well; is command-line tool to show digital signatures of files)

• run at Command Prompt: sha1sum.exe gnupg-w32cli-1.4.3.exe
• provides digital signature which should match: abf49fa5dc71e291144780d47f2811d83ae5e1ba
• (also see signature of file on www.gnupg.org Web site since this file could be corrupted, and the digital signature provided here is only for the specific v. 1.4.3 binary listed above)

3) Install GPG by double-clicking on it

• Install using automatic installer
• Once program is installed, update the PATH environment variable (from Windows Control Panel | System | Advanced | Environmental Variables | User Variables | Path so that it includes the “gpg.exe” binaries in the PATH. The program is installed by default to: C:\Program Files\GNU\GnuPG
• The all-important Keyrings are located by default in: C:\Documents & Settings\ ~(your_user_name)\Application Data\gnupg

Note that the keyrings are installed into a subdirectory of your Windows user account by default

4) Some decent instructions can now by found in the GPG documents, particularly GnuPG.readme, and GnuPG.readme.Windows. You should read these documents.

5) Generate your own keys and keyring

 gpg --gen-key

At this time, you will be prompted to create a password for your use in encrypting and decrypting files. It will prompt you for a userid, comment, and email address…

6) Create a Public Key for sharing with others. A person can readily share this public key by exporting it to an ASCII file–

 gpg --export -a -o [[filename.asc]] [userid]  

(where userid might be your own userid, or in this case, typically your Windows account name. The output filename would be filename.asc and is an ASCII format file that contains your public key). It is a good convention to use the filename extension of “asc” to indicate it is an ASCII (plain text) file.<br> <br> A public key in ASCII format (Which might be named “jones.asc” if your account name is “jones”) looks something like this:

 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1.4.3 (MingW32)
 3IP1ihLtj5WN1wyDYzEuXka2BmAAsxUdWD83rxryp6kWgMaeNl7LdwoCDdhG2mc4
 j2HoF/tlK8HJm4NFJeKO1+szd26tNNrttrertetetewZ9AeqCxOMjA1Nqe+6oytwCgs9hM
 ZJ7e3yaqpAUiq5Wobp1nevsD/3PbayZLswite79HYq44kca0KkSdu4xX3eidCVSMVD
 klxixR9WgtO1BBht0iwJYJ9altKVpG5rte9esENFQcjUEGIIodrj+T4/CQb55wTA
 pzbnIdkwQC4kXaGP0yESODMrJ+/yHetswtKVb3pPG7B/z62vPvYR1t56DmIvQUIHa
 /hAA/95CkfskWQqp7HJPRnmZgEfertTixv62Mnpvj0WN1NhJ6wlTMACWAtW3H69Rdu
 KyqlIsN9gf6KjFI6LK5c3sFZm/h0NrtVvfRzMhCXaXfwH2V7zG6774^%zAkTAglSJ/ROz
 WLTvjFKhssUfFYi3BLTUNjvKUwE0mmyC4/lWpdqqvuXaDCA+yFfxvMWAKAuyW2hcK
 OmR5110umgfds13AfUA4CqUlp0ofLAWQkZ/ayyPeNWByzcmJ97rbZBrwiFD3rlk6b/4O
 kMZIY4hJBBgRAgAJBQJEjePdAhsMAAoJECyfSj2OwCxsbaAAn021bE16y0kyupnO
 sUISZcZ6E4l1AdsgJ9l4/AU3NlUFvrWtjJfeuyaHU8yTA =====
====== NzDLg
 -----END PGP PUBLIC KEY BLOCK-----

7) Import the keys of other people whom you trust. You must get their public-key (see step 6) for this.

Once someone has given you their GPG Public key, you must import it to your keyring:

 gpg --import [[filename]]

where filename might be something like “jones.asc”

8) Get general help with gpg options and usage

 gpg --help

9) Digitally sign a file

 gpg -s [[filename]]

Creates a GPG digitally-signed copy of that file, called filename.gpg

• To encode the file in ASCII format for attachment to email, use

 gpg -sa [[filename]]

Which creates a GPG digitally-signed copy of that file in ASCII format, called Filename.asc

10) Verifying a digitally signed file If you get a GPG digitally-signed file, and want to verify who it is from–

 gpg --verify [[filename]]

11) Encrypt and sign a file In order to both sign a file, and encrypt it so that only specified other users (for whom you have their public key) can decrypt it—

 gpg -er   [[recipients]] [filename]

creates a file called filename.gpg that is encrypted, and can be decrypted only by the person (recipient) whom you encrypted it for

 gpg -ers [[recipient]] [filename]

does the same as above, but also digitally signs it with your signature.

12) Decrypt a file If someone sends you an encrypted file, intended for decryption by you–

 gpg -o -d [[decrypted-filename]] [encrypted-filename]

where the encrypted-filename typically has a ”.gpg” extension Long format:

 gpg --output [[decrypted|-filename]] --decrypt [[encrypted-filename]] 

13. Seeing whose public keys are on your own keyring

 gpg --list-keys     (to see just the keys)

14. How to assign levels of trust to keys in your keyring

TBD

15. Migrating your keys to another machine and/or operating system

TBD