Introduction to GnuPrivacyGuard: Difference between revisions
No edit summary
(22 intermediate revisions by the same user not shown.)
#title How to Use Gnu Privacy Guard
=Introduction=
''GnuPG'' uses public-key encryption to ensure that users can communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. The user's ''private key'' is kept secret; only its owner has access to it. The ''public key'' is publicly accessible: anyone who wants to communicate can obtain it.
= GnuPG, GPG, PGP and OpenPGP =
The terms "OpenPGP", "PGP" and "GnuPG / GPG" are commonly used as if they were the same thing, but they are slightly different:
;'''OpenPGP''': is a ''proposed standard''; nevertheless, it is in common use.
;'''PGP and GnuPG''': are programs that implement the ''OpenPGP'' standard.
;'''PGP''': stands for [[wikipedia:Pretty_Good_Privacy|Pretty Good Privacy]], a program that provides privacy and authentication through encryption.
;'''GnuPG''': stands for [[wikipedia:Gnu_Privacy_Guard|Gnu Privacy Guard]], another program that also provides privacy and authentication through encryption.
''"GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate."'' From [[http://www.gnupg.org/gph/en/manual.html|The GNU Privacy Handbook]]
= Generating an OpenPGP Private Key =
''OpenPGP'' support on Debian-based systems is provided by the '''gnupg''' package.
Several applications provide a graphical interface to ''GnuPG'':
* [https://www.enigmail.net/home/index.php Enigmail], an ''OpenPGP'' plugin for Mozilla Thunderbird.
* [http://www.gnupg.org/gpa.html GNU Privacy Assistant], a graphical interface for ''GnuPG (GNU Privacy Guard)''.
* [http://seahorse.sourceforge.net/ Seahorse] is a ''Gnome'' application for managing encryption keys and passwords, integrating with nautilus, gedit and other ''Gnome'' applications.
* [http://utils.kde.org/projects/kgpg/ KGPG] is a simple ''KDE'' interface for ''GPG''.
* [http://pim.kde.org/ Kleopatra] is another ''KDE'' interface for ''GPG'', integrated with the ''KDE PIM'' personal information suite.
All of these applications allow generating and managing OpenPGP keys.
= GnuPG, GPG, PGP and OpenPGP =
The terms "OpenPGP", "PGP", and "GnuPG / GPG" are often used interchangeably. This is a common mistake, since they are distinctly different.
 * '''OpenPGP''' is technically a ''proposed standard'', although it is widely used. OpenPGP is not a program, and shouldn't be referred to as such.
  * PGP and GnuPG are computer programs that implement the OpenPGP standard.
 * '''PGP''' is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication. For more information, see this [[http://en.wikipedia.org/wiki/Pretty_Good_Privacy|Wikipedia]] article.
 * '''GnuPG''' is an acronym for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication. For further information on GnuPG, see this [[http://en.wikipedia.org/wiki/GNU_Privacy_Guard|Wikipedia]] article.
== Using GnuPG to generate the private key ==
We can generate our private key with the command:
<source lang='text'>
gpg --gen-key
</source>
A screen similar to the following will appear:
 Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
= Generating an OpenPGP Key =
The core package required to start using OpenPGP, {{{gnupg}}}, is installed by default on Ubuntu systems, as is seahorse, a GNOME application for managing keys. It is called "Passwords and Keys" in Ubuntu.
There are several programs which provide a graphical interface to the GnuPG system.
 * [[https://www.enigmail.net/home/index.php|Enigmail]], an OpenPGP plugin for Mozilla Thunderbird.
  * Enigmail was available in the "Main" repository through Intrepid, but can be found in the "Universe" repository since Jaunty.
  {{{
sudo apt-get install enigmail
}}}
 * [[http://www.gnupg.org/gpa.html|GNU Privacy Assistant]] is a graphical user interface for GnuPG (GNU Privacy Guard).
  * GPA is available in the "Universe" repository. See [[Repositories]] for further information on enabling repositories.
  {{{
sudo apt-get install gpa
}}}
 * [[http://seahorse.sourceforge.net/|Seahorse]] is a GNOME application for managing encryption keys. It also integrates with nautilus, gedit, and in other places for encryption operations.
  * Seahorse is available in the "Main" repository.
  {{{
sudo apt-get install seahorse
}}}
 * [[http://utils.kde.org/projects/kgpg/|KGPG]] is a simple, free, open source KDE frontend for gpg.
  * KGPG is available in the "Main" repository since Intrepid, or the "Universe" repository in earlier releases.
  {{{
sudo apt-get install kgpg
}}}
 * [[http://pim.kde.org/|Kleopatra]] is another KDE frontend for gpg that is integrated with the KDE PIM (although you need to install it separately for now).
  * Kleopatra is available in the "Universe" repository and it includes an S/MIME backend:
  {{{
sudo apt-get install kleopatra
}}}
You can also generate keys using these programs. Use the section below for recommendations on settings.
== Using GnuPG to generate a key ==
 * Open a [[UsingTheTerminal|terminal]] and enter:
 {{{
gpg --gen-key
}}}
  * If you are using gnupg version 1.4.10 or newer, this will lead to a selection screen with the following options:
  {{{
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
}}}
  * Select (1), which will enable both encryption and signing.
  * If you are using an older version, the selection screen will have the following options:
  {{{
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
}}}
  * We suggest you select (5). We will generate an encryption subkey later.
 {{{
What keysize do you want? (2048)
}}}
 * A keysize of 2048 (which is the default) is also a good choice.
 {{{
Key is valid for? (0)
}}}
 * Most people make their keys valid until infinity, which is the default option. If you do this, don't forget to revoke the key when you no longer use it (see below).
 * Hit {{{Y}}} and proceed.
 {{{
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: 
Email address: 
Comment: 
You selected this USER-ID:
    "
}}}
 * Make sure that the name on the key is not a pseudonym, and that it matches the name in your passport, or other government issued photo-identification! You can add extra e-mail addresses to the key later.
 * Type {{{O}}} to create your key.
 {{{
You need a Passphrase to protect your secret key.
}}}
Choosing option (1) lets us sign and encrypt messages. Next we are asked for the key size; the default value of 2048 is a good choice.
The key's validity period defaults to never expiring. If we choose this option, we must revoke the key once we no longer need it.
The next screen asks for the information needed to build the key:
  You need a user ID to identify your key; the software constructs the user ID
  from the Real Name, Comment and Email Address in this form:
      "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
  Real name: User Name
  Email address: direcciondousuario@dominio.net
  Comment: Comment
  You selected this USER-ID:
      "User Name (Comment) <direcciondousuario@dominio.net>"
We must make sure the name on the key (''Real name'') matches our real name, preferably exactly as it appears on official identification such as the DNI. More e-mail addresses can be added later.
When the key is created, we are asked for a protection password. The system combines random data from the system with the password to generate the user's private key.
{{boxinfo|If the private key's password is forgotten, the key becomes useless. We must take special care not to forget it. The private key's ''password'' can be changed with the command '''gpg --edit-key userid'''}}
Once the private key has been generated we will see a screen similar to the following:
  gpg: key D8FC66D2 marked as ultimately trusted
  public and secret key created and signed.
  pub   1024D/D8FC66D2 2005-09-08
        Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
  uid                  User Name (Comment) <direcciondousuario@dominio.net>
  sub   2048g/389AA63E 2005-09-08
The '''KEY-ID''' of the generated key is the value shown after ''pub  1024D/'', in this case ''D8FC66D2''. If we want applications that use ''GPG'' to use this key automatically, we can export its ID in the '''GPGKEY''' environment variable by adding '''export GPGKEY=D8FC66D2''' to ''.bashrc''.
If we want this change to take effect before the next login, we can run:
<source lang='text'>
eval $(gpg-agent --daemon)
source ~/.bashrc
</source>
 * You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn't easy to guess can be used. You will be asked to tap on the keyboard or do any of the things you normally do in order for randomization to take place. This is done so that the encryption algorithm has more human-entered elements, which, combined with the passphrase entered above, will result in the user's private key.
|| Forgetting your passphrase will result in your key being useless. Carefully memorize your passphrase. ||
 * After you type your passphrase twice, the key will be generated. Please follow the instructions on the screen till you reach a screen similar to the one below.
 {{{
gpg: key D8FC66D2 marked as ultimately trusted
public and secret key created and signed.
pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
sub   2048g/389AA63E 2005-09-08
}}}
The key-id is {{{D8FC66D2}}} (yours will be different).
|| It is probably a good idea to set this key as default in your ''.bashrc''. Doing this will allow applications using GPG to automatically use your key. ||
 * Set your key as the default key by entering this line in your ''~/.bashrc''. {{{
export GPGKEY=D8FC66D2
}}}
  * Please note that this will be sourced only during your next session, unless you source it manually.
 * Now restart the gpg-agent and source your .bashrc again:
 {{{
killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc
}}}
| ===  | === Cifrado === | ||
| Si no momento de crear a chave privada, xeramos unha chave únicamente de firma como ''RSA (sign only)'' podemos engadirlle capacidade de cifrado: | |||
|  * If you created an "RSA (sign only)" earlier, you will probably want to add encryption capabilities. Assuming you edited ''~/.bashrc'' as above, open a terminal again and enter: | |||
|  {{{ | |||
| <source lang='text'> | |||
| gpg --cert-digest-algo=SHA256 --edit-key $GPGKEY | gpg --cert-digest-algo=SHA256 --edit-key $GPGKEY | ||
| </source> | |||
| }}} | |||
|  * This will present a dialog like the following: | |||
|  {{{ | |||
| Secret key is available. | |||
| Sendo ''$GPGKEY'' o '''KEY-ID''' da chave. Veremos unha pantalla co seguinte: | |||
| pub   2048R/D8FC66D2  created: 2005-09-08  expires: never       usage: SC   | |||
|                      trust: ultimate      validity: ultimate | |||
| [ultimate] (1). Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net> | |||
|   Secret key is available. | |||
| Command> }}} | |||
|   pub   2048R/D8FC66D2  created: 2005-09-08  expires: never       usage: SC   | |||
|  * To create a subkey, enter 'addkey'. You will have to enter your key's passphrase, and then you'll see a somewhat familiar series of dialogues: | |||
|  {{{ | |||
| Please select what kind of key you want: | |||
|    (2) DSA (sign only) | |||
|    (4) Elgamal (encrypt only) | |||
|    (5) RSA (sign only) | |||
|    (6) RSA (encrypt only) | |||
| }}} | |||
|  * Choose 6. | |||
|  {{{ | |||
| What keysize do you want? (2048) | |||
| }}} | |||
|  * Again, 2048 is a sensible default. | |||
|  {{{ | |||
| Key is valid for? (0) | |||
| }}} | |||
|  * Choose whether this encryption subkey is set to expire (default: it doesn't). Then confirm that you want to make this subkey. | |||
|  {{{ | |||
| pub   2048R/D8FC66D2  created: 2005-09-08  expires: never       usage: SC   | |||
|                      trust: ultimate      validity: ultimate |                      trust: ultimate      validity: ultimate | ||
|   [ultimate] (1). Nome do Usuario (Comentario) <direcciondousuario@dominio.net> | |||
| sub   2048R/389AA63E created: 2005-09-08  expires: never       usage: E    | |||
|   Command>  | |||
| [ultimate] (1). Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net> | |||
| Command>  | |||
| }}} | |||
|  * Enter 'save', then 'quit.' Your key is now capable of encryption. | |||
We enter the command ''addkey''; we are asked for the ''password'' of our private key and then see something like this:
  Please select what kind of key you want:
    (2) DSA (sign only)
    (4) Elgamal (encrypt only)
    (5) RSA (sign only)
    (6) RSA (encrypt only)
The best option is '''6''' with a key size of '''2048'''. As when creating the private key, we are also asked for the validity period. We will then see a screen similar to the following:
  pub   2048R/D8FC66D2  created: 2005-09-08  expires: never       usage: SC   
                       trust: ultimate      validity: ultimate
  sub   2048R/389AA63E created: 2005-09-08  expires: never       usage: E    
  [ultimate] (1). User Name (Comment) <direcciondousuario@dominio.net>
  Command> 
and we enter the commands '''save''' and '''quit'''.
=== Creating a revocation key/certificate ===
 * A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way.
 * It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.
 * You can create a revocation certificate by:
  {{{
gpg --output revoke.asc --gen-revoke $GPGKEY
}}}
 * The revocation key may be printed and/or stored as a file. Take care to safeguard your revocation key.
|| '''Anybody having access to your revocation certificate can revoke your key, rendering it useless.''' ||
=== Creating the Revocation Certificate ===
If the private key is compromised (someone gains access to it) or we no longer want it to remain valid, we will need to revoke it. For that we need a revocation certificate. It is recommended to create a revocation certificate at the time the private key is generated and to keep it in a safe place.
We can generate a revocation certificate with:
<source lang='text'>
gpg --output revoke.asc --gen-revoke $GPGKEY
</source>
This certificate can be printed or stored in a file.
{{boxinfo|Anyone who has access to the revocation certificate can cancel the validity of the private key}}
=== Making an ASCII armored version of your public key ===
There are several sites out there that also allow you to paste an ASCII armored version of your public key to import it. This method is often preferred, because the key comes directly from the user. The reasoning behind this preference is that a key on a keyserver may be corrupted, or the keyserver unavailable.
 * Create an ASCII armored version of your public key using GnuPG by using this command:
  {{{
gpg --output mykey.asc --export -a $GPGKEY
}}}
  * This is the command using our example: {{{
gpg --output mykey.asc --export -a D8FC66D2
}}}
=== Creating an ASCII version of the public key ===
Several sites allow pasting the ASCII version of a public key in order to import it. It is also common to include the public key as part of an e-mail message as an ASCII attachment. To obtain the ASCII version of our public key we use the following command:
<source lang='text'>
gpg --output mykey.asc --export -a $GPGKEY
</source>
= Uploading the public key to a public keyserver =
If we want anyone to be able to obtain our public key when they need it, the best option is to use a public keyserver. There are many public PGP keyservers, and most of them offer a web interface where we can paste the ASCII version of our key.
Once we upload the key to a keyserver it propagates to the others, so that most servers end up with a copy of it. Propagation can be sped up by sending the key to several servers.
= Uploading the key to Ubuntu keyserver =
This section explains how to upload your '''public''' key to a keyserver so that anyone can download it. Once you have uploaded it to one keyserver, it will propagate to the other keyservers. Eventually most of the keyservers will have a copy of your key. You can accelerate the process by sending your key to several keyservers.
 * Using GnuPG:
 {{{
gpg --send-keys --keyserver keyserver.ubuntu.com $GPGKEY
}}}
  * Using our example, the command would be:{{{
gpg --send-keys --keyserver keyserver.ubuntu.com D8FC66D2
}}}
 * Using a web browser to submit to Ubuntu key server:
  * Export your key by issuing this command: {{{
gpg --export -a "Key-ID" > mykey.asc}}}
  * Copy the content of ''mykey.asc''.
  * Open http://keyserver.ubuntu.com/ in a browser window.
  * Paste the copied content in the box under the label {{{Submit a key}}}.
  * Click on {{{Submit this key to the keyserver!}}}
Note that keyserver.ubuntu.com is only reachable via IPv4.
For example, to send our key to Ubuntu's public keyserver we would run:
<source lang='text'>
gpg --send-keys --keyserver keyserver.ubuntu.com $GPGKEY
</source>
or paste the ASCII version of the key at http://keyserver.ubuntu.com
= Using OpenPGP with E-mail =
''OpenPGP'' keys can be used to sign, encrypt and decrypt e-mail messages, offering strong security. Many e-mail clients support OpenPGP encryption/decryption and signing/verification.
= Key Signing =
Key signing aims to create a ''web of trust''. By signing another person's public key we are stating that we are completely sure that a specific person uses a given key pair, that they are who they say they are, and that they hold the corresponding private key. In this way a complete web of trust can be created in which each person trusts another.
Key signing normally requires an identity document (such as the DNI) and the last eight digits of the OpenPGP key's ''fingerprint'', obtained with:
<source lang='text'>
gpg --fingerprint $GPGKEY
</source>
Since a signature means that you have verified that a given public key belongs to the person who holds the corresponding private key, the following rules should be followed when signing:
=== Before the Signing Process ===
#Signing is always done after meeting the key's owner in person.
#At this meeting the OpenPGP key ''fingerprints'' are exchanged and identity documents are checked. Fingerprint slips are normally created with scripts such as '''gpg-key2ps''' from the '''signing-party''' package.
#We must check that the name on the key matches the name on the identity document, so that the person is who they say they are.
=== After the Meeting ===
We will have the other participants' public key information in printed form. Examples could be ''E4758D1D'', ''C27659A2'' and ''09026E7B''. We sign these keys, and all of them sign ours (''01234567''). We must:
:1.- retrieve the keys
  gpg --recv-keys E4758D1D C27659A2 09026E7B
:2.- sign the keys
  gpg --sign-key E4758D1D
= Reading OpenPGP E-mail =
OpenPGP implementations can be used to digitally sign, encrypt, and decrypt email messages for heightened security. You can register your own personal OpenPGP keys with Launchpad, and under some situations, Launchpad will send you signed or encrypted email. You would then use OpenPGP support in your mail reader to decrypt these messages or verify a message's digital signature. Of course, you can also use the OpenPGP support in your mail reader to trade encrypted messages with your colleagues, or sign your own messages so that others can have better assurances that the email that appears to come from you actually does come from you.
The instructions below are not intended to provide you with detailed information on OpenPGP, its various implementations, or its use. These instructions simply provide links that can help you set up your mail reader to be compatible with OpenPGP signed and/or encrypted email.
We need your help to flesh out these instructions!
== Linux mail readers ==
This section is not all inclusive. Please feel free to add additional mail clients.
=== Evolution ===
Evolution has built-in support for OpenPGP. Look under the Security tab when you edit accounts.
 * Open Evolution and go to '''Edit->Preferences'''.
  * Choose your email account, click on it, and then click '''Edit'''.
  * Click on the '''Security''' tab.
  * In the '''PGP/GPG Key ID''' box, paste your '''KEY-ID'''.
  * Click '''OK'''. Click '''Close'''.
 * If you want to use your key in any new email, simply click on the '''Security''' menu item in your new mail message, and then click on '''PGP Sign'''.
=== KMail ===
KMail / Kontact has built-in support. For Gutsy and later releases, everything required is installed by default. See the [[https://help.ubuntu.com/community/KMailGPGAgent|KMail]] GPG page for details.
=== Claws Mail ===
Claws Mail supports OpenPGP through the plugin {{{claws-mail-pgpinline}}}.
  * {{{claws-mail-pgpinline}}} is available in the "Universe" repository.
  * {{{
sudo apt-get install claws-mail-pgpinline
}}}
  * The plugin may have to be loaded manually after installing it. Open Claws Mail and select '''Configuration -> Plugins'''.
   * If '''PGP/Core''' and '''PGP/inline''' are in the Plugins dialogue box, the plugins are loaded correctly.
   * Otherwise, click on the '''Load Plugin''' button towards the bottom of the window. In the file selection dialogue, select ''pgpinline.so'' and click the '''Open''' button.
  * When Claws Mail tries to open encrypted e-mail, the program will prompt for your key's passphrase and then show the e-mail with the decrypted message.
=== Thunderbird ===
  * Thunderbird supports OpenPGP through the enigmail plugin.
  * Enigmail is available in the "Main" repository.
  * {{{
sudo apt-get install enigmail}}}
  * Configure OpenPGP support in Thunderbird under '''Enigmail->Preferences''' and set the '''GnuPG executable path'''. The path for GnuPG is ''/usr/bin/gpg''.
=== GMail ===
  * You can set up FireGPG (http://getfiregpg.org/s/install) in order to sign, decrypt, encrypt, etc. straight from any website. This is quite useful when using gmail, where one only has to go to the Tools menu in Firefox and choose the relevant option under FireGPG. '''''(The FireGPG project is discontinued. For details click [[http://blog.getfiregpg.org/2010/06/07/firegpg-discontinued/|here]])'''''
=== Mutt ===
 * Create a ''~/.mutt'' directory and copy this file into it: ''/usr/share/doc/mutt/examples/gpg.rc''
 * Append this line to the muttrc configuration file.{{{
source ~/.mutt/gpg.rc                           # Use GPG
}}}
 * If you're using Mutt 1.5.13, you'll need to fix the paths to pgpewrap as detailed in [[http://ubuntuforums.org/showthread.php?t=522646|this post]]
== Miscellaneous/all platforms (web mail) ==
This section is in need of expansion. Please feel free to add any additional plugins for Firefox or other browsers.
=== It's All Text! ===
  * [[https://addons.mozilla.org/en-US/firefox/addon/its-all-text/|It's All Text!]] is a '''''Firefox''''' extension which allows you to edit your mail in your preferred local text editor.
  * If your editor supports it, this can make handling of encrypted mail easier.
  * For example, you could use [[http://www.vim.org/scripts/script.php?script_id=3645|gnupg.vim]] and a local Vim instance.
=== FireGPG (Discontinued) ===
  * [[http://getfiregpg.org/|FireGPG]] is a '''''Firefox''''' extension which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.
  * FireGPG integrates with the Google web mail interface, bringing OpenPGP functionality to Gmail.
  * Support for other web mail providers is planned.
= Validation on Launchpad =
You need to tell Launchpad about your OpenPGP key(s) to be able to sign the Ubuntu Code of Conduct (and thus become an Ubuntero) and to build packages using HCT.
== OpenPGP keys and Launchpad ==
 * Visit the OpenPGP Keys page once logged into Launchpad. Paste your key fingerprint into the textbox:{{{
gpg --fingerprint}}}
  * The key fingerprint would be something like: {{{
95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2}}}
  Launchpad will send you an email which you will have to decrypt. You can save the text to a file:
  (Sample message - make sure not to alter the format)
  {{{
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.3 (GNU/Linux)
hQIOA0THhKozD+K5EAf9F3PcOL2iU6onH2YsvB6IKDXNxbK0NBVy6ppxcNq8hoTe
cuHvzWLFfh1ehhSNe1V6xpuFnt5sJoeA4qEEOxez3HmY80tKIKMPLyhC/8JiSIW9
fwuxj4C0F6pdyrpvGbQAzfPEFk/P1AtIHXm4WLXduhBT7YEpmUk/I4A/KlSrKoiP
J5vBtbroUyp2jvIhDUmY7ToU+ifrDe3+VP1ZzSEJzOOXec9oPbcbvf5NptXA7Hbp
S0ElBAcLjKpAu7VKotCwFZIsVXDHT/mxf2qm88bGIrlXS5uTzvmyhQps1KmyNiCz
I0i5kSVvHZWyVZ+8FrROLqYAqqnEIMg9hUnbFAervgf/YiYs0xxWLYf9e14eoMZA
ranGT72q/JHmBNBYenOijaquFNi1TH5J8Udtt2RfdyRUlmGilxRvtIYL8gpnuNpS
+GHOoBWUN2f4nawaDeqgrf6Nt3qQWWLO4iJPgieejFP2FP6zkLme1t7dXo+z1ary
EZuxSLtKIWkOFEZ8Gcn02hBgOhJZucnkF6BmVW9dr1C4QEAmGM631uqfsp5PapAn
yjHbEU1L2R9i7vPtJNRr6ubFLWg1Yhfv63ByxSx/WQHMMqlrbL+moXBGED3L2hM8
7FP9eapBRgmS+Bda9ArcGMUElTOkWoUYIOPyLOYmo15LvbxHOVaXjn7+fDgr2S1J
R9LArwHycmdKKelRww+ZvylHIfq8xy10atRQIYawchh9A1myXD1TlWbrrIkodQJF
iEpO2i1LKvqwZHOx3szT4hF+44tNFzQIL1j+zF5Hrt2WOTnS5WXGgGRtfEd8F7fN
khQZOAdhwrnlY+yknruC8Y8Jm8vM57+KnPgBfvxuxzLX1XFTfTZCHXeUmwwu3mga
m+6WzckeBGBDHKK6GqwFoOAykTwjyqOZaty7DPHeoINc0tLMVr9Ks64DScf8bgh4
MkNonA0YhMQbkmwRc33APw441+/iLw5gqndQdX44kKqC71dG6LqanAOjD29Xj3JV
ZBsjg95Jrx7Sx+i/V0PUeaU9QjCT0Q1jEy1Bcs8NYtTJnpG+4oHYJ0pyiGxIquQH
V9E+hW6Qehx5DbsIXEvfeaBBHOfAHHOhUH14WK4bsJWm8wZ50XiYBZrNFOqzsm13
2STcY4VIoJp3Uw2qNyvZXQUhpndlfgQGO14CMSadzDn6Vts=
=hTe6
-----END PGP MESSAGE-----}}}
 * Now run:{{{
gpg --decrypt file.txt}}}
  * You will need to enter your passphrase.
 * The message will be displayed along with the link you must follow to confirm your key in Launchpad.
 * Follow the link, enter your Launchpad password as asked, and you are done!
=== Validating using Firefox and FireGPG ===
 * If you are on gmail, using the FireGPG addon, simply scroll down and click "decrypt this mail". You will now see the decrypted message with a link and a token. Copy that URL:
 {{{https://launchpad.net/token/somealphanumerictoken}}}
  * Follow the link and click on "Confirm". Please note that validation does take some time. If you run into an internal 500 server error, simply try again with the same token.
 * A confirming page should appear once the validation is successfully completed.
= Signing Data =
Signing data is helpful in verifying that the data from a person is indeed from that person. A typical scenario is described below.
== Launchpad Key Signing ==
When you've set up GnuPG and have a key in the strong set, it is time to sign the Ubuntu Code Of Conduct if you want to become an Ubuntu member or Ubuntero. Signing is done in 3 easy steps:
 1. Download the code of conduct from https://launchpad.net/codeofconduct/2.0/+download.
 1. Run the command {{{
gpg --clearsign UbuntuCodeofConduct-2.0.txt}}}
 1. Upload the contents of Ubuntu``Codeof``Conduct-2.0.txt.asc on https://launchpad.net/codeofconduct/2.0/+sign
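The following script is an added example, not code from the wiki page or from the GnuPG project. It runs the key lifecycle described earlier on this page (a sign-only RSA primary key as in option (5), the encryption subkey added with addkey and option (6), the revocation certificate, the ASCII-armoured export and the derivation of the short key-id from the fingerprint) together with this section's clearsign step, and it does so unattended inside a throwaway GNUPGHOME so your real keyring is never touched. It assumes GnuPG 2.1 or newer, whose --quick-gen-key and --quick-add-key options replace the interactive prompts quoted on this page and which writes a revocation certificate into openpgp-revocs.d at key creation; the user ID, passphrase and message text are constructed values and the gpg_demo_* function names are my own.

```shell
#!/bin/sh
# Added example, not code from the wiki page or the GnuPG project: the key
# lifecycle the page describes, run unattended in a throwaway GNUPGHOME so the
# real keyring is never touched. Assumes GnuPG 2.1+ (--quick-gen-key,
# --quick-add-key, openpgp-revocs.d). Name, e-mail, passphrase: constructed.
set -eu

DEMO_UID="Demo User (Tutorial key) <demo@example.invalid>"   # constructed
DEMO_PASS="correct horse battery staple"                       # constructed

# Isolated keyring; mktemp -d creates it mode 0700, which gpg insists on.
gpg_demo_setup() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    # Lets --passphrase work with no pinentry dialog (needed on older 2.1.x).
    echo "allow-loopback-pinentry" > "$GNUPGHOME/gpg-agent.conf"
}

# Common flags: never prompt, take the passphrase from the command line.
gpg_q() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase "$DEMO_PASS" "$@"
}

# The page's "(5) RSA (sign only)", 2048 bits, never expires. Prints the
# 40-hex-digit fingerprint: the value to hand out at a keysigning party.
gpg_demo_gen_key() {
    gpg_q --quick-gen-key "$DEMO_UID" rsa2048 sign 0 >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$DEMO_UID" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# The page's "addkey" -> "(6) RSA (encrypt only)". Prints how many subkeys
# now carry the 'e' (encrypt) capability (colon-format field 12).
gpg_demo_add_encryption_subkey() {
    gpg_q --quick-add-key "$1" rsa2048 encr 0 >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '$1 == "sub" && $12 ~ /e/ { n++ } END { print n + 0 }'
}

# The short key-id the page exports as GPGKEY is the last 8 hex digits of the
# fingerprint. Short ids are cheap to collide; compare full fingerprints.
gpg_demo_short_keyid() {
    printf '%s' "$1" | tr -d ' ' | tail -c 8
}

# GnuPG 2.1+ writes a revocation certificate as soon as the key is created;
# this is the file the page tells you to keep somewhere safe.
gpg_demo_revocation_cert() {
    printf '%s/openpgp-revocs.d/%s.rev' "$GNUPGHOME" "$1"
}

# ASCII-armoured public key (what gets pasted into a keyserver web form).
gpg_demo_export_public() {
    gpg --batch --armor --export "$1" > "$2"
    head -n 1 "$2"
}

# Clearsign a text file, verify it, then verify a one-word edit of it.
# Prints "intact tampered" when the signature catches the edit.
gpg_demo_clearsign_and_verify() {
    printf 'I agree to the constructed code of conduct.\n' > "$1"
    gpg_q --local-user "$2" --clearsign "$1" 2>/dev/null   # writes "$1.asc"
    result=""
    gpg --batch --verify "$1.asc" 2>/dev/null && result="intact"
    sed 's/agree/disagree/' "$1.asc" > "$1.tampered.asc"
    gpg --batch --verify "$1.tampered.asc" 2>/dev/null || result="$result tampered"
    echo "$result"
}

# Encrypt to the new subkey and decrypt again; prints the recovered text.
gpg_demo_encrypt_decrypt() {
    printf 'secret token\n' | gpg --batch --quiet --yes --trust-model always \
        --armor --recipient "$1" --encrypt --output "$2"
    gpg_q --decrypt "$2" 2>/dev/null
}

gpg_demo_run() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 0; }
    gpg_demo_setup
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    GPG_DEMO_FPR=$(gpg_demo_gen_key)
    GPG_DEMO_SUBKEYS=$(gpg_demo_add_encryption_subkey "$GPG_DEMO_FPR")
    GPG_DEMO_EXPORT_HEAD=$(gpg_demo_export_public "$GPG_DEMO_FPR" "$GNUPGHOME/mykey.asc")
    GPG_DEMO_VERIFY=$(gpg_demo_clearsign_and_verify "$GNUPGHOME/conduct.txt" "$GPG_DEMO_FPR")
    GPG_DEMO_DECRYPTED=$(gpg_demo_encrypt_decrypt "$GPG_DEMO_FPR" "$GNUPGHOME/msg.asc")
    echo "fingerprint        : $GPG_DEMO_FPR"
    echo "short key-id       : $(gpg_demo_short_keyid "$GPG_DEMO_FPR")"
    echo "encryption subkeys : $GPG_DEMO_SUBKEYS"
    echo "revocation cert    : $(gpg_demo_revocation_cert "$GPG_DEMO_FPR")"
    echo "export starts with : $GPG_DEMO_EXPORT_HEAD"
    echo "clearsign check    : $GPG_DEMO_VERIFY"
    echo "decrypted          : $GPG_DEMO_DECRYPTED"
}
gpg_demo_run
```

Run it as sh gpg_demo.sh; it prints the fingerprint, the short key-id derived from it, the number of encryption-capable subkeys, the path of the revocation certificate, and whether verification caught the edited clearsigned file. The short key-id is computed only because this page uses it for GPGKEY; when you exchange keys at a signing party, compare the full 40-digit fingerprint, since 32-bit key-ids can be generated to match any target.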
= Getting your key signed =
The whole point of all this is to create a web of trust. By signing someone's public key you state that you have checked that the person using a certain keypair is who they say they are and really controls the private key. In this way a whole network of people whose keys vouch for each other is created. The largest such network is called the ''strongly connected set''; information about it can be found at http://pgp.cs.uu.nl/
In summary:
 1. Locate someone who lives near you and can meet you to verify your ID. Sites like http://www.biglumber.com/ are useful for this purpose.
 1. Arrange a meeting. Bring at least one photo ID and a printed fingerprint of your OpenPGP key, and ask the same of the person you will be meeting.
 1. Print copies of your public key:
  * the last eight hex digits of your fingerprint are your short key ID: 0995 ECD6 3843 CBB3 C050  28CA E103 6EED '''0123 4567'''. The short ID is only a convenient handle; different keys can share it, so always compare the full fingerprint.
  * terminal: {{{gpg --fingerprint 01234567 >> key.txt}}}
  * print the resulting key.txt and bring as many copies to the meeting as you expect to have people sign
 1. Meet, verify each other's IDs and exchange OpenPGP key fingerprints.
 1. Sign the key of the person you have just met and send them the signed key.
 1. Update the keys on the keyserver; the signature you have just created is uploaded with the key it belongs to.
== Keysigning Guidelines ==
Since a signature means that you checked and verified that a certain public key belongs to a certain person who controls the accompanying private key, follow these guidelines when signing people's keys:
=== During the Event ===
 1. Keysigning is only done after meeting in person.
 1. At this meeting you hand each other your OpenPGP key fingerprint and at least one government-issued ID '''with a photograph'''. The fingerprints are usually distributed as key fingerprint slips created by a script such as gpg-key2ps (package: signing-party).
 1. You check that the name on the key matches the name on the ID and that the person in front of you is indeed who they say they are.
=== After the Event ===
You now have the printed public key information from the other participants.
The example key IDs for the other participants are E4758D1D, C27659A2 and 09026E7B, and your own key is 01234567. Replace these with the key IDs you received from the other participants.
 1. Retrieve the keys (a keyserver must be configured; a short ID may match more than one key, which is why the fingerprint check in the next step matters):
  * {{{gpg --recv-keys E4758D1D C27659A2 09026E7B}}}
 1. Sign the keys. gpg shows each key's fingerprint before asking for confirmation; compare it with the slip you were given and sign only if it matches:
  * {{{gpg --sign-key E4758D1D}}}
  * {{{gpg --sign-key C27659A2}}}
  * {{{gpg --sign-key 09026E7B}}}
 1. Export the signed keys:
  * {{{gpg --armor --export E4758D1D --output E4758D1D.signed-by.01234567.asc}}}
  * {{{gpg --armor --export C27659A2 --output C27659A2.signed-by.01234567.asc}}}
  * {{{gpg --armor --export 09026E7B --output 09026E7B.signed-by.01234567.asc}}}
 1. E-mail the key owners (use the e-mail address that is part of the key's user ID) and attach the corresponding file, or send their signed key to the keyserver:
  * {{{gpg --send-keys --keyserver keyserver.ubuntu.com E4758D1D}}}
 1. Once you receive your own signed key back, import the files into your keyring:
  * {{{gpg --import 01234567.signed-by.E4758D1D.asc}}}
  * {{{gpg --import 01234567.signed-by.C27659A2.asc}}}
  * {{{gpg --import 01234567.signed-by.09026E7B.asc}}}
 1. You should now see the new signatures on your key:
  * {{{gpg --list-sigs 01234567}}}
 1. Send your key to the keyserver:
  * {{{gpg --send-keys 01234567}}}
Congratulations, you have now entered a web of trust or enlarged an existing one.
= Backing up and restoring your key pair =
== Backing up your public key ==
 * List your public keys:{{{
gpg --list-keys
}}}
 * Look for the line that starts something like "pub 1024D/". The part after the slash is the key_id. Newer GnuPG versions print the algorithm differently (for example "pub   rsa2048 2005-09-08") and show the full fingerprint on the following line; the key ID is its last eight hex digits. To export the public key:{{{
gpg -ao _something_-public.key --export key_id
}}}
== Backing up your private key ==
 * List your secret keys:{{{
gpg --list-secret-keys
}}}
 * Look for the line that starts something like "sec 1024D/". The part after the slash is the key_id. To export the secret key:{{{
gpg -ao _something_-private.key --export-secret-keys key_id
}}}
== Restoring your keys ==
 * To restore your keys, copy the two files created above to the machine and type:{{{
gpg --import _something_-public.key
gpg --import _something_-private.key
}}}
Make sure you protect these files! The private key file is a complete copy of your secret key, protected only by your passphrase: keep it on offline media you control rather than on a shared machine or in cloud storage.
= Revoking a keypair =
If your keys are lost or compromised you should revoke your keypair. This tells other users that your key is no longer reliable.
||{{attachment:IconsPage/warning.png}} A key can only be revoked by someone holding its private key or a revocation certificate made earlier with that private key. This is deliberate: it prevents malicious revocations by third parties, but it also means that if you lose your private key without having generated a revocation certificate, you cannot revoke the key at all. Guard the certificate with the same care as your private key, since anyone who has it can disable your key. ||
 * Create a revocation certificate, ideally right after generating the key while you still can. Without --output gpg prints it to standard output, so redirect it to a file:
{{{
gpg --output revoke.asc --gen-revoke key_id
}}}
  * When the time comes, import the certificate into your keyring; this marks your key as revoked locally:
{{{
gpg --import revoke.asc
}}}
  * Upload the now-revoked public key to your keyserver of choice so that others learn of the revocation. In the following example (6382285E stands for the key ID of the key being revoked; use your own) the key is sent to the Ubuntu keyserver:
{{{
gpg --keyserver keyserver.ubuntu.com --send-key 6382285E
}}}
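The following script is an added example and is not part of the Ubuntu page or its Galician translation. It runs the "after the event" key-signing exchange, the backup/restore and the revocation described in the three sections above end to end, between two throwaway keyrings ("Alice" and "Bob", assumed names) so that nothing touches ~/.gnupg and no keyserver is contacted; where the page uses {{{--recv-keys}}} and {{{--send-keys}}}, files are handed over instead. It assumes GnuPG 2.1 or later; user IDs, file names and the keyring layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the Ubuntu/Galician page): key signing between two
# keyrings, a backup/restore, and a revocation. Needs GnuPG 2.1 or later.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 1; }

WORK=$(mktemp -d "${TMPDIR:-/tmp}/gpgwot.XXXXXX")
ALICE="$WORK/alice"; BOB="$WORK/bob"; RESTORED="$WORK/restored"
mkdir -m 700 "$ALICE" "$BOB" "$RESTORED"

# g KEYRING ARGS...: non-interactive gpg on one keyring (demo keys have no passphrase).
g() { _h=$1; shift; GNUPGHOME=$_h gpg --batch --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Full 40-hex-digit fingerprint of the first key in a keyring (or of a named key).
fpr() { g "$1" --with-colons --with-fingerprint --list-keys ${2:-} | awk -F: '$1=="fpr"{print $10; exit}'; }
# The "key ID" the page uses: the last eight hex digits of the fingerprint.
keyid() { fpr "$1" ${2:-} | cut -c 33-40; }
# Number of signatures on KEY made by the key whose short ID is SIGNER.
sigs_by() { g "$1" --with-colons --list-sigs "$2" | awk -F: -v s="$3" '$1=="sig" && substr($5,9)==s {n++} END{print n+0}'; }
# Number of secret keys in a keyring (used to check the restore).
secret_count() { g "$1" --with-colons --list-secret-keys | awk -F: '$1=="sec"{n++} END{print n+0}'; }
# Validity flag of a public key: "u" for your own key, "r" once revoked.
validity() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $2; exit}'; }

g "$ALICE" --quick-gen-key 'Alice <alice@example.invalid>' default default never >/dev/null 2>&1
g "$BOB"   --quick-gen-key 'Bob <bob@example.invalid>'     default default never >/dev/null 2>&1
ALICE_ID=$(keyid "$ALICE"); BOB_ID=$(keyid "$BOB"); BOB_FPR=$(fpr "$BOB")

# 1. Retrieve Bob's key. At a real party this is gpg --recv-keys BOB_ID; here
#    Bob hands over an exported file instead.
g "$BOB" --armor --export "$BOB_ID" > "$WORK/bob.asc"
g "$ALICE" --import "$WORK/bob.asc" 2>/dev/null

# 2. Compare the fingerprint of what was imported with the one on Bob's paper
#    slip (read straight from Bob's keyring here). Never sign on a short key
#    ID alone: short IDs are not unique.
[ "$(fpr "$ALICE" "$BOB_ID")" = "$BOB_FPR" ] || { echo "fingerprint mismatch, refusing to sign" >&2; exit 1; }

# 3. Sign. --quick-sign-key is the non-interactive form of the page's --sign-key.
g "$ALICE" --quick-sign-key "$BOB_FPR" 2>/dev/null
g "$ALICE" --armor --export "$BOB_ID" > "$WORK/$BOB_ID.signed-by.$ALICE_ID.asc"

# 4. Bob imports the signed copy (mailed to him, or fetched from a keyserver)
#    and can now see Alice's signature with gpg --list-sigs.
g "$BOB" --import "$WORK/$BOB_ID.signed-by.$ALICE_ID.asc" 2>/dev/null

# 5. Backup: public and secret parts to two files, then restore into a fresh keyring.
g "$BOB" --armor --output "$WORK/bob-public.key"  --export "$BOB_ID"
g "$BOB" --armor --output "$WORK/bob-private.key" --export-secret-keys "$BOB_ID"
g "$RESTORED" --import "$WORK/bob-public.key" "$WORK/bob-private.key" 2>/dev/null

# 6. Revocation. GnuPG 2.1+ already wrote a certificate at key generation under
#    openpgp-revocs.d/, with a leading ':' so it cannot be imported by accident
#    (the page's "gpg --output revoke.asc --gen-revoke" produces the same kind
#    of file). Strip the colon, import it, and the key is marked revoked;
#    --send-keys would then publish the revoked key.
sed 's/^://' "$BOB/openpgp-revocs.d/$BOB_FPR.rev" | sed -n '/^-----BEGIN/,$p' > "$WORK/revoke.asc"
g "$BOB" --import "$WORK/revoke.asc" 2>/dev/null

echo "signatures by Alice on Bob's key: $(sigs_by "$BOB" "$BOB_ID" "$ALICE_ID")"  # 1
echo "secret keys in restored keyring:  $(secret_count "$RESTORED")"             # 1
echo "Bob's key validity after revoke:  $(validity "$BOB" "$BOB_ID")"            # r

for h in "$ALICE" "$BOB" "$RESTORED"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
```

Two points the page's command lists leave implicit are made explicit here: the fingerprint comparison happens before the signature is made, and a revocation is just another signature packet on the key, which is why importing the certificate into the keyring is enough to flip the key's validity to revoked and why the same {{{--send-keys}}} used for normal uploads is what publishes it.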
== Un-revoking a keypair ==
If you revoked a key unintentionally, or find that it has in fact not been lost or compromised, you can remove the revocation from your local copy. First and foremost, do not distribute the revoked key or send it to a keyserver: keyservers only ever merge signatures into a key, so a revocation that has already been published there cannot be recalled, and the procedure below only cleans up your own keyring.
  * Export the key
{{{
gpg --export <key> > key.gpg
}}}
  * Split the key into its OpenPGP packets, one file per packet:
{{{
gpgsplit key.gpg
}}}
  * Find the file containing the revocation signature. In most cases it is 000002-002.sig, but check with the following command: if the output shows a signature packet with sigclass 0x20 (key revocation), you have the right file. Delete it.
{{{
gpg --list-packets 000002-002.sig
}}}
  * Put the remaining packets back together
{{{
cat 0000* > fixedkey.gpg
}}}
  * Remove the old key from your keyring (keep a backup of the key pair before you do)
{{{
gpg --expert --delete-key <key>
}}}
  * Import the repaired key
{{{
gpg --import fixedkey.gpg
}}}
== GPG 2.0 ==
||{{attachment:IconsPage/info.png}} GPG 2.0 is not installed by default on the Ubuntu releases this page was written for; on current releases the gpg command is already GnuPG 2.x.||
GnuPG 2.0 is the newer branch of GnuPG, aimed at desktop use rather than embedded or server applications.
 * GnuPG2 is available in the "Main" repository since Intrepid, or in the "Universe" repository in earlier releases.
  * If you want to use gnupg2 with the '''firegpg''' Firefox extension, you need to install gnupg2 first.
 * More information on GnuPG2 can be found [[http://manpages.ubuntu.com/manpages/lucid/man1/gpg2.1.html|here]]
 * If you want to use gpg2 for the same purposes as outlined above, just add `2` to the gpg command:
 {{attachment:IconsPage/example.png}} {{{
gpg2 --gen-key }}}
= Tips and Tricks =
 * Export your key ID from ''~/.bashrc'' by adding a line similar to {{{export GPGKEY=YOUR-KEY-ID}}}
 * gnupg-agent and pinentry-gtk2 are packages that save you from entering the passphrase for your key every time you use it. Open {{{~/.gnupg/gpg.conf}}} in your favourite editor, browse through it and change what you like. Two useful options are:
    * keyserver-options auto-key-retrieve
    * use-agent (the Ubuntu default for Gutsy and later releases)
The former makes gpg fetch unknown keys from the keyserver automatically whenever it verifies a signature; be aware that this contacts the network on every verification, reveals which signatures you check, and imports whatever the keyserver returns for that key ID. The latter makes gpg use gpg-agent, which is very useful if you use gpg a lot but don't like typing your passphrase all the time, and is required by some programs (such as KMail) to sign or encrypt messages. In GnuPG 2.1 and later the agent is always used and use-agent is accepted but ignored. Gnupg-agent and pinentry are in Main for Gutsy and are installed and configured automatically in Kubuntu. If you are upgrading from Ubuntu 7.04 (Feisty), ~/.gnupg/gpg.conf may not have been created in your home directory because of a bug in the gnupg package, in which case agent integration is not enabled by default. If you have not created your own gpg.conf, fix this by running {{{cp /usr/share/gnupg/options.skel ~/.gnupg/gpg.conf}}}. If you do have a gpg.conf and are affected by this issue, that command would overwrite it with Ubuntu's default options and wipe any customizations you have made; run {{{echo use-agent >> ~/.gnupg/gpg.conf}}} instead.
Now create the file ~/.gnupg/gpg-agent.conf with the following content:
{{{
pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 86400
max-cache-ttl 86400}}}
This makes gpg-agent use pinentry-gtk2 and keeps your passphrase cached for 24 hours. Consider the security implications before doing this: anyone with access to your session during those 24 hours can sign or decrypt with your key without knowing the passphrase. The agent's defaults are 600 seconds for default-cache-ttl and 7200 seconds for max-cache-ttl; pick the shortest values you can live with. For Kubuntu, use pinentry-qt4 instead.
 * Changing your passphrase. To change the passphrase of a key, run
 {{{
gpg --edit-key userid
}}}
(the 'real name' part of the user ID suffices). Enter {{{passwd}}} at the prompt and type the new passphrase twice, then {{{save}}} to write the change and leave the editor.
This document is a translation and adaptation of the [https://help.ubuntu.com/community/GnuPrivacyGuardHowto Ubuntu documentation], licensed under [https://help.ubuntu.com/community/License Creative Commons].
Current revision as of 4 March 2014, 23:23
Generating an OpenPGP Private Key
OpenPGP support on Debian-based systems is provided by the gnupg package.
Several applications provide a graphical interface to GnuPG:
- Enigmail, an OpenPGP plugin for Mozilla Thunderbird.
- GNU Privacy Assistant, a graphical interface for GnuPG (GNU Privacy Guard).
- Seahorse, a GNOME application for managing encryption keys and passwords, which integrates with Nautilus, gedit and other GNOME applications.
- KGPG, a simple KDE interface for GPG.
- Kleopatra, another KDE interface for GPG, integrated with the KDE PIM personal information suite.
All of them can generate and manage OpenPGP keys.
Generating the private key with GnuPG
Generate your key pair with:
   gpg --gen-key
A screen similar to the following appears:
   Please select what kind of key you want:
      (1) RSA and RSA (default)
      (2) DSA and Elgamal
      (3) DSA (sign only)
      (4) RSA (sign only)
Option (1) lets you both sign and encrypt messages. Next you are asked for the key size; the default of 2048 bits is a good choice for the version shown here (current GnuPG versions default to 3072-bit RSA or elliptic-curve keys; accept whatever the default is).
The key's validity period defaults to "never expires". If you choose that, you must revoke the key yourself once you stop using it. An expiry date costs little, since it can be extended later with gpg --edit-key, and it limits the damage if you ever lose both the key and its revocation certificate.
The next screen asks for the information needed to build the user ID:
   You need a user ID to identify your key; the software constructs the user ID
   from the Real Name, Comment and Email Address in this form:
       "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

   Real name: User Name
   Email address: useraddress@domain.net
   Comment: Comment
   You selected this USER-ID:
       "User Name (Comment) <useraddress@domain.net>"
Make sure the name on the key (Real name) matches your real name, ideally exactly as it appears on official identification such as your ID card, since that is what keysigners will compare it against. More e-mail addresses can be added later.
When the key is created you are asked for a passphrase. The passphrase does not go into the key itself: the key is generated from the system's random number source, and the passphrase is used only to encrypt the private key on disk, so a copied keyring file is useless without it.
Once the key has been generated you will see something like:
   gpg: key D8FC66D2 marked as ultimately trusted
   public and secret key created and signed.

   pub   1024D/D8FC66D2 2005-09-08
         Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
   uid                  User Name (Comment) <useraddress@domain.net>
   sub   2048g/389AA63E 2005-09-08
(This sample output comes from an older DSA/Elgamal key; with option (1) you will see 2048R in place of 1024D and 2048g.) The KEY-ID of the new key is the value after pub 1024D/, here D8FC66D2. If you want scripts and tools that use GPG to pick this key automatically, export its ID in the GPGKEY environment variable by adding export GPGKEY=D8FC66D2 to your .bashrc.
To make the change take effect before your next login:
   killall -q gpg-agent
   eval $(gpg-agent --daemon)
   source ~/.bashrc
(On GnuPG 2.1 and later gpg starts the agent itself, so only the source line is needed.)
Encryption
If you generated a sign-only key, such as RSA (sign only), you can add encryption capability with an encryption subkey:
   gpg --cert-digest-algo=SHA256 --edit-key $GPGKEY
where $GPGKEY is the KEY-ID of the key. You will see something like:
   Secret key is available.

   pub   2048R/D8FC66D2  created: 2005-09-08  expires: never       usage: SC
                        trust: ultimate      validity: ultimate
   [ultimate] (1). User Name (Comment) <useraddress@domain.net>

   Command>
Enter the command addkey; you are asked for the passphrase of your private key and then see something like:
   Please select what kind of key you want:
      (2) DSA (sign only)
      (4) Elgamal (encrypt only)
      (5) RSA (sign only)
      (6) RSA (encrypt only)
The best choice is (6) with a 2048-bit key size. As when the primary key was created, you are also asked for the validity period. Afterwards you will see:
   pub   2048R/D8FC66D2  created: 2005-09-08  expires: never       usage: SC
                        trust: ultimate      validity: ultimate
   sub   2048R/389AA63E created: 2005-09-08  expires: never       usage: E
   [ultimate] (1). User Name (Comment) <useraddress@domain.net>

   Command>
Enter save to write the new subkey to the keyring and leave the editor.
Creating the Revocation Certificate
If your private key is ever compromised (someone gains access to it) or you simply no longer want it to be valid, you will need to revoke it. That requires a revocation certificate, and it can only be generated with the private key, so create one right after generating the key and keep it somewhere safe, separate from the key itself:
   gpg --output revoke.asc --gen-revoke $GPGKEY
The certificate can be printed out or kept on offline media. Treat it like the private key: anyone who gets hold of it can revoke your key. GnuPG 2.1 and later already write such a certificate at key generation time to ~/.gnupg/openpgp-revocs.d/<fingerprint>.rev, with a colon in front of the "-----BEGIN" line that you must remove before it can be imported.
Creating an ASCII version of the public key
Several sites let you paste the ASCII version of a public key to import it, and it is also common to include the public key in an e-mail message as an ASCII attachment. To get the ASCII-armoured version of your public key, run:
   gpg --output mykey.asc --export -a $GPGKEY
Uploading the public key to a public keyserver
If you want anyone to be able to fetch your public key when they need it, the best option is a public keyserver. There are many public PGP keyservers and most of them offer a web interface where you can paste the ASCII version of your key. The traditional SKS servers used to gossip keys among themselves, so a key uploaded to one server propagated to most of the others; that pool has since been shut down, so upload to the servers your correspondents actually use (keyserver.ubuntu.com still runs, and keys.openpgp.org publishes a key's user IDs only after e-mail verification and does not exchange keys with other servers).
For example, to send your key to Ubuntu's public keyserver:
   gpg --send-keys --keyserver keyserver.ubuntu.com $GPGKEY
Or paste the ASCII version of the key at http://keyserver.ubuntu.com
Using OpenPGP with E-mail
OpenPGP keys can be used to sign, encrypt and decrypt e-mail messages. Many e-mail clients support OpenPGP encryption/decryption and signing/verification.
Backing up and restoring your key pair
Why should you back up your key pair? If you lose it:
- Any files encrypted to the lost key pair will be unrecoverable.
- You will not be able to decrypt mail sent to you: decrypting requires your private key, which is not stored on the keyservers.
If you lose your key pair you should also revoke your key, which cannot be done without a revocation certificate generated in advance.
