PGP Information


PGP(tm), Philip Zimmermann's Pretty Good Privacy package, has been installed on all CS systems. It is used to make electronic communication more secure. Although there is no such thing as absolute security (want to know why? Read the PGP documents), this is a "pretty good" attempt. Here is a paragraph taken from the extended documentation.

Synopsis: PGP(tm) uses public-key encryption to protect E-mail and data files. Communicate securely with people you've never met, with no secure channels needed for prior exchange of keys. PGP is well featured and fast, with sophisticated key management, digital signatures, data compression, and good ergonomic design.

Before you use pgp, you really should look over the documentation. It is a pair of 40+ page documents. Parts of it are even interesting. The first part and the second part are linked from this page. If you insist on getting started right away and refuse to read the documentation, look at the man page and the remainder of this page.


What is PGP?

PGP is a public key cryptosystem. That means to encrypt a file or mail message you must know the recipient's public key. The encrypted file or message can only be decrypted using the recipient's private key and a pass phrase. A pass phrase is analogous to a password but may include multiple words, special characters, spaces, etc. Before starting the setup process, think of a good pass phrase.


Setting up PGP

  1. If you already use PGP, read the manual to find out how to upgrade to the new version (you may not need to do anything at all). It is available in both Mosaic/Netscape and Gopher formats.
  2. Create the directory for the new pgp.
    mkdir ~/.pgp
  3. Tell PGP to generate your key set then follow the instructions.
    pgp -kg
  4. Add your name to the list of verified keys.
    pgp +verbose=0 +force=on -ks "" -u ""
  5. Extract a plain text copy of your public key to include in your email messages.
    pgp -kxa username tempfilename
  6. Add this to the end of your signature file if you want it included on all signed email messages. You may instead want to add it to the end of your plan file so anybody that fingers you can get your key. Finger (with the -l option) dennis@cs.wm.edu for an example.
    cat tempfilename.asc >>! ~/.plan
    cat tempfilename.asc >>! ~/.signature
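After finishing the steps above, the directory they create holds your secret key ring on a shared system. The following check, added here and not part of the original page or of PGP, verifies that the directory and key ring files exist and are readable only by you; the file names are the PGP 2.x defaults (pubring.pgp, secring.pgp, randseed.bin), and the directory to check is passed in rather than assumed to be ~/.pgp.

```python
"""Sanity-check the ~/.pgp directory the setup steps leave behind.

Added example, not part of the page or of PGP.  File names are the PGP 2.x
defaults (pubring.pgp, secring.pgp, randseed.bin).  On a shared system the
secret key ring should be readable by its owner only, even though the
secret key itself is protected by the pass phrase."""
import os
import stat
import tempfile

OTHERS = stat.S_IRWXG | stat.S_IRWXO       # any group/world permission bit
REQUIRED = ("pubring.pgp", "secring.pgp")  # written by "pgp -kg" (step 3)
PRIVATE = ("secring.pgp", "randseed.bin")  # must be owner-only

def check_pgp_dir(pgppath: str) -> list[str]:
    """Return findings; an empty list means the directory is set up correctly."""
    findings = []
    try:
        st = os.stat(pgppath)
    except FileNotFoundError:
        return [f"{pgppath}: missing; step 2 (mkdir) not done"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{pgppath}: not a directory"]
    if st.st_mode & OTHERS:
        findings.append(f"{pgppath}: mode {stat.filemode(st.st_mode)}, expected drwx------")
    for name in REQUIRED:
        if not os.path.isfile(os.path.join(pgppath, name)):
            findings.append(f"{name}: missing; step 3 (pgp -kg) not run")
    for name in PRIVATE:
        path = os.path.join(pgppath, name)
        if os.path.isfile(path) and os.stat(path).st_mode & OTHERS:
            findings.append(f"{name}: mode {stat.filemode(os.stat(path).st_mode)}, expected -rw-------")
    return findings

def demo() -> tuple:
    """Constructed sample: one directory set up right, one left too open."""
    with tempfile.TemporaryDirectory() as base:
        good, bad = os.path.join(base, "good"), os.path.join(base, "bad")
        for d, dmode, fmode in ((good, 0o700, 0o600), (bad, 0o755, 0o644)):
            os.mkdir(d)
            for name in REQUIRED + ("randseed.bin",):
                open(os.path.join(d, name), "wb").close()
                os.chmod(os.path.join(d, name), fmode)
            os.chmod(d, dmode)
        return check_pgp_dir(good), check_pgp_dir(bad)

if __name__ == "__main__":
    for label, findings in zip(("good", "bad"), demo()):
        print(label, findings or ["ok"])
```

Run it as `python3 check_pgp_dir.py` for the constructed demo, or call `check_pgp_dir(os.path.expanduser("~/.pgp"))` against your own setup.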

Now you, too, can send secret spy mail ... just like the professionals.


Using PGP in exmh

PGP can be used both at the command prompt and through the exmh mail facility. If you do not use exmh, try it. If you still prefer another mailer, see the techie. Within exmh, here are a few things to note:


PGP Quick Reference

Each of the following options to pgp is explained in great detail in both the man page and the online documentation. This list was extracted using the pgp -h option at the command prompt.

To encrypt a plaintext file with the recipient's public key:
pgp -e textfile her_userid
To sign a plaintext file with your secret key:
pgp -s textfile [-u your_userid]
To sign a plaintext ASCII text file with your secret key, producing a signed plaintext message suitable for sending via E-mail:
pgp -sta textfile [-u your_userid]
To sign a plaintext file with your secret key, and then encrypt it with the recipient's public key:
pgp -es textfile her_userid [-u your_userid]
To encrypt a plaintext file with just conventional cryptography, type:
pgp -c textfile
To decrypt an encrypted file, or to check the signature integrity of a signed file:
pgp ciphertextfile [-o plaintextfile]
To encrypt a message for any number of multiple recipients:
pgp -e textfile userid1 userid2 userid3


Key management commands:

To generate your own unique public/secret key pair:
pgp -kg
To add a public or secret key file's contents to your public or secret key ring:
pgp -ka keyfile [keyring]
To extract (copy) a key from your public or secret key ring do either:
pgp -kx userid keyfile [keyring]
pgp -kxa userid keyfile [keyring]
To view the contents of your public key ring:
pgp -kv[v] [userid] [keyring]
To view the "fingerprint" of a public key, to help verify it over the telephone with its owner:
pgp -kvc [userid] [keyring]
To view the contents and check the certifying signatures of your public key ring:
pgp -kc [userid] [keyring]
To edit the userid or pass phrase for your secret key:
pgp -ke userid [keyring]
To edit the trust parameters for a public key:
pgp -ke userid [keyring]
To remove a key or just a userid from your public key ring:
pgp -kr userid [keyring]
To sign and certify someone else's public key on your public key ring:
pgp -ks her_userid [-u your_userid] [keyring]
To remove selected signatures from a userid on a keyring:
pgp -krs userid [keyring]
To permanently revoke your own key, issuing a key compromise certificate:
pgp -kd your_userid
To disable or reenable a public key on your own public key ring:
pgp -kd userid


Esoteric commands:

To decrypt a message and leave the signature on it intact:
pgp -d ciphertextfile
To create a signature certificate that is detached from the document:
pgp -sb textfile [-u your_userid]
To detach a signature certificate from a signed message:
pgp -b ciphertextfile


Command options that can be used in combination with other command options (sometimes even spelling interesting words!):

To produce a ciphertext file in ASCII radix-64 format, add the -a option when encrypting or signing a message or extracting a key; use either:
pgp -sea textfile her_userid
pgp -kxa userid keyfile [keyring]
To wipe out the plaintext file after producing the ciphertext file, just add the -w (wipe) option when encrypting or signing a message:
pgp -sew message.txt her_userid
To specify that a plaintext file contains ASCII text, not binary, and should be converted to recipient's local text line conventions, add the -t (text) option to other options:
pgp -seat message.txt her_userid
To view the decrypted plaintext output on your screen (like the Unix-style "more" command), without writing it to a file, use the -m (more) option while decrypting:
pgp -m ciphertextfile
To specify that the recipient's decrypted plaintext will be shown ONLY on her screen and cannot be saved to disk, add the -m option:
pgp -steam message.txt her_userid
To recover the original plaintext filename while decrypting, add the -p option:
pgp -p ciphertextfile
To use a Unix-style filter mode, reading from standard input and writing to standard output, add the -f option:
pgp -feast her_userid < inputfile > outputfile
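The -a option described above wraps the output in radix-64 armor, and the last body line (beginning with "=") carries a CRC-24 of the raw bytes so a mangled key block or message can be detected before it is fed to pgp. The code below, added here and not taken from the page or from PGP, computes that checksum and validates a block; the init and polynomial constants are the standard PGP armor CRC-24, and make_armor only builds a constructed sample to check against.

```python
"""Verify the CRC-24 checksum on a PGP ASCII-armored (radix-64, "-a") block.

Added example, not part of the page or of PGP.  An armored block ends its
radix-64 body with a line "=XXXX" that encodes a CRC-24 of the raw bytes;
the init/polynomial values below are the standard PGP armor CRC-24."""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

def crc24(data: bytes) -> int:
    """PGP radix-64 CRC-24 (bitwise, as in the PGP armor specification)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def make_armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Build a minimal armored block around constructed sample bytes."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Version: constructed sample", ""]
                     + lines + [crc_line, f"-----END PGP {kind}-----", ""])

def check_armor(text: str) -> bool:
    """True if the block is well-formed and its CRC-24 matches the body."""
    lines = text.splitlines()
    begin = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP ")]
    end = [i for i, l in enumerate(lines) if l.startswith("-----END PGP ")]
    if not begin or not end or end[0] <= begin[0]:
        return False
    body = lines[begin[0] + 1:end[0]]
    if "" in body:                       # armor headers run up to a blank line
        body = body[body.index("") + 1:]
    if len(body) < 2 or not body[-1].startswith("="):
        return False
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        want = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:
        return False
    return crc24(data) == want
```

A block that fails check_armor was altered or truncated in transit (a mailer wrapping or trimming lines is the usual cause) and should be re-fetched rather than imported.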