PGP for the first-timer

Who this is for

Right, it "should" be "whom". Oh, well. Anyway, this GPG guide is for users of a Unix or Unix-like system on which GPG, the GNU Privacy Guard, is installed. The WAM and Glue networks at the University of Maryland meet these criteria, and are the main target of this HOW-TO. It is assumed that the user has never used PGP or GPG in his life, and that the user for the time being only wants to immediately send me an encrypted message.

PGP or GPG?

PGP stands for Pretty Good Privacy, and is the original program that allows the types of encryption that I am discussing. GPG stands for GNU Privacy Guard, which is a free, open-source implementation that is mostly compatible with PGP. I happen to have used GPG to generate my public/private key pair, so using GPG is probably your best bet for doing this. Plus I find it a bit easier to use, but maybe that's just because of the warm-and-fuzzy feeling that using Free Software gives me. The instructions on this Web page cover how to do it using GPG.

The Steps

  1. Get my GPG public key from the Web. You can right-click on the link and choose "Save Link As" to save it, or visit the page and save it. I assume you will leave the name as gpg_key.html, but you can call it anything you like.
  2. gpg --import gpg_key.html
    (or whatever name you gave the file). The steps up to this point only need to be done once, unless and until I decide to change my key.
  3. Type up the message you want to send to me, and save it as a file. The file can actually be any sort of file -- an image, an MP3, or a plain text file, for example. If it is an MS Office document, however, I may not be able to read it on the computers I normally use, because Microsoft has not produced a version of Office for those platforms. Note this has nothing to do with PGP compatibility; a file is still a file. Let's say you named the file you wanted to send me "filetosend.txt".
  4. gpg -r rschmertz --armor --encrypt filetosend.txt
    Don't worry too much if you see warnings like:
    gpg: Warning: using insecure memory!
    or
    No path leading to one of our keys found.
    I don't know how to solve the first problem, and the second problem is a result of the fact that you have never used GPG or PGP before. This should produce an ASCII text file called filetosend.txt.asc.
  5. Insert the entire contents of filetosend.txt.asc into the body of your message. Make sure your email application is not sending me an HTML-formatted message; I may have difficulty extracting the encrypted message from an HTML-formatted e-mail. If you are using Pine, you should be OK. You may also send the filetosend.txt.asc as an attachment, though putting it in the body is preferable.
  6. Put whatever unencrypted text you want in the body, above the line that says
    -----BEGIN PGP MESSAGE-----
  7. Send me the message.
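
Steps 5 and 6 depend on the armored block reaching the recipient exactly as GPG wrote it. The Python below is an added example, not part of the original guide: it pulls the block out of a message body and checks the CRC-24 line that ends the armor, so a block that a mail client wrapped in HTML or altered is caught before decryption. The function names and the sample body are assumptions made for the example, and the block is assumed to carry the checksum line.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # OpenPGP armor CRC-24 (RFC 4880, 6.1)

def crc24(data: bytes) -> int:
    """CRC-24 over the binary message, as carried on the armor's '=XXXX' line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Lay out bytes as an armored block (used here only to build sample input)."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "", *lines, "=" + check,
                      "-----END PGP MESSAGE-----"])

def extract_pgp_message(body: str) -> bytes:
    """Return the binary message found in a mail body; raise ValueError if damaged."""
    m = re.search(r"^-----BEGIN PGP MESSAGE-----\r?\n(.*?)^-----END PGP MESSAGE-----",
                  body, re.S | re.M)
    if m is None:
        raise ValueError("no intact PGP MESSAGE block (HTML mail or cut-off paste?)")
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    if "" not in lines:
        raise ValueError("no blank line between armor headers and data")
    data_lines = [ln for ln in lines[lines.index("") + 1:] if ln]
    if len(data_lines) < 2 or not data_lines[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(data_lines[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(data_lines[-1][1:], validate=True), "big")
    if crc24(data) != expected:
        raise ValueError("armor checksum mismatch: block was altered in transit")
    return data

if __name__ == "__main__":
    # Constructed sample: 100 arbitrary bytes stand in for real encrypted output.
    body = "Robert, the file is below.\n\n" + armor(bytes(range(100))) + "\n"
    print(len(extract_pgp_message(body)), "bytes recovered, checksum OK")
```

The checksum only detects accidental damage to the armor; it says nothing about who sent the message or whether the key used was the right one.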

The Real Deal

As I said, this is a quick-and-dirty way for someone to send me some sensitive information, such as a password or an SSN, if they have never used PGP before. There are more formalities one should go through in order to establish a "Web of trust", so that you can be sure that the public key you are using does in fact belong to me, that it has not been compromised, etc. However, it is obviously not always possible to do this.

Also, you may notice that nothing you have done here, if you have followed these instructions, allows me to send you an encrypted message. To do that, I have to use your public key; therefore you must create a public-private key pair for yourself. This is not terribly hard with GPG, but I won't get into it here.


Robert G. Schmertz
Last modified: Jan 29 2002