GnuPG (GNU Privacy Guard) is an open source implementation of PGP (Pretty Good Privacy). It lets you do all the important stuff: signing, encrypting, and key management. This is a quick overview of the theory and usage. For a much deeper look, read the GNU Privacy Handbook.


Each person has a public key and a private key (also known as a secret key). The public key is published far and wide, generally using a keyserver. The private key is kept secret.


For example, let's take Alice, Bob, and Eve. Alice wants to send a message to Bob, and doesn't want anyone (especially Eve) to find out the contents. So, she takes the message, and encrypts it using Bob's public key. After it's encrypted with Bob's public key, the only way to get the cleartext again is to decrypt it with Bob's private key. So, as long as only Bob has his private key, only Bob can read the message.


Signing is like encryption in reverse. When Alice sends Bob a message, she encrypts it with her own private key. Since it was encrypted with a private key, anyone who has the public key can decrypt it. This may sound useless: if anyone can decrypt it, what's the point? The interesting thing is, only Alice's private key could have encrypted the message so that her public key would decrypt it. So, this lets Alice "sign" a message, proving she sent it.

Key distribution

The most complicated part of PGP is proving that Alice's key actually belongs to Alice, and not, say, Eve. For instance, without a good distribution system, Eve could publish a key labeled "Alice". Then, when Bob tried to send Alice a message, and used the imposter key, Eve could intercept the message and read it. A simple solution is just for Bob and Alice to meet in person beforehand and exchange keys. This works fine for two people who know each other, but for larger groups where it's not feasible, a bigger solution is needed: The web of trust. When Alice and Bob exchange keys, they also verify each other's identity (For instance, checking a photo ID). Then, they sign each other's public keys. Signing a public key is an assertion that the key belongs to the person it claims to belong to. So, if Alice and Bob have exchanged keys, and Bob and Carol have exchanged keys, Carol can verify that Alice's key belongs to her because Bob says it does.


Keys can be identified by a substring of the identity in most contexts. For instance, the email address, or last name.

Key exchanges

When you want to sign someone's key:

  1. Verify their identity. A drivers licence is generally sufficient.
  2. Get their key fingerprint. To get this, they run:

    other-person $ gpg --fingerprint <key-id>
    on their own computer.
  3. Make sure their key is uploaded to the server:

    other-person $ gpg --send-keys <key-id>

    (again on their computer) If it says something about a server other than, or complains about needing to set a keyserver, use:

    other-person $ gpg --keyserver --send-keys <key-id>

    or put the line

    into ~/.gnupg/pgp.conf
  4. Import their key to your keyring:

    me $ gpg --recv-keys <strict-key-id>
    Here you need to use the last 8 digits of their fingerprint to identify the key.
  5. Sign their key:

    me $ gpg --sign-key <strict-key-id>
    When it shows the key fingerprint, be SURE to make sure that it is the same as the fingerprint they gave you. If it asks, you want to sign all identities, and not answer about how strict your checking was.
  6. Upload the newly signed key back to the keyserver. This will update the copy in the keyserver to have the extra signature on it.

    me $ gpg --send-keys <strict-key-id>
    The same comment about keyservers as above applies here.
  7. They then download their own key, with the added signature:

    other-person $ gpg --recv-keys <strict-key-id>

And that's it! Repeat with 'you' and 'them' switched, and you're done.


In order to get the full benefit of the web-of-trust, you need to trust some people to sign keys. By trusting someone, you are accepting their signatures as assertions that the key belongs to the person it says it does. There are 3 trust levels to assign to someone: not trusted, marginally trusted, or fully trusted. In order to accept a key as legitimate, it needs either 3 marginally trusted signatures or one fully trusted signature. To assign a level of trust to a key, run:

$ gpg --edit-key <key>
Command> trust


PGP/GPG is mostly used for signing and encrypting email, and so its configuration is somewhat client-specific. If you know how to make it work with another mail client, please add it!


Gnus uses the pgg module by default for gpg access. Most of the defaults are fine, I have the following lines in my .gnus:

(setq mm-verify-option 'always)
(setq mm-decrypt-option 'always)
(setq gnus-buttonized-mime-types '("multipart/encrypted" "multipart/signed"))

I also have the variable pgg-default-user-id customized to my key id.

To sign a message, run C-c RET s o to add a message command to sign. To encrypt and sign, C-c RET c o.


To use gpg with thunderbird, you need to install an extension. I forget which one right now. Someone please fix this section.

GpgSigning (last edited 2007-11-23 18:02:20 by localhost)