The GNU Privacy Guard (GnuPG) allows you to encrypt, decrypt, sign, and verify communications and data, as well as create and manage the keys needed for these tasks. It is a full, open source implementation of the OpenPGP Standard (RFC2440) and is integrated into many Linux applications ranging from clipboard applets to instant messaging clients. These applications make it easy to use GnuPG for digital security in the GNOME desktop environment.
The applications we introduce in this article use GnuPG almost transparently, and you can get by without knowing too much about encryption or digital security. For the sake of the security of your data, though, you should make yourself familiar with these topics. Some good starting points include:
- The GNU Privacy Handbook
- The GNU Privacy Guard (GnuPG) Mini Howto
- The Case For Email Security
- A Lesson in Encryption, Part 1
- A Lesson in Encryption, Part 2
- A Lesson in Encryption, Part 3
The first thing you need to do to prepare to use GnuPG for digital security is to set up GnuPG keys. Once you've done this you can use them in the GNOME desktop applications that support GnuPG for secure messaging, email, text and files.
Let's start with Seahorse, a GnuPG GUI written for GNOME that you can use to set up and manage your GnuPG keys. Most Linux distributions include it in their repositories, so installation is as simple as selecting and installing it. During installation it adds plugins for gEdit, Nautilus, and the Epiphany Web browser as well as a panel applet.
To run Seahorse, look in your Applications menu for Passwords and Encryption Keys. Click on the Key -> Create New Key menu and select the option to create a new PGP Key. Enter your name and email address at a minimum. The default settings Seahorse provides for other options during key creation are usually OK for most people. You will be prompted for a passphrase for your private key during this process. Choose a secure passphrase, and do not forget it! If you lose your passphrase you won't be able to use your private key to decrypt or sign data. Once you have entered your passphrase, click OK and your key pair will be generated for you.
Once you have a key pair you can share your public key with your friends by including it in your email signature or placing it on your Web site or blog. Get your public key signed by your friends, and sign theirs, in order to build a web of trust.
At some stage you will want to publish your public key to a key server. To do so from Seahorse, choose Remote -> Sync and Publish Keys.
Once you've set up your GnuPG keys, your GNOME desktop is ready to become your digital security workstation. To use GnuPG with the applications listed below, the process is generally as follows:
- Select the data you want to sign, encrypt, verify, or decrypt.
- Choose the key or keys you wish to use for the process.
- If you're using your private key, supply your passphrase.
Seahorse installs a plugin for gEdit that allows you to encrypt, decrypt, sign, and verify plain text. To enable the GnuPG plugin for gEdit, choose Preferences from the Edit menu. Go to the Plugins tab, select the Text Encryption plugin, and click OK. Then you can select the text you want to encrypt, decrypt, or sign and choose from the encryption options under the Edit menu. Once done, you can copy and paste your encrypted or signed text to other applications.
Clipboard encryption panel applet
Seahorse also installs a Clipboard Text Encryption applet that you can add to your panel to allow you to copy text to the clipboard, encrypt it, and paste it into another application. This is one way to use encryption with Web-based email clients. To enable it, right-click on a panel and click Add to Panel. Select the Clipboard Text Encryption applet and click Add. After that, whenever you cut or copy text, you can click on the applet and encrypt or sign the text in the clipboard. If it is already encrypted or signed, clicking on the applet allows you to decrypt or verify the text.
You can add menu items for encrypting and signing data to the Nautilus File Manager by using another plugin provided by Seahorse. These menu items can be found both under the Nautilus Edit menu and in the context menu when you right-click on a file or folder. To use them, select the files or folders you want to operate on and select Edit -> Encrypt or Edit -> Sign. GnuPG will create a new file with a .pgp extension for any files you encrypt, and with a .sig extension for any files you sign. Your original file is left in place, unencrypted.
To verify the signature on a file with a .sig extension, right-click and select Open with Verify Signature. To decrypt a file with a .pgp extension, right-click on it and select Open with Decrypt File. On older versions of the Nautilus plugin, you may not automatically see this last option. If you don't, select Open With -> Open with Other Application, click the Open with Custom Command option, and enter seahorse-tool -d in the text field that appears. After you have done this you should see Open with seahorse-tool when you right-click on an encrypted file, and clicking on this option will decrypt the file for you.
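As an added illustration (not part of the original article, and not code from Seahorse or GnuPG), the following Python script reads the binary OpenPGP packet headers defined in RFC 2440 to report whether a .sig or .pgp file written by the Nautilus plugin holds a detached signature or an encrypted message. It assumes the files are in binary rather than ASCII-armored form, and the sample bytes are constructed by hand, not real GnuPG output.

```python
# Added example: classify a .sig or .pgp file by walking its OpenPGP packet headers.
TAG_NAMES = {1: "public-key encrypted session key", 2: "signature",
             3: "symmetric-key encrypted session key", 4: "one-pass signature",
             9: "symmetrically encrypted data", 11: "literal data", 18: "encrypted integrity-protected data"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document",
             0x10: "user ID certification", 0x18: "subkey binding"}

def parse_packets(data):
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]                            # packet tag byte: bit 7 is always set
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if ctb & 0x40:                             # new format: 6-bit tag, variable length
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                      # old format: 4-bit tag, 2-bit length type
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet not handled here")
            hdr = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((tag, body))
        pos += hdr + length
    return packets

def describe(data):
    packets = parse_packets(data)
    tags = [tag for tag, _ in packets]
    if tags and all(t == 2 for t in tags):                  # .sig: only signature packets
        body = packets[0][1]
        sig_type = body[1] if body[0] == 4 else body[2]     # v4 vs v3 signature layout
        return "detached signature over a %s" % SIG_TYPES.get(sig_type, "unknown type")
    if tags and tags[0] in (1, 3) and tags[-1] in (9, 18):  # .pgp: session key then ciphertext
        return "encrypted message (%s)" % TAG_NAMES[tags[0]]
    return "other: " + ", ".join(TAG_NAMES.get(t, "tag %d" % t) for t in tags)

# Constructed samples (not real GnuPG output): a v4 signature packet (header 0x88),
# and a public-key encrypted session key packet (0x85) followed by a SEIPD packet (0xD2).
SAMPLE_SIG = bytes([0x88, 0x0A, 4, 0x00, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD])
SAMPLE_PGP = bytes([0x85, 0x00, 0x0A, 3] + [0x11] * 8 + [1] + [0xD2, 0x05, 1, 0xAA, 0xBB, 0xCC, 0xDD])
```

Run describe() on the bytes of a file the plugin produced to see which kind of OpenPGP object it is before choosing Verify Signature or Decrypt File.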
The Epiphany Web browser benefits from yet another GnuPG plugin provided by Seahorse. With it you can encrypt and sign text in text fields on Web pages. You need to have epiphany-extensions installed so that you can enable the Seahorse extension for use from the Tools -> Extensions menu. This will enable right-click context menu encryption options when you are within a text field. You can also directly encrypt and sign text fields within Web pages using Firefox with the FireGPG add-on. To use it, right-click on a text field and select from the encryption options available under the FireGPG submenu. These tools make it easy to use GnuPG with Web-based email applications such as Gmail or Yahoo! Mail.
Evolution comes with support for GnuPG built-in. Thunderbird supports GnuPG through the Enigmail add-on, which is a comprehensive front end to GnuPG in its own right. The Balsa and Claws email applications also support GnuPG.
Psi is a cross-platform Jabber client that supports encrypted communications using GnuPG. Gabber, another Jabber client, also uses GnuPG. Pidgin (formerly Gaim) has an encryption plugin and the OTR plugin, both of which encrypt instant messaging communications, but neither of them uses GnuPG.
GnuPG on other platforms
When sharing your signed or encrypted data, you may be sharing it with people who do not use Linux as their principal operating system. Fortunately, GnuPG is implemented on Windows and Mac OS X too, and there are a number of applications and plugins which allow people on those platforms to use GnuPG and its data protection capabilities on their desktops.
The GNOME desktop provides a number of useful applications which have built-in or plug-in support for GnuPG, making the job of applying digital security to desktop tasks easy. What's more, most of the GnuPG-enabled applications listed above have equivalents in KDE which offer the same or similar functionality. The Linux desktop is well placed to provide the tools required for securing data and communications in the digital world.