PGP quick start

PGP is a public key encryption program created by Philip R. Zimmermann. It allows users to perform several useful functions:

Sign a plaintext message so that someone will be sure it came from you.
Encrypt a message so that only one user (or a list of users) can decrypt it.
Sign and encrypt a message so that it can only have come from you and can only be decrypted one user (or a list of users).

And once you're set up, other users will be able to do the same to you. It is remarkably easy to use once you get over the initial learning curve. The purpose of this page is just to be a cookbook to get you over that hump.

Getting started

Key pair generation

The first thing you must do is generate your pgp key pair. You will be asked for user ID which should usually be your full name and email address, and a "pass phrase" which proves to PGP you are allowed to use your secret key to sign or decrypt messages.

    pgp -kg

Key extraction

The next thing you need to do is to extract you public key so that you can distribute it to others with whom you communicate.

    pgp -kxa

You can mail the file you generate to those who will need it or publicize it in other ways (like this).

Note: It is adviable to certify your own public PGP key before actually distributing it. It prevents tampering with your key's user ID (which is a source of a "denial of service" attack against PGP users).

Key additions

Also, you will need to add other people's public keys to your own public key file (called a "keyring") for anyone whose signature you will need to validate, or to whom you will need to send an encrypted message. Put their public key (much like the one you extracted above) into a temporary text file, keyfile. You can get their public key through email, from their finger information or web page, through a public key server, or however they wish to publicize it.

    pgp -ka keyfile

Simple usage

Signing a plaintext message

You can certify that you alone sent a plain text message. This is useful for news postings or email where secrecy isn't wanted.

    pgp -sat filename

Sending an encrypted message

You can encrypt a message such that it can only be decrypted by a single user (or a list of users).

    pgp -eat filename userid [userid2 userid3]

More than one destination user key can be specified. userid actually only needs to be a unique substring (case-insensitive) of the full user ID associated with the key. The example shows what happens if you try to use an uncertified public key.

Sending a signed, encrypted message

A signed, encrypted message can only be decrypted by the specified user(s) and can only have been generated by you.

    pgp -seat filename userid [userid2 userid3]

Reading PGP encrypted and/or signed messages

Reading PGP messages is actually the easiest part of all this. Just dump the message to a file and run PGP over it. You needn't bother editing the message. PGP can find the PGP-relevant part by looking at the headers it puts in.

    pgp filename

If you don't want to save the decrypted message to a file, you can have it typed on your screen. (PGP will offer to save it after you've seen it.)

    pgp -m filename

Getting quick help

If you need a quick clue with PGP commands, it will give you a summary of the most frequently used ones online.

    pgp -h

Extra topics

Key certification

PGP won't do you much good if the public keys you have on your keyring don't belong to the people you think they do. That's what key certification is all about. You can either certify a key yourself when you add it, or do it later, after validating it with the user via another channel. The most straightforward way is to talk to the person on the phone (if you recognize his or her voice) and verify the fingerprint they get is the same as the one you get. Then you can certify the public key yourself.

    pgp -ks userid

At the same time, you will be asked to certify this person as an "introducer" of other keys to you. You should read the PGP manual to understand what that means. It's probably better to err on the conservative side here until you get a good feel for things.

Viewing a PGP key fingerprint

If someone else wants to certify your public key on their ring, you can read the PGP fingerprint of your own key to them over the phone.

    pgp -kvc your-userid

Key file security

From the PGP man page:

It is impossible to overemphasize the importance of protecting your secret key. Anyone gaining access to it can forge messages from you or read mail addressed to you. Be very cautious in using PGP on any multi-user unix system. [emphasis added]

That said, probably a good number of PGP users here will only have access to it in a multi-user environment. This does not mean that you should not bother with PGP. If you're already storing the information online (perhaps with some other form of encryption), PGP should only increase your security level.

The PGP manual, Volume I, should be read by all PGP users. Volume II should be read by more serious users. If your (or someone else's) life would be seriously disrupted by public disclosure of the information you are using PGP to protect, you should read both volumes of the manual, and you should be running it on a single user machine you control yourself.

Some obvious caveats when using PGP in a multi-user environment:

Your .pgp directory should be protected so that no one but you can read/write it.
You should never use PGPPASS environment variable.
Don't write your pass phrase down or store it online anywhere.

When you get the basic hang of it, you should then do some further reading on PGP, especially the PGP Manual: Volume I, which is required reading for all responsible PGP users.

This page last updated December 19, 1996.