gnuPGP Setup

Simon Richter Simon.Richter at hogyros.de
Fri Aug 20 15:09:53 CEST 2010


Hi,

On Thu, Aug 19, 2010 at 02:26:07PM -0700, BernePGP wrote:

> After the recipient has loaded the program he generates a personal key but
> does he do as I have done and copy out his public key in a Word file and send
> it to me?

Essentially, yes.

It is usually advisable to use plain text files (i.e. files containing
just the raw text, without any formatting), as these can be used from
gpg directly.

If you use gpg on the command line, the easiest way is to use the
"--output" (or "-o") option, e.g. in order to export a key:

  gpg --output mykey.txt --export --armor 12345678

where you replace "mykey.txt" with the name of the file you wish to
contain a copy of your public key, and 12345678 with the ID for your
key.

You can import such a file using

  gpg --import mykey.txt

(again, replacing the file name).

> In other words, when the recipient got my email with my public key encrypted
> in a Word file, what does he then do?  Does he copy and paste my public key
> somewhere in his gnupgp program?

He needs to import the key using --import. For this it is vital that the
key be available as plain text. If you have a Word file, you should
copy and paste the text into Notepad, and import from there.

Note that the communication channel you used to transfer the public key
is not secure -- while an attacker could not use the key data for
anything other than sending you an encrypted message, a man in the
middle could swap the key for another one. Therefore, it is recommended
that after importing, you list the contents of the keyring using the
command

  gpg --fingerprint

which will then show you one block for each known key, starting with
"pub", then followed by a number and letter, a slash, then the key id and
creation date, then in the next line listing a string of numbers. You
should verify that these two lines are the same for both you and the
recipient; if they are, then the key has not been tampered with in
transit.

You can then use

  gpg --sign-key 23456789

(replacing 23456789 with the other's key id), and follow the
instructions there to sign their key using yours; with this, you amend
the other's key with a signed note saying that you have verified their
identity. As the note is signed, it cannot be forged, and your local copy
of gpg will then know that it is safe to use this key (otherwise it'll
warn that the key is "untrusted" whenever it is used).

> In what form should I expect to receive the sender's public key?  Will it
> arrive already encrypted in a Word file and if so what do I do with that enc
> public key in regard to my gnuPGP program?

The same thing as your party does with your key.

   Simon
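
The fingerprint comparison described in the message above, as an added example that is not part of the original post: it checks a fingerprint received over a separate channel against gpg's machine-readable listing. The function names and the sample listing are constructed for illustration, and it assumes 40-hex-digit (v4) fingerprints.

```shell
#!/bin/sh
# Added example: compare a fingerprint received out of band with the
# output of `gpg --with-colons --fingerprint`. Function names are
# hypothetical; the sample key below is constructed, not a real key.

# Strip whitespace and upper-case the value, so the spaced form shown by
# `gpg --fingerprint` compares equal to the colon-format value.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Read colon-format output on stdin and print the fingerprint of each
# primary key: field 10 of the first "fpr" record after a "pub" record
# (later "fpr" records in the same block belong to subkeys).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Exit 0 if the expected fingerprint matches a primary key in the listing
# on stdin, 1 if it does not, 2 if the expected value is not a full
# fingerprint (an 8-digit key id is too short to verify a key).
fpr_matches() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    primary_fprs | grep -qxF "$expected"
}

# Constructed sample listing for a key whose short id is 23456789.
SAMPLE_LISTING='pub:-:2048:1:89ABCDEF23456789:1282000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF23456789:
uid:-::::1282000000::::Constructed User <user@example.invalid>:
sub:-:2048:1:1111222233334444:1282000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:'

# With a real keyring, after importing the other party's key:
#   gpg --with-colons --fingerprint 23456789 | fpr_matches "$FPR_READ_ALOUD" \
#       && gpg --sign-key 23456789
```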


