Using GnuPG with Pine for Secure E-Mail
8 - 15 min read
Apr 12, 2001
Sending sensitive data through email has become a frequent practice among online workers. However, not all sources you send can be trusted entirely, as someone could be hacked or want to use your information for malicious intent. GnuPG, an easy-to-use encryption service, can help you ensure data and network security so only those who need access can see the information being sent.
GnuPG, or the GNU Privacy Guard, is a free drop-in replacement for PGP, Pretty Good Privacy. PGP is a standard file encryption and security service that utilizes public key cryptography cyber security to protect the communication between two parties. GnuPG implements the OpenPGP standard as outlined in RFC 2440. Pine is a popular mail and news client that can prioritize using GnuPG to improve security posture within a company. This article will discuss how GnuPG and Pine can work as a secure email system, ensuring data and network security.
As we continue the article, GnuPG and Pine will be discussed, assuming both are installed on your device. If not, consider downloading them to follow along as you read. If you use an RPM-based system, the EnGarde 1.0.1 system already includes “pinegpgp.” To install it, implement "rpm -Uvh <RPM>." Throughout this article, all key examples are fictitious, nonexistent, and invalid. The pinepgpg examples use a valid code (0xD3292967), which can be found on the keyservers.
What is GnuPG Encryption? How Is It Different from PGP?
GnuPG encryption is a free network security toolkit that can be implemented quickly for beginning email security clients. This software encrypts messages and files sent between two parties, which involves scrambling the data to prevent outsiders from accessing what is written. Regarding differences, GnuPG is open-source material available to the public, while PGP is not. Though developed over twenty years ago, GnuPG is still a very helpful and secure software company that can rely on to guarantee data and network security.
Can I Use GnuPG on a Remote System?
Avoid doing this at all costs, as you will never have physical control over a secret key ring. Local computers should be utilized in all steps of the encryption process to avoid opportunities for cybersecurity vulnerabilities to be exploited. If you use a connected server, have a strong password that will protect your key, and make sure to have a trusted system administrator. If you must use a remote system, consider generating the keypair on a desktop and copying the keyring to the machine to ensure protection and safety.
How Can I Encrypt and Sign Messages with GnuPG Commands?
Here are the steps you need to take to generate keys to join everyone else with these cyber security trends that will promise your company protection. You will first need to execute the command “gpg” to set up your ~/.gnupg directory:
|
[ryan@mastermind ryan]$ gpg gpg: Warning: using insecure memory! gpg: /home/ryan/.gnupg: directory created gpg: /home/ryan/.gnupg/options: new options file created gpg: you have to start GnuPG again so that it can read the new options file |
You are now set up for key generation. Start with the command “gpg --gen-key”
|
[ryan@mastermind ryan]$ gpg --gen-key gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you can redistribute it under certain conditions. See the file COPYING for details. |
|
gpg: Warning: using insecure memory! gpg: /home/ryan/.gnupg/secring.gpg: keyring created gpg: /home/ryan/.gnupg/pubring.gpg: keyring created |
Step 1: Select Key Type
The first step in GnuPG key generation is choosing exactly what type of key you want. You will see the screen below, where you will be asked to select that key.
|
Please select what kind of key you want: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) ElGamal (sign and encrypt) Your selection? 1 |
A Digital Signature Algorithm (DSA) generates digital signatures. An ElGamal (ELG-E) does both digital signatures and encryption. If you are mainly focused on identity verifications, then DSA keys are best. If you also want to send encrypted emails with sensitive information, then using EIGamal is a good idea. As a result, most people prefer to use the default option since you can perform all of the actions whenever needed. In the following steps, we will assume the user selected option 1.
Step 2: Select Keypair Size
You will need to determine the ELG-E keypair size in the next step.
|
DSA keypair will have 1024 bits. About to generate a new ELG-E keypair. (1) minimum keysize is768 bits (2) default keysize is 1024 bits Highest suggested keysize is 2048 bits What keysize do you want? (1024) 1024 |
The default size, 1024, is the best choice, as more is unnecessary. You will then receive a confirmation on screen.
|
Requested keysize is 1024 bits |
Step 3: Select Key Lifetime
Choose how long the key will be valid. Typically, you will want it to be forever, and the default assumes you want a key that does not expire. If you wish to an end date, this screen is where you can make adjustments:
|
Please specify how long the key should be valid. 0 = key does not expire <n>= key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 |
You will then be presented with a confirmation:
|
Key does not expire at all Is this correct (y/n)? y |
Step 4: Create User ID
GnuPG will generate a User ID for you that is unique to the key and derives from your name, email address, and any comments you make:
|
You need a User-ID to identify your key; the software constructs the user id from Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) < Real name: Ryan W. Maple Email address: Comment: Guardian Digital, Inc. |
You will then need to confirm the information.
|
You selected this USER-ID: "Ryan W. Maple (Guardian Digital, Inc.) < Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O |
Step 5: Select Passphrase
When signing or encrypting something, you will need a passphrase to unlock your secret key. A good passphrase requires a long combination of lowercase and uppercase letters, numbers, and punctuation. When entering your passphrase, this is what your screen will look like:
|
You need a Passphrase to protect your secret key. Enter passphrase: Repeat passphrase: |
Finally, GnuPG attempts to generate many random bytes to encrypt your private key. This will be your screen:
|
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. <random status data> <random status data> |
Start doing the “other action” recommended to help the GnuPG generate the random numbers needed for your key. Then you will see a success message:
|
public and secret key created and signed. |
What is a Revocation Certificate?
You will need a revocation certificate if you forget your passphrase or the key is compromised. The GnuPG manual explains that should this take place, you must immediately notify others of the cloud security breach or network security issues. You can still verify past documents with the signature, but you should not generate more encryptions with that passphrase. To create a revocation certificate, execute the command “gpg --gen-revoke user@host”:
|
[ryan@mastermind ryan]$ gpg --gen-revoke --output revocation.asc gpg: Warning: using insecure memory! sec1024D/60DDF66A 2001-01-03Ryan W. Maple (Guardian Digital, Inc.) < Create a revocation certificate for this key? y |
Afterward, you will need to provide the reason for revocation. Option 1 is most common, but options 2 and 3 result from choosing a shorter time span on your key pair:
|
Please select the reason for the revocation: 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used 0 = Cancel Your decision? 1 |
|
Enter an optional description; end it with an empty line: > |
|
Reason for revocation: Key has been compromised (No description given) Is this okay? Y You need a passphrase to unlock the secret key for user: "Ryan W. Maple (Guardian Digital, Inc.) < 1024-bit DSA key, ID 60DDF66A, created 2001-01-03 Enter passphrase: |
Following this, your revocation certificate will be stored, and you will receive a warning:
|
ASCII armored output forced. Revocation certificate created. Please move it to a medium you can hide away; if Mallory gets access to this certificate, he can use it to make your key unusable. Printing this certificate and storing it in case your media becomes unreadable is smart. But be cautious: Your machine's print system might store the data and make it available to others! |
Keep this certificate in a safe place:
|
[ryan@mastermind ryan]$ cat revocation.asc -----BEGIN PGP PUBLIC KEY BLOCK-----Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see https://www.gnupg.org Comment: A revocation certificate should follow iEkEIBECAAkFAjpbhzACHQIACgkQZi8S3ZLqN2GZHgCgsWbCMQBiExcvoGDZJQfniHbGOuYAoJndfnpvYloGReJZ1nTDwKGgWoN+=aXah -----END PGP PUBLIC KEY BLOCK----- |
Final Details for Revocation Certificate
Keep the keypair and revocation certificate in a safe place, such as storing it on a read-only media, in a tarball, or a safe deposit box by executing the following command (as long as your file is a “revocation.asc”):
|
[ryan@mastermind ryan]$ tar -cvf gnupg-BACKUP-2001-01.tar .gnupg revocation.asc |
If your key gets compromised, you can issue your certificate to make your keys null and void, protecting yourself and your company. Also, consider exporting a copy of your public key to keyservers so others can retrieve it if needed. Keyservers share public key information in a distributed fashion so that other servers can reach it quickly should any network security issues arise. To export a copy of your public key to stdout, execute the command:
|
[ryan@mastermind ryan]$ gpg --export --armor |
To save the file, execute the command:
|
[ryan@mastermind ryan]$ gpg --output pub.asc --export--armor |
To export it directly to the keyservers, execute the command:
|
[ryan@mastermind ryan]$ gpg --keyserver wwwkeys.pgp.net --send-keys |
Your public key will then have a long combination of letters, numbers, and punctuation that will ensure your key is protected. You may want to customize your “~/.gnupg/options” file as well:
|
# Set this if you want to disable the copyright notice. no-greeting |
|
# Set this to the server you wish to use as a keyserver keyserver wwwkeys.pgp.net |
Setting the keyserver directive will result in GnuPG attempting to import keys you do not have within your public keyring, which is unnecessary.
“pinepgp” Configuration and Installation
Once you have generated a key pair, you can install pinepgpg quite easily with "pinegpg-install":
|
[ryan@mastermind ryan]$ pinegpg-install |
pinepgp has a feature called "encrypt to self" that saves copies of your sent emails encrypted with your public key so you can view it. This is a helpful part of this network security toolkit that should be utilized, as you cannot decrypt mail in that folder if you do not have the feature enabled. Execute the command:
|
[ryan@mastermind ryan]$ pinegpg-install |
You will then see this in your .pinerc:
|
# This variable takes a list of programs that message text is piped into # after MIME decoding, before display. display-filters=_LEADING("-----BEGIN PGP MESSAGE-----")_ /usr/bin/gpg-check, _LEADING("-----BEGIN PGP SIGNED MESSAGE-----")_ /usr/bin/gpg-check # This defines a program that message text is piped into before MIME # encoding, before sending sending-filters=/usr/bin/gpg-sign, /usr/bin/gpg-encrypt _RECIPIENTS_ /usr/bin/gpg-sign+encrypt _RECIPIENTS_ |
Pine is now configured. You may also consider configuring messages following this pop-up:
|
Send message (unfiltered)? |
To sign/encrypt your message, you must type Control-P or Control-N to scroll to the correct filer. If you want to be offered the option to sign or encrypt emails, set the “compose-send-offers-first-filter” option in your feature list. You can do this in two ways:
- You can launch Pine, select “Setup” and then “C” for configuration, choosing “Composer Preferences” at the top and saving.
- You can edit the Pine directly by opening your text editor and adding “compose-send-offers-first-filter” to the “feature-list” line:
|
feature-list=expunge-without-confirm-everywhere, expunge-without-confirm, quit-without-confirm, enable-tab-completion, enable-flag-cmd, compose-send-offers-first-filter, enable-full-header-cmd |
How to Test Your pinepgp
Now that everything has been configured, you need to test it out by sending emails to a trusted source so you can make sure the services are working the way you want.
Test 1: Signing an email
Send an email to yourself. Compose it and then hit Control-X to send. If “compose-send-offers-first” was selected, you will see: “Send message (filtered thru “gpg-sign”)?” If not, you will see: “Send message (unfiltered)?”
Here are some other possible filters to use:
- Send message (unfiltered)?: no filter at all; will send a 'normal' email.
- Send message (filtered thru "gpg-sign+encrypt")?: uses the "sign+encrypt" filter to send an email that is both signed and encrypted.
- Send message (filtered thru "gpg-encrypt")?: uses the "encrypt" filter to send an email that is encrypted. For most applications, you should use the "gpg-sign+encrypt" filter over this one.
- Send message (filtered thru "gpg-sign")?: uses the "sign" filter to send an email that is signed.
After you have decided on the filter and entered the passphrase, hit “Enter” twice. The message will be signed and delivered to the recipient if you type it correctly. If you sent it to yourself, look at the received message, and you should see something like this at the bottom if everything has gone according to plan:
|
gpg: Warning: using insecure memory! gpg: Signature made Tue Mar6 15:42:39 2001 EST using DSA key ID D3292967 gpg: Good signature from "Ryan W. Maple (Guardian Digital, Inc.) < |
Test 2: Signing and Encrypting an email
Send an email to yourself again and choose the "gpg-sign+encrypt" filter:
|
Send message (filtered thru "gpg-sign+encrypt")? |
A screen like this will show up:
|
RCPTS:-r gpg: Warning: using insecure memory! You need a passphrase to unlock the secret key for the user: "Ryan W. Maple (Guardian Digital, Inc.) < 1024-bit DSA key, ID D3292967, created 2000-11-08 Enter passphrase: |
Enter your passphrase, then press "Enter" two times. If you typed it correctly, then the message is signed, encrypted, and delivered to the recipient, you. The recipient will be prompted to enter the passphrase to access your private key and decrypt the message.
|
You need a passphrase to unlock the secret key for user: "Ryan W. Maple (Guardian Digital, Inc.) < 1024-bit ELG-E key, ID 108996F2, created 2000-11-08 (main key ID D3292967) Enter passphrase: |
You need the recipient’s public key in your keyring to send them an encrypted message, or else pinepgp will cancel the message. Assuming that the public key is in the file publickey.asc, you would import it using this command:
|
[ryan@mastermind ryan]$ gpg --import --armor < publickey.asc gpg: Warning: using insecure memory! gpg: key AB67CD5E: public key imported gpg: Total number processed: 1 gpg:imported: 1 |
To import a key from the keyservers you must first know the key ID. If I wanted to import the key for Bryan G. Seitz,
|
[ryan@mastermind ryan]$ gpg --recv-keys 0xAB67CD5E gpg: Warning: using insecure memory! gpg: requesting key AB67CD5E from wwwkeys.pgp.net ... gpg: key AB67CD5E: public key imported gpg: Total number processed: 1 gpg:imported: 1 |
Another Option for Email Encryption
If you use Netscape or another browser that is not compatible with GnuPG or PGP, you can use procmail, which is a mail processor that formats incoming mail in any way imaginable. A copy of a message will be saved to your ~/mail/PGP, and the original will be placed in your spool file, where you will need to open Pine to decrypt the message. Regardless of your chosen method, email encryption is essential to protect your company and keep your data and network security as safe as possible.
Final Thoughts on Email Encryption
Most network security issues companies face result from improperly protecting sensitive information when sending it to others. Therefore, it is incredibly valuable to incorporate some email encryption service into your work to guarantee that all data you have is kept safe. Consider utilizing GnuPG and Pine if you can, as they are easy to access and set up and can ensure data and network security for anyone who needs them. These services are excellent in helping your company to improve its security posture.
