Chapter 10. Encryption with KGpg

Contents

10.1. Why Signing and Encrypting?
10.2. Generating a New Key Pair
10.3. Exporting the Public Key
10.4. Importing Keys
10.5. The Key Server Dialog
10.6. Text and File Encryption
10.7. For More Information

KGpg is an important component of the encryption infrastructure on your system. This program helps you to generate and manage all needed keys. Use its editor function for the quick creation and encryption of files or use the applet in your panel to encrypt or decrypt by dragging and dropping. Other programs, such as your mail program (Kontact or Evolution), access the key data to process signed or encrypted contents. This chapter covers the basic functions needed for daily work with encrypted files.

10.1. Why Signing and Encrypting?

Signing

Signing means attaching an electronic signature to mails or even to software to prove where they really come from. To prevent someone from writing mails in your name, and to protect both you and the people you send mails to, sign your mails. Signatures let you easily check the sender of the mails you receive and distinguish legitimate mails from malicious ones.

Software developers sign their software so you can check its integrity. Even if you obtained the software from an unofficial server, you can verify the package against the signature.

Encrypting

You might have sensitive information you want to protect from other parties. Encrypting transforms data so that it is unreadable for others. This is especially important for companies that must protect internal information as well as the employees' privacy.

10.2. Generating a New Key Pair

To be able to exchange encrypted messages with other users, first generate your own key pair. One part of it—the public key—is distributed to your communication partners, who can use it to encrypt the files or e-mail messages they send. The other part of the key pair—the private key—is used to decrypt the encrypted contents.

[Important] Private Key versus Public Key

The public key is intended for the public and should be distributed to all your communication partners. However, only you should have access to the private key. Do not grant other users access to this data.

Start KGpg from the main menu or press Alt+F2 and enter kgpg. When you start the program for the first time, an assistant appears to guide you through the configuration. Follow the instructions up to the point where you are prompted to create a key. Enter a name, an e-mail address, and, optionally, a comment. If you do not like the default settings provided, also set the expiration time for the key, the key size, and the encryption algorithm used. See Figure 10.1, “KGpg: Creating a Key”.

When you start KGpg in later sessions, only a small icon with a padlock appears in the system tray. Click that icon to display the main KGpg window on your desktop.

Figure 10.1. KGpg: Creating a Key

Confirm your settings with OK. The next dialog prompts you to enter a password twice. The relative strength of your chosen password is measured and displayed by the Password strength meter. The program then generates the key pair and displays a summary. It is a good idea to save or print a revocation certificate right away. Such a certificate is needed if you forget the password for your private key and need to revoke it. After you confirm with OK, KGpg displays its main window. See Figure 10.2, “The Key Manager”.

Figure 10.2. The Key Manager

10.3. Exporting the Public Key

After generating your key pair, make the public key available to other users. This enables them to use it to encrypt or sign the messages or files they send you. To make the public key available for others, select Keys+Export Public Key(s). The dialog that opens offers four options:

Email

Your public key is sent to a recipient of your choice by e-mail. If you activate this option and confirm with OK, the dialog for creating a new e-mail message with KMail appears. Enter the recipient and click Send. The recipient receives your key and can then send you encrypted contents.

Clipboard

You can place your public key here before continuing to process it.

Default Key Server

To make your public key available to a wide audience, export it to one of the key servers on the Internet. For more information, refer to Section 10.5, “The Key Server Dialog”.

File

If you prefer to distribute your key as a file on a data medium instead of sending it by e-mail, click this option, confirm or change the file path and name, and click OK.

10.4. Importing Keys

If you receive a key in a file (for example, as an e-mail attachment), integrate it in your key ring with Import Key and use it for encrypted communication with the sender. The procedure is similar to the procedure for exporting keys already described.

10.4.1. Signing Keys

Keys can be signed like any other file to guarantee their authenticity and integrity. If you are absolutely sure an imported key belongs to the individual specified as the owner, express your trust in the authenticity of the key with your signature.

[Important] Establishing a Web of Trust

Encrypted communication is only as secure as your ability to positively associate the public keys in circulation with the specified users. By cross-checking and signing these keys, you contribute to the establishment of a Web of Trust. For these reasons, make absolutely sure you only sign keys you have personally checked.

Select the key to sign in the key list. Select Keys+Sign Keys. In the following dialog, designate the private key to use for the signature. An alert reminds you to check the authenticity of this key before signing it. If you have performed this check, click Continue and enter the password for the selected private key in the next step. Other users can now check the signature by means of your public key.

10.4.2. Trusting Keys

Normally, you are asked by the corresponding program whether you trust the key, that is, whether you assume it is really used by its authorized owner. This happens each time a message needs to be decrypted or a signature must be checked. To avoid this, edit the trust level of the newly imported key. By default, the newly imported key is listed with a white box, meaning that no concrete value has been assigned for the trust level. To trust a key, do the following:

  1. Right-click the newly imported key to access a small context menu for the key management.

  2. Select Sign Keys. KGpg opens a dialog that asks the user to recheck the fingerprint of the key.

  3. Use Continue to access the key signing dialog.

  4. Select your trust level, for example, select I Have Done Very Careful Checking. Finish this dialog.

  5. Enter your passphrase to finish the key signing process. The imported key now appears green in the trust column.

The lower the trust level, the less you trust the signer of the key to have checked the true identity of the keys he signed. You may be entirely sure about the signer's identity, but he may not check other people's identities properly before signing their keys. Therefore, you could still trust him and his own key but assign lower trust levels to the keys signed by him. Note that the trust level does not trigger any automatic actions by KGpg.

10.5. The Key Server Dialog

Several Internet-based key servers offer the public keys of many users. To engage in encrypted communication with a large number of users, use these servers to distribute your public key. For this purpose, export your public key to one of these servers. Similarly, KGpg enables you to search one of these servers for the keys of certain people and import their public keys from the server. Open the key server dialog with File+Key Server Dialog.

10.5.1. Importing a Key from a Key Server

By means of the Import tab in the key server dialog, import public keys from one of the Internet-based key servers. Select one of the preconfigured key servers and enter a search string (e-mail address of the communication partner) or the ID of the key to find. When you click Search, your system connects to the Internet and searches the specified key server for a key that matches your specifications. Refer to Figure 10.3, “Search Screen for Importing a Key”.

Figure 10.3. Search Screen for Importing a Key

If your search on the key server is successful, a list of all retrieved server entries is displayed in a new window. Select the key to include in your key ring and click Import. See Figure 10.4, “Hits and Import”. Confirm the following message with OK then exit the key server dialog with Close. The imported key then appears in the main overview of the key manager and is ready for use.

Figure 10.4. Hits and Import

10.5.2. Exporting Your Keys to a Key Server

To export your key to one of the freely accessible key servers on the Internet, select the Export tab in the key server dialog. Designate the target server and the key to export by means of two drop-down menus. Then start the export with Export.

Figure 10.5. Exporting a Key to a Key Server

10.6. Text and File Encryption

KGpg also offers the possibility to encrypt text or clipboard contents. Right-click the padlock icon and find the options Encrypt clipboard and Decrypt clipboard as well as the option for opening the integrated editor.

10.6.1. Encrypting and Decrypting the Clipboard

Files copied to the clipboard can easily be encrypted with a few clicks. Open the function overview by right-clicking the KGpg padlock icon. Select Encrypt Clipboard and designate the key to use. A status message about the encryption procedure is displayed on the desktop. The encrypted contents can now be processed from the clipboard as needed. The decryption of clipboard contents is just as easy. Simply open the menu on the panel, select Decrypt Clipboard, and enter the password associated with your private key. The decrypted version is now available for processing in the clipboard and in the KGpg editor.

10.6.2. Encrypting and Decrypting by Dragging and Dropping

To encrypt or decrypt files, click the icons on the desktop or in the file manager, drag them to the padlock in the panel, and drop them there. If the file is not encrypted, KGpg asks for the key to use. As soon as you select a key, the file is encrypted without any further messages. In the file manager, encrypted files are designated with the suffix .asc and the padlock icon. These files can be decrypted by clicking the file icon, dragging it to the KGpg symbol in the panel, and dropping it there. If the original filename already exists, a dialog opens that asks how to name the file or if it should be overwritten.

10.6.3. The KGpg Editor

Instead of creating contents for encryption in an external editor then encrypting the file with one of the methods described above, you can use the integrated editor of KGpg to create the file. Open the editor (Open Editor from the context menu), enter the desired text, and click Encrypt. Then select the key to use and complete the encryption procedure. To decrypt files, use Decrypt and enter the password associated with the key.

Generating and checking signatures on documents is just as easy as encrypting directly from the editor. Select a file in the file manager and copy it to the clipboard. Right-click the padlock icon in the panel and select Sign/Verify Clipboard. Then choose the private key to use and enter the associated password. KGpg reports the successful generation of the signature. Files can also be signed from the editor by simply clicking Sign/Verify. To check a signed file, go to File+Open Editor, load the file to check in the editor, and click Sign/Verify.

10.7. For More Information

For theoretical background information about the encryption method, refer to the brief and clear introduction on the GnuPG project pages at http://www.gnupg.org/documentation/howtos.html.en. This document also provides a list of further information sources.