Let's go further. You will encrypt your mail. It was the first objective of this article series. Yet, there is more to come !
Did you followed the previous steps ?
- Why you should use GPG ?
- Part 1 : Is there any other way than using GPG ?
- Part 2 : Softwares installation
- Part 3 : a slice of theory and logical
- Part 4 : Create and export your keys
- Part 5 : Sign your mail
- Part 6 : Read and write encrypted mail
- Part 7 : Sign keys
- Part 8 : Sign files
- Part 9 : Encrypt files
- Part 10 : GPG Conf’
So, I must have sent you a mail. It is encrypted and you are the only one able to read it.
What did I do ?
When I received your public key, I imported it in my keyring.
It allowed me to analyze it and mail you back this answer: yes, your key is fine.
As I received your public key, I can now send you encrypted mail.
If you received an encrypted mail, you are normally the only person able to read it. But it does not tell you about the sender.
But if I sign it, you can't check the signature, as you need my public key to do so, and I have not yet told you how to do it.
Signing a mail means that I am the true sender of it.
This is the reason your mail software says that this mail is signed with gpg, but it can't check the signature.
Some little caution
Be cautious. Only the main body of the mail is encrypted. The header, subject and other meta-datas (who sent the mail, to whom…) are clair and readable text. It is hard or even impossible to do in another way: how mail servers could know whose mail it is and who to give it if destination is not available ?
Thus, it is good practice to set a neuter subject if you want to insure good confidentiality.
Something like «a good plan» rather than «the great plan to world's domination !» or «last production figures» rather than «prod’ figures rising by 50 %: everything is good baby !»
How to get the public key ?
I could have send you the public key by mail in the same way as you did.
But this is not safe: a malicious person could have hijacked your mail and replaced your key by another.
This is the kind of thoughts I would like you to have: safety on internet is a process, a way of thinking.
On the web
You can place your key on a webpage if you have one. In that case, it is good policy to indicate the fingerprint.
A key fingerprint is a series of numbers and characters unique to the key. It allows to identify (quite safely) a key and same time insure it of its integrity.
Your keys manager can give you this fingerprint. It looks like this :
30CF 1DA5 7E87 6BAA 730D E561 42E0 A02E F1C9 35A4
This fingerprint is the one of Tuto-gpg @ 22decembre.eu GPG key.
Same principle as MD5 sums for downloaded files other the net - Linux distribution iso image for example.
Some persons also set their key fingerprint on their business card, easier to give them.
On the keys servers
Knowing a key fingerprint, it is also possible to find it on the internet ! Actually, on such servers called «keys servers» or «gpg servers».
Here are some servers:
- hkp://pool.sks-servers.net/ NB : you will certainly visit their website.
You can tell gpg which server to use first with your keys manager settings.
The S indicate that you use the server with a secure TLS connexion. This way, if you're a paranoiac, no one knows which keys you are searching.
These servers allow you to make your key public, find keys of people you don't know, and finally check their mails signatures.
The exercise today is to find the tutorial key and send me an encrypted mail.
Find the key
As you understood it, the aim is to make you understand the way keys servers work.
Open your keys manager, and then the dialog box to servers. It will ask you for a string to search, meaning a fingerprint or a mail address.
You can copy-paste the key fingerprint or the mail address (both written above).
Your keys manager will then show you some keys to download.
Either you wrote the mail address, and shall check the fingerprint, or opposite, copied the fingerprint and shall check the address. I actually created several keys, not to screw you but to make you think and work your logic.
This tutorial aims at teach you to use GPG. So you have to use it and confront it.
By the way, please note that these persons signed the key:
They helped me in some ways, because I could use their texts, or they encouraged me to write this tutorial.
These other persons also helped me:
I wish to thank them all. If you want to thank me as well, feel free to give a nice word in your mail, or some little money on the flattr button in the left column.
Now, look at the mail I send you: your mail software might have change its announcement!
Write an encrypted mail
You have to write me an encrypted mail. You can also sign it, but it is not the aim of this part. Do as you want.
Just before sending it, select the Encrypt option or button. Here it is !
Maybe your mail software even proposed you to encrypt the mail while writing it because you now have the needed key.
Isn't it beautiful?
Hey, come to read the last one!