
[OCLUG-Tech] Quick followup to the GPG talk

Sorry for the delay in sending this, I had a few more commitments before I had the luxury of getting back to the fun stuff.

One item I left out is that there are two versions of GPG currently in use. This is taken from the GnuPG page:

   "GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth 
    of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.

   GnuPG comes in two flavours: 1.4.12 is the well known and portable standalone version, whereas 2.0.19 is the enhanced
   and somewhat harder to build version."

It doesn't really matter which version you are using.

Something else that cropped up is that the order of arguments seems to matter at least for some versions. I've noticed that if they are in the wrong order, either they are ignored or it provides a message that almost tells you what is wrong. Your mileage may vary.

As I said in the talk, there are a couple of commands that you need to know:

1) Uploading a key to a server:
       gpg --keyserver pgpkeys.mit.edu --send-keys HEXKEYID

2) Searching and importing a key:
       gpg --keyserver pgpkeys.mit.edu --search-keys <user@domain | HEXKEYID>

3) Signing a key. If you have one key:
       gpg --sign-key HEXKEYID
   If you have multiple keys, you need to indicate which key you are signing with:
       gpg -u MYKEY --sign-key HEXKEYID

4) Exporting a key to send via email:
       gpg --armor --output HEXKEYID.gpgkey --export HEXKEYID

I also said I'd send some links to tutorials on using gpg.

Here are some beginner ones:
- Ubuntu based and includes a gui - http://ubuntuforums.org/showthread.php?t=680292
- Beginners guide from Nat Queen - http://www.queen.clara.net/pgp/art3.html
- GPG/PGP Basics - http://aplawrence.com/Basics/gpg.html

I was also asked about a list of gpg commands. You can type --help after the gpg and you will get a list of commands, but not a whole lot of detail on how to use them. The following pages have some good examples:
- The official Commands section of the GPG manual - http://www.gnupg.org/documentation/manuals/gnupg/GPG-Commands.html#GPG-Commands
- This one is fairly old, but most (if not all) is still valid - http://www.spywarewarrior.com/uiuc/gpg/gpg-com-0.htm
- The GNU Privacy Handbook - http://www.gnupg.org/gph/en/manual/c14.html
- The GnuPG Documentation page - http://www.gnupg.org/documentation/index.en.html
- The Debian Project has a discussion on keyrings - http://keyring.debian.org/

A quick tutorial on key revocation:
- http://www.hackdiary.com/2004/01/18/revoking-a-gpg-key/

A fundamental security concepts tutorial:
- http://gdp.globus.org/gt4-tutorial/multiplehtml/ch09.html

Last but not least:
- The diceware page - http://world.std.com/~reinhold/diceware.html
- The diceware Security Blog - http://diceware.blogspot.ca/
- I mentioned TrueCrypt - http://www.truecrypt.org/

-- 
Scott Murphy, CISSP
Owner & Consultant  | Arrow-Eye Consulting Inc.
112 Springcreek Cres. | Kanata | ON | K2M 2K8 | Canada
O: 613-270-1387 | C: 613-769-9363
email: scott [ dot ] murphy [ at ] arrow-eye [ dot ] com | web: http://www.arrow-eye.com
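
The choice between the two signing forms in step 3 can be made from gpg's machine-readable listing. The script below is an added example, not part of the original post: the function names are hypothetical, the sample listing is constructed, and MYKEY is assumed to be given as a full long key ID.

```shell
#!/bin/sh
# Added example (not from the original post): pick the right --sign-key form.
# Input on stdin is `gpg --list-secret-keys --with-colons` output.

# Long key ID (field 5) of each secret primary key that is not revoked ("r")
# or expired ("e") according to the validity field (field 2).
secret_key_ids() {
    awk -F: '$1 == "sec" && $2 != "r" && $2 != "e" { print $5 }'
}

# Usage: sign_command HEXKEYID [MYKEY] < colon-listing
# Assumption of this sketch: MYKEY is given as a full long key ID.
sign_command() {
    target=$1 mykey=${2:-}
    case $target in
        ''|*[!0-9A-Fa-f]*) echo "bad key ID: $target" >&2; return 2 ;;
    esac
    ids=$(secret_key_ids)
    count=$(printf '%s\n' "$ids" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "no usable secret key" >&2; return 1
    elif [ "$count" -eq 1 ]; then
        echo "gpg --sign-key $target"
    elif [ -z "$mykey" ]; then
        echo "several secret keys; choose one with -u:" >&2
        printf '  %s\n' $ids >&2
        return 1
    elif printf '%s\n' "$ids" | grep -qixF -- "$mykey"; then
        # Options such as -u go before the command; its key ID goes after.
        echo "gpg -u $mykey --sign-key $target"
    else
        echo "$mykey is not one of your secret keys" >&2; return 1
    fi
}

# Constructed sample listing: two usable secret keys and one revoked key.
sample_listing() {
    cat <<'EOF'
sec:u:2048:1:AAAA1111BBBB2222:1350000000:::u:::scESC:
uid:u::::1350000000::0000::Alice Example <alice@example.org>:
sec:r:2048:1:EEEE5555FFFF6666:1300000000:::-:::sc:
sec:u:2048:1:CCCC3333DDDD4444:1351000000:::u:::scESC:
EOF
}

sample_listing | sign_command 0123456789ABCDEF CCCC3333DDDD4444
```

To use it against a real keyring, replace `sample_listing` with `gpg --list-secret-keys --with-colons`.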