Using GPG

This page describes how to encrypt/decrypt files for/from Michael using the command line GNU Privacy Guard program gpg. If you are using a GPG desktop application such as Kleopatra (via Gpg4win on Windows) or GPG Services (via GPG Suite on macOS), then you should consult the documentation for that application. A link to Michael's public key is available on the contact page.

Import Public Key

Assuming you have gpg, here is the command to import Michael's public key from pgp.mit.edu:

$ gpg --keyserver pgp.mit.edu --recv-keys 55D897A5

Sign & Encrypt File

Assuming you have gpg and your own key, here is the command to sign and encrypt a file called filename that you want to send to Michael (55D897A5):

$ gpg --armor --sign --encrypt --recipient 55D897A5 filename

This will produce a file called filename.asc that you can safely email as an attachment or by copying its contents directly into the email. Here is a rundown of the options passed to gpg:

  • --armor will create ASCII armored output
  • --sign will sign the input file
  • --encrypt will encrypt the signed input
  • --recipient 55D897A5 specifies that Michael is the recipient

Do not trust me on this! Consult the manual page for gpg for details about the options above.

Email using Mutt

If you have mutt, then you can email filename.asc, as an attachment, directly to Michael using the following command:

$ mutt -s "subject here" -a filename.asc -- EMAIL_ADDRESS

For school-related emails, please replace EMAIL_ADDRESS with mepcott@uga.edu. For all other emails, please replace EMAIL_ADDRESS with mepcotterell@gmail.com. If you have multiple files, then you can send multiple attachments using something like the following command:

$ mutt -s "subject here" -a filename1.asc -a filename2.asc -- EMAIL_ADDRESS

Verify Signed File

Let's assume you have gpg and a signed file filename.asc that you think you got from Michael. You can tell if filename.asc is only signed (and not encrypted) if it contains BEGIN PGP SIGNED MESSAGE near the head of the file. This also means that you can go ahead and read the message. The next step is to verify that the message came from Michael. Here is the command to verify the signature:

$ gpg --verify filename.asc

If gpg is able to verify the signature, then it will display something like the following:

gpg: Signature made Sun Oct 22 14:43:24 2017 EDT
gpg:                using RSA key B802A237CF54C469A856ADBD8D6FBDFF55D897A5
gpg: Good signature from "Michael E. Cotterell (Supa' Mike) <mepcotterell@gmail.com>"

Do not trust this just because it says "Good signature" and has Michael's name and email address. You should verify the fingerprint for the key (i.e., the long hexadecimal number on the second line) with the fingerprint provided on the contact page.

Here is a sample signed message from Michael that you can verify:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

pgp and gpg are cool
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEuAKiN89UxGmoVq29jW+9/1XYl6UFAlntA3gACgkQjW+9/1XY
l6XHuAgAiT3zVkllHG/SszliV3t4/zS+Cg4cEshsiR196KJrcHFdG2MAnabaaOWf
jAJbPwrYGRKon7NaWSRMREaKte6i6R/aUaBS4pV55rFZv/EaOrDlkwD4z6n1nwSG
sYiXaVeSrECcicqSrQME8WzZk46cRYfq36YyxMPDbnQtD6YYKbDwEMVM42CyI232
pOmOJwa8IfpvwzkyysvnfsT5a6F0atsvF3LgPwloqgQti6V/8ks2dKQQW2YBFG8v
JUgFjX2Df1wUzWCjy7PqUVt5JXj9w0winaUYshuPNUyIWL/h9djqMAOUoRYzzcuK
26UCfzWZtXQfwj5WfFlqC+wg9gM5rA==
=saFw
-----END PGP SIGNATURE-----

Decrypt Encrypted File

Let's assume you have gpg and a signed and encrypted file filename.asc that you think you got from Michael. You can tell if filename.asc is signed and encrypted if it contains BEGIN PGP MESSAGE near the head of the file. This also means that you cannot read the message until it's been decrypted. Here is the command to verify the signature and decrypt the file:

$ gpg --decrypt filename.asc

If gpg is able to decrypt and verify the file, then it will display something like the following:

gpg: encrypted with 2048-bit RSA key, ID A0C7943BDED0988D, created 2017-10-22
      "Michael E. Cotterell (Supa' Mike) <mepcotterell@gmail.com>"
message contents here
gpg: Signature made Sun Oct 22 14:16:10 2017 EDT
gpg:                using RSA key 8D6FBDFF55D897A5
gpg: Good signature from "Michael E. Cotterell (Supa' Mike) <mepcotterell@gmail.com>"

Do not trust this just because it says "Good signature" and has Michael's name and email address. You should verify the fingerprint for the key (i.e., the hexadecimal number on the line beginning "using RSA key") with the fingerprint provided on the contact page.
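
The fingerprint comparison recommended in the verify and decrypt sections above can be scripted. The following is an added example, not part of the original page: it reads gpg's machine-readable --status-fd output and succeeds only when the signature was made under a pinned 40-hex-digit fingerprint, refusing short key IDs such as 55D897A5 because they are not unique. The function names, the impostor fingerprint and the timestamps are constructed for illustration; EXPECTED_FPR is copied from the sample output above and should be confirmed against the contact page.

```shell
#!/bin/sh
# Added example, not from the original page.
# Pinned full fingerprint. This value is copied from the sample gpg output on
# this page; confirm it against the contact page before relying on it.
EXPECTED_FPR="B802A237CF54C469A856ADBD8D6FBDFF55D897A5"

# status_matches_fpr FPR: read `gpg --status-fd` output on stdin; succeed only
# if a valid signature was made under primary key FPR and no signature in the
# input is bad, unverifiable, or made under a different key.
status_matches_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    # Refuse short or long key IDs such as 55D897A5: they are not unique.
    [ "${#want}" -eq 40 ] || return 2
    case $want in *[!0-9A-F]*) return 2 ;; esac
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key; field 12, when present,
            # is the fingerprint of the primary key it belongs to.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }'
}

# verify_pinned FILE: run gpg on a signed file and apply the check above.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null |
        status_matches_fpr "$EXPECTED_FPR"
}

# Constructed status output (timestamps and the impostor key are made up).
# The impostor shares the short ID 55D897A5 but has a different fingerprint.
SAMPLE_GOOD='[GNUPG:] GOODSIG 8D6FBDFF55D897A5 Michael E. Cotterell
[GNUPG:] VALIDSIG B802A237CF54C469A856ADBD8D6FBDFF55D897A5 2017-10-22 1508697804 0 4 0 1 8 01 B802A237CF54C469A856ADBD8D6FBDFF55D897A5'
SAMPLE_IMPOSTOR='[GNUPG:] GOODSIG 89ABCDEF55D897A5 Michael E. Cotterell
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF55D897A5 2017-10-22 1508697804 0 4 0 1 8 01 0123456789ABCDEF0123456789ABCDEF55D897A5'
```

Source the file and run verify_pinned filename.asc; a zero exit status means the pinned key made the signature. With gpg --decrypt, write the plaintext to a file using --output so that message text cannot be mistaken for status lines.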