By Weldon Whipple <email@example.com>
This document tells what I have encountered (so far) in getting Philip Zimmermann's Pretty Good Privacy (PGP) to encrypt and sign (and decrypt and verify) e-mail. (I hope to update it as I learn more about PGP)
2 November 2006 update: Two years after writing the first version of this document (after I had "moved on" from PGP), I received a note from Paul Henrichsen, in which he updated the information from the original version. (Thanks, Paul!)
PGP has been around since the early or mid-1990s. During that time quite a few flavors have appeared. Some that appear in the FreeBSD ports collection (/usr/ports/security) include
The most recent Windows version is version 9.5. There is also a version for the Mac.
Note: After learning PGP the wrong way--using documentation from 1995, which was of no help in sorting out the versions that are around in 2003--I discovered David Wood's 1999 book entitled Programming Internet Mail (O'Reilly), which describes the PGP landscape in 1999. According to Wood, RFCs 1991 ("PGP Message Exchange Formats") and 2015 ("MIME Security with Pretty Good Privacy") described a PGP that had few prospects of ever becoming an Internet standard, because it used proprietary RSA (for key exchange) and IDEA (for encryption). The newer RFC 2440 describes a non-proprietary OpenSSL, which retains the message structures of RFC 2015 but eliminates the proprietary technologies of earlier PGPs. PGP's version 5 was the first to implement OpenPGP. GnuPG isn't mentioned in Wood's book. It appears that it might be the PGP of choice for Open Source fans. Others might want to use PGP version 5 or later?
Seeing no reason not to, I first installed pgp version 2--the one named "pgp" in the FreeBSD ports tree. As root, I entered the commands:
# cd /usr/ports/security/pgp # make # make install # make clean
Then, when I typed "pgp", the following appeared:
Pretty Good Privacy(tm) 2.6.3ia - Public-key encryption for the masses. (c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 1996-03-04 International version - not for use in the USA. Does not use RSAREF. Current time: 2003/06/17 23:37 GMT For details on licensing and distribution, see the PGP User's Guide. For other cryptography products and custom development services, contact: Philip Zimmermann, 3021 11th St, Boulder CO 80304 USA, phone +1 303 541-0140 For a usage summary, type: pgp -h
I generated a key pair for "Weldon Whipple <firstname.lastname@example.org>", placed it/them in my public and private key rings, and proceeded to look for a way to integrate PGP with e-mail clients. (I use several, on several platforms.)
"Googling," I found many PGP tutorials and howto's, including one for integrating PGP with pine (University of Washington's e-mail client). Since I sometimes use pine, I decided to start there. The instructions mentioned commands like pgpe, pgpv, pgpk, etc.--which didn't exist on my FreeBSD box.
Returning to FreeBSD's ports, I found /usr/ports/security/pgp5. Thinking that I might need a more current version, I installed that version. Sure enough, it had the commands I wanted. I proceeded to integrate pine with pgp version 5.
I noticed that versions 2 and 5 of PGP are able to coexist on the same box!
The instructions I found for integrating PGP and pine worked for only version 5 of PGP. Looking further on Google, I found pgp4pine. I located pgp4ping in the FreeBSD ports tree and installed it. By following its instructions, I got PGP version 2 to work. With a little more effort I was able to get pgp4pine to support both versions 2 and 5.
With two different versions of PGP coexisting on one machine, I decided to try version 6 from /usr/ports/securigy/pgp6. It installed with little effort. When I tried to send mail with version 6, however, I saw a message implying that it was still under development and possibly not quite stable. Sure enough, it failed to work for me. I subsequently deinstalled pgp6 and reinstalled pgp (i.e. pgp version 2).
Still hopeful that I might be able to get other PGP variants to coexist with PGP versions 2 and 5, I browsed /usr/ports/security and found the gnupg (GnuPG--GNU Privacy Guard) port. Its installation was uneventful, and I was able to incorporate it as a third PGP flavor in my .pgp4pinerc configuration file.
The portable Thunderbird with enigmail and gnupg plugins is highly recommended as a pgp client for Windows. -- P. Henrichsen
With each of the three PGP versions I installed, I initially created (different) public/secret key pairs--using each version's own syntax for creating keys. I eventually decided this was a bad idea, so I deleted the keys from PGP 5 and GnuPG. Then I exported the original PGP 2 keys (using PGP v2 commands) and imported them into my PGP 5 and GnuPG key rings.
% pgp -kxa 'Weldon Whipple <email@example.com>' ~/weldon-pub.asc pubring % pgp -kxa 'Weldon Whipple <firstname.lastname@example.org>' ~/weldon-sec.asc secring
% pgpk -a ~/weldon-pub.asc % pgpk -a ~/weldon-sec.asc
I verified the import with the command:
% pgpk -l
% gpg --import ~/weldon-pub.asc ~/weldon-sec.asc
I verified the import with the command:
% gpg --list-keys
After I felt comfortable with PGP, I submitted my public key to a key server, so that others can send me secure mail. I visited http://pgpkeys.mit.edu:11371 to share my key.
I'll continue to explore PGP, but also want to investigate S/MIME, which uses SSL/TLS certificates and is more recent than PGP (and accomplishes similar things). Unless S/MIME is totally obvious, I might document what I learn about S/MIME.