Below is the public PGP encryption key for Alan Eliasen, (email@example.com) in armored OpenPGP format.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.12 (GNU/Linux) mQGiBD0ZXm4RBADS59M4Dy4aOBUA59mKkNg+bWqeKenYs+zTk7O8QKfqgKxLBNya R9x1ZJ0WARCzjM6wbFvg/2cZyLEvGFqXdVXPuKlB9jR1cgKH+KClOLFWdIJng6B+ lwxw9ho7uE2Gf+faBOktvGaUWk5E8rAwdBkIuvYqDc1YwYcG3iN5zAdNpwCg2JS5 NUqwRMKEVd1q0qUGKuni9ykD/17kSo6XSnirbLE8I4hKt76G09XYaIGioCzyMAv6 kcHJ47yxVRpzTXH5K1Wq09HhHUnW1oZ1tRA0YxwrEESW/fns/U7IU4BgilXKF81m 0fo/NAHVrkgas5MuA0Tb5wR6KrJwvYrVF1JqKFjeswan+SfWsQ440R8xhnyNlUTN DICgBACcth1uXuUo5rciL7kETZ2ge+aK64SpEJzwhBZFgPsrNjLOGmIP9O3A9eWR fM/kghpBP0cBxryyojYTh9E+vqEsFFxPhNtqo7hMd7NDdHLqn4y1FbgbugpdZhpE h/L93EZzj9qRFRL4a8hsouroBw5IeTdg8cDwl49SqP4BilzVqLREQWxhbiBFbGlh c2VuIChodHRwOi8vZnV0dXJlYm95LmhvbWVpcC5uZXQvKSA8ZWxpYXNlbkBtaW5k c3ByaW5nLmNvbT6IVwQTEQIAFwUCPRlebgULBwoDBAMVAwIDFgIBAheAAAoJEOSB hLWwVnaxgnsAn1vhCRNK/4Qfb0OXfqy7JylWxWgbAJ42lrhz8XK5NOS7t29BDwem 0D+CfohFBBARAgAGBQI+I5z4AAoJEBQ6+k4y8bDkbEsAmOhZGZbyblTfYc//JyU/ 5GJxYdAAnjU1x/LPJ5o3HPnM63rvFnBS7SW9iEYEEhECAAYFAj7BwZ0ACgkQnN+4 1NpzKvdfGQCeME6xs7y4NR19xsrGuOTC7KDIkwUAn0A8JZR4s/HhbegcqWuQKBP4 uo88iEYEExECAAYFAkR+J1YACgkQ370QvkqtFkw+OQCfdrYDIBU0qD40LTNfOIbz pVb5jDYAnil88lTfVnriKsYUKHjhQ4uPWRPCuQENBD0ZXnEQBACrfxe432NVrvgV Yjas8SWLGEfBUeMqrIytcfm7TP6YNRyyzUufL2lnFpaREkO/mLN61bMfQSrmzaR1 wk/KNnwWTIp9UdVVxLhfQWJpG2b1GlwlHVEwEG8Dw2lxinPU7mg1OkceyizPjeRV hoxB9NCpV0L3aFb3+GQku4ZzMsDJBwAECwP+LVkqEJgPwz+AmhqveFVSbsy5yDBr oP814XMbNaw3IILQaBPwPKHa3xmOB16pb2MIzy0m3Vxq2qOITs6LAeUvtRS9ERI1 hJSchncL6Kl1D6eplVuoU5lIA1jfYmjGHrVNUkyjoPU+dLb0BJZ2PGLGxH0DwWIY gKaQz2CDCh/11WaIRgQYEQIABgUCPRlecQAKCRDkgYS1sFZ2sXzTAJ4ks2Z4eVtZ vDZvz3jlgBYAQFBx0gCgmINosOaFJGJlTwsALWhJGmXls3k= =MNy0 -----END PGP PUBLIC KEY BLOCK-----
This is also available in a plaintext file.
The simplest way from an e-mail client (like Enigmail) is to simply e-mail the plaintext version of my key to your own e-mail address and choose the option like "Import PGP Key." My key is also available from pgp.mit.edu (interactively.)
If your e-mail client doesn't allow automatic import of keys from an e-mail message, you will need to save the plaintext file listed above key to a file, then import the key manually. From GNU Privacy Guard, this is:
gpg --import [filename]
A more general approach (that works for other people too) is to import
their keys from a keyserver. My key is available from
pgp.mit.edu (all the major keyservers mirror each other, so
you could probably get it from the keyserver of your choice, but this one
seems to be pretty reliable.) From GNU Privacy Guard, you can import my
gpg --keyserver pgp.mit.edu --search-keys firstname.lastname@example.org
Or, even more directly, my public key id is B05676B1, so the following would import it directly from a keyserver:
gpg --keyserver pgp.mit.edu --recv-keys B05676B1
Read on, though, and see why just importing some key off a keyserver isn't enough to be sure that you're talking with me.
Big Brother monitors the status of keyservers in real-time. If you're having trouble importing signatures from a specific keyserver, or want a list of available keyservers, you might want to look there.
I accept and transmit all messages using the OpenPGP format, which is an open standard, and the most widely used standard for public encryption, so communiciation should work with any OpenPGP-compatible mail client.
For encryption and signing of e-mail (on both Windows and Linux,) I use a combination of:
In Enigmail, I've had the best luck setting the keyserver to default to
The Gnu Privacy Guard FAQ, question 4.15 lists some of the other e-mail programs compatible with GPG.
Alternately, I sometimes use the
pgg package in Emacs/XEmacs
which is a wrapper around the
gpg executable's functions. For
encrypting files, or doing anything more interesting, I just use the
gpg program on the command-line. If you're security-paranoid,
the fewer executables, the better.
If you're on Fedora, you will have better luck installing Enigmail from the Fedora distribution rather than obtaining it elsewhere. Install it by doing the following as root:
yum install thunderbird-enigmail
Or, to install all required packages at once:
yum install gnupg thunderbird thunderbird-enigmail
After installing or updating in Fedora, you may not see the OpenPGP menus
in Thunderbird until going to
Tools | Add-ons and then
disabling Enigmail, restarting Thunderbird, re-enabling Enigmail, and
I'm not going to give an overly-simplified "Getting Started" section here because that may falsely lead you to believe that you're being secure. The best way to get started with encryption is to go to the home site for GNU Privacy Guard and read the "GNU Privacy Handbook" (available in lots of formats and languages) under the "Guides" section. This will quickly walk you through setting up GPG on your system, including creating your secret keys. Hint: It'll likely start with:
which should be followed closely by:
The latter generates a revocation certificate which can be used to revoke your key if it is ever lost or compromised. Print it out, save it on a diskette, and store it safely.
If you have multiple unrevoked public keys and you have messages that say something like "I lost that one, this new key supersedes the other ones," (and I've seen this from people who like to claim crypto experience) then I know instantly that I can't trust you to follow good practice and maintain your secret information, and that I shouldn't trust you with my secrets. So protect your revocation key like you protect your secret keys. Read on to see why the "this key is my new key, ignore the others" excuse is an immediate "red flag" that should make you suspect either cryptographical incompetence or warn you that the person's being impersonated.
Now, since you have my public key, are we secure? Well, no, not at all. Lots of people just getting started with cryptography don't realize that they have to somehow verify that this key belongs to me. To me, Alan Eliasen. The one who wrote this message. How do you know that the public key posted above is the one I posted? After all, the bad guys could have replaced it somehow.
Listen carefully. This is important. Anyone can generate a public key for any e-mail address. Anyone can post that key to any key server. Only by verifying that the key really belongs to the person you think it does does it give you any security. Without this crucial verification, all that your cryptographic software does is ensures that bits weren't corrupted during transmission, and prevents casual observers from reading the message. It does not mean that you're talking to who you think you are. You could be talking to someone else entirely (a bad guy,) or you could be subject to a man-in-the-middle attack.
Still, if you want to send me encrypted e-mail, that may prevent others than you and I from reading it. That's good, and sometimes that's all you need. Just understand why I don't have any reason to trust that you're who you say you are, and you don't have any reason to trust that you're really talking to me unless you've verified my key with me. Before I trust you with any secrets, I'll validate your identity.
A key could be verified in many ways (such as, I could read you my whole public key, which is really time-consuming and error-prone. It's also bad because the key you see above can get longer and longer as other people sign it.) The usual alternative is to compare the fingerprint of what you think my public key is with the fingerprint of what I know my public key is.
A fingerprint is a shorter number (usually expressed in hexadecimal) that contains a cryptographically strong hash of my public key. It's shorter than my full key, so it's not an unfoolable test, but the probability of finding another key with this fingerprint is very small indeed. Infinitesimally small. So small you don't have to worry about it. If someone else can find a matching fingerprint, they have enough power and money that they could make you vanish from the face of the earth. So, after you've imported my key, type:
gpg --fingerprint email@example.com
Then, you need to verify this fingerprint with me. It's best to do it face-to-face, but if it's someone you know by voice, you can do it on the phone. If you don't know the person, check their driver's license. Ask other people (that you trust) who know them. Even if you don't know them, at least you're verifying that the key belongs to the person you're talking to.
The other person will need to verify that their (unverified) copy of your public key matches what you know your public key to be. So bring a copy of your own fingerprint to the exchange:
gpg --fingerprint firstname.lastname@example.org
Of course, change the e-mail address above to your e-mail address.
Corollary: Anyone who puts the fingerprint of their key in their e-mail signature, or in a web page obviously doesn't understand cryptography and the need for proper verification. Don't trust them with your big secrets. Think about it. If someone's pretending to be you, and forging your e-mail or your web site, they'd certainly replace the fingerprint too. It's utterly silly to rely on. If you see someone with their key fingerprint in their e-mail signature, it's a 100% reliable sign that they don't understand cryptography and the process of being secure.
If you wish to verify this key, please contact me and I will verify its fingerprint in a public meeting-place. I will be wearing a trenchcoat and a navy blue ascot. You must wear or carry a yellow tulip. Any other flower signifies that contact should be aborted, even if the exchange below is executed correctly. I must not underestimate the necessity of having an adequate stock of proper yellow tulips on hand for this purpose.
I will say "The adobe is filled with an excess of straw this season."
You must reply "The straw is for the young lambs which roam the heaths near Glasgow in the green, green spring."
If I am satisfied with your response, I will reply "The greens at Saint Andrew's are boiled with ham and contain an excess of bitter kale."
Do not make eye contact or show signs of recognition. If necessary, I will read the hexadecimal digits of the fingerprint while feigning a book order on my cell phone.
If you have verified my key, and trust me (and trust your own verification,) be sure to sign it.
Now that you've verified my identity, and my public key, you need to tell your cryptographical software that you trust my key. Otherwise, your cryptographical software should do the right thing and warn you that you're communicating with someone that you haven't verified. It's telling you that it has no reason to believe that the key you're using is the one that actually belongs to that person. So, to sign my key, you'll do something like:
gpg --sign-key email@example.com
This will give you some options for signing the key. Even better would be to edit your signature and trust settings for this user using the interactive menu:
gpg --interactive --edit-key firstname.lastname@example.org
Hint: Type "help" for the interactive commands. The commands "sign" and "trust" are the ones you're looking for. These allow you to both sign a key and indicate how much you trust me to verify other peoples' keys. If you think I'm stupid and lax when verifying and signing other peoples' keys, you'd assign me a low trust rating.
After you've signed someone's key, you should send it back to them so they can show other people that you've signed it. You can export this using:
gpg --export --armor email@example.com
and then sending that output to them. They can then import the changes using
You can also upload that signature to a keyserver, which makes that
signature available to the world. See the
which requires you to know the key ID.
If you're really not sure about my identity, and don't want to vouch for me publically, you can locally sign my key, which means that you trust it for your own use only:
gpg --lsign-key firstname.lastname@example.org
Hint: If you publically sign my key without actually verifying it with me, I'm going to assign you a very low trust rating.
Please send comments or questions to Alan Eliasen.
Back to Alan's Home Server