Appendix B. Getting Started with Gnu Privacy Guard

Have you ever wondered if your email can be read during its transmission from you to other people, or from other people to you? Unfortunately, complete strangers could conceivably intercept or even tamper with your email.

In traditional (also known as "snail") mail, letters are usually sealed within envelopes, stamped and delivered from post office branch to branch until they reach their destination. But sending mail through the Internet is much less secure; email is usually transmitted as unencrypted text from server to server. No special steps are taken to protect your correspondence from being seen or tampered with by other people.

To help you protect your privacy, Red Hat Enterprise Linux 4 includes GnuPG, the GNU Privacy Guard, which is installed by default during a typical Red Hat Enterprise Linux installation. It is also referred to as GPG.

GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP (Pretty Good Privacy, a widely popular encryption application). Using GnuPG, you can encrypt your data and correspondence as well as authenticate your correspondence by digitally signing your work. GnuPG can also decrypt and verify messages produced by PGP 5.x.

Because GnuPG is compatible with other encryption standards, your secure correspondence is probably compatible with email applications on other operating systems, such as Windows and Macintosh.

GnuPG uses public key cryptography to provide users with a secure exchange of data. In a public key cryptography scheme, you generate two keys: a public key and a private key. You exchange your public key with correspondents or with a keyserver; you should never reveal your private key.

Encryption depends upon the use of keys. In conventional or symmetric cryptography, both ends of the transaction have the same key, which they use to decode each other's transmissions. In public key cryptography, two keys co-exist: a public key and a private key. A person or an organization keeps their private key a secret, and publishes their public key. Data encoded with the public key can only be decoded with the private key; data encoded with the private key can only be decoded with the public key.
Remember that your public key can be given to anyone with whom you want to communicate securely, but you must never give away your private key.

For the most part, cryptography is beyond the scope of this publication; volumes have been written about the subject. In this chapter, however, we hope you gain enough understanding about GnuPG to begin using cryptography in your own correspondence. If you want to learn more about GnuPG, PGP and encryption technology, see Section B.8 Additional Resources.

B.1. Configuration File

The first time you run a GnuPG command, a .gnupg directory is created in your home directory. Starting with version 1.2, the configuration filename has changed from .gnupg/options to .gnupg/gpg.conf. If .gnupg/gpg.conf is not found in your home directory, .gnupg/options is used. If you only use version 1.2 or higher, it is recommended that you rename your configuration file with the following command:

mv ~/.gnupg/options ~/.gnupg/gpg.conf

If you are upgrading from a version prior to 1.0.7, you can create signature caches in your keyring to decrease the keyring access time. To perform this operation, execute the following command once:

gpg --rebuild-keydb-caches
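The two steps above, written as an added shell example that is not part of the Red Hat manual: it parses the version line that gpg --version prints, renames options to gpg.conf only when gpg is 1.2 or newer and no gpg.conf already exists, and reports what it did instead of silently overwriting anything. The directory and the version string are parameters (assumptions of this example), so the logic can be tried on a scratch directory before touching ~/.gnupg.

```shell
#!/bin/sh
# Added example, not from the manual. Migrates a GnuPG home directory from the
# pre-1.2 "options" file to "gpg.conf" without clobbering an existing gpg.conf.

# gpg_is_at_least_1_2 "gpg (GnuPG) 1.2.1"  -> exit status 0 when version >= 1.2
# Accepts the first line of `gpg --version`, e.g. "gpg (GnuPG) 1.4.5".
gpg_is_at_least_1_2() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^gpg ([^)]*) \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1            # not a gpg version line at all
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor:-0}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# migrate_gpg_conf HOMEDIR VERSION_LINE
# Prints exactly one word describing the outcome:
#   too-old | conflict | already-migrated | no-options | renamed
migrate_gpg_conf() {
    home=$1
    old="$home/options"
    new="$home/gpg.conf"
    if ! gpg_is_at_least_1_2 "$2"; then
        echo too-old            # pre-1.2 gpg only reads "options"; leave it alone
        return 0
    fi
    if [ -f "$old" ] && [ -f "$new" ]; then
        echo conflict           # gpg.conf already wins; do not discard either file
        return 0
    fi
    if [ -f "$new" ]; then echo already-migrated; return 0; fi
    if [ ! -f "$old" ]; then echo no-options; return 0; fi
    mv "$old" "$new"
    chmod 600 "$new"            # gpg warns about group/world-writable config files
    echo renamed
}

# rebuild_signature_caches HOMEDIR: the one-time step for keyrings created
# before 1.0.7 (the command shown in the manual), run against HOMEDIR.
rebuild_signature_caches() {
    GNUPGHOME=$1 gpg --rebuild-keydb-caches
}

# Usage on the real home directory:
#   migrate_gpg_conf "$HOME/.gnupg" "$(gpg --version | head -n 1)"
#   rebuild_signature_caches "$HOME/.gnupg"
```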