Mac GNU Privacy Guard is the Mac OS X port of the popular security utility. I have been using GnuPG for more than 5 years now and it is the best available open source solution for various encryption purposes. This article guides the reader through Mac GNU Privacy Guard installation, as well as its basic functions.
As with all software downloads, and especially ones tied to your security or privacy, check the file's integrity before installing. If the file has been altered (say, by adding malicious code), its hash fingerprint changes, so comparing the hash of what you downloaded with the published value catches corruption and tampering in transit. Many packages publish a checksum file or an MD5 hash for exactly this purpose. In this case, GNU Privacy Guard 1.4.1 has the following MD5 hash: f4eb3c7d233e18fd1bf56d6bb576bbd9 (this hash is listed on the download page). Two caveats: a hash published on the same page as the download only proves that you received what that server is currently serving, since anyone able to replace the file can replace the hash as well, and MD5 is no longer considered collision-resistant. Where a project offers a detached signature, verifying it with gpg --verify against a signing key obtained from an independent source is the stronger check.
To check the MD5 hash, go to the folder where you downloaded GNU Privacy Guard and do the following:
mini-mac:~/Desktop bk$ md5 GnuPG1.4.1.dmg
MD5 (GnuPG1.4.1.dmg) = f4eb3c7d233e18fd1bf56d6bb576bbd9
As you can see, the "fingerprint" published on the product homepage and the one computed from the downloaded file are the same (compare every character, not just the first few). This gives you a green light to start the installation. The installation is straightforward and needs just a couple of clicks.
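The same check, scripted so the comparison is done by the machine rather than by eye, as an added example that is not part of the original article. It assumes only a POSIX shell and one of md5sum (Linux), md5 (Mac OS X) or openssl; the file name and hash in the usage line are the ones from the article.

```shell
#!/bin/sh
# Added example, not from the original article: refuse to proceed unless the
# downloaded file's MD5 matches the published value exactly. Needs only a
# POSIX shell plus one of md5sum (Linux), md5 (Mac OS X) or openssl.

# md5_of FILE: print the hex digest and nothing else, whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: 0 on an exact (case-insensitive) match,
# 1 on mismatch, 2 if the file cannot be read. There is no "close enough".
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file = $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Usage mirroring the article, with the hash given on the download page:
#   sh verify_md5.sh GnuPG1.4.1.dmg f4eb3c7d233e18fd1bf56d6bb576bbd9 && open GnuPG1.4.1.dmg
if [ "$#" -eq 2 ]; then
    verify_md5 "$1" "$2"
fi
```

Chaining the installer behind `&&` means a mismatch stops the installation instead of relying on you to notice a differing digit.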
After installing GnuPG, you need to generate your personal set of keys:
iBook-Bonanza:~ Berislav$ gpg --gen-key
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Now you choose the type of key. DSA is a public-key algorithm used only for digital signatures; in GnuPG 1.4 the DSA primary key is 1024 bits (the original DSS standard allowed 512 to 1024). ElGamal is a cryptosystem with both signature and encryption variants; GnuPG uses it here for encryption only (the ELG-E subkey). The default, option 1, gives you a DSA signing key plus an ElGamal encryption subkey, which is what you need for both signing and encrypting.
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?
The key size asked for here is that of the ElGamal encryption subkey (the DSA key is fixed at 1024 bits). The default is 2048, so carry on with it.
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Some people want their keys to expire after a period of time. I usually use "key does not expire" and I recommend this to average users. (An expiry date can be extended later with the expire command under gpg --edit-key, so choosing one is not irreversible.)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
The following is pretty self-explanatory.
Key does not expire at all
Is this correct? (y/N) y
Now it is time to set up your personal information. While you can use a bogus name or e-mail address, use your real ones: the user ID is what other people search for and what your e-mail client matches messages against, so fill in the e-mail address you will actually use.
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Berislav NonStopMac
Email address: btest@nonstopmac.com
Comment: NonStopMac Test key
You selected this USER-ID:
Berislav NonStopMac (NonStopMac Test key) <btest@nonstopmac.com>
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
After this step you need to enter a passphrase that protects your private key on disk. Choose a strong one: anyone who obtains the key file still needs the passphrase to use it.
You need a Passphrase to protect your secret key.
The last part of the setup needs some interaction. gpg gathers entropy for its random number generator, so use the keyboard and mouse while it runs. The stretches of gibberish in the output below are the author's keystrokes echoed by the terminal, not gpg output.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
..++++++++++++++++++++..+++++....+++++..+++++.
+++++++++++++++++++++++++++++++++++++++
+.++++++++++++++++++++..+++++++++++++++.+
+++++++++++++++++++>++++++++++.>+++++>
+++++.....
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
..++++++++++++++++++++.++++++++++.+++++..
++++++++++....++++++++++.+++++++++++++++.
+++++++++++++++++++++++++.+++++..+++++
++++++++++.++++++++++.+++++.++++++++++..
+++++>..++++++++++.
..sdf.sfsdf.sdkmfnsdklfs.>+++++dfsdn.fjsnfjkw.pfeifsi.348589
90 .n df.gsdfsd.fsdf.sdf...i.i.perwe.krmalkermwe.rfmncvb.xfd
fw.jfwsf.no.nstop.mac.:.))).dsd.asdaskd.jnaldfnl.w..hell.o...
...G.ENE.RAT.e....bla.h.bla.h.......ran.donm. ..bla.h .bla.h
dfsdf .sdfo.fojkwefj.lkvfg,. u.w4857w5.724234
.2dss.sdplknjkk+anmdas da czx cdsf++no+^nstopma
c.comnonstopmac^nonstopmac mac mac app^le iboo^
The following output shows that the setup succeeded and you are now the proud owner of a brand new pair of GnuPG keys.
gpg: /Users/test-Berislav/.gnupg/trustdb.gpg: trustdb created
gpg: key B41C636A marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/B41C636A 2005-11-14
Key fingerprint = 4697 6243 6B14 DF8C F2C5 1DF2 0254 5F46 B714 626B
uid Berislav NonStopMac (NonStopMac Test key) <btest@nonstopmac.com>
sub 2048g/363606A8 2005-11-14
GNU Privacy Guard can be used for several security functions; I will cover the two most common ones: file encryption and person-to-person communication. Both encrypt files or text; the difference is that for private communication you must first exchange public keys. You may have heard of PKI (public key infrastructure). It sounds complicated, but with GnuPG you are working with the same building blocks.
PKI lets users of an insecure public network exchange data securely and privately through a public and a private cryptographic key pair, the public half of which is obtained either from a trusted authority or by direct exchange. Strictly speaking OpenPGP has no central authority: your trust in a key comes from checking its fingerprint yourself and from signatures by people you already trust (the "web of trust").
Let's say we need to encrypt a text file and send it to a colleague. The first thing to do is exchange public keys, because we encrypt the file for our peer using his public key. This way only the holder of the matching private key, our colleague, can decrypt the file. Note that encryption alone does not tell the recipient who sent the file; for that you would also sign it.
Exporting the public key can be done in two ways. The first prints the ASCII-armored (-a) public key to the terminal, so you can easily copy it to the clipboard.
mini-mac:~/Desktop bk$ gpg --export -a "Berislav NonStopMac"
The second redirects the same output into a file:
mini-mac:~/Desktop bk$ gpg --export -a "Berislav NonStopMac" > /tmp/bkucan.key
After you and your colleague have exported and exchanged keys, each of you imports the other's public key. Before relying on an imported key, confirm its fingerprint (gpg --fingerprint "Mike Jones") against one your colleague gives you through another channel, such as a phone call: a key that arrives by e-mail only proves that someone sent it, and an attacker who can intercept the mail can substitute a key of their own.
mini-mac:~/Desktop bk$ gpg --import /tmp/colleague.key
To check out if everything went fine, you can use gpg executable to list the keys in your database.
mini-mac:~/Desktop bk$ gpg --list-keys
/Users/Berislav/.gnupg/pubring.gpg
----------------------------------
pub 1024D/B71C626B 2005-11-14
uid Berislav NonStopMac (NonStopMac Test key)
sub 2048g/363606A8 2005-11-14
pub 1024D/A32A628B 2005-11-14
uid Mike Jones (My business key)
sub 2048g/443626A3 2005-11-14
Mike Jones' key was successfully imported. Now let's encrypt a file. The -r switch names the recipient; from the output above, Mike Jones is the name and (My business key) is the comment. Any unique part of the user ID, or the key ID A32A628B, works as the recipient name.
mini-mac:~/Desktop bk$ gpg --encrypt -r "Mike Jones" secret.txt
While doing this, gpg may ask you to confirm that the key you have for Mike Jones is really the one you want to use. It asks because you have not certified the key: nothing in your keyring yet says it belongs to Mike. Once you have checked the fingerprint, sign it locally with gpg --lsign-key "Mike Jones" and the prompt stops appearing; if you simply answer Y without checking, you are trusting whoever sent you the key. Be especially careful when you hold two keys for the same person. The command created an encrypted file; check it with:
mini-mac:~/Desktop bk$ ls -al secret*
-rw-r--r-- 1 bk bk 303 14 Nov 2005 secret.txt
-rw-r--r-- 1 bk bk 303 14 Nov 2005 secret.txt.gpg
The newly created .gpg file is the encrypted version of secret.txt. It is binary, so a text editor shows only garbage; add the -a (--armor) switch to --encrypt if you need a text-only .asc file you can paste into an e-mail body. Note that secret.txt itself is left in place: delete it if the plaintext should not stay on disk.
The final thing you need is how to decrypt. The following command decrypts secret.txt.gpg and writes the plaintext into a new file, file.txt (gpg -o file.txt -d secret.txt.gpg does the same without a shell redirect). Remember that the file above was encrypted only to Mike Jones, so only his private key can decrypt it; to keep a readable copy for yourself, add a second -r with your own user ID when encrypting.
mini-mac:~/Desktop bk$ gpg -d secret.txt.gpg > file.txt
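The key generation walkthrough above and the export, import, encrypt and decrypt procedure, run end to end as an added example that is not code from the article or from the GnuPG project. It uses two throwaway keyrings (--homedir) on one machine to play the author and the colleague, and adds the steps the article leaves implicit: unattended key generation, fingerprint verification before trusting the imported key, and encrypting to yourself as well as the recipient. It assumes GnuPG 2.1 or later (the %no-protection directive and --quick-lsign-key do not exist in 1.4, which would need a Passphrase: line and an interactive --lsign-key); the address mike@example.com and the SAMPLE_COLONS listing are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: the article's whole workflow
# scripted with two throwaway keyrings (--homedir) standing in for the author
# and the colleague. Assumes GnuPG 2.1 or later (%no-protection and
# --quick-lsign-key are not in 1.4, which needs a Passphrase: line and an
# interactive --lsign-key). mike@example.com and SAMPLE_COLONS are made up.
set -e

# Primary-key fingerprint from `gpg --with-colons --fingerprint` output on
# stdin: the first fpr record after the pub record, field 10.
fpr_from_colons() {
    awk -F: '/^pub:/ { want = 1 } want && /^fpr:/ { print $10; exit }'
}

# Uppercase, no spaces: "4697 6243 ..." read over the phone must compare
# equal to what gpg prints.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

fingerprints_match() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# key_fingerprint HOMEDIR USERID: fingerprint of the primary key for USERID.
key_fingerprint() {
    gpg --homedir "$1" --batch --with-colons --fingerprint "$2" | fpr_from_colons
}

# Unattended generation with the walkthrough's choices (DSA 1024 signing key,
# ELG-E 2048 encryption subkey, no expiry). %no-protection skips the
# passphrase so the demo needs no pinentry; a key you keep must have one.
make_key() {  # make_key HOMEDIR NAME COMMENT EMAIL
    gpg --homedir "$1" --batch --gen-key <<EOF
%no-protection
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 2048
Name-Real: $2
Name-Comment: $3
Name-Email: $4
Expire-Date: 0
%commit
EOF
}

demo() {
    work=$(mktemp -d); me=$work/me; peer=$work/peer
    mkdir -m 700 "$me" "$peer"
    make_key "$me"   "Berislav NonStopMac" "NonStopMac Test key" btest@nonstopmac.com
    make_key "$peer" "Mike Jones" "My business key" mike@example.com

    # Export, exchange (a shared directory here, e-mail in real life), import.
    gpg --homedir "$me"   --batch --export -a btest@nonstopmac.com > "$work/bkucan.key"
    gpg --homedir "$peer" --batch --export -a mike@example.com      > "$work/colleague.key"
    gpg --homedir "$me"   --batch --import "$work/colleague.key"
    gpg --homedir "$peer" --batch --import "$work/bkucan.key"

    # Compare the imported key's fingerprint with one obtained out of band (the
    # peer's own keyring stands in for a phone call). Only a verified key gets
    # a local signature, which is what stops gpg asking whether to use it.
    claimed=$(key_fingerprint "$peer" mike@example.com)
    got=$(key_fingerprint "$me" mike@example.com)
    fingerprints_match "$claimed" "$got" || { echo "fingerprint mismatch" >&2; return 1; }
    gpg --homedir "$me" --batch --quick-lsign-key "$got"

    # Encrypt to the peer AND to ourselves, naming recipients by fingerprint,
    # not by name; -a writes a text .asc file instead of a binary .gpg.
    printf 'meeting moved to 10:00\n' > "$work/secret.txt"
    mine=$(key_fingerprint "$me" btest@nonstopmac.com)
    gpg --homedir "$me" --batch -a -r "$got" -r "$mine" --encrypt "$work/secret.txt"

    # The peer decrypts; -o names the output file instead of a shell redirect.
    gpg --homedir "$peer" --batch -o "$work/decrypted.txt" --decrypt "$work/secret.txt.asc"
    cmp "$work/secret.txt" "$work/decrypted.txt" || { echo "round trip FAILED" >&2; return 1; }
    echo "round trip OK"
    gpgconf --homedir "$me" --kill gpg-agent
    gpgconf --homedir "$peer" --kill gpg-agent
    rm -rf "$work"
}

# Constructed --with-colons listing carrying the fingerprint printed in the
# article, so the parser can be checked without running gpg.
SAMPLE_COLONS='tru::1:1131926400:0:3:1:5
pub:u:1024:17:02545F46B714626B:1131926400:::u:::scESC::::::23::0:
fpr:::::::::469762436B14DF8CF2C51DF202545F46B714626B:
uid:u::::1131926400::0123456789ABCDEF0123456789ABCDEF01234567::Berislav NonStopMac (NonStopMac Test key) <btest@nonstopmac.com>::::::::::0:
sub:u:2048:16:0000000000363606A8:1131926400::::::e::::::23:
fpr:::::::::00000000000000000000000000000000363606A8:'

selfcheck() {  # 0 when the parser recovers the primary fingerprint
    fingerprints_match "$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)" \
        "4697 6243 6B14 DF8C F2C5 1DF2 0254 5F46 B714 626B"
}

if [ "${1:-}" = run ]; then demo; else selfcheck; fi
```

Run it as `sh gpg_demo.sh run` to execute the gpg workflow; without the argument it only checks the fingerprint parser against the constructed listing. Naming recipients by fingerprint (`-r FPR`) rather than by "Mike Jones" is what avoids picking the wrong key when two keys carry the same name, and the local signature is the step that turns an imported key into one gpg will use in batch mode without asking.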
For more information on GnuPG usage, please do check the manual or search Google. Also, Non Stop mac will soon publish more articles on specific usage of GNU Privacy Guard, so do check us out periodically.
References:
+ Wikipedia - File Verification
+ Mac GNU Privacy Guard Homepage
+ Primode.com Glossary pages
+ LinuxChick GPG article, page 5
+ Creating Secure Backups With GnuPG