PGP and GPG

On this page I talk about everything related to security and authentication on the Internet.

Personal use

PGP and GPG are two compatible pieces of asymmetric encryption and signing software. Their features are:

  • encrypting emails or files: you use the public key of the receiver to encrypt the message so that only the receiver can decrypt it (using their associated private key).
    gpg --recipient <user-id> --encrypt <file>
    gpg --decrypt <file>.gpg
  • signing emails or files: you use your own private key to sign the message so that anyone can verify with your public key that you are the author of the message and that the message was not altered. The option is --detach-sign (--detached-sign is not a valid gpg option); the verify command expects the original <file> next to the .asc signature.
    gpg --detach-sign --armor <file>
    gpg --verify <file>.asc

For emails, you should use some software to automatically manage your keyring and sign, verify signatures, encrypt and decrypt messages, like the Enigmail addon with Thunderbird.

Trusted timestamping

If a trusted third party signs a document of yours with its private key, together with the current time, its signature proves the integrity of your document and the time at which it existed.

There are a few services that are easy enough for individuals to use:

You can also use a client program that speaks the RFC 3161 protocol, with a server providing the service:

File size problem

One problem I ran into with every provider I tried is that they limit the file size (at least for the free services), to around 1 MB.

So what I do is sign the large file with my own PGP key, then officially timestamp the signature. My PGP key itself does not need to be trusted; only the signing algorithm needs to be sound in order to prove that the file was not modified. Of course, it is better to timestamp the file directly if you can. You may also want to encrypt it first, since you have to send it over the Internet.
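As an added example (not code from this page's author), the following Python builds the RFC 3161 TimeStampReq over the detached PGP signature rather than over the large file, which is exactly why the request stays tiny whatever the file size; the file names and the TSA URL in the comments are assumptions.

```python
"""Build an RFC 3161 TimeStampReq (DER) over a detached PGP signature.

Added example: hashing the small .asc signature instead of the large
original keeps the request small regardless of the size of the signed file.
"""
import hashlib
import secrets

# id-sha256 (2.16.840.1.101.3.4.2.1), pre-encoded OID content bytes
SHA256_OID = bytes.fromhex("608648016503040201")

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value: int) -> bytes:
    """Non-negative INTEGER; signed=True adds the leading 0x00 when the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tsq(digest: bytes, nonce=None, cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version, messageImprint, nonce OPTIONAL, certReq }."""
    algorithm = der(0x30, der(0x06, SHA256_OID) + der(0x05, b""))  # sha256 + NULL params
    imprint = der(0x30, algorithm + der(0x04, digest))            # MessageImprint
    body = der_int(1) + imprint                                     # version v1(1)
    if nonce is not None:
        body += der_int(nonce)          # lets you match the TSA response to this request
    if cert_req:
        body += der(0x01, b"\xff")      # certReq TRUE: ask the TSA to include its certificate
    return der(0x30, body)

def timestamp_request_for_signature(signature: bytes, nonce=None) -> bytes:
    """Request a timestamp on the PGP signature of a large file (the workaround above)."""
    if nonce is None:
        nonce = secrets.randbits(64)
    return build_tsq(sha256_digest(signature), nonce=nonce)

if __name__ == "__main__":
    # Assumed file names; big.iso.asc comes from: gpg --detach-sign --armor big.iso
    with open("big.iso.asc", "rb") as f, open("big.iso.asc.tsq", "wb") as out:
        out.write(timestamp_request_for_signature(f.read()))
    # POST the .tsq to your TSA (URL is an assumption) and verify the reply with openssl:
    #   curl -H "Content-Type: application/timestamp-query" --data-binary @big.iso.asc.tsq \
    #        https://tsa.example.org/ -o big.iso.asc.tsr
    #   openssl ts -verify -data big.iso.asc -in big.iso.asc.tsr -CAfile tsa-ca.pem
```

The request bytes are the same shape that `openssl ts -query -data big.iso.asc -sha256 -cert` produces, so either tool can be used to create it and `openssl ts -verify` checks the response against the signature file.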

software/pgp.1297763228.txt.gz · Last modified: 2013/09/19 16:43 (external edit)
CC Attribution-Share Alike 4.0 International