Use GPG mail signing and encryption with openSuse 10.3

From JoBaPedia

Just started playing around with mail signing and encryption. The main problem was getting gpg-agent to work in a VNC session.

How I did it

  1. create a key pair with kgpg
    • type PGP+ElGamal, 1024 or 2048 bit
    • give the private key a good passphrase
    • set an expiry date (1-5 years)
    • generate a revocation certificate
  2. make the key the default (standard) key
  3. set it to ultimate trust (you trust yourself, don't you?)
  4. upload the public key to a keyserver

What you get

  • kmail can use the private key for signing
  • you must sign the public keys of recipients and mark them trusted before you can use them for encryption

Hints and probable problems

  • gpg-agent is started by sys.xinitrc (copy that to ~/.vnc/xstartup for VNC sessions)
  • kgpg's use of gpg-agent was already enabled (options menu or ~/.gpg/options)
  • With gpg-agent you have to enter the passphrase of your private key less often
  • To use the private key elsewhere, just export it to a file (the exported key is still protected by the passphrase). Some people even upload it to the key server.

Concerns

  • Protect the private key! Anyone with the key and the passphrase can read the encrypted mails you received and sign mails so that they look as if they came from you.
  • The revocation certificate is used (e.g. if you lose your private key) to mark the public key as invalid.
    • Making a revocation certificate needs the private key, so do it now :-)
    • Save it somewhere you cannot lose it and where nobody can use it to invalidate your key.
  • Check the fingerprints of foreign keys you sign (to use them for encryption) via trustworthy channels.
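As an added example (not from this wiki page, and not kgpg's or KMail's code), here are the four steps above, the recipient-key signing described under "What you get", and the fingerprint check from the last concern, done with the gpg command line that kgpg drives underneath. The script runs entirely in temporary GNUPGHOME directories so it never touches a real keyring, needs GnuPG 2.1 or newer, and the user ids and the passphrase are constructed; step 4 (keyserver upload) appears only as a comment because the script works offline.

```shell
#!/bin/sh
# Added example, not from the wiki page: gpg command-line counterpart of the
# kgpg steps, run inside throwaway GNUPGHOME directories. Needs GnuPG 2.1+.
# Names, mail addresses and the passphrase are constructed for the demo.
set -eu

PASS='demo-passphrase-replace-me'   # constructed; kgpg asks for this interactively

# gpg wrapper: $1 is the GNUPGHOME, --batch for script use, loopback pinentry
# so the passphrase comes from the command line instead of the agent dialog.
g() { home=$1; shift; GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback --passphrase "$PASS" "$@"; }

have_gpg2() { gpg --version 2>/dev/null | head -n 1 | grep -Eq ' 2\.[1-9]'; }

# Step 1: key pair with passphrase and a two-year expiry; prints its fingerprint.
gen_key() {   # $1 = GNUPGHOME, $2 = user id
  printf 'allow-loopback-pinentry\n' >>"$1/gpg-agent.conf"   # needed by older 2.1 agents
  g "$1" --quick-generate-key "$2" default default 2y >/dev/null 2>&1
  GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2: make it the default key, the one used for signing.
set_default_key() { printf 'default-key %s\n' "$2" >>"$1/gpg.conf"; }

# Step 3: ultimate ownertrust (gpg already sets this for keys it generated;
# the call mirrors the kgpg step and is what an imported own key would need).
trust_ultimately() { printf '%s:6:\n' "$2" | GNUPGHOME="$1" gpg --batch --import-ownertrust 2>/dev/null; }

# A fingerprint read over the phone or from a business card comes with spaces
# and mixed case; normalise both sides before comparing.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }
fpr_matches() { [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ] && echo yes || echo no; }

# In batch mode gpg refuses to encrypt to a key that is not valid in our web of trust.
can_encrypt() {   # $1 = GNUPGHOME, $2 = recipient fingerprint
  if printf 'hello\n' | GNUPGHOME="$1" gpg --batch --encrypt --recipient "$2" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# Clear-sign a message with the default key and verify it again.
sign_and_verify() {   # $1 = GNUPGHOME
  if printf 'test message\n' | g "$1" --clearsign | GNUPGHOME="$1" gpg --batch --verify >/dev/null 2>&1
  then echo yes; else echo no; fi
}

run_demo() {
  ME=$(mktemp -d); THEM=$(mktemp -d)           # my keyring, and the recipient's
  FPR=$(gen_key "$ME" "Alice <alice@example.invalid>")
  set_default_key "$ME" "$FPR"
  trust_ultimately "$ME" "$FPR"
  # GnuPG 2.1+ writes the revocation certificate at generation time (rest of
  # step 1); this is the file to keep offline. Step 4 would be: gpg --send-keys "$FPR"
  [ -f "$ME/openpgp-revocs.d/$FPR.rev" ] && REVCERT_OK=yes || REVCERT_OK=no
  SIGN_OK=$(sign_and_verify "$ME")

  # The recipient generates their own key and hands us only the public part.
  RFPR=$(gen_key "$THEM" "Bob <bob@example.invalid>")
  GNUPGHOME="$THEM" gpg --batch --export "$RFPR" | GNUPGHOME="$ME" gpg --batch --import 2>/dev/null
  ENC_BEFORE=$(can_encrypt "$ME" "$RFPR")      # "no": imported, but not yet signed/trusted

  # Fingerprint as Bob would read it out over a trusted channel (constructed here
  # straight from his keyring); compare it, then sign his key locally.
  SPOKEN=$(printf '%s' "$RFPR" | sed 's/..../& /g' | tr 'A-F' 'a-f')
  FPR_OK=$(fpr_matches "$SPOKEN" "$RFPR")
  g "$ME" --quick-lsign-key "$RFPR" >/dev/null 2>&1
  ENC_AFTER=$(can_encrypt "$ME" "$RFPR")       # "yes": signed by our ultimately trusted key

  printf 'revocation cert: %s  sign/verify: %s  fingerprint: %s  encrypt before/after signing: %s/%s\n' \
    "$REVCERT_OK" "$SIGN_OK" "$FPR_OK" "$ENC_BEFORE" "$ENC_AFTER"
  GNUPGHOME="$ME" gpgconf --kill gpg-agent; GNUPGHOME="$THEM" gpgconf --kill gpg-agent
  rm -rf "$ME" "$THEM"
}

if have_gpg2; then run_demo; else echo "this demo needs GnuPG 2.1 or newer" >&2; fi
```

The encrypt-before/encrypt-after pair is the point of the "What you get" bullet: Bob's key is in the keyring after the import, but gpg will not encrypt to it until a key you trust (your own, at ultimate trust) has signed it. A local signature (lsign) is enough for that and is never exported, so it does not publish your opinion of Bob's key to the keyservers.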