/------------------------------------------------------------------------/
                     PGP 2.6.2i Easy Help - by Polarsun
/------------------------------------------------------------------------/

This file is supposed to be a useful guide for:

 - installing PGP software
 - using PGP in the most common ways

Read every section of my guide carefully and you'll be able to configure
and use PGP properly

/------------------------------------------------------------------------/

PGP was created by Philip Zimmermann

Pretty Good Privacy (PGP) is a double-key encryption software

This means you have two keys:

 - a PUBLIC KEY which you can give to everyone
 - a PRIVATE KEY (SECRET KEY) which you have to protect from others, since
   it unlocks everything that is encrypted with your public key

When you create your key-pair (both public and private key) you'll have
3 new files:

 - randseed.bin
 - pubring.pgp
 - secring.pgp

RANDSEED.BIN contains the random data used by your PGP operations
PUBRING.PGP  is a container of public keys; initially it holds just your own
SECRING.PGP  is a container of secret keys; generally you'll not have a
             secret key other than your own

If you want to give your public key to others you'll find in this file how
to do it with the "pgp -kx[a]" command

PGP lets you:
 - encrypt a file (you need a PUBLIC KEY)
   - the file can be decrypted with the corresponding PRIVATE KEY

 - sign a file (you need a key-pair: both PUBLIC KEY and SECRET KEY)
   - the signature of the file can be checked with the PUBLIC KEY of the
     key-pair used to sign

When a file is signed, everyone who has your public key can check the file
you signed - and if the file has been modified, the check will show it

/------------------------------------------------------------------------/
Configuration and use of PGP software:
/------------------------------------------------------------------------/

1) Type at the beginning of your AUTOEXEC.BAT file "SET PGPPATH=<PGPPATH>"
   If you installed PGP in "C:\PGP" then the setting will
   be "SET PGPPATH=C:\PGP"

2) Add in your AUTOEXEC.BAT file the path of where you installed PGP
   to the PATH environment variable

3) Set the environment variable TZ=<TZ_setting> in your AUTOEXEC.BAT file


                            About the <TZ_setting>

   TZ is the TimeZone variable; PGP uses it in order to get the GMT time.
   Without TZ set, PGP will work, but it will generate an error and, more
   importantly, will use a wrong TimeZone. With "TZ=0", PGP will use the
   GMT setting of your computer (the GMT time of your system); on my
   computer this works, but...

[ <<< taken from a DOC of PGP >>> ]
PGP provides timestamps for keys and signature certificates in
Greenwich Mean Time (GMT), or Coordinated Universal Time (UTC), which
means the same thing for our purposes.  When PGP asks the system for
the time of day, the system is supposed to provide it in GMT.

But sometimes, because of improperly configured MSDOS systems, the
system time is returned in US Pacific Standard Time plus 8
hours.  Sounds weird, doesn't it?  Perhaps because of some sort of US
west-coast jingoism, MSDOS presumes local time is US Pacific time,
and pre-corrects Pacific time to GMT.  This adversely affects the
behavior of the internal MSDOS GMT time function that PGP calls.
However, if your MSDOS environmental variable TZ is already properly
defined for your timezone, this corrects the misconception MSDOS has
that the whole world lives on the US west coast.
[ <<< end of block text >>> ]

I'm going to tell you what to do:

first: make sure you know how far you are from the GMT TimeZone [if you
       use Win95 just double click on the time (in the bottom-right
       corner) and see in TimeZone section if you're GMT=+1, +2, etc.]

then:  [a] if you're under DOS that's ok
       [b] if you're under WINDOWS 3.x go back in DOS (exit WINDOWS)
       [c] if you're under WIN95 Execute "command" (DOS prompt)

so:

1) go to PGP directory
2) type "SET TZ=0"
3) check the time on your system (just type "time" and press Enter two
                                 times)
4) type "PGP -GMT" [the command doesn't exist, but you can read GMT time:
                   you'll see written: "Current time: ... GMT"]
5) check if the GMT time is ok
6) if GMT time is not ok try to set TZ to:

[ <<< taken from a DOC of PGP >>> ]
For Los Angeles:  SET TZ=PST8PDT
For Denver:       SET TZ=MST7MDT
For Arizona:      SET TZ=MST7
   (Arizona never uses daylight savings time)
For Chicago:      SET TZ=CST6CDT
For New York:     SET TZ=EST5EDT
For London:       SET TZ=GMT0BST
For Amsterdam:    SET TZ=MET-1DST
For Moscow:       SET TZ=MSK-3MSD
For Auckland:     SET TZ=NZT-13
[ <<< end of block text >>> ]

Warning: on my computer TZ=0 works, but (I'm GMT +1) if I use Amsterdam TZ
         the GMT is calculated as if I was in London; so I just hope that
         TZ=0 works on your computer too

example:

step 3) my system time is 14:23
step 4) I read "Current time: 1997/08/28 13:23 GMT"
step 5) on my computer TZ=0 works, since I'm GMT +1
step 6) I don't need this step since TZ=0 works


Now two things are possible:

1) "TZ=0" or some other TZ value works on your computer (so PGP with that
    value can get a correct GMT time)
2) no TZ value gives a correct GMT time

in case 1) just type in the beginning of your AUTOEXEC.BAT file:
           "SET TZ=<the value you know>"

in case 2) just type in the beginning of your AUTOEXEC.BAT file:
           "SET TZ=0"

in this second case, any time stored in your PGP files will not be
correct... however, for common use what matters is checking a signature or
decrypting a PGP file, not so much knowing the GMT time that may be stored
in the PGP file

/------------------------------------------------------------------------/

Before using PGP commands, restart your computer, since you changed the
AUTOEXEC.BAT file

/------------------------------------------------------------------------/
Commands:
/------------------------------------------------------------------------/

Generate your key-pair:

pgp -kg

the software asks you:
 - to type the protection level you prefer
 - to type an ID which will tell people who you are:
      use a name or an alias and then the E-mail between <>
      ex. mine is: Allan <polar_sun@usa.net>
 - to type a password (which you'll be asked to type every time PGP
                          needs to use the secret keys ring file)

/------------------------------------------------------------------------/

Check your key-pair:

pgp -kc pubring.pgp

check if under "Trust" you see "ultimate"
check if under "Validity" you see "complete"

/------------------------------------------------------------------------/

Encrypt a file:

pgp -e <file> <ID1> [<ID2>...]

Important: you don't have to type the part of ID between <>:
           if I want to encrypt something with my ID, that is:
                        Allan <polar_sun@usa.net>
                           I put as ID1: Allan

if you type more than one ID, the owners of all those IDs will be able to
decrypt what you are encrypting

PGP looks in pubring.pgp and takes the public keys with the ID/IDs you
typed in order to encrypt

a <file_name>.pgp file is generated

/------------------------------------------------------------------------/

Sign a file:

pgp -s <file> -u <ID>

PGP looks in secring.pgp and uses the secret key with the ID you typed
in order to sign the file

(secring.pgp file is used - so you'll have to type secret key password)

a <file_name>.pgp file is generated

/------------------------------------------------------------------------/

Encrypt and Sign a file:

pgp -se <file> <encrypt_ID1> [<encrypt_ID2>...] -u <sign_ID>

or

pgp -es <file> <encrypt_ID1> [<encrypt_ID2>...] -u <sign_ID>

encrypt_ID1 is the ID of the public key used to encrypt
sign_ID is the ID of the secret key used to sign

(secring.pgp file is used - so you'll have to type secret key password)

a <file_name>.pgp file is generated

/------------------------------------------------------------------------/

Decrypt file/Check signed file:

pgp <file>

what is encrypted with a public key can be decrypted with the corresponding
private key; if the file is encrypted, it is supposed to be encrypted with
your public key and you're supposed to have your secret key in secring.pgp
(so for decryption you'll have to type your secret key password)

if the file is signed, pgp will look in your public keys ring file for a
valid public key to check the signed file

So:

 - if the file is encrypted you'll type your secret key password when
   asked and a (decrypted) file with the same name and no extension will
   be generated (if the file was encrypted with the public key
   corresponding to the secret key you have in your secret keys ring file)

 - if the file is signed there will be a signature/check result and a file
   with the same name and no extension (this file no longer carries the
   signature) will be generated (if the file was signed using a secret key
   corresponding to a public key you have in your public keys ring file)

 - if the file is encrypted and signed everything happens as in the first
   case, and PGP tells if the signature is ok or not

(if the signature/check is ok you'll see written "Good signature from
user..."; if the check is not ok the file is corrupted or you don't
have the public key of whoever signed the file)
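
The outcomes listed above, as an added example in Python (it is not part
of the original guide and not PGP's own code): a toy RSA signature over
an MD5 digest, checked against a public keys ring. The key, the message
and the function names are constructed for illustration; real PGP also
pads the digest before signing, which this sketch leaves out.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; far too weak for
# real use, but large enough to hold a 128-bit MD5 digest.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                                # public modulus (pubring half)
D = pow(E, -1, (P - 1) * (Q - 1))        # secret exponent (secring half)


def key_id(modulus: int) -> int:
    """PGP 2.x key ID: the low 64 bits of the RSA modulus."""
    return modulus & (2**64 - 1)


def md5_int(data: bytes) -> int:
    """MD5 digest of the file contents, as an integer."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def sign(data: bytes, n: int, d: int) -> dict:
    """Sign the digest with the SECRET key and note which key signed it."""
    return {"key_id": key_id(n), "value": pow(md5_int(data), d, n)}


def check(data: bytes, sig: dict, pubring: dict) -> str:
    """Return 'good', 'bad' or 'no key' for a signed file."""
    key = pubring.get(sig["key_id"])
    if key is None:
        return "no key"                  # signer's public key is not in the ring
    n, e = key
    # Only the matching secret key could have produced a value that the
    # public key turns back into the digest of exactly these bytes.
    return "good" if pow(sig["value"], e, n) == md5_int(data) else "bad"


PUBRING = {key_id(N): (N, E)}            # the checker holds only public keys
MESSAGE = b"meet at noon"                # constructed sample file contents
SIGNATURE = sign(MESSAGE, N, D)

if __name__ == "__main__":
    print(check(MESSAGE, SIGNATURE, PUBRING))          # unmodified file
    print(check(b"meet at nine", SIGNATURE, PUBRING))  # modified file
    print(check(MESSAGE, SIGNATURE, {}))               # empty public ring
```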

/------------------------------------------------------------------------/

Armor option:

if you add "a" to "s", "e" or "se/es" parameters
you generate a MIME-encoded text-file, useful if you want to
send via E-mail what you encrypted and/or signed

ex: pgp -esa ... [Encrypt and Sign / Armor file]
ex: pgp -sa  ... [Sign / Armor file]
ex: pgp -ea  ... [Encrypt / Armor file]

In the "config.txt" file (configuration file of PGP) you can find the
variable ArmorLines, set to 720; this means that if you use the armor
option and the resulting file has more than 720 lines, it will be
split into several files (the first will be .as1, then .as2 and so on);
you can disable splitting by putting 0 instead of 720, as "config.txt" says

a <file_name>.asc file is generated [armor option enabled] / if the file
is split the files are .as1, .as2, etc.

/------------------------------------------------------------------------/

Text file option:

if you want to sign a TEXT FILE so that everyone can read the contents
and whoever has PGP and your public key can check the signed file,
you can add the "t" parameter to the "sa" parameter

ex: pgp -sta ...

a <file_name>.asc file is generated [armor option enabled] / if the file
is split the files are .as1, .as2, etc.

/------------------------------------------------------------------------/

More option (for text files):

if you use the "m" parameter, whoever decrypts/checks the file you
encrypted/signed will not be able to save the file to disk, but
will read the text file on the screen

/------------------------------------------------------------------------/

Extract (copy) a key from your public keys ring file:

pgp -kx <ID> <destination_file>

you can use the armor option in order to distribute your public key via
E-mail

ex: pgp -kxa ...

/------------------------------------------------------------------------/

Add a public key to your public keys ring file:

although you can use the -ka option, it's simpler to do just:

pgp <file_with_public_key>

and the software will ask if you want to add the public key
to your public keys ring file

<file_with_public_key> could be a keys ring file; in this case all keys
stored in it will be stored in your public keys ring file

when you are asked to certify the public key/keys, answer "no"

/------------------------------------------------------------------------/

Remove a public key from your public keys ring file:

pgp -kr <ID> pubring.pgp

/------------------------------------------------------------------------/

Overview:

Generate key-pair:
   pgp -kg

Check key-pair:
   pgp -kc pubring.pgp

Encrypt a file:
   pgp -e[am] <file> <ID1> [<ID2>...]

Sign a file:
   pgp -s[atm] <file> -u <ID>

Encrypt and Sign a file:
   pgp -se[am] <file> <encrypt_ID1> [<encrypt_ID2>...] -u <sign_ID>
    or pgp -es[am] <file> <encrypt_ID1> [<encrypt_ID2>...] -u <sign_ID>

Decrypt file/Check signed file:
   pgp <file>

Extract (copy) a public key from pubring.pgp and put it in a file:
   pgp -kx[a] <ID> <destination_file>

Add a public key to public keys ring file:
   pgp <file_with_public_key>

Remove a public key from public keys ring file:
   pgp -kr <ID> pubring.pgp

/------------------------------------------------------------------------/

                       DON'T SKIP THIS SECTION...

You can make a backup copy of randseed.bin, pubring.pgp and secring.pgp
and put it in a safe place

Be careful with your secret ring file (secring.pgp) - keep it in a safe
place and don't distribute it

In order to distribute your public key use the "pgp -kx[a]" command

NB: distribute your public key using safe ways (such as your Internet Web
    page); "ID tampering" could be done; this means that if someone
    intentionally generates a key pair with the same ID you use, whoever
    uses that public key will write mail messages that you can't decrypt;
    I think that the safest distribution methods are to put your public
    key on your web page or to give it on floppy disks (if you have a
    friend geographically near to you); the first time you use a public
    key, send a second (non-PGP) E-mail along with it asking if the file
    was ok, and tell the others to do the same with your public key; I can
    tell you that E-mail is not a safe way to send your public key (in
    fact in my E-mails there is no public key, it's just written to
    download it from my web site); UNIX-based systems allow sending E-mail
    without checking your identity: I mean that you can write to me
    putting the E-mail of one of my friends as sender and I couldn't be
    sure of the identity of the sender, even if in the "To: " field I see
    the E-mail of one of my friends

    So remember: as long as you don't encrypt your E-mail messages,
    someone who knows something about hacking can read and possibly
    corrupt the data; as long as you don't sign your E-mail messages,
    whoever receives them can't be sure of your identity; if you encrypt
    and sign your E-mail messages, you use PGP in the best way

Due to "ID tampering" don't use Internet public key sites in order to
distribute your public key
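
Why a matching ID is not enough, as an added example in Python (it is not
part of the original guide): two constructed keys carry the same ID, and
only the key fingerprint (for PGP 2.x RSA keys an MD5 over the modulus
and exponent, which PGP displays with "pgp -kvc") obtained over a safe
channel tells them apart. The Alice ID, the key numbers and the function
names are constructed for illustration.

```python
import hashlib


def mpi_body(value: int) -> bytes:
    """Big-endian bytes of an integer, without any length prefix."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def fingerprint(n: int, e: int) -> str:
    """PGP 2.x RSA key fingerprint: MD5 over the modulus, then the exponent."""
    digest = hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, 32, 2))


def normalise(fp: str) -> str:
    """Ignore spacing and letter case when comparing typed fingerprints."""
    return "".join(fp.split()).upper()


def find_keys(keyring: list, id_part: str) -> list:
    """Select keys by part of the ID, as when typing just the name."""
    return [k for k in keyring if id_part.lower() in k["id"].lower()]


def select_verified(keyring: list, id_part: str, trusted_fp: str) -> dict:
    """Return the one matching key whose fingerprint equals the trusted one."""
    good = [k for k in find_keys(keyring, id_part)
            if normalise(fingerprint(k["n"], k["e"])) == normalise(trusted_fp)]
    if len(good) != 1:
        raise LookupError("no key with that ID has the trusted fingerprint")
    return good[0]


# Constructed toy keys (products of Mersenne primes), both with the same ID.
GENUINE = {"id": "Alice <alice@example.org>", "e": 17,
           "n": (2**127 - 1) * (2**107 - 1)}
IMPOSTOR = {"id": "Alice <alice@example.org>", "e": 17,
            "n": (2**89 - 1) * (2**61 - 1)}
KEYRING = [IMPOSTOR, GENUINE]

# Fingerprint the owner gave in person, e.g. together with the floppy disk.
TRUSTED_FP = fingerprint(GENUINE["n"], GENUINE["e"])

if __name__ == "__main__":
    print(len(find_keys(KEYRING, "alice")), "keys match the ID 'alice'")
    chosen = select_verified(KEYRING, "alice", TRUSTED_FP)
    print("verified key fingerprint:", fingerprint(chosen["n"], chosen["e"]))
```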

/------------------------------------------------------------------------/

      I hope this file helped you,
                                               Polarsun
                                               polarsun@email.it

/------------( END )--------------( OF )--------------( FILE )-----------/

