
Pgp Guarantees Privacy (6)

The PGP Series 56

That's it.

"I only know we loved in vain;
I only feel--farewell! farewell!"

  Lord Byron

I see you, hoping, anticipating: "Finally! It's over!" You are almost freed. But first we will look at some of the PGP commands we did not have the chance to touch upon yet. (The farewell goes to Anna and Karls who have accompanied us so faithfully.)

pgp -ke : Edit a key

The command pgp -ke <ID> allows you to edit an existing key pair. If you did not feed PGP a user ID on the command line you will be asked for one. In any case, of course you need the passphrase for the key you want to change. You can add a new user ID to the key (yes, PGP allows multiple IDs for one key), optionally make it the default ID and you can change the passphrase which might not be too bad an idea from time to time.

Example:
My key has the ID Heinz Tschabitscher <me@example.com>. I want to be known as Heinzl <me_too@example.com> as well. I type: pgp -ke Heinz; I enter my passphrase; yes, I want to add a new user ID; Heinzl <me_too@example.com>; y for making it my primary ID; no, I do not change my passphrase. (I'm happy if I can remember this current Behemoth.)

pgp -kr : Remove a key

Using the command pgp -kr <ID> you can remove a key from either key ring. If there is more than one user ID attached to a key, you can remove those separately as well. To do so, answer the first question, whether you want to remove the whole key, in the negative. This procedure has to be repeated for every user ID you want to remove. These questions concern the public ring. If the key is present in the secret key ring as well, PGP will ask if you want to have it removed from there too.

Example:
I don't like the Heinzl-ID any more (I won't tell you why). All I want is to get rid of it. I type pgp -kr Heinzl; remove the whole key? NO!; remove ID Heinzl? YES!; no, I want to keep the key in my secret key ring.

pgp -kc : Check keys

You can check the keys on your public key ring with the command pgp -kc. PGP will certify signatures, check trust parameters and your own key against a backup version. You might want to redirect the output to a file with pgp -kc > keyanalys. Example: too uninteresting.

pgp -kd : Disable/revoke key

The above command will--in short--disable keys. You can disable somebody else's key on your public key ring, which will prevent you from encrypting anything with that key. This may be necessary if this person has lost her secret key and it is thus impossible to ever decipher the message again. You need not remove the key at once. Maybe it will be useful some day. Then, you can use pgp -kd <user ID> again to re-enable the key. If you use this command on one of your own public keys, however, you can revoke it. This may be necessary when you've just created a new, stronger key and want people to use this one instead of the old. pgp -kd <your ID> creates a key revocation certificate, which of course you need your passphrase for since it uses the secret key. You have to distribute this certificate to as many people as possible (everybody?). They will add it to their key rings where it will disable the use of your outdated public key.

Example:
I think my key is not strong enough. Therefore, I generate a new, bigger key and of course I want you to use it. Thus, I type pgp -kd Heinz; yes, permanently; I type my passphrase. Now we have to extract the key anew and distribute it, this time containing the revocation: pgp -kxa Heinz revoke.

pgp -w <file> : Wipe file

pgp -w <file> will fill a file with null characters and then delete it. This prevents the file from being undeleted and read. -w can also be used as a modifier when encrypting a file.

Example:
I want to send the file farewell.txt and prevent anybody (except the person I'm sending it to, of course) from ever reading it. I issue the command pgp -esaw farewell.txt -u Heinz -o hello.txt (how long does it take to do this with PGP 5.0 on a Mac?); here's my passphrase; all that remains to be done is sending hello.txt to--whom?
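What "fill with null characters, then delete" means at the file level, as an added shell example that is not from the original article or from PGP's own code. The names wipe_file and demo_wipe and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original article or from PGP itself.

# wipe_file FILE -> 0 on success; refuses symlinks and non-regular files
wipe_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "wipe_file: not a regular file: $f" >&2
        return 1
    fi
    size=$(wc -c < "$f") || return 1
    blocks=$(( (size + 4095) / 4096 ))
    if [ "$blocks" -gt 0 ]; then
        # conv=notrunc rewrites the existing bytes; without it dd would
        # truncate first and the old data blocks would simply be freed.
        # Whole 4096-byte blocks are written, so the tail is covered too.
        dd if=/dev/zero of="$f" bs=4096 count="$blocks" conv=notrunc \
            2>/dev/null || return 1
    fi
    sync                      # flush the zeros before the name disappears
    rm -f -- "$f"
}

# demo_wipe -> prints how many non-NUL bytes survive in the wiped data.
# A hard link (constructed here) keeps the blocks readable after the wipe.
demo_wipe() {
    d=$(mktemp -d) || return 1
    printf 'farewell, constructed plaintext\n' > "$d/farewell.txt"
    ln "$d/farewell.txt" "$d/witness"
    wipe_file "$d/farewell.txt" || return 1
    survivors=$(tr -d '\000' < "$d/witness" | wc -c)
    rm -rf "$d"
    echo $((survivors))
}

demo_wipe
```

On journaling or copy-on-write filesystems and on flash storage, an in-place overwrite is not guaranteed to land on the blocks that held the original data, so read this as a demonstration of the mechanism.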

pgp -c <file> : Conventionally encrypt file

You can do conventional one-key encryption with PGP using the command pgp -c <file> -u <ID>. This is useful for files that you do not plan to send to anybody but just archive for yourself in an unreadable state.

Example:
The file hellwell.txt contains information I want to keep secret. Since I do not currently use it I can encipher it by typing pgp -c hellwell.txt -u Heinz; PGP asks me for my passphrase; all done. To decrypt the resulting file, hellwell.pgp, I simply issue pgp hellwell.pgp and give PGP my passphrase again.

-z <passphrase> : Specify passphrase

With -z <passphrase> you can specify your passphrase on the command line for every PGP command that needs one. You will not be asked for it again. Remember that the passphrase is displayed in plain view this way, however.

Example:
I could do the deciphering of the file we encrypted in the last example with pgp hellwell.pgp -z BeutelrattenGulASch 4 (at least I could try).

There is an even more dangerous way to give your passphrase. You can set the environment variable PGPPASS to this intimate part of your self. For DOS, this would be done by SET PGPPASS=BeutelrattenGulASch 4. Don't do this in any file. Never! Don't do it at all.

Never.

If you now think "Gosh, this is even more boring than the previous features (if this is possible at all)!" I can only lean back, nod and say: "Yes." Maybe it will be useful some day.
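To check whether either habit warned against above (-z on the command line, PGPPASS in a file or the environment) has already left a passphrase lying around, here is an added shell example that is not part of the original article. The function names, the sample file names and the sample passphrase are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Reports where a passphrase was
# left in the clear; prints file, line and kind only, never the secret.

# scan_pgp_secrets FILE...  ->  one "file:line:kind" record per finding
scan_pgp_secrets() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk '
            { l = tolower($0) }    # DOS batch files are case-insensitive
            # SET PGPPASS=..., export PGPPASS=..., PGPPASS=...
            l ~ /(^|[^a-z0-9_])pgppass[ \t]*=/ { print FILENAME ":" NR ":PGPPASS" }
            # a pgp command line that carries -z followed by an argument
            l ~ /(^|[^a-z0-9_.])pgp(\.exe)?[ \t]/ && l ~ /[ \t]-z[ \t]*[^ \t]/ {
                print FILENAME ":" NR ":-z"
            }
        ' "$f"
    done
}

# env_exposes_pgppass -> status 0 when PGPPASS is set in this environment
env_exposes_pgppass() { [ -n "${PGPPASS+set}" ]; }

# make_samples -> path of a temp dir holding constructed sample files
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '@ECHO OFF' 'SET PGPPASS=constructed-example-passphrase' \
        > "$d/autoexec.bat"
    printf '%s\n' 'ls' 'pgp hellwell.pgp -z constructed-example-passphrase' \
        'pgp -kc > keyanalys' > "$d/history.txt"
    printf '%s\n' 'MYNAME = "Heinz Tschabitscher"' 'ARMOR = on' > "$d/config.txt"
    echo "$d"
}

samples=$(make_samples)
( cd "$samples" && scan_pgp_secrets autoexec.bat history.txt config.txt )
if env_exposes_pgppass; then echo "PGPPASS is set in this environment"; fi
rm -rf "$samples"
```

Point scan_pgp_secrets at startup files, batch files and shell history; any hit means the passphrase should be changed with pgp -ke after the offending line is removed.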

The configuration file: config.txt

There are a number of parameters you can set in PGP's configuration file config.txt.

TMP = "C:\TMP\" specifies the directory PGP will place files it uses during computation in.

MYNAME = "Heinz Tschabitscher" gives the default user ID used for signing.

LANGUAGE = "en" sets the language for help texts and anything else PGP displays. So, if you get tired of Enter pass phrase:, LANGUAGE = "fr" would result in Entrez votre mot de passe: (which I like better somehow).

ARMOR = on turns ASCII armouring on or off. Enabled, this is equivalent to specifying -a on the command line. PGP will then produce ASCII output files by default.

These are only a few (the most interesting in my opinion) of the options you can set in the configuration file. There are many more that let you, for example, fine-tune the way PGP handles keys introduced by others. Have a look at the PGP documentation. It's not half as boring as my babble.

That's it.


©2012 About.com. All rights reserved.

A part of The New York Times Company.