So you have your keys all set up, you’ve found a dozen people to sign them and you’ve entered the web of trust. Now you have an extremely confidential file, let’s say your tax records, and you want to send it to your accountant.
The first step is to find your accountant’s key. You know from talking to him earlier that he publishes to the same keyserver as you, but he forgot to give you his key ID. To find him we have to run a GPG search as follows:
$ gpg --search-keys "Mister Accountant"
gpg: searching for "Mister Accountant" from hkp server keys.gnupg.net
(1)     Mister Accountant
          1024 bit DSA key 63ABD9EC, created: 2007-11-07
(2)     Mister Accountant
          1024 bit DSA key 01129335, created: 2006-09-11
(3)     Mister Jones
          1024 bit DSA key DFAAA99E, created: 2006-02-18
Keys 1-3 of 3 for "email@example.com".  Enter number(s), N)ext, or Q)uit >
You’ll notice from the output that multiple results have been returned. Two of them even have the same uid. So how do we know which one to use? At the moment we don’t really. We know what his email address is from his business card, so let’s download both of those matching keys. You can either enter multiple numbers on that screen or use this command:
$ gpg --recv-keys 63ABD9EC 01129335
gpg: key 63ABD9EC: public key "Mister Accountant" imported
gpg: key 01129335: public key "Mister Accountant" imported
gpg: Total number processed: 2
gpg:               imported: 2
Now that we have both keys, we need to establish which one really belongs to our accountant. To do this we’ll examine the signatures on the keys. For that we use the following commands:
$ gpg --list-sigs 63ABD9EC
pub   1024D/63ABD9EC 2006-09-11
uid                  Mister Accountant
sig          A3B14DFA 2006-09-11  Daniel Hall
sig 3        63ABD9EC 2006-09-11  Mister Accountant
sub   2048g/DAA19215 2006-09-11
sig          63ABD9EC 2006-09-11  Mister Accountant

[daniel@rosella ~]$ gpg --list-sigs 01129335
pub   1024D/01129335 2007-11-07
uid                  Daniel Hall
sig 3        01129335 2007-11-07  Daniel Hall
sub   2048g/BBBBBBBB 2007-11-07
sig          01129335 2007-11-07  Daniel Hall
You can now see that your good friend Daniel, whom you trust, has signed one of the keys, but nobody has signed the other. This means that as long as you trust Daniel, you can trust that key to be Mister Accountant’s. So now comes the easiest part of the process: encrypting the file. In this case we also want to sign it so that our accountant knows these documents come from us. We just run the command:
$ gpg -e -R 63ABD9EC --sign
Again, you can add the armour option to output the file as ASCII, which is suitable for attaching to an email or, for those of us who are ultra secretive, hiding inside a JPEG file. If you want to try your hand at hiding things in JPEG files, install SteGUI or steghide.
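The signature check described earlier (working out which of the two downloaded keys Daniel has signed) can be scripted against gpg's machine-readable listing. This is an added example, not code from the original post: the function names, the zero-padded long key IDs and the sample listing are constructed for illustration, and it uses `--check-sigs` rather than `--list-sigs` so that only signatures gpg has actually verified are counted.

```shell
#!/bin/sh
# Added example (not from the original post): list candidate keys that carry a
# verified certification from a key you already trust.

# vouched_keys TRUSTED_LONG_ID
# Reads `gpg --check-sigs --with-colons` output on stdin. Prints the long key
# ID of each public key holding a good ("!") signature made by TRUSTED_LONG_ID.
# Self-signatures and signatures gpg could not verify are ignored.
vouched_keys() {
    awk -F: -v trusted="$1" '
        $1 == "pub" { key = toupper($5) }            # a new key block starts
        $1 == "sig" && substr($2, 1, 1) == "!" &&
        toupper($5) == toupper(trusted) && toupper($5) != key && !(key in seen) {
            seen[key] = 1
            print key
        }
    '
}

# Constructed sample in gpg colon format (not real gpg output). Long IDs are
# the short IDs from the post padded with zeros; timestamps are made up to
# match the listed dates.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:0000000063ABD9EC:1157932800:::-:::scESC:
uid:-::::1157932800::::Mister Accountant:
sig:!::17:00000000A3B14DFA:1157932800::::Daniel Hall:10x:
sig:!::17:0000000063ABD9EC:1157932800::::Mister Accountant:13x:
sub:-:2048:16:00000000DAA19215:1157932800::::::e:
sig:!::17:0000000063ABD9EC:1157932800::::Mister Accountant:18x:
pub:-:1024:17:0000000001129335:1194393600:::-:::scESC:
uid:-::::1194393600::::Mister Accountant:
sig:!::17:0000000001129335:1194393600::::Mister Accountant:13x:
sub:-:2048:16:00000000BBBBBBBB:1194393600::::::e:
sig:!::17:0000000001129335:1194393600::::Mister Accountant:18x:
EOF
}

# Real use (Daniel's long key ID is a placeholder you fill in):
#   gpg --check-sigs --with-colons 63ABD9EC 01129335 | vouched_keys <DANIEL_LONG_ID>
sample_listing | vouched_keys 00000000A3B14DFA    # prints 0000000063ABD9EC
```

For `--check-sigs` to mark a signature as good, the signer's public key must already be in your keyring. Eight-digit key IDs like the ones shown in the listings are short enough to collide, so before encrypting compare the chosen key's full fingerprint (`gpg --fingerprint`) with one your accountant gives you directly.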