GnuPG/es

Esta guía le enseñará a los usuarios de Gentoo Linux lo básico del uso de GnuPG, una herramienta para comunicaciones seguras.

Lo que el lector aprenderá de esta guía
Esta guía asume que el lector está familiarizado con la criptografía de clave pública, cifrado y firmas digitales. Si no es el caso, eche un vistazo al manual oficial de GnuPG, en particular al segundo capítulo, y luego vuelva a este artículo.

Readers will learn how to install GnuPG, create a key pair, add keys to a keyring, and submit a public key to a key server. Readers will also learn how to sign, encrypt, verify, and decrypt messages and files sent and received.

Otro software
At the very least, GnuPG must be emerged. Many applications today have some sort of support for PGP, so having  as a USE flag is a good idea. When desiring an email client capable of using GnuPG any of the following options are well suited:
 * PinePGP.
 * Mutt - A small but very powerful text-based mail client.
 * Thunderbird - Mozilla's e-mail solution.
 * Evolution - A GNOME Microsoft Outlook work alike.
 * KMail - KDE's mail client.
 * Installing KGPG might be of interest when using the KDE desktop environment. This small program allows for the generation of key pairs, importing keys from ASCII files, signing imported keys, exporting keys, among a few other nifty features.

Crear una clave
To create a key, use the command. The first time it is run, it will create some directories essential to the correct operation and implementation of GnuPG. Run it again to create the keys:

The type of key can be chosen, but most users will go for the default, RSA and RSA. Next is the key size - remember that bigger is better, but do not use a size larger than 2048 with DSA/ElGamal keys. 2048 is generally more than enough for normal email communication.

After size comes the expiration date. Here smaller is better, but users can go for a key that never expires, or for an expiration date of around 2 or 3 years.

Now it is time to enter some personal information about the key's user. When sending a public key to other users it is important that a real email address is used (as opposed to a fake one).

Now enter a key passphrase twice. It is a good idea to use a strong passphrase. If someone is able to obtain the associated private key and cracks the password they will be able to impersonate the user by sending signed messages just as the user would. The malicious user could dupe the victims contacts into believing the e-mails or messages were sent by the victim.

Next, GnuPG will generate a key. Moving the mouse, browsing the web, or streaming audio in the background will help speed up the process of generating random data, which is used to increase the security of the key pair.

Generar un certificado de revocación
After creating the keys a revocation certificate should be created. Doing this allows the user to revoke the key in case something nasty happens (such as a malicious user gaining control of the key/passphrase).

lists the keys in the public keyring. It may be used to see the ID of the key so that a revocation certificate can be created. It is a good idea to copy the entire directory and the revocation certificate (ASCII armored - ) to a secure medium (a CD-R or a USB drive stored in a safe location). Remember that the file can be used to revoke the keys and make them unusable in the future.

Exportar claves
To export a key, run. You can almost always use the key ID or something that identifies the key (in this example an email address was used). Larry now has a that he can send his friends, or place on his web page so that others can safely communicate with him.

Importar claves
Para añadir claves a un llavero público, se deben seguir los siguientes pasos:
 * 1) Importar la clave
 * 2) Comprobar la huella digital de la clave
 * 3) Después de verificar la huella digital de la clave, se debe validar.

Now we will be adding Luis Pinto's (a friend of mine) public key to our public keyring. After giving him a call and asking him for his key fingerprint, I compare the fingerprint with the output of the command. As the key is authentic, I add it to the public keyring. In this particular case, Luis's key will expire in 2003-12-01 so I am asked if I want my signature on his key to expire at the same time.

Enviar claves a los servidores de claves
Now that a key has been generated, it is probably a good idea to send it to a world key server. There are a lot of key servers in the world and most of them exchange keys. In this next example Larry the cow's key will be sent to the keys.gnupg.net server. Sending keys uses HTTP, so if a proxy is used for HTTP traffic do not forget to set it accordingly. The command for sending the key is: where   is the key ID. If a HTTP proxy is not needed then the  option can be removed.

También es buena idea enviar al servidor las claves de otras personas que Larry ha firmado. Podríamos enviar la clave de Luis Pinto al servidor. De esta forma alguien que confía en la clave de Larry puede usar la firma que ha puesto ahí para confiar en la clave de Luis.

Obtener claves desde los servidores de claves
Now we are going to search for Gustavo Felisberto's (the author of this guide :)) key and add it to the keyring of Larry the cow.

Echando un vistazo a la respuesta del servidor, es posible comprobar que se han enviado pocas claves, sin embargo solo se utiliza. Ahora la vaca Larry puede obtener la clave y firmala si confía en su procedencia.

¿Qué es un Agente GPG?
Sometimes working with certain applications requires the frequent use of a GPG key, which means that a passphrase must be frequently entered. In the past many applications supported a passphrase caching mechanism. This would make life easier for users because passphrases were automatically entered. However, this disallowed sharing this cache across programs (how secure would that be?) and forced applications to reinvent the wheel over and over again.

A GPG agent is a separate application that GPG uses to cache the passphrase in a standard and secure way. It allows applications to use GPG concurrently: if the passphrase is entered while working in one application, the other application can work with GPG without needing to unlock the key again — if the GPG Agent is configured to allow this, of course.

Gentoo proporciona algunas aplicaciones de agente GPG. El paquete se puede considerar como referencia, y será la opción principal en este artículo.

Configurar gpg-agent y pinentry
GnuPG includes. Pinentry is a helper application that  uses to request the passphrase in a graphical window. It comes in three flavors: it can pop up a window using the GTK+, QT, or curses libraries (depending on the USE flags set when emerging).

If was installed with more than one popup window type, it is possible to choose between the windows with the  command:

Now create a file called and add the following lines to define the default timeout of the passphrase (e.g. 30 minutes) and the application to be called when the passphrase needs to be retrieved (e.g. the GTK+ version of Pinentry).

Ahora configure GnuPG para que use un agente cuando sea conveniente. Edite y agregue la siguiente línea:

Ahora el sistema está (casi) listo para usar el agente GPG.

Iniciar automáticamente el agente GPG
If KDE is used as the desktop environment, edit (system-wide, for KDE4 ) or  (local user,  in KDE4). Add the following command to the appropriate file to have KDE automatically start the GPG Agent:

Additionally, uncomment the following lines in (system-wide,  in KDE4) or add it to  (local user,  in KDE4):

When using a desktop environment other than KDE, put the above lines in if  is used to start X.org or  if XDM, GDM, KDM, etc. are used.

Cifrar y firmar
Supongamos que Larry tiene un archivo que quiere enviar a Luis. Larry puede cifrarlo, firmarlo, o cifrarlo y firmarlo. Cifrarlo significa que solo Luis podrá abrirlo. La firma le indica a Luis que el archivó realmente lo creó Larry.

To encrypt:

Para firmar:

To encrypt and sign:

This will create binary files. To create ASCII files, just add the  option to the beginning of the command.

Descifrar y verificar firmas
Suppose that Larry has received an encrypted file. The command used to decrypt it is. This will decrypt the document and verify the signature (if there is one).

Cifrar y descifrar sin claves
It is possible to encrypt files using passwords instead of keys. The password itself will function as the key — it will be used as a symmetric cipher. The file can be encrypted using ; decrypting uses the same command mentioned above.

GnuPG le pedirá una una contraseña y su verificación.

Características avanzadas
Hay algunas características avanzadas agradables en GnuPG. Para encontrarlas, abra el archivo

Uncomment the two lines above. With this modification, any time GnuPG needs to check a signature and does not find the public key on the local keyring it will contact the key server at keys.gnupg.net in an attempt to fetch the public key from the server.

Another nice command is. This will contact the key server defined in the configuration file and refresh the public keys in the local keyring from there. It is capable of searching for revoked keys, new IDs, and new signatures on keys. It is a wise idea to run this command once or twice a month; if a user revokes their key this can provide a notification the key can no longer be trusted.

Acerca de las firmas en los correos electrónicos
El 95% del tiempo GnuPG se utiliza para el firmado y cifrado de mensajes de correo electrónico o para leer mensajes firmados y cifrados.

Hay dos formas de firmar o cifrar un correo electrónico con GnuPG, la antigua y nueva. En la antigua, los mensajes aparecían en texto plano sin formato posible y los archivos adjuntos estaban sin firmar o sin cifrar, a continuación se muestra un ejemplo de un mensaje firmado a la antigua:

Mensajes como éste no son buenos en el mundo actual, en el que hay hemosas interfaces gráficas y lectores de correo que comprenden HTML.

Para solucionar esto se creó una extensión a MIME (Extensiones de Correo de Internet Multipropósito). Esto añade un campo al mensaje de correo electrónico que notifica al programa lector de correo que el contenido completo del mensaje está firmado o cifrado. El problema es que no todos los lectores de correo soportan estas características. Algunos incluso desordenan el contenido (el programa Microsoft Outlook es famoso por no funcionar bien con esto).

Kgpg
Kgpg is a wonderful GUI for GnuPG. The main screen provides an area to paste text to sign or encrypt. The reverse is also true: ASCII armored text to be decrypted can also be entered.

Seahorse
Seahorse aims to be a GnuPG GUI interface for the GNOME desktop. The software has been evolving fast, but it still lacks many important features that can be found in Kgpg or the command line version.

KMail
If the  USE flag is set, KMail will be compiled with gpg support, and will be able to encrypt and decrypt inline PGP mails automatically as well as encrypting OpenPGP/MIME mails. To decrypt OpenPGP/MIME mails (which most users want) a GPG agent must be running.

Para verificar si KMail está configurado adecuadamente, vaya a. Se debería listar un entorno basado en GpgME y la casilla OpenPGP debería estar marcada. Si está listada pero en color gris, haga clic en. Si el entorno permanece en color gris esto indica que KMail no está funcionando correctamente.

Cuando no se pierda el control de KMail, lea la official página PGP de KMail para obtener más información.

Claws-Mail
This mail client is very fast with big mailboxes, has all the nice features one wants in mail readers and works well with GPG. The only problem is that it does not work with the old PGP signatures, so when receiving those kind of mails the signatures must be hand-checked.

To use a GPG key with Claws-Mail navigate to. Once there choose which key to use, most users should go with the default key.

Algunos problemas
I had some problems with photos in keys. Check the version you are using. If you have GnuPG 1.2.1-r1 and higher you are probably OK; older versions may have problems. Also most key servers do not like keys with photos, so you are better off not adding photos.

The latest versions of GnuPG seem to have broken, which was used to send all keys in a keyring to the public server.

¿Qué no se ha incluido aquí?
is a very complex tool. It lets users do much more than what has been covered here. This document is for users who are new to GnuPG. For more information check out the official GnuPG website.

This article does not cover tools such as pgp4pine, gpgpine, evolution, and Windows GPG tools.

Créditos
El Manual GnuPG de John Michael Ashley es un buen libro para principiantes.

Swift (Sven Vermeulen) por animarme a reescribir esta guía.

Everyone in the team; you guys rock.

Gracias a Tiago Serra por apoyarme en el estudio de la privacidad.