Fun things you can do with a PGP/GnuPG key
When I was asked "What else can you do with a OpenPGP/GnuPG key beyond the
normal signing/encrypting of files and e-mail messages?", I thought about
it and came up with a couple of ideas... but the question continued to nag
at me and I finally decided to do a 5-minute "lightning talk" at an
OCLUG meeting in February 2004
to discuss the topic.
With the help of some other folks who commented on an
article I posted at
Advogato.org, I have come up with a list of ideas
for ways to use your OpenPGP/PGP/GnuPG
key beyond the normal signing/encrypting files and e-mail.
PGP-encrypted Jabber IM- Have fully PGP-encrypted
instant messaging using a Jabber client such as
gabber that support the
spec for OpenPGP usage.
- Sign your packages - As described here, sign your rpms using
rpm --sign. The Debian package maintenance system apparently
automatically signs packages with your key. There is a "debsig-verify" tool
that can check these signatures. There is also a project called
dpkg-sig which is looking at
creating signatures inside of deb files and
APT Secure, which is a project
to include signatures in the apt package distribution process.
- Generate external signatures for your packages - If you don't use
RPMs or Deb files, or even if you do, you can create external signature files
that people can download and verify the integrity of your file. Two ways to
generate the external signature:
gpg -ba foo.tgz (creates foo.asc)
gpg --output foo.tgz.sig --detach-sig foo.tgz
and verification is simply:
gpg --verify foo.tgz.sig foo.tgz
- Sign your web pages - Provide a way that people can verify
the contents of your web pages.
This article and
this one give
ideas for how to do it with the PGP signature in the HTML page itself.
This link mentions external signatures as well. The process for an
external signature is quite simple. Create the HTML page and include the
link (tag and text) for the external signature file. Then generate the
external sig as mentioned above using the name you put in the link.
- PGP-encrypted voice - Use PGPfone for encrypted voice. Note that MIT has this up on their
web page that used to host PGPfone:
MIT is no longer distributing PGPfone. Given that the software has not been maintained since 1997, we doubt it would run on most modern systems.
- Get a digital timestamp on a message - Signing a message can
validate that you signed a file and it has not been modified since
that time, but what about validating when the message was sent?
The PGP Digital Timestamping
Service is one mechanism to assist.
- Post to web sites - Some sites such as
LiveJournal will let you post items on the web site via PGP-encrypted e-mail (with a paid LJ account).
- Send in your confession! - There is a
priest who takes confessions
via PGP-encrypted e-mail.
- Manage secondary DNS servers - A tool known as
allows you to manage secondary DNS servers via PGP-encrypted e-mail.
- Sign your configuration files - Several people have suggested
signing the configuration files in /etc so that modifications can be detected.
One person mentions that they have an application that checks the signatures
before the config files are loaded.
- Build it into your software - If you write software, there
are interfaces such as
that allow your program to interact with GnuPG and use keys.
Now for those folks who are interested in the whole Web of Trust and/or
statistics around the keys, there are certainly these options:
Feedback and suggestions are very welcome. If you have other ideas for
how to use a OpenPGP/PGP/GnuPG key, please e-mail me. I am particularly interested in suggestions for "regular"
computer users (i.e. not necessarily developers but just average computer
Copyright 2004 Dan York