wiki:doc/TorifyHOWTO/GnuPG

Written: 2018-05-19 (Jaruga)

Gnu Privacy Guard / GnuPG

Several technical terms are used in the instructions and information below; in the original wiki they are shown in bold. For a glossary explaining their definitions, see the Term Glossary section at the end of this page.

GnuPG (or 'GPG' for short) is free and open-source software that allows users to generate and utilise asymmetric cryptographic key pairs (most commonly known as public and private keys) to secure communications over the internet. The public key is used to encrypt messages directed towards the key pair's owner and can be distributed in a number of ways, such as via keyservers. The private key is required for decryption, and is intended to be kept secret and secure. Using this method provides integrity, authentication, non-repudiation and confidentiality. For messages that are not private, the key pair can also be used to digitally 'sign' a message. While the message is not encrypted, signing allows the receiver to verify that the contents actually come from the key owner and have not been tampered with in transit. This method ensures only integrity, authentication and non-repudiation.

When a file or message is encrypted using an individual's public key, GnuPG converts it to a long string of seemingly random characters (commonly known as 'ciphertext'). In order to decrypt and read the original contents, an individual must be in control of the associated private key, as well as the passphrase protecting it.

GPG also supports the generation and use of symmetric cryptographic keys.

Official site: https://GnuPG.org

Tor Documentation Referencing GnuPG

Torifying GnuPG

Below are instructions on Torifying GnuPG from the command line on GNU/Linux and MacOS, as well as with GPG4Win / Kleopatra for Windows.

Torifying GnuPG on GNU/Linux

It is very likely both Tor and GnuPG will be in your distribution's repositories. If you do not already have them installed, please refer to the documentation for your OS for more information on the packages.

Torifying GnuPG from the command line is a relatively simple task. Since v2.1, GnuPG uses dirmngr to facilitate communication with keyservers. To quote the documentation directly:

"The option --use-tor switches Dirmngr and thus GnuPG into “Tor mode” to route all network access via the Tor Network. Certain other features are disabled in this mode. The effect of --use-tor cannot be overridden by any other command or even by reloading gpg-agent. The use of --no-use-tor disables the use of Tor. The default is to use Tor if it is available on startup or after reloading dirmngr."

Another option is to insert use-tor into the ~/.gnupg/dirmngr.conf file.

For further information on dirmngr options in GnuPG, see this section of their official documentation.

Torifying GnuPG on MacOS

Torifying GnuPG on MacOS is largely done in the same fashion as the GNU/Linux instructions; the primary difference is how you install Tor and GnuPG. The most common method is installing Tor Browser and GPG Suite. Users can also install both using Homebrew by issuing the command brew install gnupg tor.

After installation, open up ~/.gnupg/dirmngr.conf in your favourite text editor and add the line use-tor.
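The GNU/Linux and MacOS instructions above both come down to the same change: the line use-tor in ~/.gnupg/dirmngr.conf. The following script is an added example, not code from the Tor wiki or from the GnuPG project. It makes that edit idempotently (so re-running it never duplicates the line, and a contradicting no-use-tor line is removed), and then asks the running dirmngr whether Tor mode is actually in effect. The configuration path is passed as a parameter so the edit can be tried on a scratch copy first; the verification step assumes GnuPG 2.1 or later is installed, because it relies on dirmngr's GETINFO tor query.

```shell
#!/bin/sh
# Added example (not from the Tor wiki page or the GnuPG project):
# switch dirmngr into Tor mode by editing dirmngr.conf, then confirm
# the setting from the live daemon. The config path is a parameter so
# the same function can be exercised against a scratch copy.

# Enable Tor mode in the given dirmngr.conf, idempotently: remove any
# "no-use-tor" line that would contradict it, append "use-tor" only if it
# is not already present, and leave every other line untouched.
enable_dirmngr_tor() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    # grep -v exits 1 when nothing is left to print, hence the "|| :"
    if grep -qx 'no-use-tor' "$conf"; then
        { grep -vx 'no-use-tor' "$conf" || :; } > "$conf.tmp" && mv "$conf.tmp" "$conf"
    fi
    grep -qx 'use-tor' "$conf" || printf 'use-tor\n' >> "$conf"
}

# Exit 0 if the config file turns Tor mode on ("use-tor" present and no
# competing "no-use-tor"), exit 1 otherwise.
conf_has_tor_mode() {
    grep -qx 'use-tor' "$1" && ! grep -qx 'no-use-tor' "$1"
}

# Ask the live dirmngr whether it is really in Tor mode. dirmngr answers
# "GETINFO tor" with OK only when use-tor is in effect; reload it first so
# a just-edited config file is picked up. Requires GnuPG >= 2.1 on PATH.
dirmngr_tor_mode_active() {
    gpgconf --reload dirmngr 2>/dev/null
    gpg-connect-agent --dirmngr 'GETINFO tor' /bye 2>/dev/null | grep -q '^OK'
}

# Usage on a real system (uncomment to apply to your own GnuPG home):
# enable_dirmngr_tor "${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf"
# dirmngr_tor_mode_active && echo "dirmngr is in Tor mode" || echo "dirmngr is NOT in Tor mode"
```

The file edit and the daemon check are deliberately separate: the config line only expresses intent, and dirmngr reads it on start or reload, so the GETINFO query is what tells you the keyserver traffic will actually go through Tor. Tor mode also needs a Tor SOCKS listener to connect to, which is why the Windows section below insists that Tor Browser be running; with no Tor reachable, keyserver refreshes time out rather than falling back to a direct connection.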

Torifying GnuPG on Windows

For Windows users, a program's own built-in Tor setting, where one is offered, is often the advised way to use the Tor network with GnuPG. For those who are not confident checking their connection for leaks, there is a higher probability that the maintainers have kept a proper Tor routing option working than that a home-made method will succeed. Regardless, please use caution and do proper research on the security posture of a particular program before attempting to use it.

There are a couple of popular front-end options for using GnuPG on Windows. These instructions cover GPG4Win / Kleopatra.

  1. First and foremost, download and install GPG4Win.
    • The default installation configuration should be fine for most people.
  2. After installation, check off the 'Run Kleopatra' option. Click OK.
  3. When Kleopatra loads, hover over the 'Settings' option in the toolbar.
  4. Select 'Configure Kleopatra...'
  5. On the bottom of the left menu, select GnuPG Systems.
  6. At the top are five tabs. Select the 'Network' tab.
  7. Scroll down to the 'Options controlling the use of Tor' section.
  8. Check the box beside 'Route all network traffic via Tor'. Click OK.
    • Note: Tor Browser MUST be running.
  9. Refresh your keys to ensure Kleopatra is able to connect successfully.

You should now be successfully using GnuPG via the Tor Network. It is important to remember that Tor Browser must be running first every time you wish to refresh from keyservers, otherwise the connection will time out.

Term Glossary

Term: Description
Key pair: A pair of asymmetric keys, commonly known as public and private keys
Public key: The half of a key pair that is distributed publicly and used for encrypting
Private key: The half of a key pair that is kept secret, and is used for decryption
Keyserver: A server used for the distribution of public keys and assisting in the WoT (web of trust) process
Integrity: A verification that the enclosed contents have not been tampered with in transit
Confidentiality: A verification that the enclosed contents are unreadable, except for the intended recipient
Authentication: A verification that the person who is sending / signing is who they say they are
Non-repudiation: Assurance that nobody, including the author, can dispute the origin of the message itself
Asymmetric keys: Commonly referred to as a 'keypair'. It is two separate keys, one public, one private
Symmetric keys: An older method of encryption. One key is used for both encryption and decryption

Index of Keyservers

Hostname(s) | Ports / protocols | Onion link | Onion ports / protocols
pool.sks-keyservers.net | HKP (11371) | - | -
hkps.pool.sks-keyservers.net | HKP (11371), HKPS (443) | - | -
subkeys.pgp.net | HKP (11371) | - | -
pgp.mit.edu | HKP (11371) | - | -
keys.gnupg.net | HKP (11371) | - | -
sks.fidocon.de | HTTPS (443), HTTP (80) | - | -
zimmermann.mayfirst.org | HKP (11371), HKPS (443) | qdigse2yzvuglcix.onion | HTTPS (443), HTTP (80), HKP (11371)
keys.indymedia.org | HKP (11371), HTTPS (443), HKPS (443), HTTP (80) | qtt2yl5jocgrk7nu.onion | HTTPS (443), HTTP (80), HKP (11371)
keys.indymedia.org | HKP (11371), HTTPS (443), HKPS (443), HTTP (80) | 2eghzlv2wwcq7u7y.onion | HKP (11371), HTTP (80)
Last modified on Jun 25, 2018, 6:43:42 PM