[Note. This is a slightly modified version of an article that originally appeared in the March 2000 issue of Archive magazine. It is written specifically for users of RISC OS computers. Users of other versions of PGP should refer to my main PGP page.]
In a previous article, PGP for secure e-mail, I explained the concept of public-key cryptography and mentioned some reasons why you might want to use it to ensure the privacy of your e-mail, and also to authenticate your messages by means of digital signatures. If that didn't convince you of its usefulness, I recommend that you read André Bacard's PGP FAQ.
The worldwide standard program for secure e-mail is PGP (Pretty Good Privacy), which was originally created by Philip Zimmermann. Versions are now available for all major computer systems. The current RISC OS version was ported several years ago by Gareth McCaughan from an early DOS version. Unfortunately, unlike the more recent Windows versions, it can be used only from the command line and is therefore not one of the easiest programs to use. However, to make life easier, there are some excellent front ends.
This article is a brief introduction to PGP and its commands, aimed mainly at new users. Although the available front ends make the use of PGP fairly intuitive, I believe that it is helpful to learn how to use PGP from the command line, if only to gain a good understanding of what it actually does, and also because the front ends support only the most basic functions of PGP, so that the command line is essential for some special purposes.
When you have downloaded PGP, you will find a large number of files in the archive. These include the source code, contained in a directory "src" of size 1 MB. If you are not interested in how PGP is coded, or if you are short of disc space, you may safely delete that source directory. The remainder of the PGP distribution should be placed in some convenient directory on your hard disc, such as "$.PGP".
The file "pgp" in the PGP distribution is the executable which does all the work. You should put a copy of it in your library directory (usually "$.Library" by default), where it will be found whenever you type "pgp" at the command line.
Next, set the system variable PGPPATH to the name of your chosen PGP directory, so that PGP will know where to find certain important files when it is run. The best procedure is to add a line like "Set PGPPATH adfs::HardDisc4.$.PGP" in your boot sequence. You are now ready to use PGP.
A summary of the main commands can be obtained by typing the "help" command "pgp -h". Even if you forget this command, you can type simply "pgp", and you will be reminded!
When generating a key pair, PGP suggests several possible key sizes. To ensure good security for the foreseeable future, you should choose the "military grade". This gives far higher security than the other options, at almost no cost in processing time on modern computers. You are also asked for a userID to identify your key pair. The generally accepted convention for this is to include your name followed by your e-mail address enclosed in angular brackets. For example, my userID is "Nat M. Queen <email@example.com>". The key pair that you create will be stored in a pair of secret and public "keyring" files in your PGP directory.
Here, the parameter -k refers to key management, -x means that you want to extract a key, and -a means that the output should be "ASCII-armoured", so that it can be safely transmitted as part of an e-mail message; <ID> can be any substring of your userID which uniquely specifies your key among all those in your public keyring (if this substring contains spaces, it must be enclosed in double quotes: "..."); <keyfile> is the name of the file into which you want to extract the key. If you specify the filename "key", for example, PGP will name the file "key/asc" to indicate that it is ASCII-armoured. This file can be inserted into an e-mail message, or it can be placed on a website for anyone to download.
If you receive an e-mail containing an encrypted message, decrypting it is simplicity itself. Simply type the command "pgp <filename>", where <filename> is the name of the file containing the encrypted message. If the file is not in your current directory, don't forget to specify its full pathname. PGP will check that you have the correct secret key to decrypt the file, and will then ask for your pass phrase for accessing that key. If you enter the correct pass phrase, the decrypted message will be written to an output file.
When you decrypt a message, PGP automatically recognises whether it contains a digital signature. If it does, and if your public keyring contains the public key of the sender, PGP will report whether or not the signature is valid. Such digital signatures provide an almost infallible means of detecting corrupted messages or forgeries. Since a secret key is required to create a signature, a valid signature confirms that the message must have come from the owner of the secret key corresponding to the public key in your keyring. If anyone were to tamper with the message by changing even a single byte, the signature would become invalid.
Suppose now that you want to encrypt a message for someone whose public key is already in your public keyring. You can do this by means of the command "pgp -seat <textfile> <ID>", where <textfile> is the name of the file containing the message, and <ID> is any identifying substring of the intended recipient's userID. The (optional) parameter -s means that you want to add a digital signature to the message, -e indicates that it should be encrypted, -a tells PGP to make the output ASCII-armoured, and -t indicates that the original file is a text message, not a binary file, and ensures that there will be no problems if the recipient's computer has a different line terminator from your own. If the original message is in a file called "text", for example, PGP will output the encrypted (and signed) message in a file "text/asc".
Before using PGP for any serious purpose, you should read at least Volume I of the manual, which is contained in the file "doc.pgpdoc/txt" of the PGP distribution. This is important not only for learning what else PGP can do, but also for understanding how to use it well. If you use an encryption program carelessly, you may gain a false sense of security, which could be worse than no security at all; but if you use PGP properly, you will have true "military-strength" security.
If you are new to PGP, you may want to practise encrypting a few text files with your own public key and then check that you can successfully decrypt them. This will give you confidence about using PGP for real e-mail.
Back to download page, where you can also find information about other RISC OS security programs.
Main PGP page for general information about PGP.