Beginner's guide to PGP

by Nat Queen

[Note. This is a slightly modified version of an article that originally appeared in the March 2000 issue of Archive magazine. It is written specifically for users of RISC OS computers. Users of other versions of PGP should refer to my main PGP page.]

In a previous article, PGP for secure e-mail, I explained the concept of public-key cryptography and mentioned some reasons why you might want to use it to ensure the privacy of your e-mail, and also to authenticate your messages by means of digital signatures. If that didn't convince you of its usefulness, I recommend that you read André Bacard's PGP FAQ.

The worldwide standard program for secure e-mail is PGP (Pretty Good Privacy), which was originally created by Philip Zimmermann. Versions are now available for all major computer systems. The current RISC OS version was ported several years ago by Gareth McCaughan from an early DOS version. Unfortunately, unlike the more recent Windows versions, it can be used only from the command line and is therefore not one of the easiest programs to use. However, to make life easier, there are some excellent front ends.

This article is a brief introduction to PGP and its commands, aimed mainly at new users. Although the available front ends make the use of PGP fairly intuitive, I believe that it is helpful to learn how to use PGP from the command line, if only to gain a good understanding of what it actually does, and also because the front ends support only the most basic functions of PGP, so that the command line is essential for some special purposes.

Installing PGP

Although PGP for RISC OS can be downloaded directly from the author's ftp site, I recommend that you get it from my own download site at, since several good front ends for PGP and other related security software can be found in the same place.

When you have downloaded PGP, you will find a large number of files in the archive. These include the source code, contained in a directory "src" of size 1 MB. If you are not interested in how PGP is coded, or if you are short of disc space, you may safely delete that source directory. The remainder of the PGP distribution should be placed in some convenient directory on your hard disc, such as "$.PGP".

The file "pgp" in the PGP distribution is the executable which does all the work. You should put a copy of it in your library directory (usually "$.Library" by default), where it will be found whenever you type "pgp" at the command line.

Next, set the system variable PGPPATH to the name of your chosen PGP directory, so that PGP will know where to find certain important files when it is run. The best procedure is to add a line like "Set PGPPATH adfs::HardDisc4.$.PGP" in your boot sequence. You are now ready to use PGP.

A summary of the main commands can be obtained by typing the "help" command "pgp -h". Even if you forget this command, you can type simply "pgp", and you will be reminded!

Generating a key pair

Before you can use PGP for secure e-mail, you must generate a key pair by means of the command "pgp -kg". A key pair consists of a secret key and a public key. Your secret key is used to decrypt messages intended for you, and also for you to create digital signatures. This secret key remains strongly encrypted at all times on your hard disc. When you generate a key pair, you are asked for a pass phrase (not a password, which is considered very weak!), and you will later have to enter this pass phrase whenever PGP needs to use your secret key. Thus, your secret key will be inaccessible to anyone else, even if other people have access to the same computer. On the other hand, your public key should be made available to anyone who might want to send you encrypted messages or check your digital signatures.

When generating a key pair, PGP suggests several possible key sizes. To ensure good security for the foreseeable future, you should choose the "military grade". This gives far higher security than the other options, at almost no cost in processing time on modern computers. You are also asked for a userID to identify your key pair. The generally accepted convention for this is to include your name followed by your e-mail address enclosed in angular brackets. For example, my userID is "Nat M. Queen <>". The key pair that you create will be stored in a pair of secret and public "keyring" files in your PGP directory.

Receiving encrypted messages

To enable other people to send you encrypted messages, you must make your public key available to them. If you use PGP with numerous correspondents, as I do, you will probably want to learn how to submit your public key to the "key servers" on the Internet, so that you will not have to send it personally to all and sundry. For now, however, you can extract your public key into a file by means of the command "pgp -kxa <ID> <keyfile>".

Here, the parameter -k refers to key management, -x means that you want to extract a key, and -a means that the output should be "ASCII-armoured", so that it can be safely transmitted as part of an e-mail message; <ID> can be any substring of your userID which uniquely specifies your key among all those in your public keyring (if this substring contains spaces, it must be enclosed in double quotes: "..."); <keyfile> is the name of the file into which you want to extract the key. If you specify the filename "key", for example, PGP will name the file "key/asc" to indicate that it is ASCII-armoured. This file can be inserted into an e-mail message, or it can be placed on a website for anyone to download.

If you receive an e-mail containing an encrypted message, decrypting it is simplicity itself. Simply type the command "pgp <filename>", where <filename> is the name of the file containing the encrypted message. If the file is not in your current directory, don't forget to specify its full pathname. PGP will check that you have the correct secret key to decrypt the file, and will then ask for your pass phrase for accessing that key. If you enter the correct pass phrase, the decrypted message will be written to an output file.

When you decrypt a message, PGP automatically recognises whether it contains a digital signature. If it does, and if your public keyring contains the public key of the sender, PGP will report whether or not the signature is valid. Such digital signatures provide an almost infallible means of detecting corrupted messages or forgeries. Since a secret key is required to create a signature, a valid signature confirms that the message must have come from the owner of the secret key corresponding to the public key in your keyring. If anyone were to tamper with the message by changing even a single byte, the signature would become invalid.

Sending encrypted messages

To send encrypted e-mail to other users of PGP, you will need their public keys. Suppose that you have received someone's public key and have saved it in a file "key/asc". You can add this key to your public keyring by simply typing the command "pgp key/asc". PGP will recognise that the file contains a public key and will ask whether you want to add it to your public keyring.

Suppose now that you want to encrypt a message for someone whose public key is already in your public keyring. You can do this by means of the command "pgp -seat <textfile> <ID>", where <textfile> is the name of the file containing the message, and <ID> is any identifying substring of the intended recipient's userID. The (optional) parameter -s means that you want to add a digital signature to the message, -e indicates that it should be encrypted, -a tells PGP to make the output ASCII-armoured, and -t indicates that the original file is a text message, not a binary file, and ensures that there will be no problems if the recipient's computer has a different line terminator from your own. If the original message is in a file called "text", for example, PGP will output the encrypted (and signed) message in a file "text/asc".

Other options

The commands described above should be sufficient to get you started with PGP. However, PGP can also perform many other functions. For example, you can encrypt a message for several recipients simultaneously. You can remove keys from your keyring, create additional keyrings for special purposes, or change your pass phrase. You can also use PGP for "conventional encryption", i.e. simple encryption of files on disc without using the public-key system. These are just a few of the possibilities. Once you have mastered the basic commands outlined above, you should have no difficulty in learning how to use many other powerful features of PGP.

Before using PGP for any serious purpose, you should read at least Volume I of the manual, which is contained in the file "doc.pgpdoc/txt" of the PGP distribution. This is important not only for learning what else PGP can do, but also for understanding how to use it well. If you use an encryption program carelessly, you may gain a false sense of security, which could be worse than no security at all; but if you use PGP properly, you will have true "military-strength" security.

Front ends

Many users of PGP for RISC OS find its commands confusing and prefer to use a front end. Indeed, there is no need to rely entirely on raw PGP. Perhaps the front end which is most widely known is !PGPwimp by Peter Gaunt. There are several others, all of which simplify the basic operations of encryption and decryption described above, but none of which can handle all the functions that PGP can perform. Basic PGP support for users of the ANT Internet Suite is provided by Tony Hopstaken's program !AutoCrypt. All these programs can be downloaded from my security site mentioned earlier in this article. Some other mail programs include their own support for PGP.

If you are new to PGP, you may want to practise encrypting a few text files with your own public key and then check that you can successfully decrypt them. This will give you confidence about using PGP for real e-mail.

Back Back to download page, where you can also find information about other RISC OS security programs.

Back Main PGP page for general information about PGP.