GNU Privacy Assistant for Linux installation and operation guide
GNU Privacy Assistant is a user-friendly interface for managing PGP encryption and PGP signatures. This guide describes how to install and use GNU Privacy Assistant on Linux.
GNU Privacy Assistant on Whonix-Workstation
The GNU Privacy Assistant tool is installed by default on Whonix-Workstation and no manual installation of the GPG program is required on this system.
- For Whonix-Workstation on VirtualBox, search for GNU Privacy Assistant in the menu and click to run.
- In Qubes OS, for a created app qube from the whonix-workstation-17 template (for example: default anon-whonix) select gpa in the list of All available applications in the Settings→Applications menu, click > to move the program to the list of Applications shown in App Menu and confirm the changes by clicking OK. A shortcut to the GPA / GNU Privacy Assistant program will be visible in the Qubes system menu for the selected app qube.
Installation of GNU Privacy Assistant with APT (Debian, Ubuntu & Kali Linux)
On Debian and Ubuntu distributions, install the GPA package from the command console:
user@host:~$ sudo apt-get update
user@host:~$ sudo apt-get -y install gpa
We can launch GPA via a shortcut in the application menu or with the command:
user@host:~$ gpa
Installation of GNU Privacy Assistant with Flatpak (other Linux)
The Flatpak utility is installed by default in many recent Linux distributions. If the flatpak command is not available in the console, install Flatpak as instructed for the chosen distribution.
We add the Flathub repository and install the org.gnupg.GPA package with the commands:
sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
sudo flatpak install -y flathub org.gnupg.GPA
We can launch GPA via a shortcut in the application menu or with the command:
user@host:~$ flatpak run org.gnupg.GPA
Key generation in GNU Privacy Assistant
- In the pop-up window we click Do it later. We open the settings window from the Edit menu by selecting the Preferences option. In the new window we select the Use advanced mode option and click OK.
- From the Keys menu, select New key…. In the Name field we enter the nickname we will use on the forum. In the Email field we give the darknet email if we have one; the field can be omitted. The comment field can be omitted. Change the key size in the Key size field to 3072 and click OK.
- Enter a secure password twice and click OK.
GNU Privacy Assistant does not allow the creation of keys larger than 3072 bits. However, the unofficial standard of 4096-bit PGP keys adopted in the darknet has no basis in any official recommendations, and the highest value recommended for the RSA algorithm by organizations such as ECRYPT-CSA (2018) and NSA (2016) is the mentioned 3072 bits.
Private key backup in GNU Privacy Assistant
- Right click on the desired key in the list and select the Backup… option.
- We point to a secure location and make sure that the default path (e.g. /home/user/.gnupg/ … for Linux systems) does not appear in the file name. We click Save, enter the password we set when generating the key and confirm by clicking OK.
- We close the window with information about successful export. The file … .asc is a text file that contains both the private key block -----BEGIN PGP PRIVATE KEY BLOCK----- … and the public key block -----BEGIN PGP PUBLIC KEY BLOCK----- …, which can be imported into another GPG program in the same way public keys are imported.
A backup copy of the private key should be encrypted with VeraCrypt or TrueCrypt and placed on external media for protection against data loss.
Importing public keys in GNU Privacy Assistant
- Before encrypting a message, we must have the recipient’s public key. We can get the public key in an email message, in a private message on the forum or from a user profile.
- We import the previously copied public key by selecting the Paste option from the Edit menu. We close the window with information about successful import.
- The GPA program implements the WOT (Web Of Trust) model, so it relies on having other trusted public keys whose owners sign the PGP keys of other users, confirming their correctness. To stop GPA from treating the imported PGP key and its owner's signatures as untrusted, right click on the imported public key and select Sign keys… from the context menu. In the new window we select Sign only locally, confirm by clicking Yes and enter the password we set when generating the key.
We should make sure that the public key comes from a reliable source and that the key fingerprint (0F3F1 DE0E0 75DE9 … in the above example) is correct. A public key with the same name, email address and creation date can be created by anyone and used for impersonation. In this case, we follow the TOFU (Trust On First Use) model, that is, we accept the public key on the first import and later verify future key changes.
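The TOFU check described above can also be kept outside the GUI as a small pin file. The script below is an added example, not part of the original guide or of GPA; the function names, the pin-file layout (one "label fingerprint" pair per line) and the sample key records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the GPA project): TOFU pinning of PGP key fingerprints.
# Constructed sample in the format of: gpg --show-keys --with-colons key.asc
sample_colons() {
    cat <<'EOF'
pub:-:3072:1:89ABCDEF01234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::forum_nick:
sub:-:3072:1:1111111111111111:1700000000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:
EOF
}

# Primary key fingerprint = first "fpr" record, field 10 (later ones are subkeys).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Strip whitespace and upper-case, so a fingerprint copied in groups compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# tofu_check LABEL FINGERPRINT PINFILE
# Prints first-use, match, MISMATCH or invalid; non-zero status for the last two.
tofu_check() {
    fpr=$(normalize_fpr "$2")
    # A v4 OpenPGP fingerprint is 40 hex digits; refuse anything else.
    case "$fpr" in *[!0-9A-F]*) echo invalid; return 2 ;; esac
    [ "${#fpr}" -eq 40 ] || { echo invalid; return 2; }
    : >> "$3"   # create the pin file if it does not exist yet
    pinned=$(awk -v l="$1" '$1 == l { print $2; exit }' "$3")
    if [ -z "$pinned" ]; then
        printf '%s %s\n' "$1" "$fpr" >> "$3"   # first import: remember it
        echo first-use
    elif [ "$pinned" = "$fpr" ]; then
        echo match
    else
        echo MISMATCH                          # same label, different key
        return 1
    fi
}

# Demo on constructed data: the first import is pinned, a look-alike key is flagged.
pins=$(mktemp)
tofu_check forum_nick "$(sample_colons | primary_fpr)" "$pins"
tofu_check forum_nick "FEDCBA9876543210FEDCBA9876543210FEDCBA98" "$pins" || true
rm -f "$pins"
```

A MISMATCH result means the key offered under a known nickname is not the one accepted earlier, so the change has to be confirmed with the owner through a channel other than the one that delivered the new key.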
Message encryption in GNU Privacy Assistant
- Before encrypting a message, you have to import the public key from the recipient.
- We open the editor by clicking the clipboard icon. In the text editor of the GPA program, we type the content of the message to be encrypted. We click the encryption icon, select the recipient’s public key in the list and click OK.
We do not need to import the public key again when encrypting the next messages. The key will be saved in the program files.
Message decryption in GNU Privacy Assistant
We open the editor by clicking the clipboard icon. In the text editor of the GPA program, we paste the encrypted message. We click the decryption icon and (if a password prompt appears) we enter the password we set when generating the key.
Signing messages in GNU Privacy Assistant
We open the editor by clicking the clipboard icon. In the text editor of the GPA program, we type the content of the message to be signed. We click the signing icon, select our key in the list, click OK and (if prompted to enter a password) enter the password we set when generating the key.
Avoid signing messages that seem universal. For example, a signed “I agree” or “It’s me” message can be saved and used to impersonate you in another conversation. Signed messages should be complete sentences describing the purpose and circumstances of the signature.
Verifying messages in GNU Privacy Assistant
- Before verifying a message, you have to import the public key from the author.
- We open the editor by clicking the clipboard icon. In the text editor of the GPA program, we paste the signed message to be verified. We click the verify icon.
A valid signature will be marked with Valid status in green in the GPA program. We do not need to import the public key again when verifying subsequent signatures of the same author. The key will be saved in the program files.