Ask Leo! by Leo A. Notenboom

How do I send encrypted email?


Comments


You mentioned below that there are ways to avoid the question "use this key anyway?" when encrypting. I would appreciate further information on how:

Now they're ready to encrypt. That looks like this (encrypting the example file "example.xls"):

c:\>gpg -a --encrypt -r example@ask-leo.com example.xls
gpg: 1B917E56: There is no assurance this key belongs to the named user

pub 2048g/1B917E56 2006-03-08 Leo A. Notenboom
Primary key fingerprint: 8A4F 770F D037 D414 F4E6 B95C 6E89 72A3 874A 3EC1
Subkey fingerprint: 215A 55C8 C88A 2587 4E64 995C 5EFC 7E3F 1B91 7E56

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

Note the dire warning about making sure you know whose key you're dealing with. There are ways to confirm and avoid this message, but for now to keep things simple, we'll simply note that the Primary Key fingerprint listed here matches the fingerprint that was listed when you created the key, and answer "Yes".

Posted by: Paul Tregunno at February 9, 2007 8:35 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's been a while since I did it, but if I recall correctly it involves:

- - making sure that you actually have the proper key

- - signing that key yourself

Signing it essentially tells gpg that "yes, I've verified that the key
belongs to who it claims to".

Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFFzTkiCMEe9B/8oqERAqWfAJ9AEbgr3OvW6Xt0aXGavJCf0ydT1QCfRS0/
EnYiNJC91aX5gHNlCBx01RI=
=oHeH
-----END PGP SIGNATURE-----

Posted by: Leo Notenboom at February 9, 2007 7:17 PM

I've used GPG for a while to secure important data stored on my PC. I haven't really used it in earnest for email encryption, though. The main reason is that it's a bit too cumbersome for most people to use. I'm now advocating a product called Private Post (http://www.privatepost.com/) to my friends and customers. It is fairly easy to install, bolts into Outlook and Outlook Express and provides an Explorer extended menu for encrypting files etc. locally as well as in emails.

Posted by: Mark at February 15, 2007 2:07 AM

This comment explains a way to avoid the message in the article stating "there is no assurance key belongs to the named user". Whether it is the "best" or even a good way is beyond my knowledge but I thought I would share what I have learned. As always with "all things secure", use at your liability!

I was receiving this message too when trying to use an imported public key from PGP (commercial "equivalent" of GnuPG) on my GnuPG machine. I ended up generating a key on GnuPG and then "signing" the PGP key with my generated (and trusted) GnuPG key with the following command:

gpg --sign-key "key name"

It prompted me with the following message:

"Are you sure that you want to sign this key with your key "my GnuPG key name"

Really sign? (y/N)"

To which I responded "y".

To which it required the passphrase to unlock the secret key for my GnuPG key.

To which I supplied it.

I then ran the command to update my trust database:

gpg --update-trustdb

To which it found the PGP key (signed) but with no defined "trust" value. So it gave me the following:

"Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
s = skip this key
q = quit"

To which I answered (4) and was no longer prompted with the statement "...there is no assurance key belongs to the named user..."

Hope this helps others. If there's a way to do this without generating a local private key and using that to sign the public key and someone knows, please let me/us know.

Thanks.

Posted by: Matt at March 22, 2007 6:46 AM

You can avoid the assurance or trust problem by adding " --always-trust" to the command when encrypting... worked for me anyway ;)

Posted by: Ingo at April 4, 2007 1:17 AM
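The article excerpt quoted above says to check that the Primary key fingerprint gpg prints matches the one you already have; Matt's comment then signs the key and sets its owner trust, and Ingo's `--always-trust` skips the check altogether. The fingerprint comparison is the step that makes the later signing meaningful, so here is an added example of it (editor's code, not from Ask Leo! or from GnuPG). It parses the fingerprint lines that `gpg --fingerprint` prints, both the human-readable form shown in the article and the machine-readable `--with-colons` form, and compares the primary fingerprint with one obtained over another channel. The human-readable sample is the key from the article; the `--with-colons` sample is constructed for the same key and its field values (algorithm numbers, long key IDs, capabilities) are assumed, not taken from the page.

```python
"""Compare an imported key's primary fingerprint with an out-of-band copy
before deciding to sign the key (added example; not code from the page)."""
import hmac
import re

# Fingerprint lines as printed by gpg in the article (copied from the page).
HUMAN_READABLE_OUTPUT = """\
pub 2048g/1B917E56 2006-03-08 Leo A. Notenboom
Primary key fingerprint: 8A4F 770F D037 D414 F4E6 B95C 6E89 72A3 874A 3EC1
Subkey fingerprint: 215A 55C8 C88A 2587 4E64 995C 5EFC 7E3F 1B91 7E56
"""

# Constructed sample of `gpg --with-colons --fingerprint` for the same key.
# Record layout follows GnuPG's colon format (field 10 of an `fpr` record is
# the fingerprint); the other field values are assumptions made to match the page.
COLON_OUTPUT = """\
pub:-:1024:17:6E8972A3874A3EC1:2006-03-08:::-:Leo A. Notenboom <example@ask-leo.com>::scESC:
fpr:::::::::8A4F770FD037D414F4E6B95C6E8972A3874A3EC1:
sub:-:2048:16:5EFC7E3F1B917E56:2006-03-08::::::e:
fpr:::::::::215A55C8C88A25874E64995C5EFC7E3F1B917E56:
"""

# Human-readable forms: the article's "Primary key fingerprint:" label and the
# "Key fingerprint =" label that newer gpg versions print.
_HUMAN_PRIMARY = re.compile(
    r"^\s*(?:Primary key fingerprint:|Key fingerprint =)\s*(.+?)\s*$", re.M)
_HUMAN_SUBKEY = re.compile(r"^\s*Subkey fingerprint:\s*(.+?)\s*$", re.M)
_HEX40 = re.compile(r"[0-9A-F]{40}")


def normalize_fingerprint(text):
    """Strip spacing and case; reject anything that is not a full 40-hex-digit
    v4 fingerprint. A short key ID such as 1B917E56 is deliberately rejected:
    it is not enough to identify a key."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not _HEX40.fullmatch(fpr):
        raise ValueError("not a full 160-bit fingerprint: %r" % text)
    return fpr


def parse_fingerprints(output):
    """Return {'primary': fpr or None, 'subkeys': [fpr, ...]} from either
    output format. In colon format an `fpr` record belongs to the most
    recent pub/sec (primary) or sub/ssb (subkey) record."""
    lines = output.splitlines()
    primary, subkeys = None, []
    if any(line.startswith(("pub:", "sec:", "fpr:")) for line in lines):
        current = None
        for line in lines:
            fields = line.split(":")
            if fields[0] in ("pub", "sec", "sub", "ssb"):
                current = fields[0]
            elif fields[0] == "fpr" and len(fields) > 9 and current:
                fpr = normalize_fingerprint(fields[9])
                if current in ("pub", "sec"):
                    primary = fpr
                else:
                    subkeys.append(fpr)
    else:
        match = _HUMAN_PRIMARY.search(output)
        if match:
            primary = normalize_fingerprint(match.group(1))
        subkeys = [normalize_fingerprint(s) for s in _HUMAN_SUBKEY.findall(output)]
    return {"primary": primary, "subkeys": subkeys}


def fingerprint_matches(output, expected):
    """True only when the PRIMARY fingerprint in gpg's output equals the
    fingerprint you obtained elsewhere (phone call, printed card, the key
    generation step in the article). A subkey fingerprint does not count."""
    parsed = parse_fingerprints(output)
    if parsed["primary"] is None:
        return False
    return hmac.compare_digest(parsed["primary"], normalize_fingerprint(expected))


if __name__ == "__main__":
    trusted_copy = "8A4F 770F D037 D414 F4E6 B95C 6E89 72A3 874A 3EC1"
    for name, sample in (("human-readable", HUMAN_READABLE_OUTPUT),
                         ("with-colons", COLON_OUTPUT)):
        ok = fingerprint_matches(sample, trusted_copy)
        print("%s output: %s" % (name, "fingerprint matches, safe to sign-key"
                                 if ok else "MISMATCH, do not sign"))
```

Only after `fingerprint_matches` returns True does running `gpg --sign-key` (Matt's step) say something true; `--always-trust` makes gpg stop asking without anybody having done this comparison, which is why it belongs on a one-off command line at most and not in `gpg.conf`.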

A lot of thanks. Really, it is explained in an easily understandable manner. I am very proud to visit your site and will also learn more things from your site. Very many thanks.

Posted by: RAGHUMADHULLA at August 16, 2007 6:16 AM

Or you can just use a service like http://www.certifiedmail.com and do away with key mumbo jumbo altogether.

And if you happen to have an X.509 certificate, you can still sign the message and send it to the recipient securely. The signing cert will be displayed to the recipient for non-repudiation, but the encryption happens without needing each recipient to have their own keys.

Posted by: Bob Janacek at February 26, 2008 12:18 PM

In the above section Encrypting Data you mentioned "There are ways to confirm and avoid this message: Use this key anyway? (y/N) y". Can you please provide more details?

Thanks,
Clint

It's been a while, but I believe the approach is that after you import the public key you sign it to confirm that it is what it claims to be. Check the GPG/PGP docs for more on this.

-Leo

Posted by: Clint at July 23, 2008 8:39 AM

I would like to be able to use this program to send emails to and from my PDA. Is this possible? If so, can you please walk me through how to set this up. (I know nothing about programming).

Thank You,
Dave

Posted by: Dave at September 23, 2008 6:56 PM

I like the info on your website, but I am trying to eliminate the prompt, and when I type gpg --sign-key "name" it gave me this error:

pub 1024D/41AFECB4 created: 2004-01-29 expires: never usage: SCA
trust: full validity: unknown
sub 1024g/693C2BF1 created: 2004-01-29 expires: never usage: E
[ unknown] (1). "keyname"

gpg: no default secret key: secret key not available

Key not changed so no update needed.

Please help.

Posted by: Sam at November 7, 2008 12:03 PM