Upgrading From PGP
2
For a long time I have wanted to switch from using PGP 2.x to using GPG (because it's Free). But I di dn't want to give up my trusty PGP key, which has a long history and has gathered a lot of signatures that I would have trouble getting again. Now that the RSA patent has expired, GPG comes with RSA support by defaul t. This means that it's actually possible to convert your PGP key to a GPG key, and use it normally with GPG. You will not need gpg-idea or any other non-free component. The steps are quite easy. I wrote them down here, because I expect that a number of Debian maintainers are in the same situation and can benefit from this advice. Note that the GPG FAQ contains a section about the same thing, but it's aimed at maintaining compatibility with PGP 2.x. The procedure I describe here is designed solely to switch to GPG without giving up your PGP key. It will not let you exchange encrypted mail with someone who still uses (only) PGP 2.x. But if you ever need to do that, you can pull out your old copy of PGP for that -- it's the same key! Here are the steps: 0. Make sure your version of GPG supports RSA. You should be okay if you have GPG 1.0.3 or newer. I used GPG 1.0.4 myself. 1. Back up your .pgp directory, and your .gnupg directory (if any). Note: I started with an empty .gnupg directory for this. If you already have a GPG ring with a set of keys, you'll end up having two keys with probably the same userids. That won't break anything, but it can be confusing and it is easy to accidentally use the wrong key. 2. Remove the passphrase from your PGP secret key. This is necessary because the secret key is protected using the IDEA algorithm, and IDEA is still patented so GPG does not support it. Command: pgp -ke userid where userid is what you use to access your key, usually your name or email address. Just hit Enter when PGP asks for the new passphrase. 3. Import your secret and public keys into GPG. Command: gpg --import $HOME/.pgp/secring.pgp $HOME/.pgp/pubring.pg p There doesn't seem to be a way to tell GPG to import only selected keys from those files, so you may want to first use PGP to export your keys to a sm all keyring. (Do not use ASCII armor for that.) I simply imported all the keys, because I wanted to convert to using GPG for everything. 4. Re-protect your secret key with a passphrase. You removed the passphrase in step 2, you can now put it back. Command: gpg --edit-key userid GPG will tell you what key you accessed and prompt you to do something wi th it. Tell it "passwd" to change the passph rase. 5. Check if everything worked. Sign and encrypt a small file,
Transcript of Upgrading From PGP
7/27/2019 Upgrading From PGP
http://slidepdf.com/reader/full/upgrading-from-pgp 1/2
For a long time I have wanted to switch from using PGP 2.x to using GPG(because it's Free). But I didn't want to give up my trusty PGP key,which has a long history and has gathered a lot of signatures thatI would have trouble getting again.
Now that the RSA patent has expired, GPG comes with RSA supportby default. This means that it's actually possible to convertyour PGP key to a GPG key, and use it normally with GPG. Youwill not need gpg-idea or any other non-free component.
The steps are quite easy. I wrote them down here, because I expectthat a number of Debian maintainers are in the same situationand can benefit from this advice.
Note that the GPG FAQ contains a section about the same thing,but it's aimed at maintaining compatibility with PGP 2.x.The procedure I describe here is designed solely to switchto GPG without giving up your PGP key. It will not let youexchange encrypted mail with someone who still uses (only) PGP 2.x.But if you ever need to do that, you can pull out your old copyof PGP for that -- it's the same key!
Here are the steps:
0. Make sure your version of GPG supports RSA. You should beokay if you have GPG 1.0.3 or newer. I used GPG 1.0.4 myself.
1. Back up your .pgp directory, and your .gnupg directory (if any).Note: I started with an empty .gnupg directory for this.If you already have a GPG ring with a set of keys, you'llend up having two keys with probably the same userids.That won't break anything, but it can be confusing and itis easy to accidentally use the wrong key.
2. Remove the passphrase from your PGP secret key. This is necessarybecause the secret key is protected using the IDEA algorithm, andIDEA is still patented so GPG does not support it.
Command:pgp -ke useridwhere userid is what you use to access your key, usually your nameor email address. Just hit Enter when PGP asks for the newpassphrase.
3. Import your secret and public keys into GPG.Command:gpg --import $HOME/.pgp/secring.pgp $HOME/.pgp/pubring.pgpThere doesn't seem to be a way to tell GPG to import only selectedkeys from those files, so you may want to first use PGP to exportyour keys to a small keyring. (Do not use ASCII armor for that.)I simply imported all the keys, because I wanted to convert to using
GPG for everything.
4. Re-protect your secret key with a passphrase.You removed the passphrase in step 2, you can now put it back.Command:gpg --edit-key useridGPG will tell you what key you accessed and prompt you to dosomething with it. Tell it "passwd" to change the passphrase.
5. Check if everything worked. Sign and encrypt a small file,
7/27/2019 Upgrading From PGP
http://slidepdf.com/reader/full/upgrading-from-pgp 2/2
mail it to a friend, see if you can decrypt something mailedto you, upload a Debian package, that sort of thing.
6. Clean up the backups. Remember, you un-protected your PGP key.It's still not protected, and it's the same key you are now usingwith GPG. Make sure no one can get at it. You can restorethe backup, or run pgp -ke again, or -- if you don't plan to everuse PGP again -- delete the key. There is a program in fileutilscalled "shred" which may help with this.
Well, I hope this helps someone. I wrote this down after exactly oneexperience with converting keys -- I'd love to have feedback fromsomeone else who tried it.
Richard Braakmanwith tips from Adam Rogoyski, Marco d'Itri, and Andrew Pimlott.
