author | Christian Cleberg <hello@cleberg.net> | 2023-12-02 23:27:35 -0600 |
---|---|---|
committer | Christian Cleberg <hello@cleberg.net> | 2023-12-02 23:27:35 -0600 |
commit | 3d4da5ac6000a4871c5caa80d1e61f2782da3069 (patch) | |
tree | 29f36b50823d22f4c7df0a3db3ede83192ae649f /blog/2022-07-14-gnupg.org | |
parent | dcf0186e16b6ac8f0e00a3aeb9734421ce548177 (diff) | |
feat: finish converting md to org
Diffstat (limited to 'blog/2022-07-14-gnupg.org')
-rw-r--r-- | blog/2022-07-14-gnupg.org | 417 |
1 files changed, 220 insertions, 197 deletions
diff --git a/blog/2022-07-14-gnupg.org b/blog/2022-07-14-gnupg.org index 66822f0..66aee7c 100644 --- a/blog/2022-07-14-gnupg.org +++ b/blog/2022-07-14-gnupg.org 
@@ -1,39 +1,41 @@ -+++ -date = 2022-07-14 -title = "GNU Privacy Guard (GPG)" -description = "An overview of the GPG encryption program and its uses." -draft = false -+++ - -## The History of GPG - -[GNU Privacy Guard](https://gnupg.org/), also known as GnuPG and GPG, is a free -("free" as in both speech and beer) software that fully implements the OpenPGP -Message Format documented in [RFC 4880](https://www.rfc-editor.org/rfc/rfc4880). - -I won't go in-depth on the full history of the software in this post, but it is -important to understand that GPG is not the same as PGP (Pretty Good Privacy), -which is a different implementation of RFC 4880. However, GPG was designed to -interoperate with PGP. - -GPG was originally developed in the late 1990s by [Werner -Koch](https://en.wikipedia.org/wiki/Werner_Koch) and has historically been -funded generously by the German government. - -Now that we have all the high-level info out of the way, let's dive into the -different aspects of GPG and its uses. - -## Encryption Algorithms - -GPG supports a wide range of different encryption algorithms, including -public-key, cipher, hash, and compression algorithms. The support for these -algorithms has grown since the adoption of the Libgcrypt library in the 2.x -versions of GPG. - -As you will be able to see below in an example of a full key generation with the -GPG command line tool, GPG recommends the following algorithms to new users: - -```sh +#+title: GNU Privacy Guard (GPG) +#+date: 2022-07-14 + +** The History of GPG +:PROPERTIES: +:CUSTOM_ID: the-history-of-gpg +:END: +[[https://gnupg.org/][GNU Privacy Guard]], also known as GnuPG and GPG, +is a free ("free" as in both speech and beer) software that fully +implements the OpenPGP Message Format documented in +[[https://www.rfc-editor.org/rfc/rfc4880][RFC 4880]]. 
+ +I won't go in-depth on the full history of the software in this post, +but it is important to understand that GPG is not the same as PGP +(Pretty Good Privacy), which is a different implementation of RFC 4880. +However, GPG was designed to interoperate with PGP. + +GPG was originally developed in the late 1990s by +[[https://en.wikipedia.org/wiki/Werner_Koch][Werner Koch]] and has +historically been funded generously by the German government. + +Now that we have all the high-level info out of the way, let's dive into +the different aspects of GPG and its uses. + +** Encryption Algorithms +:PROPERTIES: +:CUSTOM_ID: encryption-algorithms +:END: +GPG supports a wide range of different encryption algorithms, including +public-key, cipher, hash, and compression algorithms. The support for +these algorithms has grown since the adoption of the Libgcrypt library +in the 2.x versions of GPG. + +As you will be able to see below in an example of a full key generation +with the GPG command line tool, GPG recommends the following algorithms +to new users: + +#+begin_src sh Please select what kind of key you want: (1) RSA and RSA (2) DSA and Elgamal 
@@ -41,80 +43,84 @@ Please select what kind of key you want: (4) RSA (sign only) (9) ECC (sign and encrypt) *default* (10) ECC (sign only) -``` - -I am not doing an in-depth explanation here in order to keep the focus on GPG -and not encryption algorithms. If you want a deep dive into cryptography -or encryption algorithms, please read my other posts: - -- [AES Encryption](/blog/aes-encryption/) (2018) -- [Cryptography Basics](/blog/cryptography-basics/) (2020) - -### Vulnerabilities - -As of 2022-07-14, there are a few different vulnerabilities associated with -GPG or the libraries it uses: - -- GPG versions 1.0.2–1.2.3 contains a bug where "as soon as one - (GPG-generated) ElGamal signature of an arbitrary message is released, one - can recover the signer's private key in less than a second on a PC." - ([Source](https://www.di.ens.fr/~pnguyen/pub_Ng04.htm)) -- GPG versions prior to 1.4.2.1 contain a false positive signature +#+end_src + +I am not doing an in-depth explanation here in order to keep the focus +on GPG and not encryption algorithms. If you want a deep dive into +cryptography or encryption algorithms, please read my other posts: + +- [[/blog/aes-encryption/][AES Encryption]] (2018) +- [[/blog/cryptography-basics/][Cryptography Basics]] (2020) + +*** Vulnerabilities +:PROPERTIES: +:CUSTOM_ID: vulnerabilities +:END: +As of 2022-07-14, there are a few different vulnerabilities associated +with GPG or the libraries it uses: + +- GPG versions 1.0.2--1.2.3 contains a bug where "as soon as one + (GPG-generated) ElGamal signature of an arbitrary message is released, + one can recover the signer's private key in less than a second on a + PC." ([[https://www.di.ens.fr/~pnguyen/pub_Ng04.htm][Source]]) +- GPG versions prior to 1.4.2.1 contain a false positive signature verification bug. - ([Source](https://lists.gnupg. - org/pipermail/gnupg-announce/2006q1/000211.html)) -- GPG versions prior to 1.4.2.2 cannot detect injection of unsigned data. 
- ( - [Source](https://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html)) -- Libgcrypt, a library used by GPG, contained a bug which enabled full key - recovery for RSA-1024 and some RSA-2048 keys. - This was resolved in a GPG update in 2017. - ([Source](https://lwn.net/Articles/727179/)) -- The [ROCA Vulnerability](https://en.wikipedia.org/wiki/ROCA_vulnerability) - affects RSA keys generated by YubiKey 4 tokens. - ([Source](https://crocs.fi. - muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf)) -- The [SigSpoof Attack](https://en.wikipedia.org/wiki/SigSpoof) allows an - attacker to spoof digital signatures. - ([Source](https://arstechnica. - com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/)) -- Libgcrypt 1.9.0 contains a severe flaw related to a heap buffer overflow, - fixed in Libgcrypt 1.9.1 ([Source](https://web.archive. - org/web/20210221012505/https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/)) - -## Platforms - -Originally developed as a command-line program for *nix systems, GPG now has a -wealth of front-end applications and libraries available for end-users. However, -the most recommended programs remain the same: - -- [GnuPG](https://gnupg.org) for Linux (depending on distro) -- [Gpg4win](https://gpg4win.org) for Windows -- [GPGTools](https://gpgtools.org) for macOS - -## Creating a Key Pair - -In order to create a GPG key pair, a user would first need to install GPG on -their system. If we're assuming that the user is on Fedora Linux, they would -execute the following: - -```sh + ([[https://lists.gnupg.%20org/pipermail/gnupg-announce/2006q1/000211.html][Source]]) +- GPG versions prior to 1.4.2.2 cannot detect injection of unsigned + data. ( + [[https://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html][Source]]) +- Libgcrypt, a library used by GPG, contained a bug which enabled full + key recovery for RSA-1024 and some RSA-2048 keys. 
This was resolved in + a GPG update in 2017. ([[https://lwn.net/Articles/727179/][Source]]) +- The [[https://en.wikipedia.org/wiki/ROCA_vulnerability][ROCA + Vulnerability]] affects RSA keys generated by YubiKey 4 tokens. + ([[https://crocs.fi.%20muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf][Source]]) +- The [[https://en.wikipedia.org/wiki/SigSpoof][SigSpoof Attack]] allows + an attacker to spoof digital signatures. + ([[https://arstechnica.%20com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/][Source]]) +- Libgcrypt 1.9.0 contains a severe flaw related to a heap buffer + overflow, fixed in Libgcrypt 1.9.1 + ([[https://web.archive.%20org/web/20210221012505/https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/][Source]]) + +** Platforms +:PROPERTIES: +:CUSTOM_ID: platforms +:END: +Originally developed as a command-line program for *nix systems, GPG now +has a wealth of front-end applications and libraries available for +end-users. However, the most recommended programs remain the same: + +- [[https://gnupg.org][GnuPG]] for Linux (depending on distro) +- [[https://gpg4win.org][Gpg4win]] for Windows +- [[https://gpgtools.org][GPGTools]] for macOS + +** Creating a Key Pair +:PROPERTIES: +:CUSTOM_ID: creating-a-key-pair +:END: +In order to create a GPG key pair, a user would first need to install +GPG on their system. If we're assuming that the user is on Fedora Linux, +they would execute the following: + +#+begin_src sh sudo dnf install gpg -``` +#+end_src -Once installed, a user can create a new key pair with the following command(s): +Once installed, a user can create a new key pair with the following +command(s): -```sh +#+begin_src sh gpg --full-generate-key -``` +#+end_src -GPG will walk the user through an interactive setup that asks for an algorithm -preference, expiration date, name, and email to associate with this key. 
+GPG will walk the user through an interactive setup that asks for an +algorithm preference, expiration date, name, and email to associate with +this key. -See the following example key set-up for a default key generation using the -GnuPG command-line interface: +See the following example key set-up for a default key generation using +the GnuPG command-line interface: -```sh +#+begin_src sh gpg (GnuPG) 2.3.6; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. @@ -166,13 +172,15 @@ pub ed25519 2022-07-14 [SC] E955B7700FFC11EF51C2BA1FE096AACDD4C32E9C uid John Doe (test key) <johndoe@example.com> sub cv25519 2022-07-14 [E] -``` +#+end_src -Please note that GUI apps may differ slightly from the GPG command-line +Please note that GUI apps may differ slightly from the GPG command-line interface. -## Common Usage - +** Common Usage +:PROPERTIES: +:CUSTOM_ID: common-usage +:END: As noted in RFC 4880, the general functions of OpenPGP are as follows: - digital signatures 
@@ -181,98 +189,110 @@ As noted in RFC 4880, the general functions of OpenPGP are as follows: - Radix-64 conversion - key management and certificate services -From this, you can probably gather that the main use of GPG is for encrypting -data and/or signing the data with a key. The purpose of encrypting data with GPG -is to ensure that no one except the intended recipient(s) can access the data. +From this, you can probably gather that the main use of GPG is for +encrypting data and/or signing the data with a key. The purpose of +encrypting data with GPG is to ensure that no one except the intended +recipient(s) can access the data. Let's explore some specific GPG use-cases. -### Email - -One of the more popular uses of GPG is to sign and/or encrypt emails. With the -use of a GPG keypair, you can encrypt a message, its subject, and even the -attachments within. - -The first process, regarding the signing of a message without any encryption, is -generally used to provide assurance that an email is truly coming from the -sender that the message claims. When I send an email, and it's signed with my -public key, the recipient(s) of the message can verify that the message was -signed with my personal key. - -The second process, regarding the actual encryption of the message and its -contents, works by using a combination of the sender's keys and the recipient's -keys. This process may vary slightly by implementation, but it most commonly -uses asymmetric cryptography, also known as public-key cryptography. In this -version of encryption, the sender's private key to sign the message and a -combination of the sender's keys and the recipient's public key to encrypt the -message. - -If two people each have their own private keys and exchange their public keys, -they can send encrypted messages back and forth with GPG. This is also possible -with symmetric cryptography, but the process differs since there are no key -pairs. 
- -Implementation of email encryption varies greatly between email clients, so you -will need to reference your email client's documentation to ensure you are -setting it up correctly for that specific client. - -### File Encryption - -As noted in the section above regarding emails, GPG enables users to be able to -send a message to each other if they are both set-up with GPG keys. -In this example, I am going to show how a user could send a file called -`example_file.txt` to another user via the recipient's email. - -The sender would find the file they want to send and execute the following -command: - -```sh +*** Email +:PROPERTIES: +:CUSTOM_ID: email +:END: +One of the more popular uses of GPG is to sign and/or encrypt emails. +With the use of a GPG keypair, you can encrypt a message, its subject, +and even the attachments within. + +The first process, regarding the signing of a message without any +encryption, is generally used to provide assurance that an email is +truly coming from the sender that the message claims. When I send an +email, and it's signed with my public key, the recipient(s) of the +message can verify that the message was signed with my personal key. + +The second process, regarding the actual encryption of the message and +its contents, works by using a combination of the sender's keys and the +recipient's keys. This process may vary slightly by implementation, but +it most commonly uses asymmetric cryptography, also known as public-key +cryptography. In this version of encryption, the sender's private key to +sign the message and a combination of the sender's keys and the +recipient's public key to encrypt the message. + +If two people each have their own private keys and exchange their public +keys, they can send encrypted messages back and forth with GPG. This is +also possible with symmetric cryptography, but the process differs since +there are no key pairs. 
+ +Implementation of email encryption varies greatly between email clients, +so you will need to reference your email client's documentation to +ensure you are setting it up correctly for that specific client. + +*** File Encryption +:PROPERTIES: +:CUSTOM_ID: file-encryption +:END: +As noted in the section above regarding emails, GPG enables users to be +able to send a message to each other if they are both set-up with GPG +keys. In this example, I am going to show how a user could send a file +called =example_file.txt= to another user via the recipient's email. + +The sender would find the file they want to send and execute the +following command: + +#+begin_src sh gpg --encrypt --output example_file.txt.gpg --recipient \ recipient@example.com example_file.txt -``` +#+end_src -Once received, the recipient can decrypt the file with the following command: +Once received, the recipient can decrypt the file with the following +command: -```sh +#+begin_src sh gpg --decrypt --output example_file.txt example_file.txt.gpg -``` - -### Ownership Signatures - -One important aspect of GPG, especially for developers, is the ability to sign -data without encrypting it. For example, developers often sign code changes when -they commit the changes back to a central repository, in order to display -ownership of who made the changes. This allows other users to look at a code -change and determine that the change was valid. - -In order to do this using [Git](https://git-scm.com), the developer simply needs -to alter the `git commit` command to include the `-S` flag. Here's an example: - -```sh +#+end_src + +*** Ownership Signatures +:PROPERTIES: +:CUSTOM_ID: ownership-signatures +:END: +One important aspect of GPG, especially for developers, is the ability +to sign data without encrypting it. For example, developers often sign +code changes when they commit the changes back to a central repository, +in order to display ownership of who made the changes. 
This allows other +users to look at a code change and determine that the change was valid. + +In order to do this using [[https://git-scm.com][Git]], the developer +simply needs to alter the =git commit= command to include the =-S= flag. +Here's an example: + +#+begin_src sh git commit -S -m "my commit message" -``` +#+end_src -As an expansion of the example above, Git users can configure their environment -with a default key to use by adding their GPG signature: +As an expansion of the example above, Git users can configure their +environment with a default key to use by adding their GPG signature: -```sh +#+begin_src sh git config --global user.signingkey XXXXXXXXXXXXXXXX -``` +#+end_src -If you're not sure what your signature is, you can find it titled `sig` in the -output of this command: +If you're not sure what your signature is, you can find it titled =sig= +in the output of this command: -```sh +#+begin_src sh gpg --list-signatures -``` - -### File Integrity - -When a person generates a signature for data, they are allowing users the -ability to verify the signature on that data in the future to ensure the data -has not been corrupted. This is most common with software applications hosted on -the internet - developers provide signatures so that users can verify a website -was not hijacked and download links replaced with dangerous software. +#+end_src + +*** File Integrity +:PROPERTIES: +:CUSTOM_ID: file-integrity +:END: +When a person generates a signature for data, they are allowing users +the ability to verify the signature on that data in the future to ensure +the data has not been corrupted. This is most common with software +applications hosted on the internet - developers provide signatures so +that users can verify a website was not hijacked and download links +replaced with dangerous software. In order to verify signed data, a user needs to have: 
@@ -280,26 +300,29 @@ In order to verify signed data, a user needs to have: 2. A signature file 3. The public GPG key of the signer -Once the signer's public key is imported on the user's system, and they have -the data and signature, they can verify the data with the following commands: +Once the signer's public key is imported on the user's system, and they +have the data and signature, they can verify the data with the following +commands: -```sh +#+begin_src sh # If the signature is attached to the data gpg --verify [signature-file] # If the signature is detached as a separate file from the data gpg --verify [signature-file] [original-file] -``` - -## Finding Public Keys - -In order to use GPG with others, a user needs to know the other user(s) keys. -This is easy to do if the user knows the other user(s) in person, but may be -hard if the relationship is strictly digital. Luckily, there are a few options. -The first option is to look at a user's web page or social pages if they have -them. +#+end_src + +** Finding Public Keys +:PROPERTIES: +:CUSTOM_ID: finding-public-keys +:END: +In order to use GPG with others, a user needs to know the other user(s) +keys. This is easy to do if the user knows the other user(s) in person, +but may be hard if the relationship is strictly digital. Luckily, there +are a few options. The first option is to look at a user's web page or +social pages if they have them. Otherwise, the best option is to use a keyserver, such as: -- [pgp.mit.edu](https://pgp.mit.edu) -- [keys.openpgp.org](https://keys.openpgp.org) +- [[https://pgp.mit.edu][pgp.mit.edu]] +- [[https://keys.openpgp.org][keys.openpgp.org]] |
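Review bot: The front matter conversion at the top of the first hunk (@@ -1,39 +1,41 @@) keeps only the title and date; the removed `description = "An overview of the GPG encryption program and its uses."` and `draft = false` lines have no counterpart on the added side. If the site build still uses them, carry them over, for example as a `#+description:` keyword. In the same hunk, and again in the key generation transcript further down, gpg's interactive output is wrapped in `#+begin_src sh` although it is program output rather than shell; `#+begin_example` would stop it being highlighted as a script.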
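Review bot: Four Source links in the Vulnerabilities list of the @@ -41,80 +43,84 @@ hunk now carry a literal `%20` inside the hostname, for example `https://lists.gnupg.%20org/pipermail/gnupg-announce/2006q1/000211.html`; the line break inside the old wrapped Markdown URLs was converted into an encoded space, so these links no longer resolve. The same applies to the `crocs.fi.%20muni.cz`, `arstechnica.%20com` and `web.archive.%20org` targets. Remove the `%20` from each, and drop the stray space and line break after the opening parenthesis in the 1.4.2.2 item while you are there.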
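Review bot: In the Email section of the @@ -181,98 +189,110 @@ hunk, the reflowed paragraph still says "it's signed with my public key"; a signature is made with the sender's private key and checked with the public key, so this should read "private key". The sentence beginning "In this version of encryption, the sender's private key to sign the message" is also missing its verb (for example "is used"). In Ownership Signatures, `user.signingkey` takes a key ID rather than a signature, so the text that sends readers to the `sig` lines of `gpg --list-signatures` is worth rewording; `gpg --list-secret-keys --keyid-format=long` shows the ID to use.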