Easy GPG

GNU Privacy Guard (GnuPG or GPG) is a complete and free implementation of the OpenPGP (also known as PGP)

GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).

Thanks to the knowledge of GPG, you have the option of sending encrypted messages via any e-mail or service that allows communication in such a way that nobody but the recipient can read the message on the way. Cool right?

Sometimes users are afraid of complicated commands. If someone has concerns about the use of several commands, then can use the graphical frontends available for almost every operating system.

Each user must have two keys, public and private to be able to encrypt and decrypt messages.

The easiest way to understand the process is to look at the picture below

GPG Process

image source: Open PGP

So you have to create your private and public key and then learn how to share your public key, decrypt and encrypt messages. Additionally, it is also worth knowing how to sign the messages and check the signatures of others. At the beginning it seems complicated, as soon as you get it you’ll see how simple it is.

GPG Commands

Examples for Linux. Don’t forget to download version for your operating system. Commands are the same for any OS. This is just a quick guide with basics. Full documentation can be found here.

Generate a GPG key pair

Just run a command:

1
gpg --full-generate-key

and follow instructions on the screen.

Specify the kind of key you want, or press Enter to accept the default RSA and RSA.
Enter the desired key size. Recommend the maximum key size of 4096.
Enter the length of time the key should be valid. Continue without any date then key doesn’t expire.
Verify that your selections are correct.
Enter your user ID information.
Type a secure passphrase. You will use this password to encrypt and decrypt messages.

Sometimes during generating, import or export you can have some errors so best solutions is to restart gpg agent

1
gpgconf --kill gpg-agent

List secret keys

List GPG keys for which you have both a public and private key.

1
gpg --list-secret-keys --keyid-format

Example of output:

1
2
3
4
------------------------------------
sec 4096R/3BB5C34231531BA2 2019-01-01 [expires: 2020-01-01]
uid user user@example.com
ssb 4096R/42A457DF4AB29E7A 2019-01-01

From the list of GPG keys, copy the GPG key UID you’d like to use. In this example, the GPG key UID is 3BB5C34231531BA2.

Export public key

The public key is the key that you share with others so that they can encrypt the message for you. You can view and copy or export it in several ways. Try each option and compare the results to understand how each option works.

Print the GPG key UID, in ASCII armor format.

1
gpg --armor --export 3BB5C34231531BA2

Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK----- and share with others.

You can also export your public key to file (binary file).

1
gpg --export 3BB5C34231531BA2 > /tmp/my-public-key

or to a file as text

1
gpg --armour --export 3BB5C34231531BA2 > /tmp/my-public-key-text

You can also use email address or user name instead of UID.

1
gpg --export user@example.com > /tmp/my-public-key
1
gpg --export user > /tmp/my-public-key

Export secret key

It is worth taking a copy of the private key and storing it, eg on an encrypted disk. Export is useful for transferring the key to another device. Never share your private key with anyone.

Export to binary file:

1
gpg --export-secret-key --armour > /tmp/my-private-key

Export to text file:

1
gpg --export-secret-key > /tmp/my-private-key-text

Import keys

Easy like this:

1
gpg --import my-private-key
1
gpg --import any-public-key

If the key already existed, the import will fail saying ‘Key already known’. You will have to delete both the private and public key first.

Delete keys

To delete the public key

1
gpg --delete-keys user@example.com

To delete the private key

1
gpg --delete-secret-keys user@example.com

Sending to key server

Example of sending key to public key directory.

1
gpg --keyserver "hkp://keyserver.ubuntu.com" --send-key 3BB5C34231531BA2

Retrieving the key from the server

1
gpg --keyserver "hkp://keyserver.ubuntu.com" --recv-keys 3BB5C34231531BA2

Fingerprints

If you want to see “Fingerprints” to ensure that somebody is really the person they claim (like in a telephone call). This command will result in a list of relatively small numbers.

1
gpg --fingerprint

After import key verify it by displaying fingerprint and contact with owner to compare fingerprint.

Revoke a key

For several reasons you may want to revoke an existing key. For instance: the secret key has been stolen.

Create revoke certificate:

1
gpg --gen-revoke user@example.com

It will look like this:

1
2
3
4
5
6
7
8
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: A revocation certificate should follow

iEkEIBECAAkFAkGgoKsCHQAACgkQZYUAdmML6D/RDQCgrRNm4cjauVRvtz3QWVdm
0ZgDsP4An1tpIXoiO5P7G385m/KR/mGkm5sr
=piFr
-----END PGP PUBLIC KEY BLOCK-----

If you import it like a normal key then it revoke the one for which it was generated.

1
gpg --import /tmp/revoke_cert

Key signing

Signing a key means expressing that you have checked that the user really belongs to that key. You should only sign a key as being authentic when you are ABSOLUTELY SURE that the key is really authentic!!!

1
gpg --edit-key user@example.com

we will enter the interactive mode, then write

1
sign

Based on the available signatures and “ownertrusts” GnuPG determines the validity of keys. Ownertrust is a value that the owner of a key uses to determine the level of trust for a certain key. The values are:

1
2
3
4
1 = Don't know
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully

You can check results:

1
check

save changes and quit:

1
quit

We set the trust for the key on its own and it is personal information. This means that it is not exported with the key. It is even stored in a separate file.

Key trust

Trusting a key means that you will accept signatures from it.

Determining key trust:

1
gpg --edit-key user@example.com

in interactive mode write:

1
trust

Values:

1
2
3
4
5
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately

save changes and quit:

1
quit

Encrypt

Encryption of a text file (binary)

1
gpg -r recipent --encrypt /tmp/message.txt --output /tmp/message.gpg

Where recipent is the name of someone’s public key. Check your public key list gpg --list-keys. To see the signatures as well type gpg --list-sigs. This file is ready to send to your recipient.

To make it possible to copy the content, for example, to send it by e-mail

1
gpg -r recipent --encrypt /tmp/message.txt --armour --output /tmp/message.gpg

now you can open the file or display its contents in the console

1
cat /tmp/message.gpg

Copy your encrypted message, beginning with -----BEGIN PGP MESSAGE----- and ending with -----END PGP MESSAGE----- and send by email or communicator.

Decrypt

Decrypting the message:

1
gpg --decrypt /tmp/message.gpg

You will be asked for the password for your private key and you will see the decrypted message when you enter it.

Sign and verify

Signing a message:

1
gpg --sign /tmp/message.txt --armour --output /tmp/message.sig

veryfing the signature:

1
gpg --verify /tmp/message.sig

and veryfing and decrypting with help

1
gpg --decrypt /tmp/message.sig

to sign in a text form for people without gpg

1
gpg --clearsign /tmp/message.txt --output /tmp/message.sig

signing without modification of the text file with the signature in a separate file

1
gpg --detach-sig /tmp/message.txt --output /tmp/message.sig

then you verify with two files

1
gpg --verify /tmp/message.sig /tmp/message.txt

Encryption without a key

You can use symmetric encryption to encrypt a file without having a key with a one-time password.

1
gpg --symmetric /tmp/message.txt --armour --output /tmp/message-sym.gpg

Then provide the password with a separate secure channel other than the message itself.

Frontends and other software

There are several graphical interfaces for the GPG. Here are some examples.

Full list of frontends and software support GPG can be found here.