Now days with the increase in spying by organizations such as the NSA and reqular attacks against websites it’s more important than ever to secure your data and communication.
GnuPG is a free and open source OpenPGP implementation available on every major operating system that can provide strong encryption, before making use of GnuPG it’s important to understand some concepts.
The public key is an encryption key that is intended to be publicly available, at the very least the sender will need your personal public key to perform encryption, public keys are also used to verify signatures so any unauthorized changes can be detected.
Secret Key / Private Key
The secret key is used to decrypt a message or file than has been encrypted by the matching public key, the secret key should as the name suggest be kept secret as it provides additional security on top of the passphrase, secret keys are also used to sign a file so persons with your public key can verify the file has not been changed.
A passphrase is used when performing decryption or signing a file, this generally follows the same rules as making a good password except it should be much longer, around 40-60 characters is considered typical which will be for all intents and purposes unbreakable.
There are two main version usually installed stable and classic, these are run with the command ‘gpg2’ and ‘gpg’ respectively, in most cases you should always use the stable version of GnuPG, on Linux most distributions come with it already installed.
For Windows user the easiest way is to install gpg4win which can be downloaded with a graphical front end for easier use.
For this I’m going to assume you’re using the traditional command line and not a graphical front end, if you are you should check the documentation for your particular front end.
Generating a key pair
Generating a key pair (key pair being the public and secret key) is really simple, just run the following command:
You will then be asked the following:
Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection?
In almost all cases you want option 1 which is considered by many to be the most secure, next you will be asked to specify the key size.
RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)
2048 bits should be the absolute minimum for good protection with 4096 being the optimal choice where speed or size isn’t a major concern, keep in mind slower machines may have trouble dealing with a large key.
Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0)
You will then be asked for an expiry date, it’s a good idea to set this since it provide a clear indication to users that they should update their key, a key that has expired can still be used normally, although many key servers will remove expired keys.
GnuPG needs to construct a user ID to identify your key. Real name: TestKey Email address: Test@Test.com Comment: Test Key You selected this USER-ID: "TestKey (Test Key) " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
You will then be asked for your real name, email address and a comment to help identify the key, both for yourself and others.
Once this is done you will be asked for the passphrase, it’s a good idea to practice using the passphrase you have chosen before making the key since writing it down would defeat the purpose, there is also no way to recover a lost passphrase.
The key will then be generated, as GnuPG suggest you should move your mouse around randomly to help generate a truly random key.
gpg: key EA40ACC3 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 5 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 5u pub 4096R/EA40ACC3 2015-11-08 Key fingerprint = CA97 B246 2A38 A2EA 6A0D 0228 2CBE 7277 EA40 ACC3 uid [ultimate] TestKey (Test Key) sub 4096R/C0523162 2015-11-08
This shows the keys were successfully generated, the key ID is EA40ACC3, it also shows the public key fingerprint which is used by the recipient to verify with you that the key they have received is correct, it also shows the key name, comment and email address along with the trust level, which for a newly generated key is ultimate (it’s your key you trust it fully), a subkey is also shown, this should not be confused with the secret key which is not shown here, GnuPG by default uses a separate subkey only for encryption with the ID here of C0523162.
Viewing your key pair
To view the public key again you can use:
gpg2 -k Test pub 4096R/EA40ACC3 2015-11-08 uid [ultimate] TestKey (Test Key) sub 4096R/C0523162 2015-11-08
To view the secret key:
gpg2 -K Test sec 4096R/EA40ACC3 2015-11-08 uid TestKey (Test Key) ssb 4096R/C0523162 2015-11-08
In this case ssb is the matching secret subkey for the public subkey C0523162, if you run this command without Test it will show all keys in your keyring which is automatically generated the first time you run GnuPG.
Exporting and using a key server
It’s very very important you always have a secure backup of both your public and secret keys, to do this you can export them, to export the public key (public sub key is automatically included):
gpg2 --armor --export -o pub.asc Test
This exports the public Test key to the file pub.asc, the –armor option makes it output the key in plain text rather than binary, the result looks something like this:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 IZKKutUkIBxjUTv7NJUOewfJ0HtD/O/vDTMdGsbyV8t2Fdc0GLnmrpuHaiwDlNHt vYgFz3WVTaYKxMSES/DfJFf492Hfk4PFGn5xn/4MAcbCQ5LAQkYQViU5LrBJahDO 4tBb4ykayAIqDgqEOIGRBeaU65Zp7LSbxK1noHnHskZzI41uRFR0DbeqNXOTu6Dd NuvdojaVnzfbnLoh2N58rkc9rAIJcQ3IJN3ZABEBAAGJAh8EGAEIAAkFAlY/j4AC GwwACgkQLL5yd+pArMO+hQ/7Bgz+vZA2gXP5ceGh32MMIhCWgFPyehzHOqK50iOQ JwrxWl+2qqQB/+xtQFgxXGfSDJTYhPAaVhpPObX09zeEgz1UH3Va2Rih/SH9C2Dw swtNh/aqJ6OPGa//YNyk++rva/nQR5w5NTAx6iNBcFdneKnM5G++au0vfO5JjXtG sAAN0h3v6U3W7lEKB02jhAQM/6xwVK4mvs8ff0pY+4Iem3UrrD0UzqpGnI2GEz5a lZ+9NjSAJIeji2xSrWCoOV4Ru9a5Y1JX0DL8WKWTgJJM2Ga4Y5itVQj6pTueuyOK eBfjVkejgmYvr4DbVk8OaJ2oopUJTIhPN7fanmMaW9Cp0lUW+Ml2fpBfPZEq4/XV 1J8eyIdw7OTl/X5GUg91WH2xZD2SCGSVhUFEzts+B1CUxfQNFViFn4ew77VWX+za NRY8mQxjyVU2wNgdKBivu8+cmRtk+iLG5sXDpqaI1QlUpxwvkmm6I0PGV+EnOnvW 3yboQpWXuD4SZDl386hQaF09kGodnUp6Ct77l3Cex2Lo29pdnE5Mwu0fK3sJkcHI oMffoKRD8zy6Jp7t0RbpiHlkt3a6CaSjZ8vT14djPb1sRn/jO+KDOKZVeFiE+JPD F4WEMhk74QOqlQH1IvWjcCxCZWKvjNB4eXgdzLlbnZnI26AFwkEoxNqBPjmtUaQC uvg= =BGpH -----END PGP PUBLIC KEY BLOCK-----
It’s very important you do not modify this in any way, this can now be stored or sent to whoever you want.
To export the secret key:
gpg2 --armor --export-secret-key -o sec.key Test
This should never be given to anyone but it’s also of critical importance that you have it safely stored, if you loose it you can never decrypt or sign again with the key.
Public keys are often stored on a public keyserver for convenience, to send your key to a keyserver (in this example I’m sending it to pgp.mit.edu):
gpg2 --keyserver pgp.mit.edu --send-keys EA40ACC3
To get a key from the keyserver use:
gpg2 --keyserver pgp.mit.edu --recv-keys EA40ACC3
It should be noted there is no way for you to delete the key from the server, some servers may delete keys that have expired or that have received a revocation certificate, this requires the secret key so it’s best done right after key creation.
gpg2 --output pub-revoke.gpg --gen-revoke EA40ACC3
To use this you import the revocation certificate and then send the key again to the keyserver.
gpg2 --import pub-revoke.gpg gpg2 --keyserver pgp.mit.edu --send-keys EA40ACC3
Importing a key is very easy for both public and secret keys:
gpg2 --import pub.asc gpg2 --import sec.asc
A key that is imported is by default untrusted, to change this you need to go into key editing mode:
gpg2 --edit-key test
This will show the usage of each key and subkey, S being Sign, C being create certificate, A being authentication and E being encryption.
You can get the fingerprint by typing ‘fpr’ you should always use this to verify any key sent to you.
You can switch between the public and secret keys by typing ‘toggle’.
To change the trust type ‘trust’ and answer the following question, ultimate trust should only be assigned to keys you are 100% sure of.
When you are done make sure you type ‘save’.
Encryption and Decryption
Encryption is the main purpose on GnuPG, this can be done two ways, encrypting a message or encrypting a file.
To encrypt a message use:
gpg2 --armor -r Test -e
You can now type your message, when finished hit ctrl + d, the encrypted message will now be given:
-----BEGIN PGP MESSAGE----- Version: GnuPG v2 hQEMAxzJ34dtBd7eAQgAjf/jdG58LvYt8//szu25fw5GGc4GoAosaWuGT6RmciD5 Pqj7SQlYFs0qodT42OYpSs1cSSdyR6Xz5XCJj/H+Z3FeOmHmQqdPbI5igsq7inZe KU4to8vrMPifTavumhuXOoY/sBEWnoSwb95DeLfZs46rziFWIUrajzqsl5uXmO5U 2culeNUfga1ppad/P73WFr7m5sdQcnizVbs1w+ODxOKc082P1zzxfJ9x49uZQmTZ dRRUp/ajPIPiYfckqlV68S9BYh4IjNtXL3dbf4BpxS98B07PQsmAgni39+J+Sie6 2nvLq0sDxdcv9Dxsd3eBYCUhCuUzpQHwx48tjXh5LNJGAa39Ctz5NHrt7he5vy3D WXLSHOpv3eAQXr/7zpN1m325D+4P45XMZTcPDBjXO6CJVrHjRTDLE2rsT9EjksFN VNi/MlRDVA== =/qRd -----END PGP MESSAGE----
To decrypt a message use:
Paste in the message and it should ask for the decryption key, if not try hit ctrl + d.
If the passphrase is correct you will see the original message.
Windows has a problem with not recognizing ctrl + d so this method as far as I can tell will not work.
Encrypting a file can be done like so:
gpg2 --armor -r Test -o test.txt.gpg -e test.txt
Since –armor outputs ASCII you can send the encrypted text in test.txt.gpg in an email as long as the recipient knows it’s a file and the intended file extension, or as an attachment.
gpg2 -o test.txt -d test.txt.gpg
Signing a file is a great way to ensure the recipient can verify that they have the correct unmodified file, this is similar in many ways to a file hash.
To sign a file do:
gpg2 --armor -u Test -b test.txt
This will create a test.txt.asc file which contains the file signature, this is known as a detached signature which is most often what you want, this should be included along with the file you are sending.
If you are sending an encrypted file you should generate your signature from the original file, under UNIX systems it’s common to sign a .tar archive before it gets compressed, for example with bzip2.
To verify the signature.
gpg2 --verify test.txt.asc
This may look like a lot of work but it’s really very simple once you’ve done it a few times, there are a bunch of friendly user interfaces such as GPA available so you don’t have to remember the commends, for quick reference you can type ‘gpg2 –help’, this guide doesn’t cover everything but it’s enough to get you started.
Online security is very important so it’s well worth taking the time to learn how to use encryption effectively.