What is GPG
GPG is a command-line encryption tool that follows the OpenPGP standard (but supports other encryption schemes as well). It was developed to replace Symantec’s PGP cryptographic software suite. It’s one of the most commonly used OpenPGP implementations.
Before reading this tutorial, make sure you understand PGP.
How to use GPG
This section explains the most important functions of GPG.
Listing stored keys
To list all public keys stored in your keyring, use
$ gpg --list-keys /home/user/.gnupg/pubring.gpg ----------------------------- pub 4096R/54DDD393 2014-06-27 uid VeraCrypt Team <firstname.lastname@example.org> pub 3072R/6091B1F8 2016-08-09 uid Nadim Kobeissi <email@example.com> sub 3072R/A4D437B0 2016-08-09 pub 4096R/CD994F73 2015-08-14 [expires: 2017-07-15] uid Micah Lee <firstname.lastname@example.org> uid Micah Lee <email@example.com> uid Micah Lee <firstname.lastname@example.org> uid Micah Lee <email@example.com> uid Micah Lee <firstname.lastname@example.org> pub 4096R/58ACD84F 2015-01-18 [expires: 2018-01-11] uid Tails developers (offline long-term identity key) <email@example.com> uid Tails developers <firstname.lastname@example.org> sub 4096R/752A3DB6 2015-01-18 [expires: 2018-01-11] sub 4096R/2F699C56 2015-01-18 [expires: 2018-01-11] sub 4096R/A0EDAA41 2016-08-30 [expires: 2018-01-11]
Each “block” of text, separated by a blank line, represents one key. (todo block?)
pub 4096R/54DDD393 2014-06-27
pub means it’s a public key, the
4096 is the bit length (how many bits of randomness the key consists of), the
54DDD393 is the Key-ID and the
2014-06-07 is the date the key was generated on.
uid stands for User ID. A User ID is the name/email (and comment) info — for example
The Privacy Guide (admin) <email@example.com>. A key can have multiple Key IDs, as you can see on Micah Lee’s public key.
To list all private keys stored in your keyring, use
[user@vault ~]$ gpg --list-secret-keys /home/user/.gnupg/secring.gpg ----------------------------- sec 4096R/4412E912 2017-05-22 uid The Privacy Guide <firstname.lastname@example.org> ssb 4096R/CC84135D 2017-05-22
sec means that it’s a private (secret) key and the
ssb is basically the same as
sub, but for private keys.
Generating a key
To generate a new key(pair), use
(Filled-in values are in bold and italic.)
$ gpg --gen-key gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire
= key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) " Real name: The Privacy Guide Email address: email@example.com Comment: admin You selected this USER-ID: "The Privacy Guide (admin) " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. [enter password] We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++ ...+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ..............................+++++ ....+++++ gpg: key 4412E912 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 4096R/4412E912 2017-05-22 Key fingerprint = AE9B 418A 72B2 D4A7 3BEA F402 90BD 83DE 4412 E912 uid The Privacy Guide (admin) sub 4096R/CC84135D 2017-05-22
Generating a revocation certificate
To generate a revocation certificate, use
(Filled-in values are in bold and italic.)
$ gpg --gen-revoke firstname.lastname@example.org sec 4096R/4412E912 2017-05-22 The Privacy Guide <email@example.com> Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision? 0 Enter an optional description; end it with an empty line: > [enter] Reason for revocation: No reason specified (No description given) Is this okay? (y/N) y You need a passphrase to unlock the secret key for user: "The Privacy Guide <firstname.lastname@example.org>" 4096-bit RSA key, ID 4412E912, created 2017-05-22 ASCII armored output forced. Revocation certificate created. Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: The print system of your machine might store the data and make it available to others! -----BEGIN PGP PUBLIC KEY BLOCK----- Comment: A revocation certificate should follow [... the revocation certificate ...] -----END PGP PUBLIC KEY BLOCK-----
Importing a key
To import a public key or a private key, use the
$ gpg --import key.pgp or
$ echo THE_KEY_IN_ASCII | gpg --import key.pgp
Exporting a key
To export a public key, use the
$ gpg --export KEY_ID
To export a private key, use the
$ gpg --export-secret-keys KEY_ID
Since PGP can operate both in ASCII mode and “raw” mode, it’s important to understand when to use which one.
When sending something that will be viewed as text (i.e. an email), you should use ASCII mode. On the other hand, when sending a file, you can (and should, it will make the encrypted file smaller) use the default non-ASCII mode.
To operate in ASCII mode, use the
To encrypt a file in GPG, use the
-e) switch. Note that you have to specify the recipient as well — so GPG knows which public key to use. To do that, use the
$ gpg --encrypt --recipient RECIPIENTS_EMAIL FILE_NAME or
$ gpg -e -r RECIPIENTS_EMAIL FILE_NAME
To encrypt something using symmetric cryptography, use the
$ gpg -c FILE_NAME and you’ll be prompted for the password (the key).
To encrypt a message (for example, an email), you can either save it into a file and then encrypt it, or you can pipe
echo’s output to
echo """Hello World""" | gpg -a -e -r RECIPIENTS_EMAIL
Selecting Key ID
If you use multiple keys, you need to specify which key to use for signing and decrypting. You can do this by using the
-u) switch along with the email or Key-ID you want to use.
$ gpg -a -e -s -u MY_EMAIL -r RECIPIENTS_EMAIL FILE_NAME or
$ gpg -d -u MY_UID FILE_NAME
To sign files, use the
$ gpg -s FILE_NAME or to encrypt it as well
$ gpg -e -s -r RECIPIENTS_EMAIL FILE_NAME
Same as encrypting messages, but using the
$ gpg -s FILE_WITH_MESSAGE or
$ echo "Hello World" | gpg -s
To decrypt files (or messages — again, either by using pipe or saving it into a file), you can use the
-d) switch, or no switch at all — it’s the default option.
$ gpg FILE_NAME or
$ gpg -d FILE_NAME
You will be prompted for the password.
To find the fingerprint of a key, use the
$ gpg --fingerprint email@example.com pub 4096R/4412E912 2017-05-22 Key fingerprint = AE9B 418A 72B2 D4A7 3BEA F402 90BD 83DE 4412 E912 uid The Privacy Guide <firstname.lastname@example.org> sub 4096R/CC84135D 2017-05-22
When you’re verifying files, you have two files: the file you want to verify and the file with the signature. Generally, the signature file’s name is the same as that of the file you want to verify, but with
.pgp (or something like that) after it. Make sure both files are in the same directory.
To verify a file, simply run
$ gpg --verify filename in the directory with both files.