Introduction to GPG

Published on Mar. 27, 2017 by Gabriel Bordeaux

GPG is better than this lock

What is GPG?

GPG is a GPL alternative to PGP. It is a powerful encryption tool created by Werner Koch. You can read more about GPG on Wikipedia. Below you will find the main commands to use GPG to encrypt personnal documents for your own use or to send encrypted documents to others.

It already seems complicated

Install GPG

Linux

On Debian/Ububtu, you just have to run the following command ad "root":

apt-get install gnupg

Max OS

On Mac OS, you can install https://www.gpgtools.org to use GPG.

Windows

Find on Google how to install GPG on a Windows computer

Create a key

Important note about the passphrase you are going to choose: Your passphrase (password to decrypt documents) will be the main weakness of your encrypted files. You need to choose a strong passphrase.

To create a key, run the following command in your Terminal:

gpg --gen-key

The program will ask you a few questions, here are a few recommendations:

  • Please select what kind of key you want: choose "(1) RSA and RSA (default)"
  • Please specify how long the key should be valid: choose "0 = key does not expire"

Encrypt / decrypt my first documents

Encrypt a file

First, you can create a test file:

echo "toto" > test_crypt

Then, to encrypt it, just run the following command:

gpg --encrypt test_crypt

You'll be asked who is allowed to decrypt the document. If you wish to avoid that, you can run the following command (just put your name as recipient):

gpg --recipient 'Gabriel Bordeaux' --encrypt test_crypt

If you want to send this document to someone else, you need to add his or her key ID as recipient (replace "HY67JG98" with the key ID):

gpg --recipient 'HY67JG98' --encrypt test_crypt

Make your encryption ASCCI readable : ideal to copy the data in an email / on a forum... (replace "HY67JG98" with the key ID):

gpg --armor --recipient 'HY67JG98' --encrypt test_crypt

Note: on Mac OS, you can securely delete the initial document using "srm" instead of "rm":

srm test_crypt

Encrypt a file without using public-key cryptography

Symmetric encryption does not use the public key/private key system. Anyone will be able to decrypt the document with the correct passphrase, even if he or she is not a "recipient". Just run the following command:

gpg -c test_crypt

Decrypt a file / folder

To decrypt a document, just run the following command:

gpg --output test_crypt --decrypt test_crypt.gpg

Sign a document

Signing a document will:

  • Certify the document
  • Give a timestamp to the document
  • Certify that the document is not modified before decryption: if it is, the signature verification will fail If you sign a document, you will not really be able to deny creating it (because it is signed with your private key, not with your public key).

Sign a GPG file

To learn how to sign a document, please refer to the official documentation : http://www.gnupg.org/gph/en/manual/x135.html.

Verifying a signature

gpg --verify test_crypt.gpg

Full example:

gabs-MacBook-Air-2:~ gab$ gpg --verify test_crypt.gpg
gpg: Signature made Thu Nov 29 20:59:47 2012 EST using RSA key ID 8CC1B974
gpg: Good signature from "Gabriel Bordeaux <gab@idontlikespam.com>"

Key servers

It's time to share your Public Key

Instead of sending your GPG public key with all your contacts, you can share it on a KeyServer. Most servers synchronize changes with each other.

First, display your public key in ASCII by running the following command:

gpg --armor --export 8CC1B974

Then just copy and paste it on http://keys.gnupg.net or another key server.

Search for someone else's key

To search for someone else's key, you can go on http://keys.gnupg.net (or another key server) or run the following command:

gpg --search-keys NAME_TO_SEARCH

Configuration file

Your GPG configuration file should be available in "~/.gnupg/gpg.conf"

Set the default encryption mode

I recommend using the cipher AES256, which uses a 256-bit Advanced Encryption Standard (AES) key to encrypt the data. You can set up cipher AES256 as your default encryption mode by adding the following lines anywhere in your configuration file:

# Default cipher
cipher-algo AES256

Set the default key

It's a good idea to set your own Key ID as the default key. Find the following line in the configuration file, replace the key ID with your key ID and un-comment the file (replace the key ID with yours):

default-key 8CC1B974

Useful tools

Trust a key

You should trust your own key "ultimately" and can trust the Key IDs of the people you exchange files with, depending on how sure you are their Key ID really comes from them.

To trust a key, run (replace the key ID with the key you wish to trust):

gpg --edit-key 8CC1B974

Then, type:

trust

Full example:

gab@ovh1:~$ gpg --edit-key 8CC1B974
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/8CC1B974  created: 2012-11-29  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/E1586024  created: 2012-11-29  expires: never       usage: E   
[ultimate] (1). Gabriel Bordeaux (test key) <gab@idontlikespam.com>

gpg> trust
pub  2048R/8CC1B974  created: 2012-11-29  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/E1586024  created: 2012-11-29  expires: never       usage: E   
[ultimate] (1). Gabriel Bordeaux (test key) <gab@idontlikespam.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  2048R/8CC1B974  created: 2012-11-29  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/E1586024  created: 2012-11-29  expires: never       usage: E   
[ultimate] (1). Gabriel Bordeaux (test key) <gab@idontlikespam.com>

gpg> quit

Export my public key

You can export your public key to send it to other people. They'll be able to send you encrypted documents that you will be able to decrypt.

Note: Replace "8CC1B974" with your good key ID.

gpg --export 8CC1B974 > gab_public.key

Export my public key in an ASCII-encrypted-file

You can export your public key to send it to other people. They'll be able to send you encrypted documents that you will be able to decrypt.

Note: Replace "8CC1B974" with your good key ID.

gpg --armor --export 8CC1B974 > gab_public.key

Export my secret key

Note: Replace "8CC1B974" with your good key ID. Note': Do not communicate this file to anyone.

gpg --export-secret-key 8CC1B974 > gab_secret.key

Export my secret key in an ASCII-encrypted-file

Note: Replace "8CC1B974" with your good key ID. Note': Do not communicate this file to anyone.

gpg --armor --export-secret-key 8CC1B974 > gab_secret.key

Import a public or a secret Key

This tool allows you to import your keys onto another computer that you own or to import someone else's public key so that you can send him or her encrypted documents.

gpg --import FILE

List keys

gpg --list-keys

List secret keys

gpg --list-secret-keys

Change my passphrase

To change your passphrase, run (replace the key ID with the key you wish to trust):

gpg --edit-key 8CC1B974

Then, type:

passwd

Full example:

gab@ovh1:~$ gpg --edit-key 8CC1B974
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/8CC1B974  created: 2012-11-29  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/E1586024  created: 2012-11-29  expires: never       usage: E   
[ultimate] (1). Gabriel Bordeaux (test key) <gab@idontlikespam.com>

gpg> passwd
Key is protected.

You need a passphrase to unlock the secret key for
user: "Gabriel Bordeaux (test key) <gab@idontlikespam.com>"
2048-bit RSA key, ID 8CC1B974, created 2012-11-29

Enter the new passphrase for this secret key.

                   
gpg> quit
Save changes? (y/N) y

Delete a public key

Note: Replace "8CC1B974" with your good key ID.

gpg --delete-key 8CC1B974

Delete a secret key

Note: Replace "8CC1B974" with your good key ID.

gpg --delete-secret-key 8CC1B974

Try it yourself

You can download my public key here: E1A5D827

If you read correctly the article, you should be able to import my public key then encrypt your message and send it to me.