In this write-up, I'll take you on a tour of what a Gnu Privacy Guard is, what it is used for, how to get it installed, and explore some of its features. This is a detailed guide, so I encourage you to use the table of contents to navigate to the information you need easily.
Table of Content
- What is GPG
- Use Case
- How it Works
- Installing GPG
- Getting your GPG key pair
- Updating/Renewing a key Expiration date
- Changing a key Passphrase
- Exporting and Importing a key
- Exporting your public key
- Importing other's public key
- Uploading your key to a key server
- Searching/Retrieving a key from a key server
- Exporting a private key
- Encrypting messages
- Decrypting messages
- Deleting a key
Gnu Privacy Guard(GnuPG or GPG) is an Open Source version of the Pretty Good Privacy(PGP) Cryptographic software suite that is used for file encryption. GPG is based on the OpenPGP encryption standard which makes it compatible with PGP tools.
One common use case of GPG is to encrypt files and email messages. GPG converts plain text into complex code of unreadable characters called ciphertext to ensure the secure transmission of information. GPG is also used to sign documents, and Git commits through digital signatures so that the authenticity of messages can be verified.
GPG combines symmetric-key cryptography (Secret key) and asymmetric cryptography(Public + Private key) to provide high data protection.
A public and a private key make up a GPG key pair. The private key, which is to be kept secret, is used to decrypt files and sign messages. The public key can be made available to anyone and is used to verify signed messages(signature) or to encrypt messages.
Let's understand how GPG works with the following example:
Say Ammy and John want to share a secret message. Firstly, both of them have to generate their GPG key pair. Then they share their public key either by a key server so that each has the other public key in their Keyring ( a special file that stores a group of public keys used by a certificate authority). Ammy creates the message, encrypts it with John's public key, signs the message using her private key, and then sends it over to John. John receives the encrypted message, decrypts it using his private key, and then uses Ammy's public key to verify that the message is truly from Ammy.
Note that you can only decrypt a message which was encrypted using your public key.
First, you have to install the GPG command line utility.
To verify if you have GPG, run the following command on your terminal:
If not, follow through the steps to get GPG on your specific OS.
GPG is installed by default on most distributions. If that's not the case, you can install it using your package manager.
sudo apt install gnupg
The easiest way to install GPG on Mac is to use Mac Homebrew.
brew install gnupg
If you are a Windows user by now, you already know that Windows always tends to complicate things, doesn't it?
If you have GIT BASH installed, then you already have access to GPG. Launch GIT BASH and run the following command to get the version of gpg installed:
If you don't have GIT BASH installed, you can install Gpg4win (GNU Privacy Guard for Windows)
To generate your GPG key pair, run the following command:
This will start up an interactive question section that will be used to configure your key:
- Please select what kind of key you want: go with the default option(1)
- What keysize do you want? Choose 4096. choosing a higher bit reduces the risk of the key being compromised by hackers
- Key is valid for?: 1y ( means it expires after 1 year). It's a good idea to set one as it can be renewed easily. If your key gets compromised or your laptop gets stolen, you won’t have to worry much because the key will just expire on its own. You can also revoke your key as an option if this should happen
- Is this correct? y
- Real name: input your real name
- Email address: email@example.com
- Comment: Optional comment that will be visible in your signature(you can skip this)
- Change (N)ame, ©omment, (E)mail or (O)kay/(Q)uit?: verify all information are correct and enter "O"
- Enter passphrase: Enter a secure Passphrase. Write this down somewhere, or use a password manager to save it.
At this point, gpg will generate your key using entropy. Entropy refers to the degree of unpredictability and randomness present within a system. To enhance the randomness of the generating key, gpg encourages you to perform some actions like moving your mouse, typing on the keyboard, etc.
Once your key is generated, you can view it by running the following command. If you have more than one key in your keyring, it will be shown:
From the preceding image, the
pub section indicates the primary key. The primary key is the top-level key, and the certificate is identified by the Key ID of the primary key. The
sub section indicates a subkey. A subkey is a key that is stored as a sub-component of another key.
6A303B4CA0B8AE457715DA82F3FAFC9F22F2713E is called the fingerprint.
Key ID, which is a shorthand method for referring to a particular key, is of two types, and both are derived from the fingerprint. The 'short' keyid is the low 32 bits, or last 8 hex digits, of the fingerprint and thus is 22F2713E. The 'long' keyid is the low 64 bits, or last 16 hex digits, of the fingerprint and thus is F3FAFC9F22F2713E.
You can also run the following command to get the short and long keyid:
gpg --list-keys --keyid-format=short
gpg --list-keys --keyid-format=long
Take the following command if you wish to update your key expiration date:
gpg --edit-key key-id
This will start up an interactive question section:
- key 0: to choose which key to edit
- key is valid for (0): 2y
- Is this correct?: Y
- enter your passphrase.
Repeat the preceding process to update the subkey expiration date, but this time, enter key 1.
The following steps update your key Passphrase:
gpg --passwd F3FAFC9F22F2713E
- Enter the current passphrase.
- Enter a new passphrase.
GPG will be useless if we can't share our key with the people we wish to communicate with. Up next, we will look at how to export, import, and share GPG keys.
To export your public key from your keyring, run the following command:
gpg --export -armor key-id
-a command-line option outputs the public key in ASCII format.
To export the public key to a file named public_key.asc, run the following:
gpg --export -a F3FAFC9F22F2713E > public_key.asc
If you call the
ls -a statement, you will see the file in your current directory. Run
cat public_key.asc to view the file. You can then share this file with a correspondent via email or another appropriate method so they can import it into their keyring.
To import a correspondent public key obtained as a text file, named jonh_publickey.asc to your keyring, run the following command:
gpg --import jonh_publickey.asc
Key servers are a good place to upload your public key and share it with others. These key servers are used to house people’s public keys from all over the world. There are many public key servers like Ubuntu, GnuPG, OpenPGP, and MIT key servers.
To send your public key to a certain key server from within GPG, run the following command:
gpg --keyserver <key-server> --send-keys <key-id>
gpg --keyserver pgp.mit.edu --send-keys F3FAFC9F22F2713E
You can search for people by name or email from a public key server, then import the keys that you find to your keyring.
To get a correspondent public key from a key server, you first search for their public key by name or email and then retrieve the public to your keyring:
gpg --keyserver <key-server> --search-keys <search_parameter>
gpg --keyserver pgp.mit.edu --search-keys firstname.lastname@example.org
If the search returns more than one key, you can specify the number(s) to indicate which key would be imported.
If you know the key ID of a correspondent, you can retrieve its public key from a certain key server:
gpg --keyserver <key-server> --recv-keys <digit-key-id>
gpg --keyserver pgp.mit.edu --recv-keys F3FAFC9F22F2713E
If you want to use the same GPG key across different machines, you should export your private key as well as your public key. To do this, run the following command:
gpg --export-secrete-key -a > private_key.asc
You will need to enter a passphrase to export the private key. This passphrase will also be used while importing the private key.
If you have a message written in a file named message.txt you may want to encrypt it and send it to a correspondent. To encrypt a file, run the following command:
gpg -r F3FAFC9F22F2713E -a -e message.txt
--encrypt command option encrypts the file. The
--recipient option specifies the recipient key ID and the
-a option outputs the file in ASCII format.
The file is encrypted with the public key of key ID F3FAFC9F22F2713E and will need the corresponding private key to decrypt the message. The output of the command is stored in a file named message.txt.asc. Again, use the
ls -a statement to view this.
To encrypt a message for more than one person, run the following command:
gpg -r<key-id-1>-r<key-id-2> -a -efile.txt
To decrypt a message in a file named reply.txt.asc, the
--decrypt command option is used. GPG will automatically select the appropriate private key to decrypt the message. You will also need the passphrase of the associated private key.
gpg -d reply.txt.asc
To decrypt and write the output to a file named reply.txt run the following command:
gpg -d reply.txt.asc > reply.txt
As one of the uses of the GPG key pair, you can sign a message to approve it or verify a signature to check its authenticity. To sign a file and not necessarily encrypt it, use the
--sign option. The output of the following command would be in a
.gpg (binary) format:
To convert the output of a signature file to an ASCII format, use the
--clearsign command option.
gpg --clearsign message.txt
To verify a signature, use the
--verify option or
--decrypt option( even though the file is not encrypted):
gpg --verify message.txt.asc
gpg --decrypt message.txt.asc
If you want to encrypt and also sign a file, run the following command:
gpg --sign -r F3FAFC9F22F2713E -a -e message.txt
Until now, we have only encountered signatures that are embedded into the file along with the message. However, it is also possible to have a detached signature file that is separate from the message file. This type of signature is called a detached signature.
They're most common for verifying software to ensure that nobody has tampered with the application other than the actual developer(s) who've signed it.
To create a detached signature, the
-b command option is used
gpg --detach-sign message.txt
There are two ways to verify a detached signature:
1) When the original file(message file) has the same name as the signature file; If the signature file has the same filename as the message file but ends in either
.asc (ASCII Armoured) or
.gpg (raw binary), then you can simply pass the signature's name to gpg, and it will auto-detect the message filename.
gpg --verify message.txt.asc
2) When the signature file and the message file have different names or are located in different directories, it is important to provide gpg with the names of both files. Place the signature's file name after
--verify, and then the original filename after that.
gpg --verify message.txt.asc message.txt
If you wish to remove a correspondent public key or private key from your keyring, run the following commands:
To remove the private key:
gpg --delete-secrete-key key-id
To remove a public key:
gpg --delete-key key-id
If your GPG key pair gets compromised or you lose access to your secret key, you would want to revoke or nullify the key.
From GPG 2.1 and above, a revocation certificate is created by default when you create a GPG key pair. For every key pair created using this version, an ASCII armored revocation certificate is generated and saved in a file located in the
openpgp-revocs.d directory. This directory can be found within the GnuPG home directory. Each certificate is named after the fingerprint of the corresponding key.
To revoke your key, import the revocation certificate
gpg --import revoke-certificate-name.rev
It is advisable to back up this revocation certificate in a secure and separate location in case your computer gets stolen.
Before I conclude, I just want to point out that there are various different ways to specify a correspondent ID to GPG. The following are some various ways to do so:
- Using the Key ID in its short format.
- Using the key ID in its long format.
- Using the Fingerprint.
- Using the user's email address.
Wow! You now have the knowledge and skills needed to successfully generate your GPG key pair and start using it. Note that this is not an exhaustive guide to GPG features. Instead, it offers a concise introduction to some of the fundamental aspects of the tool. I encourage you to explore the GPG [manpage].(https://www.gnupg.org/gph/de/manual/r1023.html)
Cover image from Infosec Images