techblog.koponen.se
HOWTO
ENCRYPTION
USE GPG
Published: 20190205
Tested on:
GPG (GnuPG) 2.2.4 (Ubuntu 18.04 amd64 stock)
OS: Pop!_OS 18.04 nvidia (Ubuntu 18.04 amd64)
-
INDEX
01. warning
02. install gpg
03. create your private key
04. look at your key
05. export your key
06. distribute your key
07. import other keys
08. view your keyring
09. view your private keys
10. sign a key
11. backing up your keyring
12. restoring your keyring from backup
13. encrypting and signing a file/message
14. decrypting a file/message
15. deleting keys
-
Install GPG (debian/ubuntu command)
$ sudo apt -y install gpg
Create your own private (secret) key.
$ gpg --full-generate-key
The output will look something like this:
$ gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 3650
Key expires at Thu 01 Feb 2029 08:24:14 PM CET
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Thomas A Anderson
Email address: neo@pseudohacker.org
Comment:
You selected this USER-ID:
"Thomas A Anderson <neo@pseudohacker.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 218427165FA8D632 marked as ultimately trusted
gpg: revocation certificate stored as '/home/neo/.gnupg/openpgp-revocs.d/35CAC00AB5D0622EF3217497218427165FA8D632.rev'
public and secret key created and signed.
pub rsa4096 2019-02-04 [SC] [expires: 2029-02-01]
35CAC00AB5D0622EF3217497218427165FA8D632
uid Thomas A Anderson <neo@pseudohacker.org>
sub rsa4096 2019-02-04 [E] [expires: 2029-02-01]
$
Now you have a key pair!
The key pair has both a public key (that you spread to others) and a secret key (that you never give anyone).
You can look at your public key by typing:
$ gpg --list-keys --fingerprint
/home/neo/.gnupg/pubring.kbx
--------------------------------
pub rsa4096 2019-02-04 [SC] [expires: 2029-02-01]
35CA C00A B5D0 622E F321 7497 2184 2716 5FA8 D632
uid [ultimate] Thomas A Anderson <neo@pseudohacker.org>
sub rsa4096 2019-02-04 [E] [expires: 2029-02-01]
$
In order for others to be able to send you encrypted files/messages you need to give them your public key.
This can be done with the command:
$ gpg --export --armor neo@pseudohacker.org > neo_public_key.asc
Optionally:
$ gpg --export --armor "Thomas A Anderson <neo@pseudohacker.org>" > neo_public_key.asc
Spread your key!
The file you just created (neo_public_key.asc) can be put anywhere.
You can for instance put it on a webserver to be read by anyone.
You can upload your public key to the MIT PGP Key Server by pointing a web browser to: pgp.mit.edu
However, if you want others to be able to verify that the public key in your ASCII key file is really yours, you need to personally, face-to-face, hand over the fingerprint of your public key, so that they can compare it against the key they downloaded.
Or, if you're really desperate, you can use an intermediary that you both trust.
So now let's communicate with others!
You've downloaded your friend's public key file (maybe you got it off pgp.mit.edu), verified the fingerprint and now you want to import his public key into your keyring so that you can use it.
We assume that your friend's public key is in a file called friend_key_public.asc
This command will import the contents of the file into your keyring:
$ gpg --import friend_key_public.asc
gpg: key 15D8B785ACCD6F43: public key "Trinity <trinity@pseudohacker.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
$
The key is now in your keyring.
The keyring is your own personal database of public and secret (private) keys.
You can view all the public keys in your keyring by typing:
$ gpg --list-keys [--fingerprint]
You can view all secret (private) keys in your keyring with the command:
$ gpg --list-secret-keys [--fingerprint]
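Before you go on to sign your friend's key, compare the fingerprint in the listing above with the one your friend gave you in person. The following is an added example, not part of the original howto: a POSIX sh helper that reads the text `gpg --list-keys --fingerprint` prints, pulls out every primary-key fingerprint and compares it, ignoring spaces and letter case, with the fingerprint you were handed. The embedded listing is a constructed sample copied from the output shown earlier on this page. It also shows that the 16-digit key ID gpg prints in its messages (218427165FA8D632) is just the tail of the 40-digit fingerprint, which is why only the full fingerprint should be used for verification.

```shell
#!/bin/sh
# Added example (not from the original howto): verify a key you are about to
# trust by comparing the fingerprint gpg shows you with the fingerprint your
# friend gave you out of band. Parses the `gpg --list-keys --fingerprint` format.

# Normalise a fingerprint as a human would type or read it:
# drop spaces, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# From `gpg --list-keys --fingerprint` text on stdin, print each primary-key
# fingerprint (the line of hex groups directly below a "pub" line), spaces removed.
extract_fprs() {
    awk '/^pub /{ want = 1; next }
         want   { gsub(/[ \t]/, ""); print toupper($0); want = 0 }'
}

# The 64-bit "long key ID" seen in messages such as
# "gpg: key 218427165FA8D632 marked as ultimately trusted" is simply the last
# 16 hex digits of the fingerprint. It is NOT a substitute for checking all 40.
long_keyid() {
    fpr=$(normalize_fpr "$1")
    printf '%s' "$fpr" | tail -c 16
}

# fingerprint_matches EXPECTED LISTING
# Returns 0 when EXPECTED (40 hex digits, spaces allowed) is a primary-key
# fingerprint in LISTING, 2 when EXPECTED is malformed, 1 otherwise.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    listing=$2
    case $expected in
        *[!0-9A-F]*|'') return 2 ;;
    esac
    [ ${#expected} -eq 40 ] || return 2
    printf '%s\n' "$listing" | extract_fprs | grep -qx "$expected"
}

# Constructed sample: the listing shown in this howto for Neo's key.
SAMPLE_LISTING='/home/neo/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2019-02-04 [SC] [expires: 2029-02-01]
      35CA C00A B5D0 622E F321 7497 2184 2716 5FA8 D632
uid           [ultimate] Thomas A Anderson <neo@pseudohacker.org>
sub   rsa4096 2019-02-04 [E] [expires: 2029-02-01]'

# Usage with a real keyring:
#   gpg --list-keys --fingerprint | sh check_fpr.sh "<fingerprint from your friend>"
if [ $# -ge 1 ]; then
    listing=$(cat "${2:-/dev/stdin}")
    if fingerprint_matches "$1" "$listing"; then
        echo "fingerprint verified"
    else
        echo "fingerprint does NOT match; do not sign or trust this key" >&2
        exit 1
    fi
fi
```

Run it with the fingerprint your friend gave you as the first argument and the listing on stdin (or a file as the second argument); a non-zero exit means the key in your keyring is not the one you were told about.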
Sign your friend's key with your secret key.
(Your keyring will record that your secret (private) key vouches for your friend's key.)
$ gpg [--local-user "Thomas A Anderson <neo@pseudohacker.org>"] --sign-key "Trinity <trinity@pseudohacker.org>"
pub rsa4096/15D8B785ACCD6F43
created: 2019-02-04 expires: 2029-02-01 usage: SC
trust: unknown validity: unknown
sub rsa4096/392CB82474589892
created: 2019-02-04 expires: 2029-02-01 usage: E
[ unknown] (1). Trinity <trinity@pseudohacker.org>
pub rsa4096/15D8B785ACCD6F43
created: 2019-02-04 expires: 2029-02-01 usage: SC
trust: unknown validity: unknown
Primary key fingerprint: D0ED 7B2E AE3C B2C7 FEE1 0A2F 15D8 B785 ACCD 6F43
Trinity <trinity@pseudohacker.org>
This key is due to expire on 2029-02-01.
Are you sure that you want to sign this key with your
key "Thomas A Anderson <neo@pseudohacker.org>" (218427165FA8D632)
Really sign? (y/N) y
$
You can export your entire keyring (database), for backup/migration purposes.
Export public keys:
$ gpg --export --armor > public_keys.asc
Export secret keys:
$ gpg --export-secret-keys --armor > secret_keys.asc
Export the trust database (how much you trust each key):
$ gpg --export-ownertrust > trustdb.asc
As you realize, secret_keys.asc contains all your secret keys.
If someone else gets hold of this file they can impersonate you.
So keep it safe.
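Two mistakes are easy to make with these three files: publishing secret_keys.asc where you meant to publish public_keys.asc, and leaving the secret backup world-readable. The following is an added example, not part of the original howto, with two small POSIX sh checks: one reads the standard "-----BEGIN PGP ...-----" armor header to tell a public key block from a private one, the other confirms a secret-key backup is mode 600. A backup_keyring function runs the same three gpg export commands as above under umask 077 so the files are created owner-only from the start (it needs gpg installed). The sample files are constructed here with placeholder bodies; they contain no real keys, and stat -c is assumed to be GNU stat as on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original howto): sanity checks for keyring
# backup files before you publish or store them.

# Print the armor type named in the first line of an ASCII-armored file,
# e.g. "PUBLIC KEY BLOCK" or "PRIVATE KEY BLOCK".
armor_block_type() {
    head -n 1 "$1" | sed -n 's/^-----BEGIN PGP \(.*\)-----$/\1/p'
}

# Only a public key block may go on a web server or a key server.
safe_to_publish() {
    [ "$(armor_block_type "$1")" = "PUBLIC KEY BLOCK" ]
}

# A secret-key backup must be readable by its owner only (mode 600).
# Assumes GNU stat (Ubuntu); %a prints the permission bits in octal.
backup_is_private() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Run the howto's three exports with a restrictive umask, so every file,
# including secret_keys.asc, is created as 0600 instead of the default 0644.
backup_keyring() {
    dir=$1
    ( umask 077
      gpg --export --armor > "$dir/public_keys.asc"
      gpg --export-secret-keys --armor > "$dir/secret_keys.asc"
      gpg --export-ownertrust > "$dir/trustdb.asc" )
}

# Constructed sample files: real armor headers, placeholder bodies, no real keys.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'PLACEHOLDER' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$d/public_keys.asc"
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' 'PLACEHOLDER' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$d/secret_keys.asc"
    chmod 644 "$d/public_keys.asc"
    chmod 600 "$d/secret_keys.asc"
    echo "$d"
}

# Usage when run directly: report the armor type of each file given.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(armor_block_type "$f")"
done
```

Before copying a file to a web server, run safe_to_publish on it; before storing secret_keys.asc anywhere, run backup_is_private on it, and fix it with chmod 600 if the check fails.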
Restoring from backup.
(If you want to start from scratch, start with "rm -rf ~/.gnupg")
If you want to import a keyring backup file, you type:
$ gpgconf --kill gpg-agent
$ gpg --list-keys
gpg: directory '/home/neo/.gnupg' created
gpg: keybox '/home/neo/.gnupg/pubring.kbx' created
gpg: /home/neo/.gnupg/trustdb.gpg: trustdb created
$ gpg --import secret_keys.asc
$ gpg --import public_keys.asc
$ gpg --import-ownertrust trustdb.asc
$
Encrypting and signing a file to send to a friend.
In this example we assume that message_clear.txt is a cleartext file containing your data.
The output file message_encrypted.gpg will be signed by you, so the recipient can verify its origin.
The file message_encrypted.gpg will also be encrypted with the recipient's public key, so only he can read it.
$ gpg --encrypt --sign --armor [--local-user "Thomas A Anderson <neo@pseudohacker.org>"] --recipient "Trinity <trinity@pseudohacker.org>" --output message_encrypted.gpg message_clear.txt
The file message_encrypted.gpg can now be sent whichever way you want, pasted into an email if you like.
Decrypting (reading) an encrypted file that was encrypted with one of your public keys:
$ gpg --decrypt message_encrypted.gpg > message_decrypted.txt
If you want to delete keys from your keyring...
$ gpg --delete-keys "Trinity <trinity@pseudohacker.org>"
$ gpg --delete-secret-keys "Thomas A Anderson <neo@pseudohacker.org>"