gpg (Gnu Privacy Guard) is an open source command line tool for encryption and decryption, in this article we go over how to generate and revoke a key, sharing or importing this generated key and the encryption and decryption of files.
Table of contents.
- Basic encryption and decryption.
- Key generation.
- Key revocation.
- Importing a public key.
- Sharing a public key.
- Encrypting a file.
- Decrypting a file.
- Refreshing keys
Password protecting a system doesn't prevent one from bypassing it and having access to files and directories therefore it is necessary to have essential files encrypted with a password such that even if the hard disk is compromised any unauthorized persons will not be able to read its contents.
Linux provides gpg(Gnu Privacy Guard), an open source implementation of PGP(Pretty Good privacy). gpg allows one to encrypt and sign data and communications, additionally it features versatile management of keys including access modules for all kinds of public key directories.
Sending a file involves the sender securely encrypting a file with a his/her own private key together with the recipient's public key and to decrypt the sent file the receiver uses his/her private key together with the sender's public key. Therefore public keys must be shared between the two parties, that is the sender must have the receiver's public key and vice versa.
Although one can share public keys, private keys should remain private.
The syntax is as follows,
gpg [options] [files]
Basic encryption and decryption.
For encrypting a file we use the -c option,
gpg -c file
After executing this command a prompt for entering the password and its confirmation will be displayed.
Once done, you should see the file file.gpg which will hold the encrypted contents of file.
To decrypt a file we use the -d option,
gpg -d file.gpg
If you waited about 10 minutes you should be prompted for a password, otherwise gpg will print out the encrypted text from file.gpg as output without requiring a password.
We can also extract the contents of the file while decrypting it as follows,
After this operation the original file file will be created.
To generate a key locally we write,
After executing this command we will be prompted to choose an encryption algorithm, enter the number and press enter to proceed.
Next we select a bit-length for the keys and press enter.
The next step involves selecting the time period in which this key we are about to generate will be valid, for example 1y means that after one year we will need to renew it, 0 means that it will never expire, 1 means it expires after one day.
After entering the duration, you will be prompted for a confirmation.
The next step is entering your details such as a name, email address and a comment, then a confirmation will follow, we can opt to change any of the entered details. If the details are ok we type O and proceed.
Next we will enter a paraphrase and confirm it, after which we are done and will have our keys generated.
Here is the whole process,
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. # Step 1 Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (14) Existing key from card Your selection? 1 # Step 2 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (4096) 2048 Requested keysize is 2048 bits # Step 3 Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1 Key expires at Thu Oct 11 13:23:10 2022 EAT Is this correct? (y/N) y # Step 4 GnuPG needs to construct a user ID to identify your key. Real name: bob Email address: firstname.lastname@example.org Comment: key generation for bob You selected this USER-ID: "bob (key generation for bob) <email@example.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O # Step 5 We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: /home/bob/.gnupg/trustdb.gpg: trustdb created gpg: key F1E1BD6A36CB85A8 marked as ultimately trusted gpg: directory '/home/bob/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/bob/.gnupg/openpgp-revocs.d/45C0217B9CE01A924065FC4DF1E1BD6A36CB85A8.rev' public and secret key created and signed. pub rsa2048 2022-02-02 [SC] [expires: 2022-10-03] 45C0217B9CE01A924065FC4DF1E1BD6A36CB85A8 uid bob (key generation for bob) <firstname.lastname@example.org> sub rsa2048 2022-02-02 [E] [expires: 2022-10-03]
Assuming that our key has been compromised, a revocation certificate should be generated so as to disassociate the old key from our identity so we can generate a new one.
Generating a revocation certificate.
gpg --output ~/revoke.crt --gen-revoke email@example.com
sec rsa2048/F1E1BD6A36CB85A8 2022-02-02 bob (key generation for bob) <firstname.lastname@example.org> Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision? 1 Enter an optional description; end it with an empty line: > The key is compromised > Reason for revocation: Key has been compromised The key is compromised Is this okay? (y/N) y ASCII armored output forced. Revocation certificate created.
After this operation a file revoke.crt is created in the specified directory, to be safe we can change permissions so that only us can have permissions to r/w/e it.
Importing a public key.
As discussed earlier to encrypt a file/message so that the only the intended recipient can view its contents, we need their public key.
In this section we discuss how to import a recipient's public key,
Assuming alice has sent us her public key and have it stored in the current directory, we can import it as follows,
gpg --import alice.key
After this operation, you should see the name and email address associated with this key, in this case they should match alice's details.
A public key can also be uploaded by alice to a public key server e.g MIT's public key server, If this is the case we use the --keyserver followed by the key server and --search-keys option followed by the person's name/email address in order to locate it.
gpg --keyserver pgp.mit.edu --search-keys email@example.com
After we execute this command, if the email has a match, it will be listed, so we select it and it is imported.
Details of the owner will be displayed.
Verification and key signing.
Assuming we used the second method to get the public key from the server, we may need to verify it.
To do this we match the fingerprint from alice's key and the fingerprint we generate from the received key, if they match then it is verified,
gpg --fingerprint firstname.lastname@example.org
After verification we sign it so as to avoid confirmation prompts from gpg everytime we wish to encrypt/decrypt messages to/from the alice.
gpg --sign-key email@example.com
Sharing a public key.
In this case we are alice and are trying to share our key with bob.
gpg --output ~/alice.key --amor --export firstname.lastname@example.org
--output defines the file the key will be exported to, --export to export key from gpg local key store and share it as a file, --armor tells gpg to generate ASCII output.
After this operation we should have a file alice.key.
To share it on a public server pgp.mit.edu we use --send-keys to send it there and --keyserver which is followed by the server address. A fingerprint is provided so as to identify the key to send,
gpg --send-keys --keyserver pgp.mit.edu 12H0450B9DF01A924065GC4DF2E7BD9A36CB23A8
If successful we should get a confirmation it was sent.
Encrypting a file.
gpg --encrypt --sign --armor -r email@example.com message.txt
--encrypt to encrypt the file,
--sign, to sign the file with our details(bob).
--armor, to create an ASCII file(.asc).
--r, defines the recipient(firstname.lastname@example.org).
message.txt is the message we are encrypting.
The file message.asc is now the encrypted version and can only be read by alice who has bob's public key and her own private key.
Decrypting a file.
gpg --decrypt message.asc > message.txt
--decrypt, will decrypt message.asc to plain text and send output to message.txt assuming we have the sender's public key and our own private key.
Keys may change as we have seen, for example our private key might be compromised, or it might be expired, either way we need to generate a new key pair then send the public key to a key server or use other means to get it the the other party.
Assuming the other party does the above, we can use the --refresh--keys option to check if a key has changed, if so we will know from the output of the command.
gpg --keyserver pgp.mit.edu --refresh-keys
gpg is used for encrypting email, messages, files, documents or anything that one may need to send to another user securely or encrypting important data in a computer system.
After encrypting a file/message, only the intended user will be able to decrypt it. Each person(sender, receiver) will hold a private and public key. The latter together with a private key is used to decrypt the sent file which was previously encrypted using the private key and public key.
Encryption algorithms used with gpg are strong and cannot be easily brute forced but this does not mean for us to use weak passwords since it will be futile, also if one forgets a password, recovering this data means breaking a very strong encryption.
- Execute man gpg for the manual page or gpg --help.