
GPG Encryption

From John's Wiki

GPG - GNU Privacy Guard

Overview

GPG is an alternative implementation of the OpenPGP standard. GPG/PGP uses asymmetric cryptography: each user generates a public/private key pair. With asymmetric encryption, data encrypted with the public key can only be decrypted with the private key, and vice versa.

The intention is to make your public key known and freely available while keeping your private key secret. Others can then use your public key to encrypt data and send it to you, knowing that only you can decrypt it with your private key.

Common Commands

Note: We'll be using email@example.com as a stand-in for a key's identifier. GPG accepts several other forms of key identifier in its place.

To create a new key pair run the command below and follow the dialogue options.

gpg --full-generate-key

After generating your keys you can list them with the command below.

gpg --list-keys

You can list the secret keys you have with the command below.

gpg --list-secret-keys

Immediately after creating a new key pair you'll want to sign your own key.

gpg --sign-key email@example.com

From there you're ready to export your public key and give it to others.

gpg --output ~/gpg_key.pub --armor --export email@example.com

Once your friend has your public gpg key they can import it using the command below.

gpg --import ~/gpg_key.pub

Then, to encrypt something for you, your friend runs the command below, which encrypts with your public key and signs with their own private key.

gpg --encrypt --sign --armor --output file.txt.gpg -r email@example.com file.txt    # without --output, --armor would name the file file.txt.asc

That will generate file.txt.gpg, which is the encrypted copy of the message.

Once your friend sends the encrypted file.txt.gpg to you, you can verify its authenticity by running the command below.

gpg --always-trust --verify file.txt.gpg    # --always-trust skips the web-of-trust check; for an encrypted message the signature is only checked during --decrypt

Finally you can decrypt it with the below command.

gpg --decrypt file.txt.gpg

Here are some additional commands.

To delete someone else's public key from your keychain.

gpg --delete-key email@example.com

To delete your own secret key.

gpg --delete-secret-key email@example.com && gpg --delete-key email@example.com

To see how much GPG clout a particular key has check the number of signatures.

gpg --list-sigs email@example.com

To list keys in the long key ID format (needed to get the long key ID used for the keyserver upload below).

gpg --keyid-format LONG --list-keys email@example.com

To send a key to the three major keyservers.

gpg --send-keys 156DF784C8EACD80    # default keyserver (from gpg.conf / dirmngr.conf)
gpg --keyserver keys.openpgp.org --send-keys 156DF784C8EACD80    # keys.openpgp.org
gpg --keyserver keyserver.ubuntu.com --send-keys 156DF784C8EACD80    # Ubuntu

Search a keyserver for a person's key.

gpg --keyserver keys.openpgp.org --search-keys email@example.com

Signing & Encrypting

GPG can both sign data and encrypt data. Signing a message ensures data integrity (the message has not been changed) and authenticity (the message came from where it says it came from), whereas encryption ensures confidentiality (the data cannot be read in transit).

In reality, signing is just encrypting (strictly, a hash of) the message with the private key. It can then only be decrypted with the corresponding public key. Anyone with the public key can decrypt and read a signed message, and since they used the public key to decrypt it, it must have been encrypted (i.e. signed) with the private key and therefore must have come from the private key holder.

Signing and encryption are not mutually exclusive. With GPG it's possible for data to be encrypted and signed, encrypted but not signed, or signed but not encrypted.

The most secure method is to first encrypt a message with the recipient’s public key and then sign the message using your private key before sending it. That way on the receiving side anyone can verify that the message came from you because it can only be decrypted with your public key. Likewise, they can know that the message has not been altered in transit because again the signed file could only have been created by your private key.

The signature on a message becomes invalid if the message is altered, even if the message is sent in plain text. If someone changed the message, the signature file would also need to be changed, and the only person who can produce a valid signature file is the private key holder.

Finally once the recipient receives the message and verifies its authenticity they can then decrypt it using their private key.

Sources

https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84

https://www.digitalocean.com/community/tutorials/how-to-use-gpg-to-encrypt-and-sign-messages