Use gpg

From Linuxintro
Revision as of 12:27, 25 April 2009 by ChrisM (section: Importing keys)

Introduction

gpg (more precisely: GnuPG) can be used to encrypt and decrypt all sorts of data, from text such as mails to binary files, either for a specific recipient (public-key encryption) or for everyone who knows the passphrase (symmetric encryption). It implements one of the most established encryption standards (OpenPGP) and is embedded into many applications, though this article focuses on direct use of gpg on the command line.

Installation

Packages should be available for all distributions. The package is usually called "gnupg" (or "gnupg2"). If you do not know how to install packages, see the article on installing packages.

Usage

Creating a key

First, you should create your own key pair. This will allow you to sign data with your key, so other people can be sure it stems from you (if they trust the authenticity of your key), and it will allow people to encrypt data with your public key that only you, using your private key, can decrypt.

GPG stores all of its data under ~/.gnupg, which is created automatically on first use. So just run:

gpg --gen-key

(On GnuPG 2.1 and later, --gen-key no longer asks for key type, length and expiry but uses the defaults; run gpg --full-generate-key instead to get the prompts described below.)

Select the key type. Older GnuPG versions offer "DSA and ElGamal" as the default; current versions default to "RSA and RSA" (GnuPG 2.3 and later to Curve25519 keys), and you should take the current default rather than DSA, which is deprecated and limited to short keys. Then select a decent key length. If you are not concerned about how long your key will be in its ASCII representation (that is, you do not want to attach it to every mail or so), you should probably just use 4096 bits for an RSA key.

Now you can select when the key will expire. This is up to you; however, for a first test you might want to create a key that expires after some days, so that nobody mistakes it for a permanent key once you no longer use it. (The expiry date of a key can be extended later with gpg --edit-key, so a short expiry on a real key costs little.)

Confirm and enter your name, mail address and an optional comment. The mail address should be the one people will later send mail to (if you use the key for mailing), so that they can find the right key on the key server by searching for that address.

Confirm another time and now choose a secure passphrase for the private key. This protects your private key from illicit use even if someone gets hold of the key file (you should make sure it does not come to that!). Now just generate some entropy: surf the web, move the mouse etc., and your key should be generated and ready to use.

Perhaps you want to deploy your key to a key server now for your contacts to download. Read more about this below.

Exporting your key

When exporting a key, you most likely want the so-called "ASCII armor". That means that no binary data is printed, only printable ASCII characters (base64 text between "-----BEGIN PGP PUBLIC KEY BLOCK-----" and "-----END PGP PUBLIC KEY BLOCK-----" lines). Of course this makes the output somewhat larger, but you get data that can safely be pasted anywhere, like into a mail or onto a homepage.

You get the ASCII armor by specifying -a (--armor) as a parameter. Please note that this works for many other modes like encryption and signing too and is very useful.

Export:

gpg --export -a [key-id]

(Get the key id with gpg -k, which lists the public keys in your keyring; leave out -a to get binary data.)

Of course, you can redirect the output into a file and send this to your friends, or just grab the ASCII-armored output and insert it somewhere via copy & paste. Whoever receives it should compare the key's fingerprint (gpg --fingerprint [key-id]) with you over a separate channel, because anybody can create a key with your name and mail address on it.

Most likely you will also want your public key to be uploaded to a key server, so that it can be found from anywhere.

gpg --send-key 53CA1DC7

Note that an 8-digit short key id like the one above is easy to forge: two different keys can share it. Prefer naming a key by its full 40-digit fingerprint wherever you refer to a specific key.

You can change the key server with the --keyserver option. When this article was written, the default was subkeys.pgp.net and keys uploaded to one server were synchronized to the others, so this was rarely needed. The old SKS key server pools have since been shut down; current GnuPG versions use keys.openpgp.org by default, which does not synchronize with other servers, so upload your key to the server your contacts actually use.

Importing keys

Import is really simple, just call:

gpg --import

Now you can paste a key you got (gpg reads it from standard input) and finish by closing the input (Ctrl + D).

Or you could just pipe a key contained in a file:

gpg --import < key

Import processes multiple keys at once and takes public and private keys alike, whatever the input contains. Importing a public key only adds it to your keyring; it does not make the key trusted. Compare its fingerprint (gpg --fingerprint) with its owner over a separate channel before you encrypt to it or rely on its signatures.
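The whole sequence described above (creating a key, exporting the public key with ASCII armor, and importing it on the other side) as one script. This is an added example, not code from the Linuxintro page: it runs gpg unattended in two throwaway GnuPG home directories so that ~/.gnupg is never touched, and it checks what a recipient should check after an import, namely that the fingerprint of the imported key matches the one obtained from the sender. The identity "Example User <user@example.com>" is made up, the 7-day expiry follows the article's advice for a first test key, and the key is stored without a passphrase, which is acceptable only for a throwaway key. It requires GnuPG 2.1 or later (for %no-protection) and gpgconf.

```shell
#!/bin/sh
# Added example, not from the original page: create a short-lived test key
# unattended, export its public half ASCII-armored, import it into a second,
# empty keyring, and verify the fingerprint on the receiving side.
# Assumptions: GnuPG >= 2.1 with gpgconf; the user id below is made up.

gpg_roundtrip() {
    # Two throwaway GnuPG homes (sender and recipient); ~/.gnupg is not used.
    alice=$(mktemp -d) || return 1
    bob=$(mktemp -d) || return 1
    chmod 700 "$alice" "$bob"

    # Unattended key generation: --batch reads the parameters from stdin.
    # %no-protection stores the private key WITHOUT a passphrase; fine for a
    # throwaway test key, never for a real one.
    gpg --homedir "$alice" --batch --quiet --gen-key <<EOF || return 1
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Example User
Name-Email: user@example.com
Expire-Date: 7d
%commit
EOF

    # Full 40-hex-digit fingerprint of the new primary key. In --with-colons
    # output the "fpr" record carries it in field 10. This, not the 8-digit
    # short id, is what to hand to your contacts.
    fpr=$(gpg --homedir "$alice" --with-colons --fingerprint --list-keys user@example.com \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "${#fpr}" -eq 40 ] || return 1

    # Export the public key with ASCII armor (-a): printable text that can be
    # pasted into a mail or onto a web page.
    pub="$alice/pub.asc"
    gpg --homedir "$alice" --export -a "$fpr" > "$pub" || return 1
    head -n 1 "$pub" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' || return 1

    # The recipient imports it (from a file here; "gpg --import < file" is the same).
    gpg --homedir "$bob" --quiet --import "$pub" 2>/dev/null || return 1

    # Importing gives the recipient the key, not trust in it: the fingerprint
    # they now see must match the one obtained from the owner out of band.
    got=$(gpg --homedir "$bob" --with-colons --fingerprint --list-keys user@example.com \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$got" = "$fpr" ] || return 1

    # Only the public key travelled: the recipient must have no secret key for it.
    if gpg --homedir "$bob" --list-secret-keys user@example.com >/dev/null 2>&1; then
        return 1
    fi

    # Stop the agents that gpg started for the temporary homes, then clean up.
    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null
    rm -rf "$alice" "$bob"
    echo "$fpr"
}

# Prints the fingerprint on success, exits non-zero on any failed check.
gpg_roundtrip
```

The fingerprint comparison at the end is the step people skip: gpg --import accepts any key for any address, so the recipient learns nothing about who made it until the fingerprint has been confirmed with the owner over another channel.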

Listing all known keys

...

Encryption

...

Decryption

...

Signing and verifying signs

...

Symmetric encryption/decryption

...

Going further

  • Set up gpg-agent, which helps you by caching passphrases, if you want.
  • Install a graphical frontend like kgpg (a good KDE frontend, albeit a bit buggy).