GnuPG for people that don't like GnuPG

Some people hate using GnuPG (GPG), or just plain don't undestand it. This is a quick and dirty guide for those people that MUST use it but don't really WANT to.


So for some reason you have to use GnuPG (GPG for shorts). It may because you work somewhere with minimal privacy/security conscience, or just because you are on a project that decided to sign commits using a GPG/PGP key (I will use PGP/GPG key interchangeably here). The problem is, you have no idea of what you should be doing. Fear not, you can totally fake it until you make it with a few easy commands.

If in some of the commands below you see a lot of gibberish on the screen, check if you didn’t forget to add --armor to it. It makes the output to be ASCII text and not binary gibberish.

Step One - Generate a key pair:

You should have gnupg installed. Use your package manager to do that on Linux, or download it on Windows. If you use Mac OS X use the Homebrew version but be aware that there are some incompatibilities between GnuPG and MacGPG2/GPGTools that require the usage of a nightly version of the later.

This is a full session describing a key pair creation, just answer the questions and you will end with a fully functional PGP key pair ready to use:

% gpg --gen-key
gpg (GnuPG) 1.4.13; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Thu Apr 27 17:16:04 2023 EDT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Testing Smith
Email address: example@example.com
Comment:
You selected this USER-ID:
    "Testing Smith <example@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++
....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
+++++
gpg: key 64E4DFD8 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   4  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1  valid:   4  signed:   0  trust: 0-, 0q, 0n, 3m, 1f, 0u
gpg: next trustdb check due at 2015-08-18
pub   2048R/64E4DFD8 2013-04-29 [expires: 2023-04-27]
      Key fingerprint = 3546 93CD 098B E5E6 0F05  5DBE F5BD 6066 64E4 DFD8
uid                  Testing Smith <example@example.com>
sub   2048R/9A0F9041 2013-04-29 [expires: 2023-04-27]

According to most literature, a 2048 bit key should be good for securing data until 2030, so a 10 year expiry date is fine. If you want to use more than 10 years use 4096 bit, but don’t go over 30 years expiry and NEVER make a key that doesn’t expire.

Also, NEVER create a keypair without a passphrase. And remember, it’s a passphrase not a password. Use something long, creative and that you won’t forget. It’s not like you are going to type it every 5 minutes.

Seriously if you just created a keypair that never expires or without a passphrase, delete it with gpg --delete-secret-key and create a new, proper one, or edit your ridiculously unsafe one with gpg --edit-key (using the commands passwd and expire and then save).

If at any point you don’t like or get something wrong, just press CTRL+C and start again, the key is only saved after those last lines are printed.

Step Two - Export your keys

You have a key pair. That means you have a private and a public key. The public key you want to make know to people to be able to encrypt/sign things to you while the private key you want to keep safe. For that reason, you want to export both keys to text files to facilitate both those tasks:

Exporting the public key to a file:

% gpg --armor --output public_key.gpg --export example@example.com

Exporting the private key to a file:

% gpg --armor --output private_key.gpg --export-secret-keys example@example.com

The private key file you want to save somewhere else. Put it on a thumb drive, backup disk, online backup, anywhere you are confident you won’t lose it. If you lose your private key you won’t be able to access anything that was encrypted using it. For reals, if you lose it, there goes the data.

The public file is another story. You can lose it, share it, put it on your Facebook, Twitter, send it via email, and if you lose it you can just regenerate it from your private key. Anyone that wants to encrypt or sign stuff for you must have it so make it easily accessible.

If you are a really nice guy you should send your public key to one of the key servers around the world, so people can search your email and retrieve your key automatically. For that you need your Key ID, and since this is a thing that people may ask you someday, this is how you find it:

% gpg --list-keys example@example.com
pub   2048R/64E4DFD8 2013-04-29 [expires: 2023-04-27]
uid                  Testing Smith <example@example.com>
sub   2048R/9A0F9041 2013-04-29 [expires: 2023-04-27]

When you list a key, the ID is the number after pub ??????/. In this case the ?????? is 2048R because the key is 2048 bit RSA, but that will vary. So in this case the key ID is 64E4DFD8. With that information you can do:

% gpg --keyserver pgp.mit.edu --send-keys 64E4DFD8

And your public key will be available on the PGP network after a few days (the servers are connected so they will replicate the key worldwide eventually)

Step Three - Encrypt and Decrypt stuff with your keys

Finally, after creating your keypair and exporting your keys, it’s time to do something useful with them. This is a simple example to encrypt a simple text to someone (in this case, myself):

% gpg --armor --encrypt
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: jose

Current recipients:
4096R/17898967 2010-09-10 "José de Paula Eufrásio Júnior <jose.junior@gmail.com>"

Enter the user ID.  End with an empty line:
This is just a text message
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: GPGTools - http://gpgtools.org

hQIMA7sOk1QXiYlnAQ//U74eBVPt7XLBOhvRAWtEJ2Q2L9eN5wsjtvQaPiTOHSiF
JiD8ZT9giPJLn2Dr2ViS6Qhhm3MOGc3V1SxpQvavigC6nIHgzTXPG5CdsiQgLPIk
iXrxpd3rnrnMiCMb/rodbEeYNiJ6q5OiztCfpjFNMBD4lwCSf7wbQNL/TUzADqlA
gIi1mH9Dw3r5PsY3mD6omoRj5MlVCpKDqnAj58iarvRm2NCUvdnWciwXX1KTBFM1
9EnXH3Kyox2RFW78xfh9/OVcX8UAmN25PdgtoSOQMBLLScslKn5ivlTxqhiTW/8N
XS0G1hkTMKJ6ya6vHshp+ei4pOYtqTlVoTZ5xYVc8jv6xhJC/mbTtC3TEdgrcrsY
UIA4F4BfzTi8Si8JeYK50wjdy+425Zqub7+CkYb8n2uTtyqZRrlvd3vvAYtbcmeO
TgD74CCAGomVmN0uQeLKxoFNE6Fre02wEg0m/37eEustpbI1qRtY4z5MHOFsIYU+
+xBSUEcYaVjK95KIpoaGjBA4l8FrwEQRK1/hlFgQkzm9kCiQGjaeOqXr69MFqvFs
OOkCo1asQGBv3CKTPVX/wg2vTi11KPtpBSIV2+pL+U/UwjG6Z7LF0y++y/7obYdu
QBTKPd9tnVVwuC47kENn33vq7454P70hxwHvDc1BWLHsrHf5GMq7lem8ibpLEEvS
VgFhC0qjKyvFD+Aa24BKqQusBiRhSuV/U2oCV/fnkTmIpjLJMAGlmQPojbrCw3lF
Dyv9VZpmb1do6MobHc+dAieKpptNL94yHxppakOIsCAXfADyKolm
=lBMX
-----END PGP MESSAGE-----

So I just typed jose so it could find my key on my keychain and added it as my single recipient, typed the message to be encrypted (“this is just a text message”) and finished it with an EOF signal (CTRL+D). The output is the encrypted message that you can send via email or IM or print on a piece of paper, and it’s all the content included between the -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE-----.

Decrypting is just as easy:

% gpg --decrypt
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: GPGTools - http://gpgtools.org

hQIMA7sOk1QXiYlnAQ//U74eBVPt7XLBOhvRAWtEJ2Q2L9eN5wsjtvQaPiTOHSiF
JiD8ZT9giPJLn2Dr2ViS6Qhhm3MOGc3V1SxpQvavigC6nIHgzTXPG5CdsiQgLPIk
iXrxpd3rnrnMiCMb/rodbEeYNiJ6q5OiztCfpjFNMBD4lwCSf7wbQNL/TUzADqlA
gIi1mH9Dw3r5PsY3mD6omoRj5MlVCpKDqnAj58iarvRm2NCUvdnWciwXX1KTBFM1
9EnXH3Kyox2RFW78xfh9/OVcX8UAmN25PdgtoSOQMBLLScslKn5ivlTxqhiTW/8N
XS0G1hkTMKJ6ya6vHshp+ei4pOYtqTlVoTZ5xYVc8jv6xhJC/mbTtC3TEdgrcrsY
UIA4F4BfzTi8Si8JeYK50wjdy+425Zqub7+CkYb8n2uTtyqZRrlvd3vvAYtbcmeO
TgD74CCAGomVmN0uQeLKxoFNE6Fre02wEg0m/37eEustpbI1qRtY4z5MHOFsIYU+
+xBSUEcYaVjK95KIpoaGjBA4l8FrwEQRK1/hlFgQkzm9kCiQGjaeOqXr69MFqvFs
OOkCo1asQGBv3CKTPVX/wg2vTi11KPtpBSIV2+pL+U/UwjG6Z7LF0y++y/7obYdu
QBTKPd9tnVVwuC47kENn33vq7454P70hxwHvDc1BWLHsrHf5GMq7lem8ibpLEEvS
VgFhC0qjKyvFD+Aa24BKqQusBiRhSuV/U2oCV/fnkTmIpjLJMAGlmQPojbrCw3lF
Dyv9VZpmb1do6MobHc+dAieKpptNL94yHxppakOIsCAXfADyKolm
=lBMX
-----END PGP MESSAGE-----
You need a passphrase to unlock the secret key for
user: "José de Paula Eufrásio Júnior <jose.junior@gmail.com>"
4096-bit RSA key, ID 17898967, created 2010-09-10 (main key ID 031161FF)

gpg: gpg-agent is not available in this session
gpg: encrypted with 4096-bit RSA key, ID 17898967, created 2010-09-10
      "José de Paula Eufrásio Júnior <jose.junior@gmail.com>"
This is just a text message

Paste the message, enter the passphrase for the private key, read the message. Simple like that.

Those are arguably the two most useless uses of GPG, though, but they are a very good way to show how it works on a quick and dirty way.

There are tools and plugins out there to make GPG usage painless and quick, like graphical interfaces for encrypting files, key management and plugins for mail clients for easy signing/encrypting of email messages, but creating and managing keys via the command line are good basics to pick up.

cya

 
comments powered by Disqus