The GNU Privacy Guard

The GNU Privacy Guard (GPG) is a cryptographic suite released under the GPL license.

GPG uses the public/private key cryptography architecture to encrypt/decrypt the contents in a safe way.

With this software you can easly manage your keys and use cryptography to secure your file and communication.

You can use it to encrypt file, emails and everything you want!

Key management

Generate your first keys

The first step you have to do in order to use gpg, is to generate your keys. With the keys you’ll be able to encrypt and decrypt file.

So use the “gpg –gen-key” to generate the keys. This command acts in an interactive way and you must answer to some questions.

First, you have to choose the kind of key. The first option is selected by default and you should choose it so at the end, in your keyring, will be available two keys. Note that with the third and fourth options, you’ll obtain a key that can be used only to sign and not to encrypt.

root@debian:~# gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

Your selection? 1

Here, you’re asked to choose the expiration date of your key. Choose the most appropriate option that fits your needs. In our example the key will never expire.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Then you have to choose the length of your keys. 2048 bits is a reasonable choice.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all

At the end, if you’re satisfied confirm whit “y”.

Is this correct (y/N) y

Now it’s time to insert the data about the user ID, which will identify your key. So insert the real name, the email address and a comment about the key.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) "

Real name: James Smith
Email address: james@localhost
Comment: My First Key
You selected this USER-ID:
"James Smith (My First Key) "

It’s time to insert the passphrase of your key. This is one of the most important steps, because the passphrase will protect your private key, so you must to be careful and choose a very strong password.

Like every password, don’t use dictionary words, real name, birth date and everything that can be found easily. Instead use numbers, lower and upper case letters and punctuation. If an attacker will gain the access on your private key, he must first bypass the encryption on the key (he must break the passphrase), so a weak password means that the risk to lose all the encrypted files is very high.

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Then confirm with “O” your insertion.
You need a Passphrase to protect your secret key.

Enter passphrase:

Repeat passphrase: 

In this step gpg will generate the public and private key. As you can see the keys are generated using “a lot of random bytes” and is better if you can perform some other actions (move the mouse, type something with the keyboard, open some applications, etc.).

At the end of the process you will obtain the key ID. In our case the ID is 4CF30FD4.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 268 more bytes)
.+++++
+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
......+++++
gpg: key 4CF30FD4 marked as ultimately trusted
public and secret key created and signed.

The summary of your first key show some information like the fingerprint of the key.

The fingerprint is the "signature" of your keys and you can check it with gpg --fingerprint james@localhost.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/4CF30FD4 2011-03-19
Key fingerprint = 4CE0 E53B 22A4 0F9D 5272 0F52 3892 F462 4CF3 0FD4
uid James Smith (My First Key) 
sub 2048R/050A93EA 2011-03-19

List your keys

When you have generated your keys, you can list them with the gpg --list-key command: 

root@debian:~# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/4CF30FD4 2011-03-19
uid                  James Smith (My First Key) 
sub   2048R/050A93EA 2011-03-19

This will show you the public key. As you can see, these information come from the pubring.gpg file.

If you want to list your secret key you can use gpg --list-secret-key:

root@debian:~# gpg --list-secret-key
/root/.gnupg/secring.gpg
------------------------
sec   2048R/4CF30FD4 2011-03-19
uid                  James Smith (My First Key) 
ssb   2048R/050A93EA 2011-03-19

You can see that the output of this two commands is quite the same, only for few exceptions.

First the "--list-secret-key" takes the information from the secring.gpg file. Second, if we look at the first column we can see that for the first command we have "pub" and "sub" while for the second "sec" and "ssb".

Backing up your secret keys

Next step is to backup your secret keys, this mostly because security reasons. For example if you loose your key, then you will not be able to decrypt your documents anymore.

For do this, you can export the key to an .asc file:

gpg --export-secret-key --armor james@localhost > james_private_key.asc

The "--armor" will add some line to the file used by OpenGPG to reconstruct data later.

You must secure this file against thefts or bad people.

Key Server

Key servers are very useful because they let you to spread your public key. When your public key is available to the others, they can encrypt content to send to you or verify file that you have signed before.

You can use a web key server, like the MIT key server or send your key through the command line:

gpg --keyserver hkp://pgp.mit.edu --send-key KEY_ID

This will send your public key to the MIT's key server. Replace KEY_ID with the ID of your key.

Encryption / Decryption

Encrpyt

When your keys are ready to use, you can begin encrypt your files.

To do this you can use the gpg command followed by some arguments:

gpg -e -r james@localhost somefile

If there aren't errors, this command will generate a .gpg file in the local directory. This file is encrypted ("-e") using the keys

of the james keyring ("-r").

If we look with "file" the results we should obtain this:

root@debian:~# file somefile.gpg 
somefile.gpg: GPG encrypted data

Decrpyt

Decryption is much simpler than encryption.

You must only pass to gpg the previously encrypted file:

root@debian:~# gpg test.gpg 

You need a passphrase to unlock the secret key for
user: "James Smith (My First Key) "
2048-bit RSA key, ID 050A93EA, created 2011-03-19 (main key ID 4CF30FD4)

gpg: encrypted with 2048-bit RSA key, ID 050A93EA, created 2011-03-19
      "James Smith (My First Key) "
File `test' exists. Overwrite? (y/N) y

When you give the file as parameter, gpg will recognize the key that was used to encrypt it.

Then you will asked for your password and at the end of the process you will have the decrypted file in the current directory.

Revoke your keys

When you work with keys and passphrase, there are some problems that can occur, for example when you forgot your passphrase or when your keys become unusable. In these cases you will not be able to decrypt file crypted with your public key.

To avoid this, you should generate a revocation certificate.

Revocation certificates are used to notify to the other that a key is no longer available and that you want to withdraw the keys from the public domain.

To generate this kind of certificates you can do the following:

gpg --output revocation_cert.asc --gen-revoke KEY_ID

This will generate in the revocation_cert.asc your certificate.

Now you have to revoke first your local keys:

gpg --import revocation_cert.asc

Then send this revoked keys to your key server:

gpg --keyserver pgp.mit.edu --send-keys KEY_ID