Ryan Jacobs


GPG Part 1

Introduction

GPG is a key-based encryption system. Each user creates a keypair, which contains both a Public and a Private Key.

Public Keys should be shared with everyone! Someone can encrypt a message with a Public Key, and only the user with the paired Private Key can decrypt it. This is the basis of key-based encryption.

Private should be kept private! If your Private Key is compromised, other people could pretend to be you! Luckily, in order to compromise a Private Key, both the Private Key and the password to the Private Key are needed.

Example

Alice wants to send a message to Bob so that only Bob can read it. For simplicity's sake, we'll call the message: msg.txt.

So, what does Alice do? Well first she grabs Bob's Public Key off of the internet, (which Bob should have posted somewhere online or emailed it). Then Alice encrypts msg.txt with Bob's Public Key. And finally, Alice can post the message online or email it to Bob, knowing fully well that only Bob will be able to decrypt her message.

The End.

Actually Doing It!

Ah... Finally, after a long, laborious introduction we can now begin to encrypt stuff!

First let's create a fresh keypair.
If it asks you anything about key type, keysize, etc, just go with the defaults :)

Note: You should try to have as little as possible personal keypairs. Giving a person a key that they know you'll have for a while is better than giving them a key that you may or may not change within the next month. Get what I'm saying?

If you already have a keypair, you can skip this step.

[email protected] ~/example $ gpg --gen-key
gpg (GnuPG) 2.0.26; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Billy-Bob Joe
Email address: [email protected]
Comment:
You selected this USER-ID:
    "Billy-Bob Joe <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: key DF0FDA07 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   2048R/DF0FDA07 2014-09-24
      Key fingerprint = E81B B32C A5EE 91BE 3624  D5DD BE4D D4CB DF0F DA07
uid       [ultimate] Billy-Bob Joe <[email protected]>
sub   2048R/C5CFBED7 2014-09-24

Now What?

Well, now that you have a keypair, you also have a Public Key and a Private Key.
Let's export that Public Key so we can give it to people!

[email protected] ~/example $ gpg -a --export
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQENBFQiGIcBCADETKu64kPuMsONDQQQ+/UsI4B3DFPBlLz4r2NwEneA1Fnb4ROd
XGV3gPqpBe23nBiHtwisOTjpmTLAZ4bng7D+/KRaHYElo7JvFyPJ5x5gG500iO+0
m3wv3hDBfgX0fwjnnf6F//ZqL2novBW+b5qWwjRUyUPOeA1iXRcFXSt9rwWw7ilc
dv7Fru2Z1gaTpNbBxx2z/UHqE0jLtblmN/25n8c0hNg+hEVIdcPThq1toC6tmhvR
zxe7sJ4TBhYCZl3zQD7GGWSCVp2VzyH0PjtkCP6VlR1sjnobJDHi6+a/uMH3TVgs
4G4DWc7ZrXD4TPwR8m9q29OiRRC2hJXwE9QzABEBAAG0H0JpbGx5LUJvYiBKb2Ug
PGJiakB3ZWJzaXRlLm5ldD6JATkEEwECACMFAlQiGIcCGwMHCwkIBwMCAQYVCAIJ
CgsEFgIDAQIeAQIXgAAKCRC+TdTL3w/aB1nACACms7U+zAEVJ2wadkgzsQP0fvXa
J3ujhvFwrtzCgbJ2mSJZDaA9Pxt0LLWyUb0vDB/K8AGCKzTB6f1ys//wVPEl/jKn
TvCqy8zhkJgDOoy3ThDvavD3bXCADf+GHEZDBtwfxzFlwkD5L5fPklMAEtqe8fJW
Da9jc1271VrtG1Y7CF3LT2PbtLF54bpXalUhasDi9eIzDpxgnEI+728INMINb190
Rr+NyrIlw6ZSMiRJXKHlPlUEdzjIiMZYYEULEihDmwYP8aI/RRPlIF9Astkv6PLO
K7ei4ta1a7tExc92vFYalLqptthNoQL/S5JwBErNtYGlu/kk6xr6w8dszlbHuQEN
BFQiGIcBCADTC+MvV1rz/Lj6EjBgJkPWq3W3yUlWUYjP5eqlHFe2Wz/9Syg0/j6q
ONUvOMssVPF2VQzu5oBItberbj5znIvRXkHhtMSOevsML5OxDb9reRvFlu6yqkRL
1nLDRJquA4Vn2px6gV1h+ZqauHh8qYZivNGDazXg2GuvU9+fVlu28mj0R5Fa8kRz
7jJJWRZSb6wOgHtTThmijSuIEYbkCJKRCxMor1iveEjTHORek0l4LISnb3yFQBQk
yMGW8rDWHVu1ktQcugfCMMTGFC+3otZNeHHkI8iEBzw230bk2DhlPfwOSTPRA0EG
2mTPUET0oL8Y7w+9ieoPiWZkTEqm8g7jABEBAAGJAR8EGAECAAkFAlQiGIcCGwwA
CgkQvk3Uy98P2geDKQgAjfoqaB3YZwG5nRDF1BB5gIFPbO39uI3FB4Bxfujk8Ecf
giCtPtX7PgqhVb8dCZazhs4EB90Zs6K03wTeHp3ZfFkqSSmZuPW0XO8TQxczZw61
PTPBpSDLl9Y7rn2DykreLYyte8Pk8Nh3K5fJWSTl78/0arGWT5A4ocxDRCXUBKy8
TRuff3zUaf3cR03OvxSJ7G0K/YTXIMhDH1aKYx2UQW9ts9XR5Xz+D3ML07T/UTmv
uu8pxBhQB9ktzT+Ne+MnXh+99phOhaFPgFtiHLMrXju3iKJhlHap+v/EcgXzmFHC
lwwEmo39DVutvzYkmX3FZ2Qd6wnEm9XK7vIaX7ZKoQ==
=yHH2
-----END PGP PUBLIC KEY BLOCK-----

Yay! Now give that Public Key away! To your best friend, to the mailman, or to your best friend who happens to be the mailman! I don't care, just give it away!

Just on a side note, if you manage to import the key posted above, send me an encrypted message... *wink* Although you probably don't know how to do this yet, (which is fine). You'll learn about this in GPG - Part 2.

Encrypting Files for Recipients

Let's encrypt some stuff!
In this example we'll be encrypting a file with ourselves as the recipient.

First we'll create a file to encrypt.

echo "I love pink poodles." > super_secret.txt

Now we'll encrypt the file... (Replace 'Billy-Bob' with your first name)

gpg --armor --encrypt --recipient 'Billy-Bob' super_secret.txt

A breakdown of the options:

--armor      # -a, enable ascii output
--encrypt    # -e, we want to encrypt
--recipient  # -r, who will be able to decrypt it
# Typically you'll use the short options. However, it helps to understand
# what the options mean first.

Now you can see the encrypted file. Let's delete the old file too.

[email protected] ~/example $ ls
super_secret.txt  super_secret.txt.asc
[email protected] ~/example $ rm super_secret.txt
[email protected] ~/example $ ls
super_secret.txt.asc

[email protected] ~/example $ cat super_secret.txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQIMA4WxEsEqIT/MAQ//YRlvEEhmoqwa0Q72C7GScM7heMqJiyiWbxf/Y0IgazWA
+KvyQuNRPBLBFioS4rkiOZ4LviAN65iIE4uN2haxOkIicFKt18ju6AkfOOvhCk+I
Bfjaxl3CFvcYV//mnHaKrASr4Vd2WYAsQTPsvaeGJ1VmTlXWM6N+58mf9NnmV51r
n2N/FQNTN3SfH8Xb8DZJxibxzlexbsEsVtkE2StTP6t+wDgV8FegiSBgWD1l4IiZ
xUY1SWB7kO7ssx3bz+xgVewaPbpbxXGhzCFAalm6G3RCP+nSZy32RAyuAull7EKJ
dZtzcI94KAUjp2zmkYydl3aN0/tUKG/13VsZzo8cJP+1i9b3ezGTynuYhpf2UQr9
XsrZKxFXt2Ak2ItAcSEl3YyQj99JTvsoMd97M0etQsCWIWMRXunp0leY8rL2Q3uh
xGYAebGYVftbsf+0Pv4/gdO12nvzxFzXfDDYSnNbTN9XnqT99FOamyIDvvMVTvd3
a/rwHo5Neal5engK9TvcF/1DeYih7UlZ3UxYxQboCHjgoD8nNGCLIva64PxbB0Us
yhvY7g6ORV4jko/5TEzt1752MCexpX/ebwUmWvCkewTAsQbe9RWbabVYvXopzADk
iOZmyH0pC+9RVn36sgnnD0h/jwEUG38KcDkRSlUwCZJCqznR6/fv6FVZtrqtme/S
YAE3OCZzlmeBZc+a9OrMq6Yi2gJFs2fn7LQh1EheOl3KtooQqgmY6xy4sIkmaxYg
kJrDIDL8iPmb+65TNVnBn0uSKPNh+CoV0SBCgvVNgPB36Fy5VYH6QVdlIS3HyHRB
Dg==
=gAB7
-----END PGP MESSAGE-----
[email protected] ~/example $

Yay! We encrypted a file! You can see how the contents of super_secret.txt.asc look like garbage to the human eye, (but they're really not :D)

Decrypting Files Addressed to Your Public Keys

We can only decrypt files if they were encrypted with our Public Key. And, we know that we encrypted super_secret.txt with our Public Key. So that means: we can decrypt it!

[email protected] ~/example $ ls
super_secret.txt.asc
[email protected] ~/example $ gpg super_secret.txt.asc
password:
[email protected] ~/example $ ls -lh
total 8.0K
-rw-r--r-- 1 ryan users  21 Sep 23 18:55 super_secret.txt
-rw-r--r-- 1 ryan users 929 Sep 23 18:44 super_secret.txt.asc

[email protected] ~/example $ cat super_secret.txt
I love pink poodles.

As you can see, decrypting files is incredibly easy.

Wrapping Up

I hope you learned a lot from that huge dump of information. Now you should be perfectly capable of encrypting files with Public Keys and sending them to their recipients. And, you should also be capable of decrypting files that have been encrypted with your Public Key, (which by far is the easiest thing).

You now understand how keypair-based encryption works!

Do you want to learn even more about GPG? Read my guide GPG - Part 2!