Private and public keys are at the heart of gpg’s encryption and decryption processes. The best first step is to create a key pair for yourself.
- Generate a private key.
You’ll have to answer a bunch of questions:
Code: Select all
gpg --gen-key
- What kind and size of key you want; the defaults are probably good enough.
- How long the key should be valid. You can safely choose a non-expiring key for your own use. If you plan to use a key for public signing, you might want to consider a yearly expiration.
- Your real name and e-mail address; these are necessary for identifying your key in a larger set of keys.
- A comment for your key, perhaps to distinquish a key used for special tasks like signing software releases. The comment can be empty.
- A passphrase. Whatever you do, don’t forget it! Your key, and all your encrypted files, will be useless if you do.
- Generate an ASCII version of your public key.
You can freely distribute this file by sending it to friends, posting it on your web site, or whatever.
Code: Select all
gpg --armor --output pubkey.txt --export 'Your Name'
- You might also want to register your key with public keyservers so that others can retrieve your key without having to contact you directly.
Code: Select all
gpg --send-keys 'Your Name' --keyserver hkp://subkeys.pgp.net
Encrypting files for your personal use is quite easy.
- Encrypt a file called foo.txt. The argument to the --recipient option should be the all or part of the name you used when generating your private key.
The encrypted version of the file will by default be named foo.txt.gpg. You can modify that behavior using the --output (-o) option.
Code: Select all
# the long version gpg --encrypt --recipient 'Your Name' foo.txt # using terse options gpg -e -r Name foo.txt
- Decrypt the encrypted file. You’ll be asked to provide the passphrase you used when generating your private key. If you don’t use the --output option, the contents of the encrypted file will be sent to standard output.
Code: Select all
gpg --output foo.txt --decrypt foo.txt.gpg
Code: Select all
# example Makefile for viewing/editing an encrypted file
GPGID = [email protected]
FILEPLAIN = foo.txt
FILECRYPT = $(FILEPLAIN).gpg
GPG = gpg
RM = /bin/rm -i
VI = vim
all:
@echo ""
@echo "usage:"
@echo ""
@echo "* make view -- to see $(FILEPLAIN)"
@echo "* make edit -- to edit $(FILEPLAIN)"
@echo ""
edit:
@umask 0077;\
$(GPG) --output $(FILEPLAIN) --decrypt $(FILECRYPT)
@$(VI) $(FILEPLAIN)
@umask 0077;\
$(GPG) --encrypt --recipient $(GPGID) $(FILEPLAIN)
@$(RM) $(FILEPLAIN)
view:
@umask 0077; $(GPG) --decrypt $(FILECRYPT) | less
The really cool thing about GnuPG is that you can safely encrypt files for others using publicly available keys.
- Import your friend’s key, which you might have received via e-mail or on a floppy. If the file is named key.asc, then just use the --import option to add it to your keyring:
That’s it! You can verify the import using the --list-keys option.
Code: Select all
gpg --import key.asc
- Alternatively, you might be able to find your friend’s key on a public keyserver.
Here’s what a session looks like when someone searches for my key.
Code: Select all
gpg --search-keys '[email protected]' --keyserver hkp://subkeys.pgp.net
You’ll note that my key has four different e-mail addresses attached to it. That’s perfectly normal.Code: Select all
$ gpg --search-keys heinlein@madboa gpgkeys: WARNING: this is an *experimental* HKP interface! gpgkeys: searching for "heinlein@madboa" from HKP server subkeys.pgp.net Keys 1-5 of 5 for "heinlein@madboa" (1) Paul Heinlein <[email protected]> 1024 bit DSA key 8F54CA35, created 2000-11-10 (2) Paul Heinlein <[email protected]> 1024 bit DSA key 8F54CA35, created 2000-11-10 (3) Paul Heinlein <[email protected]> 1024 bit DSA key 8F54CA35, created 2000-11-10 (4) Paul Heinlein <[email protected]> 1024 bit DSA key 8F54CA35, created 2000-11-10 (5) [user attribute packet] 1024 bit DSA key 8F54CA35, created 2000-11-10 Enter number(s), N)ext, or Q)uit > 1 gpgkeys: WARNING: this is an *experimental* HKP interface! gpg: key 8F54CA35: public key "Paul Heinlein <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1
- Once you’ve got the other person’s public key, encrypt a file using it.
You’ll end up with a file called foo.txt.gpg that you can send as an e-mail attachment or make available for downloading via ftp or the web.
Code: Select all
gpg --encrypt --recipient '[email protected]' foo.txt
If someone sends you an encrypted file, the file has typically been encrypted using your public key. Decrypting it is no different than decrypting a file you’ve encrypted for your own use.
Code: Select all
gpg --output foo.txt --decrypt foo.txt.gpg
GnuPG can come in handy when you want to be assured that the file you’ve just downloaded is the one its creator wants you to have. The OpenVPN developers, for instance, release GnuPG signatures for all their downloads.
To verify a file using its detached signature, you must first have imported the signer’s public key. Assume we’ve downloaded crucial.tar.gz and the developers have also released a signature file, crucial.tar.gz.asc. Once you’re confident that you have the developers’ public key in your local keyring, then the verification step is easy:
Code: Select all
gpg --verify crucial.tar.gz.asc crucial.tar.gz
Code: Select all
gpg --armor --detach-sign your-file.zip
Basic Key Management
After a while, you will probably have several keys in your ring. It’s easy to list them all:
Code: Select all
gpg --list-keys
Code: Select all
gpg --delete-key '[email protected]'