gpg (more specific: GnuPG) can be used to encrypt/decrypt all sort of data including mails and binary files, for use of a recipient or for everyone who knows the passphrase (symmetric encryption). It is one of the most established standards for encryption and embedded into many applications, though this article focuses on direct use of gpg on the CLI.
Packages should be available for all distributions. The package is usually called "gnupg". If you do not know how to install packages, look here.
Creating a key
First, you should create an own key. This will allow you to sign data with your key, so other people can be sure it stems from you (if they trust the authenticity of your key) and it will allow people to encrypt data with your public key that only you, using your private key, can decrypt.
GPG stores all of its data under ~/.gnupg, though that will be created automatically. So just run:
Select "DSA and ElGamal" as key type and select a decent key length. If you are not concerned about how long your key will be in its ASCII representation (so you do not want to attach it to every mail or so), you should probably just use 4096.
Now you can select when the key will expire. This is up to you, however for a first test, you might want to create a key that expires after some days, so no one thinks that this is a permanent key though you do not use it any longer.
Confirm and enter you name, mail address and an optional comment. The mail address should be one that people will try to mail to later (if using the key for mailing) so that they get the key right off the key server.
Confirm another time and now choose a secure passphrase for the private key. This will protect your private key from illicit use, even if someone gets it (you should make sure it does not come this far!). Now just generate some entropy, surf the web, move the move etc., and your key should be generated and ready to use.
Perhaps you want to deploy your key to a key server now for your contacts to download. Read more about this below.
Exporting your key
When exporting a key, you most likely want a so called "ASCII armor". That means that no binary data is printed, but only alphanumeric characters. Of course this will make the output some bytes larger, but you will get data that can safely be printed everywhere like in a mail or on a homepage.
You get that ASCII armor by specifing -a as a parameter. Please note that this works for many other modes like encryption too and is very useful.
gpg --export -a [key-id] (get key id with gpg -k, leave out -a to get binary data)
Of course, you can redirect the output in a file and send this to your friends. Or just grab the ASCII armored output and inserted it via copy & paste somewhere.
Most likely you will also want your public key to be uploaded to a key server you everywhere can find it.
gpg --send-key 53CA1DC7
You can change the key server, per default subkeys.pgp.net should be used. But because your key will be synchronized between the key servers and spread to the other ones, that should not be needed.
Import is really simple, just call:
Now you can copy & paste a key you got and finish by closing the input (Ctrl + D).
Or you could just pipe a key contained in a file:
gpg --import < key
Import will process multiple keys at once and import public and private keys- whatever it will find!
Importing from a key server is also very simple and can be done interactively:
gpg --search-keys [mailaddress]
Now it requests a list of all available keys for that mail address from the key server and you can import the ones you want by just typing their number.
If you know the key id, you can import the key directly with:
Listing all known keys
This is the only operation that is a bit of confusingly on the command line, once you have collected a decent number of keys. You probably should use a GUI frontend for this.
Anyway, to list all your stored public keys:
To list your private keys:
Show the GPG fingerprints (useful for checking the identity of a key):
To encrypt something you must have imported the recipient's public key. Then you can encrypt arbitrary data for this person:
# echo hallo>welt # gpg -e welt You did not specify a user ID. (you may use "-r") Current recipients: Enter the user ID. End with an empty line: email@example.com gpg: 2CC97A3A: There is no assurance this key belongs to the named user pub 2048g/2CC97A3A 2001-03-23 Thorsten Staerk <Thorsten@Staerk.de> Primary key fingerprint: 4014 A34B 86D2 22F8 CDE8 3F6B F97B 6141 37A3 9F1B Subkey fingerprint: 0223 F8A6 DB78 8602 F558 C2BE CDC8 1219 2CC9 7A3A It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) y Current recipients: 2048g/2CC97A3A 2001-03-23 "John Dull <firstname.lastname@example.org>" Enter the user ID. End with an empty line: # ll welt.gpg -rw-r--r-- 1 root root 563 Jul 21 03:22 welt.gpg # hexdump -C welt.gpg 00000000 85 02 0e 03 cd c8 12 19 2c c9 7a 3a 10 08 00 c5 |........,.z:....| 00000010 b4 c6 e9 f9 2e 43 28 b6 57 96 e7 fb d9 8e 00 e2 |.....C(.W.......| [...]
Depending on what you want to do with the data, you can request encapsulation of the encrypted data in an ASCII armor (see above). Specify -a and you will get only printable (alpha-numeric) characters, at the price of a slightly larger output. If you do not redirect GnuPG's output to a file, you should really do this, otherwise you will get binary trash sent to your terminal.
# gpg -ea welt You did not specify a user ID. (you may use "-r") Current recipients: Enter the user ID. End with an empty line: email@example.com gpg: 2CC97A3A: There is no assurance this key belongs to the named user pub 2048g/2CC97A3A 2001-03-23 John Dull <firstname.lastname@example.org> Primary key fingerprint: 4014 A34B 86D2 22F8 CDE8 3F6B F97B 6141 37A3 9F1B Subkey fingerprint: 0223 F8A6 DB78 8602 F558 C2BE CDC8 1219 2CC9 7A3A It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) y Current recipients: 2048g/2CC97A3A 2001-03-23 "John Dull <email@example.com>" Enter the user ID. End with an empty line: # cat welt.asc -----BEGIN PGP MESSAGE----- Version: GnuPG v2.0.18 (GNU/Linux) hQIOA83IEhksyXo6EAf/QS387gGczQ82EdS9y6wkYEo/umiNXRAbODz8ZVkc7Zvv n0JO+V/CxEtkHsjOtNOicA7e1jZvOKjkzqQ/3Xj/FLGrH8nlVIMT/fDDZwvbOwuL 4qghn5N68tLqDesJwKMnc3PqYpHVSBDp1c9+zFnE5SfTpMYVxyIkxU+POjohYhQe UATzahHz9eBWDSIKAKCM/CbLrjsZW4Cu3ErLU/T2Rgeg9CFIM8l79YUiWTuJIiz/ FfVIj1r2oPxufBtQ2dMO7xIWFJ9gSIGO1WFb2DItnTAQar3LgSo/jYjd3tWeEx1Y 8D2h6UAaMw437GGYbOK6cIz0SSKg8WjbO8cRYlipXgf9GgSWJPWcwHCj5y+s9vWk 9IPmUrLZWw1VFIpaCVnueAk+FkBHyJuphJozEG+diM2QbbN3JWqAkYRsZ6mVf4DP WbRHVQ17VWU9jTinjVmerPNNPSTFdVrGN//SMlRu0h3Du7CfbtqGo9YY5p36LeQ8 E3NOwwEPDKo45Ewh+1GKQSs6yrqIZJqFpYXM3hcUgyL+UuKYOeI4ieEoNoT7eTya eLz/wHRfGquZkMzsEi6+jjx7AakIV6i7LjNjOOt2fhF4zXt66R0z5I2ICiHb5Wd3 V0n3e3rLJBTPTx2gFqgNxlrXZHos+aSd7BlhsiMdA1mGHTBdkUcrIkoOl839wVSP mskgL1rJfIooBavLNp9Fb4HFKHALn1ZyVB1jn81WltjF9/4= =3Bnb -----END PGP MESSAGE-----
Note: Encrypting something can be combined with signing it. More information on signing follows below.
Decrypting requires that you have the private key and its passphrase.
and paste your encrypted message like this:
-----BEGIN PGP MESSAGE----- Charset: UTF-8 Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ hQIOA58pC+QiINQwEAf/QZj9T7IgLtXbL2E169DcQxs1CUH/md84FzC4Heokz/Uq Xk9fCFK0uY6y2FzG6ikdXzrbFb/Bzta31mvPF+vEsKJhM7fVF7DRhc3Q02VhIq+O G+rTPRRG1QlxCTbA+ef/cdHB/HgduGAr11G7mZ1A9GOO+bgMo8g+l749zRVZxKke MswDWIZHvdDt09L0PZMvJpSsHs0GmHrkuga69+DinWtodZHXgAi0eOi7uc+AL0SN ROncpYoHe660f2su3GSo8Lx04gCazAdbUKMwUYCqwVunfuLINwzTRFqdfEgAheI+ fvT+7ryBVl2Qs8YntG4qEQ10FB20S7nMBUUuc4bCgAf9HD7SiIf0ht3IrEUNdCZm ZLBu2slxui3vmOn51tOmNXO+1Tz0B9X16akQd7TGPnFjq8Sh/QyXeCJBmuoIyov4 dr+m+Pa9kp2qNbc4fJCvQREAi99WC2BXEpIR/6avpbJvOiP+MFEW8S4pBD3AHEoW gqn2BOrDksgrdjwjFL6Cooi0GdH2v6fTznKW17IbA5CcFyQnkh+ug2c7P1JPt/Gm pBKTSdVpY0sJVw0fxcCTjiB8ou9ktlkQfQS7oeHpU4X6FoOCFT9v+jTf2NvQpoNr Dt6XjxGHhWTCvw6Gk3AhUValtJpQqhgQAP2+EmHAnDwxUqFugqNI0zzzPgmrd+Ez iYUCDAOLlSc6Trci1wEQAMYm5tfLmGipac2kRetap8gZQxcFa5NJzoZinWKzc/S1 c2e6dLXiu2/yG94Rz95MEAapbt9IBk96VxIWK7AJeanF7/A6XW7J6u8OjvBN4B3k hu3Hue0D9Uw5r25SdqK8o4QITnk/Ckd3mAH4fomHB9GCGlFn6CopPl4u6LsY5F4L eW3H5F0JIBZl8ugAE5U6Kq3q8qUGiINOgRnjaBrqH6VnIBdui8iFiE6ibXSV3dJe yxp4jN8HPKR3q3wqzVijelPb/bdsvqjw/HVmh5GDwwK3DRd9RBp3+kJVCmx3aEfH RF9os2CCyiZXp49zOoqHbeuirYU1Ov0+RiHCfuVNxj/dvIPOOTBdEduss1ZGxEOp yC2KI68v++l6N8NcX91rTUiY+/pM+fQa/dDxoQpJeCo1eHgPwHpkX1963+AYkY0M KYyF7LggXt2Wjof4kCUunU+jLEsiFl8eUz/mL8S4WteOIdTq+4K9rVdRjQlh2Mgd RWED6vhxfZp/LwLUnWjXq9rrGCebwG58YiK28PUqTZ4pvAAGtr5RsGq3SCYQDEGF FD5QgtXUz12aKIbAAMbweaaXYHRPqkbMiWOR7drszLK9LXVAHJM+RdVAADVtfPyo NoyACmdOgH6FCxYsZibX4WT+uTvy2rDG9CKpQLx69e7R5TnQTM52lK0fPgWRoYV+ 0uoBfSLtpplkF5ShZXlWDuZstXVp42bSSMhjDnefSoi8EiKxcOyD+nyY1tPbVe2z 9oz1/JR+0I9+VrE9Ilu7zNFTQxscDocH50m4aB/uHwTTEBI4NhzHzkrOm/r5j6hm c7EsfdGdTDo7hpnZShLPywJgq5bqeckxoOsBdPJoaVCDhSO1CHy9QfGoz1NxAQI4 DllwHxcWiT+e5RRtIJlRlLRnPKhbQgSFg/ra3wMRYxxKUT3sceD8CgCci2BTFQZP kJJo6bg8lukxqIRoe5FeyF94DDtVSmCINzO+q0rw7PfVn3Vg8K3Wb2PqqzcHQZh0 lm24XO/F7HfMr5vx/k/CQt8vuAQZ/kwGGs2T9SWDcAOJC1dxDRNCLizIXuwRi5QL LJBuRFdeqfNdLe+Rt57yBdGweJzklEUZvyyTqTE/4HJ80JINg6Zv4UrEMgFUZsap DQhuFbOykqlvRvzcdhfEFVmNlfbKv481GSJNx6agodfkJlUaBlZo/ZisAZoixXOu yJEmkAcO89dy3mRBSpmEhrKtGeQvsLPBfoVsMbLuNJHw1RHg3KjbzuX+vjxahujF esrUGGwvoZRoAiT7LeZV1PnZu4xttp2WugccOA0EV67gqCdRwcM8VIk3hKs7CXIq KWvBcFic+Ht9rDiPMgju2z8zAwBqpU/0klbgbyYV6MLxPyZA7/IaE0JcXW1izyc1 VQ5woJc2hVXVZfTdEktFgXq/blHY3E8l1nJ+04aq6Kq0pRW6Ejyi3GzIGVwmmwtG QxbdpNAOgXZCcbas8qkkdQIJtXa4Z9SKosx+DQ8OxVbD9pbT9JHX4Er1dQ/qqQ72 cUUN3ZPbbfqyZBzyGuW2sDZaEhdbGnfeRf/NLCzGxY86CJx6lwDP3ykfVmf4bK76 sWtIdQgS3JklY5RWl+2D6Z9ykFlxw9mY+SKYHAL4v3BSsO9IvozEv9P3W1yOPP3D 6pLqLbdWFcax43dJQDI1f/L89TzfE2knn/WN+69VUUA+GJ7AOkdt34lt3H0k40I6 sf97IDVh3LFITJSlGATah6b2/SS3EiIn5MHxb9D9v3wIuQV90lMualrTYkeu4Bx3 4aVIq+cZ+uCSjJtWz/E8cGmlmEyDpds0GygBFLN7IR2xbWIJw0CJoG4iraActEhg nzQG62oYjMEHda8I3LO+zGE1odZLD9grvvlOAH8pLf7vmFc3cNYRc13RoIX3JCHu AouXApbso6RuXechqSZ2Kse2K2PDgE6xbWMJLfiyUonWwqaL+VOYyCSHRa4zjaC4 9HT4MnlpkSahqDzT1ZOTrD9RviOwGu7KfP3FDaIfYdAETHFDnADU1bRuTTaezVZW TRqEUwFWfksVfmAiTkxRGpVWCjO8o5vDphlXgZY= =UWFZ -----END PGP MESSAGE-----
You will then be asked for the passphrase by a graphical pop-up. Enter it. Then type CTRL_D in the console. You will be shown the clear text in the console.
Signing and verifying signs
Signing differs from encryption in that the cleartext is not scrambled. Even someone without GPG can still read your data, but someone with GPG is able to verify your signature (in contrast to encryption, which contains no signature) and verify that the message has been signed with your private key.
In general it is a good idea to combine encryption and signing, especially for mails.
To sign something, call:
But more useful is to create a detached sign with -b:
With a detached sign, your message is still readable without GPG and the signature can be transmitted after the message or even separately. This is the most common mode for signing mails, since not every recipient has GPG available.
Both commands will use your primary private key for signing, but you can change that behaviour but specifing the "local user" with -u to sign with another key. In any case, you will of course need to enter the private key passphrase to use it to sign something.
Like with encryption, you probably want to ASCII-armor the signing output.
To verify a sign:
Again you need to provide the signed data on stdin or as a filename.
Symmetric encryption requires no keys but just generates data with a symmetric cipher that can be decrypted by everyone who knows the secret passphrase.
Input is expected- as always- on stdin, after having specified the passphrase that will be able to decrypt the data.
Again: You probably want to generate ASCII-armored output.
For the experts: You can also combine symmetric and signing to provide a signed symmetric encrypted message. And you can even combine symmetric encryption and (asymmetric) key encryption to generate a message that can be either decrypted by having one of the recipient's private keys or by having the passphrase that has been used for the symmetric encryption! This comes in quite handy sometimes.
With a revocation certificate you are able to revoke the key that the certiciate was generated for, in case the key has been stolen or is simply not being used anymore. That ensures that no one continues to trust messages signed with the key or encrypts data for decryption with this key.
You generate a revocation certificate with --gen-revoke:
gpg --gen-revoke [key]
The key can again be specified in various ways, most common is to just use the mail address.
GnuPG now asks for the reason why the certiciate is being revoked and allows you to provide an additional description. After entering your passphrase you will then get your revocation certiciate.
It is a good advise, to create revocation certificates of all your private keys and store them in a safe (!) place.
- Setup gpg-agent which helps you by caching pass phrases, if you want.
- Install a graphical frontend like kgpg (good KDE frontend, albeit a bit buggy).