While there is a great deal of material online about gpg, it is hard to find a brief tutorial that explains in layman's terms how to set up gpg and how to encrypt and decrypt files. It is important to know what goes on behind the scenes and how the crypto works, and luckily the documentation is good and clear. But not brief.
I have decided to write a post one can always come back to in order to see which command performs a particular action. Eventually, these commands will be learned. For the reader: I assume you know what cryptography is, what it is used for, and have heard of gpg.
To generate a public/private keypair:
Enter the appropriate values when prompted. Opt for a 4096-bit key length. Enter 0 if you want a key that never expires; an expiry date that you extend while you still control the key is the safer default, because a key you lose or that is compromised then stops being usable on its own. To list the keys that you have on a system:
Save both your public and private keys somewhere safe! I recommend copying your whole ~/.gnupg/ folder to a small USB drive and keeping it somewhere safe, off the machine.
As this tutorial recommends:
Creating a revocation key/certificate
A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way.
It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.
You can create a revocation certificate by:
gpg --output revoke.asc --gen-revoke $GPGKEY
The revocation key may be printed and/or stored as a file. Take care to safeguard your revocation key.
Anybody having access to your revocation certificate can revoke your key, rendering it useless.
If you need an ASCII version of your public key (to give it to a friend, for example), run:
gpg --output mykey.asc --export -a D8FC66D2
where "D8FC66D2" is your key ID. Note that this 8-hex-digit "short" key ID is only the low 32 bits of the fingerprint, and a key with any chosen short ID can be generated in minutes, so whenever identity matters (telling a friend which key is yours, or choosing a key to encrypt to) use the full 40-hex-digit fingerprint that gpg --fingerprint prints instead.
To upload your key to a keyserver, run:
gpg --keyserver keyserver.ubuntu.com --send-keys D8FC66D2
Once uploaded, a key cannot be removed from the traditional keyserver network, only revoked, so upload it only when you are happy with it.
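The key-setup steps above (generate, list, export the public key, locate the revocation certificate, back up the secret key) as one added example that is not code from the original post. It runs GnuPG non-interactively inside a throwaway GNUPGHOME, so it never touches your real ~/.gnupg; it assumes GnuPG 2.2 or later on PATH, and the name, e-mail address and passphrase are made up for the demo. Uploading to a keyserver is deliberately left out.

```shell
#!/bin/sh
# Added example (not from the original post): key setup in a throwaway
# GNUPGHOME. Assumes GnuPG 2.2+ on PATH; name, e-mail and passphrase are
# made up for the demo.
set -eu

DEMO_PW='demo passphrase only'

# Isolated keyring directory; exported so every gpg call below uses it.
new_gpg_home() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Never display 8-hex-digit short key IDs: they are trivial to collide.
    printf 'keyid-format 0xlong\nwith-fingerprint\n' > "$GNUPGHOME/gpg.conf"
    # Lets --passphrase work in --batch mode on every 2.1/2.2 release.
    printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
}

# Batch equivalent of the post's interactive generation: RSA-4096 primary
# key plus an encryption subkey, no expiry. Prints the 40-hex-digit
# fingerprint, the only identifier you should use to refer to the key.
gen_key() {  # $1 name, $2 e-mail, $3 passphrase
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$3" \
        --quick-generate-key "$1 <$2>" rsa4096 default never
    gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# ASCII-armored public key: the file you hand to a friend or a keyserver.
export_public() {  # $1 fingerprint
    gpg --batch --armor --export "$1"
}

# The secret key, protected only by its passphrase. Together with the
# passphrase this output *is* the key; guard it like the ~/.gnupg backup.
export_secret() {  # $1 fingerprint, $2 passphrase
    gpg --batch --pinentry-mode loopback --passphrase "$2" \
        --armor --export-secret-keys "$1"
}

# GnuPG 2.1+ writes a revocation certificate at generation time; this is
# the file to move offline. Its armor header starts with a colon so that
# it cannot be imported by accident.
revocation_cert() {  # $1 fingerprint; prints the path
    f="$GNUPGHOME/openpgp-revocs.d/$1.rev"
    [ -f "$f" ] || return 1
    printf '%s\n' "$f"
}

# What the certificate does when used: importing it marks the key revoked
# in this keyring (send the key to the keyserver afterwards to tell others).
revoke_key() {  # $1 fingerprint
    sed 's/^:-----BEGIN/-----BEGIN/' "$(revocation_cert "$1")" \
        | gpg --batch --quiet --import
}

# The validity field of the "pub" line reads "r" once the key is revoked.
is_revoked() {  # $1 fingerprint
    gpg --batch --with-colons --list-keys "$1" | grep -q '^pub:r:'
}

# Demo run; skipped automatically when gpg is not installed.
if command -v gpg >/dev/null 2>&1; then
    new_gpg_home
    FPR=$(gen_key 'Demo User' demo@example.org "$DEMO_PW")
    echo "fingerprint: $FPR"
    export_public "$FPR" > "$GNUPGHOME/mykey.asc"
    export_secret "$FPR" "$DEMO_PW" > "$GNUPGHOME/secret-backup.asc"
    echo "revocation certificate: $(revocation_cert "$FPR")"
    gpgconf --kill gpg-agent
fi
```

Running it prints the fingerprint and the path of the revocation certificate; revoke_key shows what happens when that certificate is imported, which is why the post tells you to keep it where nobody else can get at it.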
Encrypt a file with a symmetric key (a passphrase only, no key pair involved):
gpg -c file1.txt
gpg -ca file1.txt # for an ASCII-looking file
You will be prompted for a passphrase. The first command creates file1.txt.gpg, the second creates file1.txt.asc. Note that gpg leaves the original, unencrypted file1.txt in place: keep it somewhere safe, or delete it if the encrypted copy is meant to be the only one.
To decrypt:
gpg -d file1.txt.asc
This will output contents to standard output, so if you want to decrypt and write it to file:
gpg -o outputfile -d file1.txt.asc
Enter the passphrase. A symmetrically encrypted file carries no signature, so a successful decryption proves that the passphrase was right, not who produced the file.
To encrypt symmetrically and also sign with your private key:
gpg -csa file1.txt
Enter the passphrase for the symmetric encryption and the passphrase for your private key when prompted. This time whoever decrypts the file can also check who signed it. Depending on your GnuPG version you may see the warning "message was not integrity protected": old releases (GnuPG 1.4 with its CAST5 default) did not add the MDC integrity check to symmetrically encrypted output. Current versions add it by default and, since GnuPG 2.2.8, refuse to decrypt messages that lack it.
To encrypt with a public key:
gpg -ear email@example.com file1.txt
-e stands for 'encrypt'.
-r selects the recipient, i.e. whose public key to use. In the example above we encrypted to our own public key, so only we (or people who have our private key :) can decrypt the file. Use your friend's email if you want to encrypt with her public key; gpg will warn and ask for confirmation if you have not certified that key.
-a stands for --armor, i.e. use the ASCII-looking format.
To decrypt with your private key, either of:
gpg -o outputfile.txt -d file1.txt.asc
gpg -d file1.txt.asc > outputfile.txt
Enter the passphrase for your private key.
To import your friend's public key (if she posted it on her website or has given it to you):
gpg --import KEYFILE
To trust the key, first confirm its fingerprint with her out of band (in person or over the phone), then open it in the key editor:
gpg --edit-key NAME
At the gpg> prompt, sign (or lsign for a certification that is never exported) records that you have verified the key belongs to her; trust additionally tells gpg how far to rely on her certifications of other people's keys.
To export a public key to an ascii text file, run:
gpg -a --export NAME > yourpublickey.gpg
To export a private (or secret) key to an ASCII text file, run:
gpg -a --export-secret-keys NAME > yourprivatekey.gpg
The exported file is protected only by your passphrase; treat it with the same care as the ~/.gnupg/ backup.
To delete a public key from the local key ring:
gpg --delete-keys NAME
To delete a secret key from the local key ring:
gpg --delete-secret-keys NAME
If you hold both, delete the secret key first: gpg refuses to remove a public key while its secret key is still in the ring.
Keys are referred to by name or partial name. I normally type in the email associated with the key and it always works. Bear in mind that a partial name matches whichever keys contain it, and anybody can create a key carrying your friend's name and e-mail; when it matters, refer to a key by its full fingerprint.
To integrity-check and authenticate a file, create a detached digital signature. Anyone with your public key can then confirm that the file has not been modified since you signed it:
gpg -ba -u firstname.lastname@example.org file1.txt
-b creates a detached signature (the file itself is left untouched), -a makes it ASCII-armored, and -u selects which of your keys signs; the signature is written to file1.txt.asc.
Now your friend can verify your signature, naming both the signature and the file it covers:
gpg --verify file1.txt.asc file1.txt
A "Good signature" only means the signature matches some key in her keyring; she should also check that the fingerprint gpg reports is yours, and gpg will warn her if she has not certified your key.
~/.gnupg/gpg.conf is your configuration file; the gpg(1) man page lists all of the options.
For example, you can set which key to use by default (default-key), add yourself as a recipient of everything you encrypt (encrypt-to, so you can still read files you sent to others), or encrypt to your own key when no recipient is given (default-recipient-self). You can also enable or disable verbose console output messages and many other things.
Some more links to good tutorials and guides on gpg:
- Wikipedia article: https://en.wikipedia.org/wiki/GNU_Privacy_Guard
- How to back up your keys: http://wiki.openskills.org/OpenSkills/OpenPGP+Key+Backup
Originally published 4.27.2014