How to deal with GPG Keys
Your brief commands cheatsheet on working with your secret keys
GPG keys make asymmetric encryption easier to deal with as an end user. If you don’t know what asymmetric encryption is, don’t worry! I’ve got you covered:
Creating your GPG private-public key pair
If you want a quick way with some default settings, you can use
gpg --gen-key
If you want to get really in-depth with your key configurations, then you should enter:
gpg --full-gen-key
With the --full-gen-key
flag, you will be asked to:
- Specify the key type and algorithm (RSA, DSA or ECC) and what the key is for.
- Specify the elliptic curve (or, for RSA and DSA, the key size in bits).
- Specify the expiry date.
And then there’s some basic information on your name, email, and the comment (intended use). This will add a private-public key-pair to your system.
List your keys
gpg --list-keys
This lists every public key in your keyring: the public halves of your own key pairs and all public keys you have imported. To see only the keys whose private part you hold, use --list-secret-keys instead.
The output looks like the following:
pub ed25519 YYYY-MM-DD [SC] [expires: YYYY-MM-DD]
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
uid [ultimate] John Doe (My Private Key) <john@doe.com>
sub cv25519 YYYY-MM-DD [E] [expires: YYYY-MM-DD]
I have masked my key here, but you should see a 40-digit hex string. That is the key’s fingerprint. The last 16 hex digits are the long keyid, and the last 8 hex digits are the short keyid. Prefer the full fingerprint whenever you refer to a key: a short keyid is only 32 bits, and anyone can generate a key whose short keyid collides with yours, so it does not identify a key on its own.
Exporting your public key
You want to send a friend your public key? Export it into a file and send them the file (plain text is fine, since public keys are meant to be distributed freely).
gpg --armor --output pub.key --export <your@email>
This writes an ASCII-armored copy of your public key to pub.key
, which you can distribute. If more than one key in your keyring matches the email address, pass the fingerprint instead of the address so the right key is exported.
Publishing your public key
Sometimes sending your public key directly is not practical (you will run into this when signing your JAR files for Maven Central
). Instead, you upload your key to a key server.
Knowing your keyid, you could send your key with the below command:
gpg --keyserver keyserver.ubuntu.com --send-keys FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Other keyservers include:
keys.openpgp.org
pgp.mit.edu
Note that keys.openpgp.org only publishes the name and email on your key after you confirm the address by email; until then, others can fetch the key by its fingerprint only.
Importing someone’s public key
You can import your friend’s key in two ways, mirroring the above. If you have their public key file, simply import it with:
gpg --import that-pub.key
Importing from keyserver
If you know their email address, you can search for it on the keyserver:
gpg --keyserver keyserver.ubuntu.com --search-keys your@friend.com
Or, if you already know the fingerprint of their key, you can import it directly:
gpg --keyserver keyserver.ubuntu.com --recv-keys FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Anyone can upload a key with any name and email address to a keyserver, so a key fetched this way proves nothing about who holds the private key. Before you encrypt to it, compare its fingerprint (gpg --fingerprint) with one your friend gave you over a channel you trust.
We’ve handled dealing with keys, but how would you encrypt or sign files with gpg?
Encrypting a file
Using gpg, you can encrypt a file so that only your friend can decrypt it. gpg generates a random session key, encrypts the file with it, and encrypts that session key to your friend’s public (encryption sub)key; your own private key is not involved unless you also sign the file (add -s). You can do this with:
gpg -o file.enc -e -r your@frienddomain.com file
This takes the regular file and writes an encrypted copy, file.enc
. Note: your@frienddomain.com must appear when you list your keys with gpg --list-keys
. If not, import their public key with the commands described above. Also note that you cannot decrypt file.enc yourself unless you add your own key as a second recipient (-r may be given more than once).
Decrypting a file
gpg
does not need to know who the sender is in order to decrypt: the encrypted file records the keyid of the recipient’s encryption subkey, and gpg looks up the matching private key in your keyring. So you can simply decrypt a file with:
gpg -d file.enc
This prints the plaintext to standard output; add -o file to write it to a file instead. Your friend’s public key only comes into play if the file was also signed (gpg -s -e ...): then gpg verifies the signature after decrypting and reports "Good signature" if the signer’s public key is in your keyring, or "No public key" if it is not.
Signing a file
You can create a detached armored signature of a file with:
gpg -ab file.txt
This creates a file file.txt.asc
, which is the detached signature. You can then verify this signature with:
gpg --verify file.txt.asc file.txt
and it should print "Good signature from ..." followed by the signer’s user ID. A good signature only proves that the file was signed by the key with that fingerprint, so the fingerprint must be one you have verified; if you have not certified the key, gpg also prints "WARNING: This key is not certified with a trusted signature!", which is a hint to check the fingerprint rather than something to ignore.
Thank you for reading if you made it this far. I hope you often visit this article to remind yourself of the useful GPG commands.
Want to connect?
GitHub profile
Portfolio website