GnuPG is an extremely versatile piece of FOSS that can greatly enhance your security and privacy. Admittedly it's not the most user friendly, but all things considered it's by far the best you can get.
Some popular uses for GnuPG are:
- Encrypting email communications
- Encrypting files
- Proof of identity
- File integrity verification
- Organizational security
GnuPG is built into a variety of other software, including email and file transfer clients, and it's particularly notable for its widespread usage among FOSS communities.
If you're running a Linux distribution, BSD or a similar system, chances are you already have GnuPG (also referred to as GPG) installed. You can check by typing the following in your terminal of choice.
gpg --version -v
If you don't get anything, use your system's package manager or build from source to install it.
For Windows users gpg4win is the only real choice available; the full download also includes the Kleopatra user interface if you want to use that. Mac OS X users have a few more options, the most popular being GPG Suite, which also contains a nice user interface.
Public Key Cryptography
GnuPG primarily uses public key cryptography. This relies on two separate but related keys known as the public and private key; as the name suggests, one can be public while the other must be kept private. The public key is used to perform encryption while the secret key is used to decrypt.
The first task when using GnuPG for the first time is to generate your keypair, which is also protected by a passphrase, so even if your secret key is compromised the passphrase would still need to be broken. The generated keys are stored in your keyring file along with any keys you have imported.
Generating your keypair
Note: For versions older than 2.0 use --gen-key instead of --full-generate-key.
gpg --full-generate-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
Your selection?
You will be asked what type of key you want. The traditional algorithm is RSA, but this is gradually being replaced with more modern elliptic curve cryptography (ECC); older versions of GPG will not offer you ECC. If you're going to use RSA, the key size must be at least 2048 bits. You might be wondering why it says RSA and RSA: this is because it generates two pairs, one used for signing and one for encryption.
You will be asked to set an expiration date, which is highly recommended; a value of 2 years is usually fine. You can still use a key after it has expired, the date is more to alert other people and yourself that the key should not be used. You will also be asked to enter your name, email address and an optional comment.
Finally you will be asked for a passphrase. Choose a good one that you can easily remember; it should have at least 14 alphanumeric characters, preferably more.
Listing your keys
To list your public keys use the following:
gpg -k
pub   rsa2048/3A667E8AF50B404D 2017-06-19 [SC] [expires: 2018-06-19]
      DE84E91CCE713BE652132A8E3A667E8AF50B404D
uid           [ultimate] test key <email@example.com>
sub   rsa2048/37DEA43755409894 2017-06-19 [E] [expires: 2018-06-19]
As mentioned before, two keypairs are generated; the key pair used for encryption is stored as a subkey. By default any key you generate is given ultimate trust. To list your secret keys use:
gpg -K
sec   rsa2048/3A667E8AF50B404D 2017-06-19 [SC] [expires: 2018-06-19]
      DE84E91CCE713BE652132A8E3A667E8AF50B404D
uid           [ultimate] test key <firstname.lastname@example.org>
ssb   rsa2048/37DEA43755409894 2017-06-19 [E] [expires: 2018-06-19]
As you can see they are pretty much identical; the key IDs are exactly the same since the pair is linked. If you ever lose your secret key, for example, you will never be able to perform any operation that requires it, such as decryption.
Note: Depending on your GnuPG options the display may be slightly different; in particular the key ID can be displayed shorter or longer and the fingerprint hidden. To display the fingerprint, which is also the full key ID, use gpg --fingerprint
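As an added example (not part of the original article), here is a small Python script that parses the `gpg -k` listing shown above, checks the relationship stated in the note (the long key ID is the tail of the fingerprint) and flags keys that are expired or about to expire, which is what the expiration date set during key generation is for. The sample listing is this page's own, embedded as constructed input so nothing touches a real keyring.

```python
import re
from datetime import date

# Constructed sample input: the `gpg -k` listing shown in this article.
SAMPLE_LISTING = """\
pub   rsa2048/3A667E8AF50B404D 2017-06-19 [SC] [expires: 2018-06-19]
      DE84E91CCE713BE652132A8E3A667E8AF50B404D
uid           [ultimate] test key <email@example.com>
sub   rsa2048/37DEA43755409894 2017-06-19 [E] [expires: 2018-06-19]
"""

# pub/sub lines: "<algo>/<long key id> <created> [<caps>] [expires|expired: <date>]"
KEY_RE = re.compile(r"^(pub|sub)\s+(?P<algo>\w+)/(?P<keyid>[0-9A-F]{16})\s+"
                    r"(?P<created>\d{4}-\d{2}-\d{2})\s+\[(?P<caps>[A-Z]+)\]"
                    r"(?:\s+\[expire[sd]:\s+(?P<expires>\d{4}-\d{2}-\d{2})\])?")
FPR_RE = re.compile(r"^\s+(?P<fpr>[0-9A-F]{40})\s*$")           # indented fingerprint
UID_RE = re.compile(r"^uid\s+(?:\[\w+\]\s+)?(?P<uid>.+?)\s*$")  # optional [trust] tag

def parse_listing(text):
    """Parse a human-readable `gpg -k` listing into a list of primary-key dicts."""
    keys, cur = [], None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            rec = m.groupdict()
            rec["expires"] = rec["expires"] and date.fromisoformat(rec["expires"])
            if m.group(1) == "pub":
                rec.update(fingerprint=None, uids=[], subkeys=[])
                keys.append(rec)
                cur = rec
            elif cur:
                cur["subkeys"].append(rec)
        elif (m := FPR_RE.match(line)) and cur and cur["fingerprint"] is None:
            cur["fingerprint"] = m.group("fpr")   # first fingerprint is the primary's
        elif (m := UID_RE.match(line)) and cur:
            cur["uids"].append(m.group("uid"))
    return keys

def keyid_matches_fingerprint(key):
    """The long key ID is the last 16 hex digits (low 64 bits) of the fingerprint."""
    return bool(key["fingerprint"]) and key["fingerprint"].endswith(key["keyid"])

def expiry_status(key, today, warn_days=30):
    """'ok', 'expiring', 'expired' or 'no-expiry' relative to today (date or ISO string)."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    exp = key["expires"]
    if exp is None:
        return "no-expiry"
    return "expired" if exp < today else "expiring" if (exp - today).days <= warn_days else "ok"
```

Feed it the output of `gpg -k` on your own machine and run `expiry_status` against today's date to get a reminder before the two-year expiry comes round.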
Exporting and importing keys
Often you will want to send someone your public key or have it available on your website. To do this you need to export the key from your keyring; you can export it as a binary file, or as a readable ASCII file by adding the -a or --armor option.
gpg -a --export 3A667E8AF50B404D > key.gpg
This exports the key in ASCII format into the key.gpg file. You can specify the key to export by name or email address, but to avoid mistakes using the key ID is strongly recommended. This gives you an ASCII-armored block starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.
To import the key you simply do the following:
gpg --import key.gpg
Exporting secret keys
Since the secret keys are so important it's vital you have a secure backup. The easiest, although perhaps not the most secure, way is to print it out; whichever method you choose, all that really matters is that you have a reliable backup.
gpg -a --export-secret-keys 3A667E8AF50B404D > secret.gpg
The exported secret key also includes your public key, so there is no need to export both. Exporting does require your passphrase to be entered.
In part two we will be putting this to practical use.