Getting started using GnuPG encryption - Part 1

GnuPG is an extremely versatile piece of FOSS that can greatly enhance your security and privacy. Admittedly it's not the most user-friendly, but all things considered it's by far the best you can get.

Some popular uses for GnuPG are:

GnuPG is implemented in a variety of other software, including email and file transfer clients. It's particularly notable for its widespread usage among FOSS communities.

Installing GnuPG

If you're running a Linux distribution, BSD or a similar system, chances are you already have GnuPG (also referred to as GPG) installed. You can check by typing the following in your terminal of choice.

gpg --version -v

If you don't get anything, use your system's package manager or build from source to install it.

For Windows users gpg4win is the only real choice available; the full download also includes the Kleopatra user interface if you want to use that. Mac OS X users have a few more options, the most popular being GPG Suite, which also contains a nice user interface.

Public Key Cryptography

GnuPG primarily uses public key cryptography. This consists of two separate but related keys known as the public and private key. As the names suggest, one can be public and the other must be kept private. The public key is used to perform encryption while the private key, which GnuPG calls the secret key, is used to decrypt.

The first task when using GnuPG for the first time is to generate your keypair, which is also protected by a passphrase, so even if your secret key is compromised the passphrase would still need to be broken. The generated keys are stored in your keyring file along with any keys you have imported.

Generating your keypair

Note: For versions older than 2.0 use --gen-key instead of --full-generate-key.

gpg --full-generate-key
        Please select what kind of key you want:
        (1) RSA and RSA (default)
        (2) DSA and Elgamal
        (3) DSA (sign only)
        (4) RSA (sign only)
        (7) DSA (set your own capabilities)
        (8) RSA (set your own capabilities)
        (9) ECC and ECC
        (10) ECC (sign only)
        (11) ECC (set your own capabilities)
        Your selection? 

You will be asked what type of key you want. The traditional algorithm is RSA, but this is gradually being replaced with more modern elliptic curve cryptography (ECC); older versions of GPG will not offer you ECC. If you're going to use RSA, the key size must be at least 2048 bits. You might be wondering why it says RSA and RSA: this is because it generates two pairs, one used for signing and one for encryption.

You will be asked to set an expiration date. This is highly recommended, and a value of 2 years is usually fine. You can still use a key after it has expired; the date is more to alert other people and yourself that the key should not be used. You will also be asked to enter your name, email address and an optional comment.

Finally you will be asked for a passphrase. Choose a good one that you can easily remember; it should have at least 14 alphanumeric characters, preferably more.

Listing your keys

To list your public keys use the following:

gpg -k
    pub   rsa2048/3A667E8AF50B404D 2017-06-19 [SC] [expires: 2018-06-19]
    uid                 [ultimate] test key <>
    sub   rsa2048/37DEA43755409894 2017-06-19 [E] [expires: 2018-06-19]

As mentioned before, two keypairs are generated, and the key pair used for encryption is stored as a subkey. By default any key you generate is given ultimate trust. To list your secret keys use:

gpg -K
    sec   rsa2048/3A667E8AF50B404D 2017-06-19 [SC] [expires: 2018-06-19]
    uid                 [ultimate] test key <>
    ssb   rsa2048/37DEA43755409894 2017-06-19 [E] [expires: 2018-06-19]

As you can see, the output is pretty much identical. The key IDs are exactly the same since the pair is linked. If you ever lose your secret key, for example, you will never be able to perform any operation that requires the secret key, such as decryption.

Note: Depending on your GnuPG options the display may be slightly different; in particular, the key ID can be displayed shorter or longer and the fingerprint hidden. To display the fingerprint, which is also the full key ID, use gpg --fingerprint.
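An added example, not part of the original article: a small shell audit that checks a keyring against the advice given for key generation (RSA keys of at least 2048 bits, an expiration date set). It reads GnuPG's machine-readable --with-colons listing instead of the human-readable one, which varies with your options; the function names and the sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): audit a keyring listing against the
# advice above: RSA keys of at least 2048 bits, and an expiration date set.
#
# Colon-format fields used: 1 = record type, 3 = key length in bits,
# 4 = algorithm (1 = RSA), 5 = key ID, 7 = expiry in epoch seconds
# (empty means the key never expires).

# Constructed sample records, not a real keyring. The first key mirrors the
# listing shown above; the second is a made-up 1024-bit key with no expiry.
sample_keyring() {
cat <<'EOF'
pub:u:2048:1:3A667E8AF50B404D:1497830400:1529366400::u:::scESC:
uid:u::::1497830400::0000::test key <>:
sub:u:2048:1:37DEA43755409894:1497830400:1529366400:::::e:
pub:f:1024:1:AAAAAAAAAAAAAAAA:1262304000:::-:::scESC:
sub:f:1024:1:BBBBBBBBBBBBBBBB:1262304000::::::e:
EOF
}

# audit_keys NOW_EPOCH
# Reads colon records on stdin and prints "KEYID FINDING [DETAIL]" lines.
audit_keys() {
    awk -F: -v now="$1" '
        $1 == "pub" || $1 == "sub" {
            if ($4 == 1 && $3 + 0 < 2048) print $5, "WEAK_RSA", $3
            if ($7 == "")                 print $5, "NO_EXPIRY"
            else if ($7 + 0 < now + 0)    print $5, "EXPIRED"
        }'
}

# Real use: gpg --list-keys --with-colons | audit_keys "$(date +%s)"
sample_keyring | audit_keys "$(date +%s)"
```
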

Exporting and importing keys

Often you will want to send someone your public key or have it available on your website. To do this you need to export the key from your keyring. You can export it as a binary file, or as a readable ASCII file by adding the -a or --armor option.

gpg -a --export 3A667E8AF50B404D > key.gpg

This exports the key in ASCII format into the key.gpg file. You can specify the key to export by name or email address; however, to avoid mistakes, using the key ID is strongly recommended. This will give you the following:


        -----END PGP PUBLIC KEY BLOCK-----

To import the key you simply do the following:

gpg --import key.gpg
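A check worth running before the import, as an added example that is not part of the original article: gpg --import adds every key contained in the file, so this confirms that the file holds exactly one primary key and that its fingerprint matches the one you obtained from the key's owner. The function names, fingerprints and sample records are constructed; producing the records from a real file assumes a GnuPG version that provides --show-keys.

```sh
#!/bin/sh
# Added example (not from the article): inspect a key file before importing it.

# Prints the primary key fingerprint (field 10 of the first "fpr" record after
# "pub") only when the input contains exactly one primary key.
primary_fpr_if_single() {
    awk -F: '
        $1 == "pub"         { pubs++; need = 1; next }
        $1 == "fpr" && need { fpr = $10; need = 0 }
        END                 { if (pubs == 1) print fpr }'
}

# check_keyfile EXPECTED_FPR
# Reads colon records on stdin; succeeds only on an exact fingerprint match.
# The comparison is done as a shell string test, never as a number.
check_keyfile() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(primary_fpr_if_single)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed records: one key with one subkey (all values are made up).
one_key() {
cat <<'EOF'
pub:-:2048:1:1111222233334444:1497830400:1529366400::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1497830400::0000::test key <>:
sub:-:2048:1:5555666677778888:1497830400:1529366400:::::e:
fpr:::::::::0000111122223333444455555555666677778888:
EOF
}

# Constructed records: the same file with a second, unexpected key appended.
two_keys() {
one_key
cat <<'EOF'
pub:-:2048:1:9999AAAA9999AAAA:1497830400:::-:::scESC:
fpr:::::::::123412341234123412341234 9999AAAA9999AAAA:
EOF
}

# Real use:
#   gpg --show-keys --with-colons key.gpg | check_keyfile "$FPR" \
#       && gpg --import key.gpg
if one_key | check_keyfile 'aaaa bbbb cccc dddd eeee ffff 1111 2222 3333 4444'
then echo "fingerprint matches, safe to import"; fi
```
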

Exporting secret keys

Since the secret keys are so important, it's vital you have a secure backup. The easiest, although perhaps not the most secure, way is to print it out. Whichever method you choose, all that really matters is that you have a reliable backup.

gpg -a --export-secret-keys 3A667E8AF50B404D > secret.gpg

The secret key export will also include your public keys, so there is no need to export both. Exporting does require your passphrase to be entered.

In part two we will be putting this to practical use.

