~andreicek/

Quick guide to GnuPG

Saturday, September 2, 2017

The point of this document is to get you up and running. We will explain the basics of how PGP works, setup on macOS/*nix systems, encrypting and decrypting data, and the process of signing and verifying messages.

Please note that once this document is more than a year old you will need to recheck all of the things mentioned here.

Last edited: 09/02/2017

Setup

There are a few ways you can set up PGP on your computer: some include a wider set of tools, others cover only the basics. You might want to have a look at Keybase.io, OpenPGP, or GPG Suite. Today we will focus on gnupg - it provides all the needed tools in a compact form.

Installation:

You need to tell gpg-agent which pinentry (passphrase prompt) program to use. Do the following after installing gpg2:

echo "pinentry-program $(which pinentry)" >> ~/.gnupg/gpg-agent.conf
gpg-connect-agent reloadagent /bye

Generating your keys

Start by issuing gpg --gen-key. This will ask you a range of questions: your real name, email, type of key, and key size.

Use:

Use a secure passphrase that you will never share with anyone!

This will generate your private and public key pair which you can use for all further actions.

Sharing your keys

Without sharing your keys all of this is in vain. What you give out to people you trust is your public key. You can export it using the following command:

gpg --armor --export <your email>

An example of that would be an ASCII-armored block like the following (the key material itself is omitted here):

-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----

Importing keys is also really easy. Let’s presume that the key shown above is saved in a file called andrei.asc.

gpg --import andrei.asc

Signing keys

Each key should be signed. When you generate your key, it is self-signed by default. After exchanging keys with someone you might want to sign theirs and upload it to a key server (more on that later). You can sign their key like this:

gpg --edit-key andrei@infinum.co sign save

Be sure to sign their key only if you trust the source you received it from. Usual places would be other people's servers (like this one), Facebook, etc.

Uploading to key servers

Keys are usually uploaded to a key server so that others can fetch them. You can upload your own key and other people's keys. If you signed their key, uploading it makes that signature public.

gpg --keyserver pgp.mit.edu --send-key F611EAEFA07D5401

Substitute F611EAEFA07D5401 with either your key ID or your friend's key ID.

In this example I used pgp.mit.edu. You can use it or any other key server. Note that you can also use Keybase, but the upload procedure will differ. Also, you can now host your public key on Facebook as well - add it here.

Encrypting

When you encrypt a file you need to add all of the recipients, or else no one will be able to open it. If you do not add yourself as a recipient, you will not be able to open it either.

gpg -e -a -o my-file.asc -r andrei@infinum.co my-file.txt

You can now send my-file.asc via email or Slack (the -a flag produces an ASCII-armored file instead of binary output). More recipients can be added by repeating -r <email> as many times as you need.

Decrypting

If you received a file intended for you, you can decrypt it using the following command:

gpg -d my-file.asc

Provided that you have the correct private key, you can now read the contents.

Signing messages

If for some reason you need or wish to provide proof that it’s really you who sent the message, you can sign any file with the following command:

gpg --clearsign <file>

This will create a file with the same filename but with the extension asc. This file can be distributed around. Its contents are in plain text, but it also carries the information about who signed the message and lets the recipient detect whether the message was changed in any way. Your message might look something like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello world!
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEkP1HhW4SFSnJPPVTgezHrVTn+MIFAljS6noACgkQgezHrVTn
+MIz5wf/c+GqGwArhTKyV+CXTsxgEBX1xZXw2JXH2h5DD4wq6zXti9NJL1lukjE9
Z8k3HPgOgURqyNH/EQscCWicGN9YZWn304WSt4r4K2d/VnhToDNd+4AHzjS1BhNY
xTHBXRud3hquIypIuW1iJUzSzH8+7zNzNPdxZwFWvfd4YJmdZM5/8bOzpKZWF8Ci
lKMn9cWzBD8px3BP+I6RqSZ2ETDeHjcfgmnveVhjalHVooJJrdpB9Pd8yl/YDhb+
zOPsPdZ1DMgQS1bUIpz4IbotEVdFgOLueGisatTi/6nHqQeG22sHvtAxYqRkGmcM
7CNfzT6l+A3PnwSE/pUsor9GmnDBrg==
=EaMk
-----END PGP SIGNATURE-----

Verifying the message

You might want to verify that the message you got really comes from the sender. For a detached signature, the sender first signs the file with:

gpg --detach-sign <file>

This creates a file with the extension sig next to the original; the recipient then uses it to verify the message:

gpg --verify <filename>.sig <filename>

Please do verify your messages.
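Checking the exit code of gpg --verify is not enough: gpg exits 0 for a good signature made by a key you imported but never trusted. The script below is an added example (not part of the original post) that reads gpg's machine-readable status lines and accepts a detached signature only when the signature is good and the signing key carries full or ultimate trust; judge_status and verify_file are names chosen here, and the key/user IDs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. gpg --verify exits 0 for any good
# signature, even one from a key you never trusted, so the decision below is based
# on the status lines that --status-fd emits (documented in GnuPG's doc/DETAILS).

# judge_status reads status lines ("[GNUPG:] KEYWORD ...") from stdin and returns 0
# only when gpg reported a good, valid signature AND the key's trust is full/ultimate.
# Example input (constructed):
#   [GNUPG:] GOODSIG F611EAEFA07D5401 Andrei <andrei@infinum.co>
#   [GNUPG:] VALIDSIG <fingerprint> 2017-09-02 1504310400 0 4 0 1 8 00 <fingerprint>
#   [GNUPG:] TRUST_ULTIMATE 0 pgp
judge_status() {
    good=0; valid=0; trusted=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)  good=1 ;;
            "[GNUPG:] VALIDSIG "*) valid=1 ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
            # Any of these means the signature must not be accepted.
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
        esac
    done
    if [ "$bad" -eq 0 ] && [ "$good" -eq 1 ] && [ "$valid" -eq 1 ] && [ "$trusted" -eq 1 ]; then
        return 0
    fi
    return 1
}

# verify_file runs gpg on <file> and its detached <file>.sig, routes the status
# lines to stdout (fd 1), hides the human-readable chatter, and applies judge_status.
verify_file() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | judge_status
}
```

Call verify_file my-file.txt after receiving my-file.txt and my-file.txt.sig; a zero exit means the signature is good and the key is one you have marked as trusted.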

Image courtesy of XKCD.

If you liked this post, consider buying me a cup of coffee.