For what is GPG used?
GPG stands for GNU Privacy Guard (also written GnuPG). It is used to encrypt files, apply digital signatures to them, and generally raise the security of data you store or send. You can install it from the gpg or gnupg2 package.
The first step in using GPG is to generate a private/public key pair, just as with SSH. GPG uses standard asymmetric keys: the public key is shared with everyone, and the private key stays with you. In GPG the private key is called the secret key.
# gpg --gen-key
GPG asks three questions: your full name, your email address, and a passphrase. Remember the email address and the passphrase: the email address identifies the key, and the passphrase is what unlocks your private key whenever you use it.
An important point while generating keys is that GPG needs random input, such as mouse movements and keystrokes, to build the key (it feels odd, but that is how it gathers entropy). To get through this step faster, run rngd -r /dev/urandom before issuing the gpg --gen-key command; this utility supplies the randomness and makes the process faster. (Note that /dev/urandom draws on the same kernel pool, so this only stops gpg from waiting; it does not add real entropy.)
After the keys are generated, they are stored in a file called the keyring, inside the ~/.gnupg/ directory. The keyring plays the same role as the authorized_keys file with SSH.
Exporting public key
Again, the situation is similar to SSH: once the private (secret) key and the public key are generated, they are placed in our keyring. Now you must share the public key with someone else so that they can encrypt files for you.
# gpg --export firstname.lastname@example.org > gpgkey123.pub
Once this is done you can share this file with anyone, and they will be able to encrypt files that only we can decrypt with our private key. When sending the key file to your friend you may run into a problem where it won't send, because the export above is binary. Export the public key again, this time adding the --armor option, to get the key in ASCII format.
When you receive a public key from someone, that key is used to encrypt files for that person. Before you can use it, the key must be added to your own keyring. This is called importing, and it is done with this command:
# gpg --import gpgkey123.pub
After we have added their public key to our keyring, we can encrypt files with it. To view the keys in our keyring, use this command:
# gpg --list-keys
Encrypting and decrypting data
Someone has sent us his public key. Once it is in our keyring, we can encrypt files for him with that public key. You do this with this command:
# gpg --out encryptedFile --recipient email@example.com --encrypt originalFile.txt
In the example above, we first give the name of the encrypted output file, then who will receive it, and finally which file needs to be encrypted. Only the person who holds the matching private (secret) key can decrypt the result. He uses this command to decrypt it:
# gpg --out mynewfile.txt --decrypt encryptedFile
A straightforward command: decrypt the file called encryptedFile and write the result to "mynewfile.txt".
Signing messages and verifying signatures
When you encrypt a file and send it over a network, it may be corrupted or altered on the way. To detect this, we can digitally sign GPG-encrypted files. In a nutshell, the signature is made with your private key over the file's contents, carries a timestamp, and certifies the file: if the file is modified in any way, gpg alerts the receiver when the signature is checked.
To sign a file, use the --sign option, or, when you want to send it as ASCII text, the --clearsign switch. To create the digital signature, gpg uses your private key and asks for the passphrase that protects that key. Encrypting the file:
# gpg --out encryptedFile --recipient firstname.lastname@example.org --encrypt secret.txt
Then, to digitally sign it, use this command:
# gpg --out signedEncryptedFile --sign encryptedFile
When the recipient gets this encrypted and signed file, he can verify it with:
# gpg --verify signedEncryptedFile
Decrypting digitally signed file
Once we get the file, we must verify it to make sure it has not been corrupted, then decrypt it, and finally read what is inside. First, let's verify the signed and encrypted file we received, called signedFile. If the signature is good, write the unwrapped content to a new file called "encrypted.gpg":
# gpg --out encrypted.gpg --verify signedFile
After the file is verified, decrypt it with this command:
# gpg --out decrypted.txt --decrypt encrypted.gpg
We told gpg to read encrypted.gpg, decrypt it, and write the result to a new file called "decrypted.txt", which can now be read easily.
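The whole exchange described in the sections above (generate keys, export and import public keys, encrypt, sign, decrypt and verify), as an added example that is not part of the original tutorial. It assumes GnuPG 2.1 or later and uses --batch with --quick-gen-key for unattended key creation, which the tutorial does not cover; the user ids, file names and sample text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: two throwaway keyrings (Alice the
# sender, Bob the recipient) walk through export, import, sign+encrypt and
# decrypt+verify, then show that a single flipped byte makes gpg reject the file.
# Assumes GnuPG 2.1 or later; all names and files below are constructed.
set -eu

make_keyring() {            # $1 = GNUPGHOME dir, $2 = user id
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never   # empty passphrase: demo only
}
export_pubkey() {           # $1 = GNUPGHOME, $2 = user id, $3 = out file (ASCII armor)
    GNUPGHOME="$1" gpg --batch --armor --export "$2" > "$3"
}
import_pubkey() {           # $1 = GNUPGHOME, $2 = key file
    GNUPGHOME="$1" gpg --batch --quiet --import "$2" 2>/dev/null
}
sign_and_encrypt() {        # $1 = GNUPGHOME, $2 = recipient, $3 = in, $4 = out
    GNUPGHOME="$1" gpg --batch --quiet --trust-model always --pinentry-mode loopback \
        --passphrase '' --output "$4" --recipient "$2" --sign --encrypt "$3"
}
decrypt_and_verify() {      # $1 = GNUPGHOME, $2 = in, $3 = out; non-zero if tampered
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$3" --decrypt "$2" 2>/dev/null
}
flip_byte() {               # $1 = file, $2 = offset: XOR that one byte with 0xff
    old=$(od -An -tu1 -j "$2" -N1 "$1" | tr -d ' ')
    printf "$(printf '\\%03o' $((old ^ 255)))" |
        dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}
# Runs the exchange in a temp dir; returns 0 only if the clean copy round-trips
# and the tampered copy is rejected.
gpg_roundtrip_demo() {
    w=$(mktemp -d); a="$w/alice"; b="$w/bob"
    make_keyring "$a" alice@example.test; make_keyring "$b" bob@example.test
    export_pubkey "$a" alice@example.test "$w/alice.pub"; import_pubkey "$b" "$w/alice.pub"
    export_pubkey "$b" bob@example.test "$w/bob.pub";     import_pubkey "$a" "$w/bob.pub"
    printf 'constructed sample plaintext\n' > "$w/secret.txt"
    sign_and_encrypt "$a" bob@example.test "$w/secret.txt" "$w/secret.gpg"
    decrypt_and_verify "$b" "$w/secret.gpg" "$w/decrypted.txt"
    cmp -s "$w/secret.txt" "$w/decrypted.txt" || return 1
    cp "$w/secret.gpg" "$w/tampered.gpg"
    flip_byte "$w/tampered.gpg" $(( $(wc -c < "$w/tampered.gpg") - 8 ))   # inside the ciphertext
    if decrypt_and_verify "$b" "$w/tampered.gpg" "$w/tampered.txt"; then return 1; fi
    for h in "$a" "$b"; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true; done
    rm -rf "$w"; return 0
}
```

Run gpg_roundtrip_demo and check its exit status; Bob needs Alice's public key in his keyring for the signature check, which is why both sides import each other's key.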
Revoking a key
If your private key has been stolen or compromised, revoke your public key:
- Generate a revocation certificate
- Import revocation certificate into your keyring
- Make revocation certificate available for anyone who has your public key.
To generate revocation certificate use the following command:
# gpg --out key-revocation.asc --gen-revoke email@example.com
After we have the revocation certificate, called key-revocation.asc, we can import it into our keyring with:
# gpg --import key-revocation.asc