Generates key pair:
gpg –gen-key
Lists public and private current keys:
gpg –list-keys
gpg –list-secret-keys
Exports public key / private key:
gpg –armor –export jaz@example.com
gpg –export-secret-key –armor “jaz@example.com” > private.key
Imports a public key / private key:
gpg –import joe.ca
gpg –allow-secret-key-import –import private.key
Delete public / private key:
gpg –delete-key “jaz@example.com”
gpg –delete-secret-key “jaz@example.com”
Encrypt a document with someone’s public key:
gpg –output out.gpg –encrypt –recipient jaz@example.com doc
gpg -o out.gpg -e -r jaz@example.com doc
Decrypt an encrypted file:
gpg –output doc –decrypt doc.pgp
gpg -o doc –decrypt doc.pgp
Symmetric encryption:
gpg –output doc.gpg –symmetric doc
gpg -o doc.gpg -c doc
GPG
Gnu Privacy Gard is an open source of Pretty Good Privacy and 100% compatible with PGP.It based on PKI (Public key private key encryption). GPG encrypts data / mails etc.
Steps in Encrypting Data using the GPG
Step 1:
Genarate PKI pairs (Public/private Key)
# gpg –gen-key
This will Prompt for options like key strength and various other details and store the key inside ~/.gnupg/.
pubring.gpg and secring.gpg are the public and private keys respectively.
Now make note of the key finger print. This is used to matching the public keys.
# gpg –list-keys
This will show the keys that has been generated
# gpg –fingerprint
This will show the finger print for the keys.
Step 2:
Now we can encrypt the data using the private key
Encrypt the data:
# gpg –list-keys
This will list the keys
# gpg –encrypt -r kiran install.log
-r is used to define the public key ID also can use the user name(This reffers which key has to be used) and the install.log is the file that we are encrypting. As a result a new file will be created by the name install.log.gpg. Now if we cat the content of the file install.log.gpg now we can see that the file is been encrypted (This will use the compression as well so file size will be less than the original file).
Decrypt the data:
#gpg –decrypt install.log.gpg
Will decrypt the file and the STDOUT will be shown in the bash terminal.
# gpg -o install.log –decrypt install.log.gpg
This will decrypt to the file install.log
Encryption Decryption using the Armor
# gpg -e –armor -r kiran install.log
This will encrypt the data with armored (Neatly encrypts the data). Creates the file with the name install.log.asc
# gpg –decrypt install.log.asc
this will decrypt the encryption with armor
Encryption and Decryption accross the network:
Now in this case we have to export the publicring keys and import it on remote machine to decrypt the data.
Exporting the public Key.
In host1:
# gpg –export –armor -o remotehost1.asc.pub
This will export the public key to the file remotehost.asc. Now this key can be imported to any host for decryption.
In host2:
# gpg –export –armor -o remotehost2.asc.pub
Now both the users have exported their public keys. Now we can import the public keys to system to create “web of trust”.
Now import the keys
In Host 1:
get the public key of Host2 “remotehost2.asc.pub” securely and import it
# gpg –import remotehost2.asc.pub
This will import the key of Host2 in host1 for the current user
# gpg –list-keys
This will show all the keys.
Now import the keys
In Host 2 also:
get the public key of Host1 “remotehost1.asc.pub” securely and import it
# gpg –import remotehost1.asc.pub
# gpg –list-keys
Now we have both the pub keys installed in both systems.
Testing the encryption:
# gpg –list-keys
# gpg -e -r 89909823636 –armor -o test.txt.asc test.txt
While encryption make sure that the same key is used. For this instead of giving the username for the flag ” -r ” use the key ID in our case it is “89909823636”. Now this will re-confirm the key that going to encrypt.
This will encrypt the file and send this accross the wire to host2.
In host2
# gpg –list-keys
Find the key which has the ID 89909823636 from above command
# gpg –decrypt -r 89909823636 -o test.txt test.txt.asc
This will decrypt the file and create the new file test.txt.
GPG – Signing & Encryption
* Signing is different from encrypting the data. Signing is to prove the authenticity of the data send to the reciever stating that “This data belongs to the sender”. Signing is independent to encryption of data. We can encrypt without signing. Sign and Encrypt to prove authenticity is recommended.
Signing a file:
The Private key of the sender is used to sign the data. And the recipient decrypts the signature using senders public key.
Encrypt the data
# gpg -e –armor -r 80098FC8 file.txt
This will armor and encrypt the file using the key ID 80098FC8 .
When a file is singed, when decrypting the the data the gpg will show the signature
Signing and Encrypting:
#gpg -se –armor -r 80098FC8 file.txt
This will encrypt as well as sign the data using the private key 80098FC8 . Now when we decrypt the data the gpg will show the signature as well as Key finger print and also about the key whether it is trusted or not in the shell output.
#gpg -d -r 80098FC8 file.txt.asc
This will decrypt the data along with it will show the signature too. But if the trust level of the key is not set this will show you the msg that “there is no indication that this key belongs to sender”
Increasing the Trust Level of the KEY.(Certifying the key with trusted signature):
#gpg –edit-key 8177ACE
This will give the promtp to edit the key having the ID 8177ACE.
Command> help
Will show the help menu
Command> trust
Now give the trust level(the each level will be explained by the interactive menu in gpg) Select from 1 to 5 class of trust.
Command> quit
Now the trust level is set.
So now sign, encrypt and send to remote user. Now decrypt the file in the remote machine.
Note:- Still if u see that trust need to increased in remote machine, This means in remote system also we have to increase the trust level. Now test again.
GPG – detaching the signature:
(–detach-sign or -b) This option will detach the signature from the encrypted file and both the signature and encrypted file can be send it separately to remote system.When creating the detached signature no need to specify the recipients (-r) public key. The process of creating the signature relies upon the senders private key.
Creating the encrypted file and a separate signature for it.
# gpg -ea -r 8900DAC08 test.txt
This will create a encrypted file called test.txt.asc. But this will not be signed.
# gpg -b test.txt.asc
(-b will tell to create a seperate signature) The signature created by each and every file will be different.
This will create a file called test.txt.asc.sig
Now send both the file to remote system.
Testing the file with the signature in remote system.
When verifying and decrypting the content of assosiated encrypted file follow this
1. Verify the md5sum
2. Verify the signature
3. Decrypt the encrypted file
Verify the md5sum
# Check the md5sum and compare with the sender’s md5sum for both the file and signature
Verify the signature
# gpg –verify test.text.asc.sig test.text.asc
This will return the signature status.
Decrypt the encrypted file
# gpg -d -o test.txt test.text.asc
Integrating the GPG with mail clients:
The encryption is based on the email address in allmost all the MUA. It is not done by the key ID. So make sure that the matching key has been installed in both of senders and relievers MUA before encrypting and sending the msg. The GPG key has to be created and trust level has to be defined with the exact mail ID.
This is the Command Generates key pair:
gpg –gen-key
You have to selet the type of key
1 Please select what kind of key you want:
2 (1) DSA and Elgamal (default)
3 (2) DSA (sign only)
4 (5) RSA (sign only)
5 Your selection?
You have to specify the key pair size
1 What keysize do you want?
Then you have to specify expiration date
1 Please specify how long the key should be valid.
2 0 = key does not expire
3 <n> = key expires in n days
4 <n>w = key expires in n weeks
5 <n>m = key expires in n months
6 <n>y = key expires in n years
7 Key is valid for? (0)
You must also provide a USER ID. You need a User-ID to identify your key;
1 from Real Name, Comment and Email Address in this form:
2 “mohan ramadoss <mohan@mohan.com>”
3
4 Real name:
GnuPG need a Passphrase to protect your private key.
1 Enter passphrase:
Now you have successfully create the keys. To list keys use the commandline option –list-keys
1 gpg –list-keys
2 /users/user/.gnupg/pubring.gpg
3 —————————————
4 pub 1024D/BB7576AC 2012-03-03 mohan (ramadoss) <mohan@mohan.com>
5 sub 1024g/78E9A8FA 2012-03-03
Encrypting and decrypting documents
The –encrypt(-e) option is used to encrypt files.
1 gpg –output doc.gpg –recipient mohan@mohan.com –-encrypt mydoc
Note if you are not specify ouput filename default name will be mydoc.asc
The –-recipient(-r) option is also important which specify the public key to which the key should encrypt.
By default there is only one public key but when we encrypt files for someone else we have to import their public key using
1 gpg –import key_file_to_import
Then to encrypt
1 gpg -r mohan@mohan.com -e file_to_encrypt
To decrypt the file you can use the –decrypt option. You need the private key to which the message was encrypted.
view source
print?
1 gpg –output doc –decrypt mydoc.asc
2 Enter passphrase:
Lists public and private current keys:
gpg –list-keys
gpg –list-secret-keys
Exports public key / private key:
gpg –armor –export mohan@mohan.com
gpg –export-secret-key –armor “mohan@mohan.com” > private.key
Imports a public key / private key:
gpg –import mohan.ca
gpg –allow-secret-key-import –import private.key
Delete public / private key:
gpg –delete-key “mohan@mohan.com”
gpg –delete-secret-key “mohan@mohan.com”
Encrypt a document with someone’s public key:
gpg –output out.gpg –encrypt –recipient mohan@mohan.com doc
gpg -o out.gpg -e -r mohan@mohan.com doc
Decrypt an encrypted file:
gpg –output doc –decrypt doc.pgp
gpg -o doc –decrypt doc.pgp
Symmetric encryption:
gpg –output doc.gpg –symmetric doc
gpg -o doc.gpg -c doc
Symmetric encryption:
gpg –output doc.gpg –symmetric doc
gpg -o doc.gpg -c doc
Securing Data
-The Need For Encryption
-Symmetric Encryption
Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:
–symmetric/-c == symmetric cipher (CAST5 by default)
–force-mdc == if you don’t have this you’ll get “message was not integrity protected”
There are many more things you can specify.
echo “awesome secret message” > /tmp/file
gpg –symmetric –force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg –decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message
-Asymmetric Encryption
Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.
GnuPG can let you handle this.
Login with a user called ‘labber’:
gpg –gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn’t always work, might take _long_time_, eventually I just tried on another machine
echo “secret message” > /tmp/file
gpg -e -r labber /tmp/file
# enter password
gpg –decrypt /tmp/file
# enter password
To export the public key in ASCII format you can:
gpg –armor –output “key.txt” –export “labber”
Quick’n easy gpg cheatsheet
If you found this page, hopefully it’s what you were looking for. It’s just a brief explanation of some of the command line functionality from gnu privacy guard (gpg). Please email me if you find any errors (scout3801@gmail.com ).
Filenames are italicized (loosely, some aren’t, sorry), so if you see something italicized, think “put my filename there.”
I’ve used User Name as being the name associated with the key. Sorry that isn’t very imaginative. I *think* gpg is pretty wide in it’s user assignments, ie. the name for my private key is Charles Lockhart, but I can reference that by just putting in Lockhart. That doesn’t make any sense, sorry.
to create a key:
gpg –gen-key
generally you can select the defaults.
to export a public key into file public.key:
gpg –export -a “User Name” > public.key
This will create a file called public.key with the ascii representation of the public key for User Name. This is a variation on:
gpg –export
which by itself is basically going to print out a bunch of crap to your screen. I recommend against doing this.
gpg –export -a “User Name”
prints out the public key for User Name to the command line, which is only semi-useful
to export a private key:
gpg –export-secret-key -a “User Name” > private.key
This will create a file called private.key with the ascii representation of the private key for User Name.
It’s pretty much like exporting a public key, but you have to override some default protections. There’s a note (*) at the bottom explaining why you may want to do this.
to import a public key:
gpg –import public.key
This adds the public key in the file “public.key” to your public key ring.
to import a private key:
gpg –allow-secret-key-import –import private.key
This adds the private key in the file “private.key” to your private key ring. There’s a note (*) at the bottom explaining why you may want to do this.
to delete a public key (from your public key ring):
gpg –delete-key “User Name”
This removes the public key from your public key ring.
NOTE! If there is a private key on your private key ring associated with this public key, you will get an error! You must delete your private key for this key pair from your private key ring first.
to delete an private key (a key on your private key ring):
gpg –delete-secret-key “User Name”
This deletes the secret key from your secret key ring.
To list the keys in your public key ring:
gpg –list-keys
To list the keys in your secret key ring:
gpg –list-secret-keys
To generate a short list of numbers that you can use via an alternative method to verify a public key, use:
gpg –fingerprint > fingerprint
This creates the file fingerprint with your fingerprint info.
To encrypt data, use:
gpg -e -u “Sender User Name” -r “Receiver User Name” somefile
There are some useful options here, such as -u to specify the secret key to be used, and -r to specify the public key of the recipient.
As an example: gpg -e -u “Charles Lockhart” -r “A Friend” mydata.tar
This should create a file called “mydata.tar.gpg” that contains the encrypted data. I think you specify the senders username so that the recipient can verify that the contents are from that person (using the fingerprint?).
NOTE!: mydata.tar is not removed, you end up with two files, so if you want to have only the encrypted file in existance, you probably have to delete mydata.tar yourself.
An interesting side note, I encrypted the preemptive kernel patch, a file of 55,247 bytes, and ended up with an encrypted file of 15,276 bytes.
To decrypt data, use:
gpg -d mydata.tar.gpg
If you have multiple secret keys, it’ll choose the correct one, or output an error if the correct one doesn’t exist. You’ll be prompted to enter your passphrase. Afterwards there will exist the file “mydata.tar”, and the encrypted “original,” mydata.tar.gpg.
NOTE: when I originally wrote this cheat sheet, that’s how it worked on my system, however it looks now like “gpg -d mydata.tar.gpg” dumps the file contents to standard output. The working alternative (worked on my system, anyway) would be to use “gpg -o outputfile -d encryptedfile.gpg”, or using mydata.tar.gpg as an example, I’d run “gpg -o mydata.tar -d mydata.tar.gpg”. Alternatively you could run something like “gpg -d mydata.tar.gpg > mydata.tar” and just push the output into a file. Seemed to work either way.
Ok, so what if you’re a paranoid bastard and want to encrypt some of your own files, so nobody can break into your computer and get them? Simply encrypt them using yourself as the recipient.
I haven’t used the commands:
gpg –edit-key
gpg –gen-revoke
- –gen-revoke creates a revocation certificate, which when distributed to people and keyservers tells them that your key is no longer valid, see http://www.gnupg.org/gph/en/manual/r721.html
- –edit-key allows you do do an assortment of key tasks, see http://www.gnupg.org/gph/en/manual/r899.html
Sharing Secret Keys
NOTE!: the following use cases indicate why the secret-key import/export commands exist, or at least a couple ideas of what you could do with them. HOWEVER, there’s some logistics required for sharing that secret-key. How do you get it from one computer to another? I guess encrypting it and sending it by email would probably be ok, but I wouldn’t send it unencrypted with email, that’d be DANGEROUS.
Use Case *.1 : Mentioned above were the commands for exporting and importing secret keys, and I want to explain one reason of why maybe you’d want to do this. Basically if you want one key-pair for all of your computers (assuming you have multiple computers), then this allows you export that key-pair from the original computer and import it to your other computers.
Use Case *.2 : Mentioned above were the commands for exporting and importing secret keys, and I want to explain one reason of why maybe you’d want to do this. Basically, if you belonged to a group, and wanted to create a single key-pair for that group, one person would create the key-pair, then export the public and private keys, give them to the other members of the group, and they would all import that key-pair. Then a member of the group or someone outside could use the group public key, encrypt the message and/or data, and send it to members of the group, and all of them would be able to access the message and/or data. Basically you could create a simplified system where only one public key was needed to send encrypted stuffs to muliple recipients.
Recent Comments