GnuPG
Usage
Generating a keypair:
gpg --full-generate-key
Listing keys:
gpg --list-keys [UID] gpg --list-secret-keys [UID]
Show fingerprint:
gpg --fingerprint [UID]
Exporting the public/secret key:
gpg --armor --export UID gpg --armor --export-secret-keys UID
Importing a public key:
gpg --recv-keys UID
Sending a public key to a keyserver:
gpg --send-keys UID
Select a diffent keyserver with:
gpg --keyserver keyserver.ubuntu.com [...]
- keyserver.ubuntu.com
- keyring.debian.org
- pgp.mit.edu
- keys.openpgp.org
Encrypt/Decrypt a file:
gpg --encrypt --armor --recipient ID file.txt gpg --decrypt file.txt.asc --output file.txt
Verify a file:
$ gpg --list-packets file.iso.asc :signature packet: algo 1, keyid 293ACD0907D9495A [...] $ gpg --recv-keys 293ACD0907D9495A gpg: requesting key 01A1234B from hkp server keys.gnupg.net gpg: key 01A1234B: public key "Foo Bar <foo@example.net>" imported gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 4 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 4u gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) $ gpg --verify file.iso.asc gpg: assuming signed data in `file.iso' gpg: Signature made Tue 29 Mar 2016 12:13:14 AM PDT using RSA key ID 01A1234B gpg: Good signature from "Foo Bar <foo@example.net>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 85E3 8F69 046B 44C1 EC9F CD43 293A CD09 07D9 495A
Backup secret keys:
$ gpg --list-secret-keys --keyid-format LONG
$ gpg --output backup_KEYID.gpg --armor --export-options backup --export-secret-keys [KEYID]
Restore with:
$ gpg --import-options restore --import backup_KEYID.gpg
We may have to reset the trust level of the key to ultimate again, since it's our own key.
Advanced Topics
Key Generation
Generating a key non-interactively:
$ cat foo %echo Generating a standard key Key-Type: RSA Key-Length: 4096 Subkey-Type: RSA Subkey-Length: 4096 Name-Real: Joe Tester # Name-Comment: no comment Name-Email: joe@foo.bar Expire-Date: 0 Passphrase: s3cr3t # %pubring foo.pub # %secring foo.sec # Do a commit here, so that we can later print "done" :-) %commit %echo done $ gpg --batch --gen-key foo gpg: Generating a standard key ++++++++++.+++++..++++++++++++++++++++... $ gpg --list-secret-keys joe sec 1024R/37F9FB0C 2011-01-10 uid Joe Tester <joe@foo.bar> ssb 1024R/911410E8 2011-01-10
Symmetric Encryption
We want to create an encrypted version of a file:
$ cat file hello
With GnuPG 1.4:
$ cat file | gpg --armor --symmetric --cipher-algo aes256 --digest-algo sha512 > file.asc $ ls -go file file.asc -rw-r--r--. 1 6 Mar 6 15:06 file -rw-r--r--. 1 185 Mar 6 15:07 file.asc $ gpg --decrypt file.asc gpg: AES256 encrypted data Enter passphrase: gpg: encrypted with 1 passphrase hello
Note: changing the passphrase for symmetric keys means we need to re-encrypt the key material.[1] While this is possible in batch mode, we don't want to provide the passphrase on the command line, so let's do this in two steps:
$ gpg --decrypt file.asc > $TMPDIR/foo # NOTE: TMPDIR should be set and # should point to volatile memory, e.g. tmpfs! $ gpg --armor --symmetric --cipher-algo aes256 --digest-algo sha512 < foo > file_new.asc
Let's try this with GnuPG 2.x. The passphrase will be asked by a program called pinentry-ncurses:[2]
$ gpg2 --yes --batch --symmetric --cipher-algo aes256 --digest-algo sha512 --armor file ┌─────────────────────────────────────────────────────┐ │ Enter passphrase │ │ │ │ │ │ Passphrase ******__________________________________ │ │ │ │ <OK> <Cancel> │ └─────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────┐ │ Please re-enter this passphrase │ │ │ │ Passphrase ******__________________________________ │ │ │ │ <OK> <Cancel> │ └─────────────────────────────────────────────────────┘
Without pinentry-ncurses, we'd have to specify our password on stdin - not a good idea:
$ gpg2 --yes --batch --symmetric --cipher-algo aes256 --digest-algo sha512 --armor --passphrase-fd 0 file s3cr3t $ ls -go file file.asc -rw-r--r--. 1 6 Mar 6 15:06 file -rw-r--r--. 1 189 Mar 6 15:22 file.asc
Decrypting will make use of pinentry-ncurses again:
$ gpg2 --decrypt file.asc ┌─────────────────────────────────────────────────────┐ │ Enter passphrase │ │ │ │ │ │ Passphrase ******__________________________________ │ │ │ │ <OK> <Cancel> | └─────────────────────────────────────────────────────┘ hello
Without pinentry-ncurses, we have to specify our password on stdin again:
$ gpg2 --decrypt --passphrase-fd 0 file.asc s3cr3t gpg: AES256 encrypted data gpg: encrypted with 1 passphrase hello
PGP/MIME vs S/MIME
As summarized elsewhere[3], here's a short comparison of both standards:
PGP/MIME
- Uses the OpenPGP RFCs and standards.
- The "signature.asc" detached signature is in plain text.
- Flexibility in algorithm choice for encryption, signing and compression.
- Relies on a distributed trust model.
- Not as widely deployed in MUAs as S/MIME.
- Public key must be distributed separately from the signature.
- Trivial to integrate with webmail providers.
- Can only be used with signing documents.
- An expiration date does not need to be set on the public key.
- Free.
S/MIME
- Based on a number of RFCs and standards.
- The "smime.p7s" detached signature is in a binary format.
- Generally, the Certificate Authority (CA) chooses the algorithm and key size.
- Relies on a centralized trust model.
- More widely deployed than PGP/MIME
- Public certificate distributed in each detached signature.
- Difficult to integrate with webmail providers.
- Can be used for both signatures and encryption.
- Generally, the public certificate expires once per year.
- Some CAs provide certs free for personal use, but most if not all CAs charge for professional use.
Implementations
GPGTools
gnupg-vim
- Get gnupg.vim and save it under ~/.vim/plugin/
- Encrypt a textfile which will be your safe later on:
gpg -r mail@example.com -e secret.txt
- You now have secret.txt and secret.txt.gpg. You could do
gpg -d secret.txt.gpg
to decrypt your file or use your new ViM plugin:
vim secret.txt.gpg
and type in your passphrase. (Yeah, you better remove the old secret.txt now)
Links
- confirmation for --export-secret-key
strange error message, how to delete key("Oops: keyid_from_fingerprint: no pubkey"
)