GPG Key

From SHellium Wiki

Introduction

GPG, the 'GNU Privacy Guard', is an open source tool which allows one to very securely encrypt and sign data. This howto will outline how to secure files and digitally sign emails.

GPG Usage

Obtaining GPG

Linux

GPG comes preinstalled on all of the Linux distributions I have come across, as the command 'gpg' and friends. If not, use your distribution's package manager to install it.

FreeBSD

In FreeBSD, GPG can be installed from the ports collection:

# cd /usr/ports/security/gnupg
# make install clean

Windows

GPG for Windows can be downloaded here: http://www.gnupg.org/download/

Generating keys

First, we must generate the keys needed to encrypt our data against. A matching 'public key' and 'private key' are generated. The private key should be kept only by you, and you must not allow it to get compromised. Public keys can be sent to anyone you want to receive secure data from. The public key can only encrypt data, and ONLY the matching private key can decrypt this data again, i.e. not another public key.

Type:

# gpg --gen-key

The defaults should be sufficient and everything is pretty much self-explanatory. At the end, a passphrase must be entered. Do not disclose this to anyone: if your private key is stolen by someone, the passphrase is the only form of protection you have.

Listing keys

Type:

# gpg --list-keys

On my system, I get output like:

/home/jonny/.gnupg/pubring.gpg
------------------------------
pub   1024D/446C786C 2008-07-28
uid                  Example (Example Key) <example@example.com>
sub   4096g/FB8E3A35 2008-07-28

The data after the 'uid' bit is the key's user ID. To reference a particular key, you will need to use part of the user ID so that GPG knows which key you are referring to, if you have many. This could be the email address, the comment or name for example.

Exporting a public key

Type:

# gpg --output public_key.gpg --armor --export <user ID>

I have explained what <user ID> is above. Try the email address you used to generate your key.

This command will leave you with a public_key.gpg which can be sent to your friends, allowing them to encrypt data which can only be decrypted by you, with your private key.

Importing a public key

Your friend, who has received the public key you have just generated, will then type:

# gpg --import public_key.gpg

This will import the key to his keyring. He can view the key using:

# gpg --list-keys
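
The import step above accepts whatever file arrived. As an added example (not part of the original howto), the sh function below accepts a key only if its full fingerprint matches one the owner gave you over another channel; the 8-digit key ID in a listing is only the tail of the fingerprint, and two different keys can share it. The function names, sample names and both listings are constructed for illustration.

```sh
#!/bin/sh
# Added example: check a received key against a fingerprint obtained out of band.
# Real input would come from:  gpg --show-keys --with-colons public_key.gpg
# (GnuPG 2.2 or later; the listings below are constructed, not real keys).

# Succeeds only if stdin lists exactly one primary key whose fingerprint
# equals $1 (spaces and letter case in $1 are ignored).
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v expected="$expected" '
        $1 == "pub"         { want = 1; next }   # primary key record
        $1 == "sub"         { want = 0; next }   # subkey: ignore the fpr that follows
        $1 == "fpr" && want { n++; fpr = $10 ""; want = 0 }   # "" keeps it a string
        END { exit !(n == 1 && fpr == expected "") }   # string compare, never numeric
    '
}

# Constructed listing for the key shown earlier (key ID 446C786C).
sample_genuine() {
cat <<'EOF'
pub:-:1024:17:66667777446C786C:1217203200:::-:::scESC:
fpr:::::::::00001111222233334444555566667777446C786C:
uid:-::::1217203200::CONSTRUCTED::Example (Example Key) <example@example.com>:
sub:-:4096:16:EEEEFFFFFB8E3A35:1217203200::::::e:
fpr:::::::::88889999AAAABBBBCCCCDDDDEEEEFFFFFB8E3A35:
EOF
}

# Constructed listing for a different key with the same user ID and the same
# 8-digit key ID; only the full fingerprint tells the two apart.
sample_lookalike() {
cat <<'EOF'
pub:-:1024:17:99998888446C786C:1217203200:::-:::scESC:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA99998888446C786C:
uid:-::::1217203200::CONSTRUCTED::Example (Example Key) <example@example.com>:
EOF
}

# Fingerprint as the key owner would read it out (constructed value).
EXPECTED='0000 1111 2222 3333 4444  5555 6666 7777 446C 786C'

if sample_genuine | fingerprint_matches "$EXPECTED"; then
    echo "genuine key: fingerprint matches, safe to import"
fi
if ! sample_lookalike | fingerprint_matches "$EXPECTED"; then
    echo "lookalike key: fingerprint differs, do not import"
fi
```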

Encrypting and Decrypting

Your friend can now encrypt a top secret document (secret_document.doc) before emailing it to you, using a command like this:

# gpg --output secret_document.doc.gpg --encrypt --recipient <user ID> secret_document.doc

When you have received this document, you can decrypt it using:

# gpg --output secret_document --decrypt secret_document.doc.gpg

Here, you will be asked for your passphrase.

Digital signatures in emails

An email, here email.txt, can be digitally signed using your private key. People with your public key can then verify that the email is indeed from you. To generate the signature, type:

# gpg --output email.sig --detach-sig email.txt

The signature file, email.sig, can then be attached to the email. The recipient of the email can check that it is from you (if he has your public key) by typing:

# gpg --verify email.sig email.txt

More Information

For further information, check out the GPG documentation (which this howto was based on): http://www.gnupg.org/documentation/index.en.html
