Encryption with gpg, a story (really, a tutorial)
GPG is a compatible replacement for PGP. That, in and of itself, is confusing.
That each acronym is sufficiently obscure on its own is enough to prompt a less privacy-minded developer to give up. GPG stands for GNU Privacy Guard and PGP stands for Pretty Good Privacy. Pretty Good Privacy came first, and its spread outside the United States prompted the government to open a criminal investigation into its creator, Phil Zimmermann, for illegally exporting munitions (strong cryptography was export-controlled at the time). He published the source code in a book, and a book is protected speech, not munitions; the investigation was eventually dropped without charges.
The first thing to understand about gpg is that it is not like openssl. openssl takes inputs and delivers outputs and maintains no state in between. gpg, on the other hand, functions as a key store along with encrypting, decrypting and generating keys. It keeps your private keys and the public keys of others in keyring files under ~/.gnupg, and in GnuPG 2 a background daemon, gpg-agent, handles passphrase prompts and caching (from GnuPG 2.1 on it also holds the private keys themselves). It is a program intended to encrypt email and therefore uses option names like --recipient to indicate which public key to encrypt a message with.
It's a key manager
If you understand gpg as a key manager before you understand it as an encryption tool, it is easier to learn how to use. So install the program with apt-get and then use it to list all the keys it is managing:
> gpg --list-keys
gpg: directory `/Users/chriserin/.gnupg' created
gpg: new configuration file `/Users/chriserin/.gnupg/gpg.conf' created
gpg: WARNING: options in `/Users/chriserin/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/Users/chriserin/.gnupg/pubring.gpg' created
gpg: /Users/chriserin/.gnupg/trustdb.gpg: trustdb created
It has created files and issued a warning. It needed the resources to manage your keys, and now it has them. If we list keys again:
> gpg --list-keys
Nothing. Great. Let's get started. Here's a public key that you can manage.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQENBFjceoMBCADDgOGwaQAVv53E+vT1RhYtUBdU7igdKb+K1cBb/0y7SV9A7zBi
/N5z2GhsL6cU7vXoX2QoMpDhQ2MYP48nWCmVeff9izinqrjXA05ViSMnPhpEGuq0
joiAy3QE1xzdiYdvmOcr4PR2rDuz7kIybJi41a+4TPA2fqkGtOsaXfwm6qH5KwhE
oEu1QuZi8X7aiHA0A/tN2sKSos7JSf7G/Ps1XQlkCgF8hQ19jSy3uaZ3d69Rplqf
UMMukPzlQYQCXltuAyqac86G/jVHJPMmL4ttAagC9vQMnHdQyOhzXhjERGSOCt6w
MW+sv1JGUROB+rNIYBktF7sviQBwwDyxODX9ABEBAAG0OkNocmlzIEVyaW4gKEJl
IEtpbmQgVG8gT3RoZXJzKSA8Y2hyaXMuZXJpbkBoYXNocm9ja2V0LmNvbT6JATkE
EwEIACMFAljceoMCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRBaN+T0
fHMfFK8cCACtkhMQ0AumUL9M3eDR8P5DPhGOH14SuobeL5fl/iLTaho2P9ie+R+f
wFG6m1s0+HxNGMqHTqDdkRYejfwlovPh96aDWz7rwzlECw5zDoLKvxnbk7Lkcy8I
Sl+9JwzAEra2wn+V2iTD9kBNBrzB6IqLny6Q/+i6xaLamANH3ZYgwVQbxt05nUPO
anGiex5Gu0i5O9FfuHwUjiFdkdtpP5pHX1Lbq0rW8c4rt/6uTQ4DAISIKgphZDw5
Bcg1QytVQ4jdB7Wjyf6uTtDc01pDj79v0VA2O4r/cA6Qk5UwdCmBbKYFARFEEUQT
CdVKPP/TfOdmPbLjhbn4A3d5V8AsCi1TuQENBFjceoMBCACy7x3s5kprHmNiKpga
8YP4BhZKG29UTd5TSiPi2M66pXTEz7HHFcW/sZH0i9o5UGS2ueh7m5tRQk8+REVp
Cn7MCOOaaQuS3ISRbZxJIloojHwT7W1SV25KH2Xf2Hs/R//Evu9ajdX5ohfVsZ55
DFyptEi7BX1dz445+htCMUwAFwjkWnUSG3D1ueFOG/bhZbytfthBiInqHgVh6gYQ
e18ond4fcsFqzwj2FpfoXa7DYl/RiywfYRkZFjaddJ8+cqdU3Vrt57lRoLd206US
s5ql77yam3pzWWif+nmiSnPJujj5PzLZWlcUSz3cQ8rAs6ZVFFoxULbBu97ZQ3T6
/lOXABEBAAGJAR8EGAEIAAkFAljceoMCGwwACgkQWjfk9HxzHxRU/Af9HkN3dqAx
KsIyXQRnPq33JHTw82urcpRlytAozDhym5PJzUeQsVZ8EZYrjHMa+YgjJ6OR2d4R
aH7cAJUHgig7DZog7ilPJDv/JOtMlHkHBqY7O8SNicuNVr6SNRbO5FRhaXTi4pIE
WMYl/Jni+0DL0GyIhnzIpxzJGYtY88EJ0obpqWENj829gqFUaHjPs7k0L/1uPTWY
AT8jdSukbKLc4xtFTa9R/8G8QLW+DtQiDWk+cuVpnF4YiCOIKWCp/rVtdv55EytH
g+4Xod7FGO4t8WQTPEXb08DLae6ikLMp7gMXDs0kXnk3P1w646nwbpBUi1z0AkZv
SUlCJaGiY+Eclg==
=qZVn
-----END PGP PUBLIC KEY BLOCK-----
You can copy this public key to a file named chriserin.pub and import it:
> gpg --import chriserin.pub
Now when you run list-keys you can see a key is listed:
> gpg --list-keys
pub   2048R/7C731F14 2017-03-30
uid       [ unknown] Chris Erin (Be Kind To Others) <firstname.lastname@example.org>
sub   2048R/1CC31A83 2017-03-30
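To see what gpg is actually managing once that block is imported, here is an added example (my code, not part of the original post) that takes the armored public key above apart without gpg: it strips the armor, checks the CRC-24 line, walks the OpenPGP packets (RFC 4880) and recomputes the v4 fingerprints, whose low 32 bits are the 7C731F14 and 1CC31A83 that --list-keys printed. It also pulls the issuer key ID out of the two self-signatures, which is how the user ID and the subkey are bound to the primary key. Pure Python 3, no third-party packages; the key block is embedded verbatim.

```python
import base64, hashlib, struct
# The public key block from the post, embedded here verbatim so the example runs offline.
CHRIS_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQENBFjceoMBCADDgOGwaQAVv53E+vT1RhYtUBdU7igdKb+K1cBb/0y7SV9A7zBi
/N5z2GhsL6cU7vXoX2QoMpDhQ2MYP48nWCmVeff9izinqrjXA05ViSMnPhpEGuq0
joiAy3QE1xzdiYdvmOcr4PR2rDuz7kIybJi41a+4TPA2fqkGtOsaXfwm6qH5KwhE
oEu1QuZi8X7aiHA0A/tN2sKSos7JSf7G/Ps1XQlkCgF8hQ19jSy3uaZ3d69Rplqf
UMMukPzlQYQCXltuAyqac86G/jVHJPMmL4ttAagC9vQMnHdQyOhzXhjERGSOCt6w
MW+sv1JGUROB+rNIYBktF7sviQBwwDyxODX9ABEBAAG0OkNocmlzIEVyaW4gKEJl
IEtpbmQgVG8gT3RoZXJzKSA8Y2hyaXMuZXJpbkBoYXNocm9ja2V0LmNvbT6JATkE
EwEIACMFAljceoMCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRBaN+T0
fHMfFK8cCACtkhMQ0AumUL9M3eDR8P5DPhGOH14SuobeL5fl/iLTaho2P9ie+R+f
wFG6m1s0+HxNGMqHTqDdkRYejfwlovPh96aDWz7rwzlECw5zDoLKvxnbk7Lkcy8I
Sl+9JwzAEra2wn+V2iTD9kBNBrzB6IqLny6Q/+i6xaLamANH3ZYgwVQbxt05nUPO
anGiex5Gu0i5O9FfuHwUjiFdkdtpP5pHX1Lbq0rW8c4rt/6uTQ4DAISIKgphZDw5
Bcg1QytVQ4jdB7Wjyf6uTtDc01pDj79v0VA2O4r/cA6Qk5UwdCmBbKYFARFEEUQT
CdVKPP/TfOdmPbLjhbn4A3d5V8AsCi1TuQENBFjceoMBCACy7x3s5kprHmNiKpga
8YP4BhZKG29UTd5TSiPi2M66pXTEz7HHFcW/sZH0i9o5UGS2ueh7m5tRQk8+REVp
Cn7MCOOaaQuS3ISRbZxJIloojHwT7W1SV25KH2Xf2Hs/R//Evu9ajdX5ohfVsZ55
DFyptEi7BX1dz445+htCMUwAFwjkWnUSG3D1ueFOG/bhZbytfthBiInqHgVh6gYQ
e18ond4fcsFqzwj2FpfoXa7DYl/RiywfYRkZFjaddJ8+cqdU3Vrt57lRoLd206US
s5ql77yam3pzWWif+nmiSnPJujj5PzLZWlcUSz3cQ8rAs6ZVFFoxULbBu97ZQ3T6
/lOXABEBAAGJAR8EGAEIAAkFAljceoMCGwwACgkQWjfk9HxzHxRU/Af9HkN3dqAx
KsIyXQRnPq33JHTw82urcpRlytAozDhym5PJzUeQsVZ8EZYrjHMa+YgjJ6OR2d4R
aH7cAJUHgig7DZog7ilPJDv/JOtMlHkHBqY7O8SNicuNVr6SNRbO5FRhaXTi4pIE
WMYl/Jni+0DL0GyIhnzIpxzJGYtY88EJ0obpqWENj829gqFUaHjPs7k0L/1uPTWY
AT8jdSukbKLc4xtFTa9R/8G8QLW+DtQiDWk+cuVpnF4YiCOIKWCp/rVtdv55EytH
g+4Xod7FGO4t8WQTPEXb08DLae6ikLMp7gMXDs0kXnk3P1w646nwbpBUi1z0AkZv
SUlCJaGiY+Eclg==
=qZVn
-----END PGP PUBLIC KEY BLOCK-----"""
TAG_NAMES = {2: "signature", 6: "public key", 13: "user ID", 14: "public subkey"}

def crc24(data):  # armor checksum, RFC 4880 6.1; the trailing "=xxxx" line carries it base64-encoded
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    """Drop the armor lines, base64-decode the body and verify the checksum line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]               # armor headers end at the first blank line
    crc_line = body.pop()                               # last body line is "=" + base64(CRC24)
    data = base64.b64decode("".join(body))
    if not crc_line.startswith("=") or crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor checksum mismatch: block corrupted or edited")
    return data

def read_length(buf, pos):  # new-style length octets (RFC 4880 4.2.2, 5.2.3.1) -> (length, next pos)
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:                                     # partial body lengths never occur in key material
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def packets(data):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                                  # new format: tag in the low six bits
            tag, (length, pos) = ctb & 0x3F, read_length(data, pos + 1)
        else:                                           # old format: tag in bits 2-5, length-size type in bits 0-1
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 0x03]   # type 3 (indeterminate) is not valid in keys
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        yield tag, data[pos:pos + length]
        pos += length

def signature_issuer(body):  # issuer key ID (subpacket type 16) from a v4 signature's subpacket areas
    pos = 4                                             # version, signature type, pubkey algo, hash algo
    for _ in range(2):                                  # hashed area, then unhashed area
        area_len = struct.unpack(">H", body[pos:pos + 2])[0]
        area, pos, sub = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len, 0
        while sub < len(area):
            sp_len, sub = read_length(area, sub)
            if area[sub] & 0x7F == 16:
                return area[sub + 1:sub + sp_len].hex().upper()
            sub += sp_len

def describe(armored):
    """One dict per packet, recomputed from the bytes gpg lists: v4 fingerprint = SHA-1(0x99 || 2-byte length || body), key ID = its low 32 bits."""
    out = []
    for tag, body in packets(dearmor(armored)):
        entry = {"packet": TAG_NAMES.get(tag, f"tag {tag}")}
        if tag in (6, 14) and body[0] == 4:             # v4 key body: version, 4-byte time, algo, MPIs
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            entry.update(fingerprint=fpr, key_id=fpr[-8:], algorithm=body[5], bits=int.from_bytes(body[6:8], "big"))
        elif tag == 13:
            entry["uid"] = body.decode("utf-8")
        elif tag == 2 and body[0] == 4:
            entry["issuer"] = signature_issuer(body)
        out.append(entry)
    return out
```

describe(CHRIS_KEY) returns one dict per packet: public key, user ID, self-signature, public subkey, subkey binding signature. The key_id gpg prints is only the last eight hex digits of the fingerprint, and the issuer field of each signature is the last sixteen; neither is unique in any meaningful sense, which is why the full 40-digit fingerprint is what you compare with a key's owner.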
Now we have a key to encrypt with. Note that gpg has not verified that this key is mine; it only knows that it holds a key with my name on it. Before relying on an imported key, compare its fingerprint (gpg --fingerprint) with the owner over a separate channel. Please encrypt a message for me that only I can read.
> echo "a really interesting message" | gpg --armor --encrypt --recipient email@example.com
Because you have not certified the key, gpg will warn that there is no assurance it belongs to the named user and ask whether to use it anyway; answer y (in scripts, --trust-model always stands in for that prompt). Now, if you send me the output of that command, only I will be able to read it.
There is an interesting option there, --armor. The man page describes it as "Create ASCII armored output". It is something you need if you plan on transmitting this message in ASCII formats like email; without it gpg writes binary output.
When I get your message I'll be curious and want to decrypt it. Decrypting is a little more involved than encrypting but still relatively easy.
First, I need to make sure that my private key is managed.
> gpg --list-secret-keys
Nothing! I'll need to import it:
> gpg --import chriserin.priv
> gpg --list-secret-keys
sec   2048R/7C731F14 2017-03-30
uid                  Chris Erin (Be Kind To Others) <firstname.lastname@example.org>
ssb   2048R/1CC31A83 2017-03-30
Now let's decrypt the message. What's unique about the decryption process on my end is that I need to enter a passphrase; I will be prompted for it when the command below is run. (gpg infers --decrypt from the input file; --no-tty only keeps status messages off the terminal and is not required.)
> gpg --output interesting.txt --no-tty message.gpg
I should now have a file with the content:
a really interesting message
Creating a key pair
To receive encrypted messages you need a key pair: a public key that you can distribute on the internet as freely as you see fit, and a private key which should be guarded and protected.
gpg provides a command for this:
> gpg --gen-key
Which asks you for a set of information including your name, email, an optional comment, and a passphrase. As we saw while encrypting a message, the email is the handle by which you specify a recipient: gpg matches --recipient against the user IDs on the keys it manages (a name, an email, a key ID or a fingerprint all work). It is not a unique identifier, though. Anyone can generate a key carrying your email address, which is why gpg asks for confirmation before encrypting to a key nobody has certified; the fingerprint is the only thing that identifies a key.
One tricky thing about key generation on Linux is that, while generating the key itself, the program may complain about not having enough entropy and hang until the entropy requirement is met. Googling showed this to be a common complaint, most often solved by installing rng-tools with apt-get as described here.
If you are able to create a key successfully it should be in your list of keys, both the secret list and the public list:
> gpg --list-keys
> gpg --list-secret-keys
You'll want a public key to distribute, which you can obtain with (-a is short for --armor):
> gpg --export -a "Chris Erin" > chriserin.pub
And you may want to back the private key up somewhere else. It can be exported with the command below; the exported file is still protected by your passphrase, but treat it as the secret it is:
> gpg --export-secret-keys -a "Chris Erin" > chriserin.priv
Finally, knowing that gpg manages keys, you are probably assuming that they are deletable. They are. The secret key has to go first, because gpg refuses to delete a public key while it still holds the matching secret key:
> gpg --delete-secret-keys email@example.com
> gpg --delete-keys firstname.lastname@example.org
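The whole lifecycle above (generate, export, import into someone else's keyring, encrypt, decrypt, delete) as an added example that is not part of the original post: a Python 3 script driving the same gpg commands unattended, with the two sides kept in separate temporary GNUPGHOME directories so nothing touches your real keyring. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback and for batch deletion by fingerprint) and returns None if no gpg binary is on the PATH; the name, address, passphrase and message are made up for the example.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed identity and message for the example; not anyone's real key.
NAME, EMAIL = "Alice Example", "alice@example.org"
PASSPHRASE = "correct horse battery staple"
MESSAGE = "a really interesting message"

# Parameter file format from the GnuPG manual's "Unattended key generation" section;
# it answers the questions --gen-key would otherwise ask interactively.
GEN_KEY_PARAMS = f"""Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: {NAME}
Name-Email: {EMAIL}
Expire-Date: 0
Passphrase: {PASSPHRASE}
%commit
"""


def gpg(home, *args, stdin=None):
    """Run gpg non-interactively against the isolated keyring directory `home`."""
    env = dict(os.environ, GNUPGHOME=home)
    cmd = ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback", *args]
    proc = subprocess.run(cmd, input=stdin, env=env, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"{' '.join(cmd)} failed:\n{proc.stderr}")
    return proc.stdout


def fingerprint(home, user_id):
    """Primary key fingerprint, read from the machine-readable 'fpr' record of --with-colons output."""
    for line in gpg(home, "--with-colons", "--fingerprint", user_id).splitlines():
        if line.startswith("fpr:"):
            return line.split(":")[9]
    raise LookupError(user_id)


def lifecycle():
    """Generate, export, import elsewhere, encrypt, decrypt and delete; returns what each step produced."""
    if shutil.which("gpg") is None:
        return None                                   # nothing to demonstrate without the binary
    alice, bob = tempfile.mkdtemp(prefix="alice-"), tempfile.mkdtemp(prefix="bob-")
    try:
        gpg(alice, "--gen-key", stdin=GEN_KEY_PARAMS)             # unattended --gen-key
        fpr = fingerprint(alice, EMAIL)
        public_key = gpg(alice, "--armor", "--export", EMAIL)     # the half you publish
        gpg(bob, "--import", stdin=public_key)                    # Bob now manages Alice's public key
        # Bob has not certified the key, so in batch mode gpg refuses to encrypt to it unless
        # told to; --trust-model always stands in for the interactive "Use this key anyway?" prompt.
        ciphertext = gpg(bob, "--trust-model", "always", "--armor", "--encrypt",
                         "--recipient", EMAIL, stdin=MESSAGE)
        # Only the keyring holding the secret key, plus its passphrase, can open the message.
        plaintext = gpg(alice, "--passphrase", PASSPHRASE, "--decrypt", stdin=ciphertext)
        # Secret key first: gpg refuses to delete a public key while its secret half is present.
        gpg(alice, "--delete-secret-keys", fpr)
        gpg(alice, "--delete-keys", fpr)
        listing = gpg(alice, "--list-keys")
        return {
            "fingerprint": fpr,
            "armored": ciphertext.startswith("-----BEGIN PGP MESSAGE-----"),
            "decrypted": plaintext,
            "keys_left": any(line.startswith("pub") for line in listing.splitlines()),
        }
    finally:
        for home in (alice, bob):                     # stop the per-home agents and wipe the keyrings
            try:
                subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                               env=dict(os.environ, GNUPGHOME=home), capture_output=True)
            except OSError:
                pass
            shutil.rmtree(home, ignore_errors=True)
```

Running lifecycle() on a machine with GnuPG 2.1+ produces an armored message on Bob's side, the original text back on Alice's side, and an empty keyring at the end. Every gpg invocation carries --batch and --yes, so anything that would have prompted (the uncertified-key question, the passphrase, the deletion confirmations) has to be supplied explicitly, which is exactly what the interactive walkthrough above hides.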
Now you're back where you started. Happy encrypting!