GNU Privacy Guard, better known as GPG, is an implementation of public key cryptography and a free software replacement for Symantec's PGP.
In this post I will show you how to generate a new GPG key pair and how to encrypt and/or sign files.
Generate new GPG key pair
To begin we have to generate a public and private key pair using
gpg --gen-key. These instructions follow the way I created my own GPG keys; if you would like to know more about every step, I recommend the guide at https://fedoraproject.org/wiki/Creating_GPG_Keys.
$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
Select 1 (default) and press Enter.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
The default 2048-bit key is long enough for me, so I press Enter.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
I use the default value 0 (the key does not expire).
Key does not expire at all
Is this correct? (y/N)
If you also chose no expiry, press y and Enter.
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name: Niko Kiuru
Email address: [email protected]
Comment:
You selected this USER-ID:
    "Niko Kiuru <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Give your real name and email address; the comment section is optional, and I left it empty. When your identity information has been entered, press O.
Now the new key pair is located in
List of keys
Now that we have created one key in the keyring, we can list all our keys in the terminal.
$ gpg --list-keys
/home/niko/.gnupg/pubring.gpg
-----------------------------
pub   2048R/AAAAXXXX 2015-10-04
uid                  Niko Kiuru <[email protected]>
sub   2048R/BBBBXXXX 2015-10-04
The pub line shows my master key and its ID, which in my case is AAAAXXXX.
We have generated a new key pair and seen what it looks like in the terminal. Now we will encrypt a file.
First write a text file that we would like to encrypt later.
$ echo "Hello GPG! I would like to encrypt this messages" > hello
$ cat hello
Hello GPG! I would like to encrypt this messages
Okay, now we have a file with a message written in it. Next I would like to encrypt and sign that file with my GPG key. When I encrypt a file, I have to specify the ID of my master key. The command
gpg --list-keys shows all my keys, and from that list I selected mine.
$ gpg -r AAAAXXXX -e hello
The encrypted file is named hello.gpg and is in a binary format. There is only one way to open this file: decrypt it with your private key. Next we decrypt the file.
$ gpg hello.gpg

You need a passphrase to unlock the secret key for
user: "Niko Kiuru <[email protected]>"
2048-bit RSA key, ID BBBBXXXX, created 2015-10-04 (main key ID AAAAXXXX)

gpg: encrypted with 2048-bit RSA key, ID BBBBXXXX, created 2015-10-04
      "Niko Kiuru <[email protected]>"
Hello GPG! I would like to encrypt this messages
The output tells me that the file was encrypted with my own key, and at the end of the output is my message in plaintext.
Simple passphrase protected file
If you would like to protect a file in a simple way, you can also use symmetric encryption, which is protected by a passphrase.
Write a file and encrypt it.
$ echo "Hello GPG! This file will be passphrase protected." > hello
$ gpg -c hello
Now you have to give a passphrase, and the file hello.gpg is the same file but encrypted. By default gpg uses the CAST5 cipher algorithm for symmetric encryption. You can decrypt hello.gpg with the command
$ gpg hello.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
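The whole procedure above (key generation, encryption to a recipient, decryption, and the passphrase-protected variant) as one added non-interactive script; this is example code, not from the original post. It assumes GnuPG 2.1 or newer on PATH; the name and e-mail are constructed, and the key is generated without a passphrase only because it is a throwaway test key.

```shell
#!/bin/sh
# Added example, not from the original post: the procedure above run
# non-interactively in a throwaway keyring. Assumes GnuPG 2.1+ on PATH;
# the name/e-mail below are constructed and the key has no passphrase
# only because it is a disposable test key.
set -eu

gpg_roundtrip() {
    # Private GNUPGHOME so the user's real ~/.gnupg is never touched.
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    work=$(mktemp -d)

    # Unattended form of the dialog: RSA 2048 + RSA 2048 subkey, no expiry.
    gpg --batch --quiet --gen-key <<'EOF'
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Example User
Name-Email: user@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF

    # Pick the recipient by full fingerprint; 8-hex short IDs can collide.
    fpr=$(gpg --batch --with-colons --with-fingerprint --list-keys \
          | awk -F: '/^fpr/ { print $10; exit }')
    printf 'Hello GPG! I would like to encrypt this messages\n' > "$work/hello"

    # Public-key encryption (gpg -r ID -e file) and decryption (gpg file).
    gpg --batch --quiet -r "$fpr" -e -o "$work/hello.gpg" "$work/hello"
    gpg --batch --quiet -d -o "$work/hello.dec" "$work/hello.gpg"
    cmp -s "$work/hello" "$work/hello.dec" || return 1

    # Symmetric case (gpg -c) with AES256 instead of the CAST5 default.
    pw='correct horse battery staple'
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pw" \
        --cipher-algo AES256 -c -o "$work/sym.gpg" "$work/hello"
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pw" \
        -d -o "$work/sym.dec" "$work/sym.gpg"
    cmp -s "$work/hello" "$work/sym.dec" || return 1
    # A wrong passphrase must be rejected, not yield silent garbage.
    if gpg --batch --quiet --pinentry-mode loopback --passphrase 'wrong' \
          -d -o /dev/null "$work/sym.gpg" 2>/dev/null; then return 1; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work" "$GNUPGHOME"
    echo ok
}
```

Run `gpg_roundtrip` after sourcing the script; it prints `ok` only if both the public-key and the passphrase round trips restore the original file byte for byte.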