Unless otherwise noted, articles © 2005-2008 Doug Spencer, SecurityBulletins.com. Linking to articles is welcomed. Articles on this site are general information and are NOT GUARANTEED to work for your specific needs. I offer paid professional consulting services and will be happy to develop custom solutions for your specific needs. View the consulting page for more information.


Gnu Privacy Guard (GPG)

From SecurityBulletins.com

Jump to: navigation, search

Written by Doug Spencer Oct 14, 2006

GNU Privacy Guard provides public key encryption for files and e-mail. This article explains some of the operations of GPG.

GPG uses public key encryption. This means you will have two keys. The first key is a public key that can be distributed in any manner you wish. The PUBLIC key is NOT a secret. The second key is your private key, which should be secured and never be distributed.

To get started once you have installed GPG, you must create your keys. You can create keys as follows:

$ gpg --gen-key
gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: directory `/home/oracle/.gnupg' created
gpg: new configuration file `/home/oracle/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/oracle/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/oracle/.gnupg/secring.gpg' created
gpg: keyring `/home/oracle/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Mon Oct 13 18:27:26 2008 CDT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Oracle User
Email address: oracle@securitybulletins.com
Comment: Oracle test account
You selected this USER-ID:
    "Oracle User (Oracle test account) <oracle@securitybulletins.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++.+++++++++++++++++++++++++++++++++++..++++++++++..+++++++++++++++++++++++++.++++++++++..++++++++++++++++++++..++++++++++..++++++++++>+++++..>+++++....<+++++...................>+++++....................................<.+++++.>+++++.....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++..+++++..+++++.+++++..+++++...+++++++++++++++...++++++++++...+++++.++++++++++..++++++++++++++++++++..+++++++++++++++++++++++++....+++++...+++++.+++++.+++++.++++++++++>+++++.+++++......+++++^^^^^^^^^^^
gpg: /home/oracle/.gnupg/trustdb.gpg: trustdb created
gpg: key 5D783818 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2008-10-13
pub   1024D/5D783818 2006-10-14 [expires: 2008-10-13]
      Key fingerprint = ED15 BCD3 0FA8 BDB3 F79A  55F2 8181 3FA1 5D78 3818
uid                  Oracle User (Oracle test account) <oracle@securitybulletins.com>
sub   2048g/1D4FAC02 2006-10-14 [expires: 2008-10-13]

Now that you have generated your keys, we will look at the other options available. You will probably want to exchange your public key. To export your key in a format that can be sent over e-mail or other communication links, the following command will print the ASCII version of your public key:

$ gpg --export -a "Oracle User" # Put your name here. You can verify your name using gpg --list-keys
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.3 (GNU/Linux)

mQGiBEUxcusRBADENsK3UARrtSImJnEVDYEHKjxsmzhbqn6hjrGGG2L4Qs2EAEyT
aDpiOdCoFoc+XQtsR0VYHJIN6nVC7qDyMgSF4D7IhpYy4720lhrBgo1sIUsQRN/u
17E7jad2Yp0Y58UFTPaSR+mwwbW0FhIMtKIvxQzv8+hdrw0WnlpRwfliKwCgr1DU
oHRh1lBxY2w9Wk22YaTfidMEAIJX6L43taj3mKn45pYSPBFGs1C+htOnOm9ygS7P
z4dWkPPQCjOyCbVAmoY0Q7Nx4ZGcG/ViY9NjQ2YuIayWFg1LR/AWGjnXw6d+ZaB/
2hFF5QLE5PzeAG8+np1y95CsAyABqlovQmBa3VgYUV2p3zVn8ZfjcYsYV0/eK3bf
IOrvA/9cINE+dCnkesgIpwdZWo/86j6TjuGKTCAl8wxb4+LSHbVhOE1ZXAjbdFII
1VOGtGW86FBZ6piGGx2Mh6/6MRR9U8HfFbJ7HaY0TTe+n2ZLS1kFu6ztx5lkTqwT
h3Yt2a51m7ZcZ1QmifE9+SQFOvNriDZX4bZ907VHyNNhgU9hf7RAT3JhY2xlIFVz
ZXIgKE9yYWNsZSB0ZXN0IGFjY291bnQpIDxvcmFjbGVAc2VjdXJpdHlidWxsZXRp
bnMuY29tPohmBBMRAgAmBQJFMXLrAhsDBQkDwmcABgsJCAcDAgQVAggDBBYCAwEC
HgECF4AACgkQgYE/oV14OBjr4gCZAcmC5NheK0IO3of8iXfwqXA/tXcAnRDuTQo/
frr/fr+FBwZNE98/T6xYuQINBEUxcvIQCACx+j7Vzf23inE8zGVtOijXxXQ5rxXv
f8BJKrpJ1hVdoKA5YfMmJaTvKcWsTcuSbkMTo4wMxWe627y3MBWe+X7ElJEWYAoY
EKMMwrG2DnhvaEcui7976sQn11EJT6NobV7OFTQpbfyMk/d3G7xw61yutlLgT0dW
BFjMsGx6SSi/2cztTFsdtsXAjir7sKlE71zgTMyDI52CZU7YuaJ5u1TCQoPVyYh+
fPFIXM8vVzmMx+g+tFNbKiwYXEz6jH/qOUCprAd2Qi8LLopIGIDKcT4W1/UVT6ZD
TtTfpYboO9mEbJY4X9wraZ5yje7hfj3TPmDk8tZ5xoLqG9dPeSvy6/KHAAQNB/4w
UxT5uCRjHFEyKsfZSD/NIIgOR+aN9vNca4hoRXQYwZaQouLjXryNlOuwQ7CYKk7O
2ih7ib7Oq75WPVVpRUyCJJxsn+NKmLsakc+C8qUxl0VZOxlrQ1OJdcR7KdwM0wgg
oIYZx0yocH9t33+j3vKYb8wC7TYvnk7eHvmlxYJhcK5G1a6ZyQuS9eVmeI1qqy/A
2xBy3icsk25JaxeOU5CzBk2oFMtRL1eUu5sQ9177MT9ta20qMyAjGVO0ut8Mqsrx
7C02eHC4BIk2123KdP98681wHQ9ng1D4UCR4aus+PpZ2lkV2LkC8WTFZWSzpaRrA
/rMeuMKEeg1AjckN04ViiE8EGBECAA8FAkUxcvICGwwFCQPCZwAACgkQgYE/oV14
OBhZywCeLNubdKJ8n2cZ54qH+wNCX0Jf2H8AmwRidK7VoXm3VWvwwupBTNYQyXRp
=7Z3b
-----END PGP PUBLIC KEY BLOCK-----

Note that the header and footer are both noted as a "PUBLIC KEY BLOCK" so you can be sure you are exchanging the public key and not giving away your private key.

You will probably want to import public keys from the people you want to correspond with as well. To import a key, the following will work:

$ gpg --import
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.3 (GNU/Linux)

mQGiBEUxcLQRBACTASZA6jyquRQDApqZVyFoL+1FfIaflyYYooM84R3KCHQG9nPt
eRAwgBqJWCB6kDK8hs3vBP/MNKNFfrv0CvjowQojjYVHSKK3nrur6p4ZH0fVUO8f
Fx5lL7AjoFlBQU+qQ3A1qtn75Vu1Pi3k8Jr538wu+CNdljlxYm0iP2IN7wCg/GMM
gA2JWgprZMCJwO4XI9sN9vUD/0AdflKnVMd/vh0QJ9APtZg1RDHj8xyVNT/PYfI5
e7M9UHMImy2IzO5FWrePAZDBzFYwQs19a13oWrjB+rH/ZoYOEajpS58tO8FZiiPH
IYLmBktD8BdADQrMP8rLPlx653ss1cr4PMvldLDBfH8DZzK2pCjQ32zIrdliQ84v
6XfsA/0RYtYmVz4601v+/EFFJw7H+0ZPpuqC/OnfwWG0+87nyKY67mU1kPJGCuoY
BQaTv68/rf6oLC2MdIjX8EOcyuJ0GM4A3uXtAk/P8zzBkVY//nHrabNE4xficcD9
TyXYIrjCdm9j/Ei2d31RC2xernagswjjvFbWndwIfKOdfkfhmLQ8VGVzdGluZyBP
bmVUd28gKFRlc3RpbmcgR1BHKSA8dGVzdGluZ0BzZWN1cml0eWJ1bGxldGlucy5j
b20+iGYEExECACYFAkUxcLQCGwMFCQPCZwAGCwkIBwMCBBUCCAMEFgIDAQIeAQIX
gAAKCRCPt/flSoEMdRyzAKDpoq4kwBUhw6jkFANCU14QcXdOXACfdYV6yTYmEtqa
W8SYWCvTMN87Ze65Ag0ERTFwwRAIAJlqIsLnPLe2KJY4nPW2RXO5cnye8ZmLLZqw
5zAUu53ZrUMCOSEx1TxMRFssjCoq+GxohcuWvS6LYzD2AzPtfmai5TlbmFqOXu2l
4xLpZkQWqiCrZ/aKHb/keuVDcNai7h6QzYHtEkAG2T6eUFZ9ra2/OMgkfW3n8IPi
zay/MKbRfScNVFyqPivCAKH/UDtifaTXIPSao6GJOqhE1DKgFEoGQwdiIkUzS3PO
AMNBPIh66G8WFw3ScfT6C1sxa3M5nMEC5yGPAdgT3jzynFOlI4xdBeMfR/H17+IP
M5G+sfxEwzj7bGguJqC7NhX7v+nJM6EZ0QFHLx86RZAXumACv/MAAwYH/0in31fa
2WJ9yCC5OeRsiohpvUqiDIKPxj9XUW6srcXNTJDZc8iBd+gv2N5/YJeKG5eaZvaJ
XQxCHTjkTjMcp3yXobGfOV8qb1cdpPljr0AhIfQBwURSHcax9D58/Pz9EJGQTvbF
wVW9k9M84CS5bs1lkbHULqJrNiWQx7HDAQZ6Q3NOTvd0q4r0B2A87DuIb+nUvUqD
aNKSKbKFXlJgsb94hiZUoxCeUAmkvGsUgxkf6evewqW7Yis5ewjWI5Yam1RYv2xN
ytOAZqfthgGZZEtCWhE7qpgXz/XkzmYZ4dL2qMdXKvs+iCVH7Pw/oMrxB/ym4Sj1
6ZcBEv/qQRc6cg6ITwQYEQIADwUCRTFwwQIbDAUJA8JnAAAKCRCPt/flSoEMdeDi
AKCpocIza6CF6uMkDJqFpvHLjVQPlwCfcyXhGQMrBODW+Eiv/M4JrmozNzg=
=mhM6
-----END PGP PUBLIC KEY BLOCK-----
gpg: key 4A810C75: public key "Testing OneTwo (Testing GPG) <testing@securitybulletins.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

You can now encrypt a message in a file to this user as follows. The message in this example is a text file called "testmsg.txt." I have the following text in the file:

$ cat /tmp/testmsg.txt
This is a test from the Oracle User
$ gpg -e -a testmsg.txt
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: Test User
gpg: 4802A415: There is no assurance this key belongs to the named user

pub  2048g/4802A415 2006-10-14 Test User (Test user) <test@securitybulletins.com>
 Primary key fingerprint: 91B4 C767 7CA7 003B BD9F  7819 6237 A6B4 AE25 CC99
      Subkey fingerprint: 983D 8D81 3824 C1AB 2555  0D69 AD7C C0F7 4802 A415

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

Current recipients:
2048g/4802A415 2006-10-14 "Test User (Test user) <test@securitybulletins.com>"

Enter the user ID.  End with an empty line: 

The encrypted message is in a file named testmsg.txt.asc to signify that it is an ASCII Armored text file.

To decrypt a message, use the following commands:

$ gpg -d /tmp/testmsg.txt.asc 

You need a passphrase to unlock the secret key for
user: "Test User (Test user) <test@securitybulletins.com>"
2048-bit ELG-E key, ID 4802A415, created 2006-10-14 (main key ID AE25CC99)

gpg: encrypted with 2048-bit ELG-E key, ID 4802A415, created 2006-10-14
      "Test User (Test user) <test@securitybulletins.com>"
This is a test from the Oracle User

You will notice that the original message is displayed to the text console. If you want to decrypt to a file, don't use the -d option and GPG will output to a file by stripping the .asc suffix.

There are front-ends to GPG that make it easier to use. A list of front-ends for many operating systems can be found at http://www.gnupg.org/(en)/related_software/frontends.html. For UNIX and Linux systems, there are many front-ends, from a frontend for the Emacs and VI editors to e-mail programs that include GPG support.

The GPG Manual, available at http://www.gnupg.org/gph/en/manual.html is another good resource for using GPG.

Personal tools