How to use GPG
Why am I writing this?
I have looked up “how to use gpg” so many times, on so many websites, and have found every guide to be focused on something I don’t use or worded in such a way that I get confused and revoke all of my keys (that hasn’t actually happened…yet). I thought I’d whip up a quick guide
that could serve as a reference for future Kaashif, who may not remember anything about GPG other than
gpg -ear and
This is easy. Most distros come with it, for package signing among other things. The ones that don’t have it easily installable from their package repos as either “gpg”, “gpg2”, “gnupg” or “gnupg2”. While GPG and GPG 2 are actually different programs, many distros don’t make the distinction, since hardly anyone uses GPG1 anymore.
Generating a key
gpg --gen-key You have to be an idiot to get this wrong. Defaults are fine, unless someone has broken RSA with quantum magic. Make sure the email is right.
After generating a key
1. Create a revocation cerificate
gpg --output revokecert --gen-revoke $KEY
2. Back up everything
I somehow managed to lose two GPG private keys, of which I had only generated one revocation certificate. I’ll never make that mistake again - I have it backed up on a CD, on a USB drive and on a server. Nothing off-site, though, so someone could theoretically burn down my house and I’d lose everything.
How to use your newfound encryption powers
To encrypt plain text from stdin, just do
gpg -ear $KEY The $KEY refers to the recipient. It’s fine to use your own pubkey when testing, but you have to use the pubkey of the person who will decrypt the text! That’s the cornerstone of everything to do with keys. Imagine someone saying “I’ll send you this lock only I have the key to”, that would be idiotic when they have the means available to send you a lock only you have the key to.
If someone sends you a properly encrypted message, invoke
gpg -d. Since you should only have one private key at this point, it’ll take input from stdin which, hopefully, has been encrypted with your pubkey and can be decrypted with your private key.
Let’s say someone doesn’t want to use GPG because they’re too lazy (a very realistic scenario). Maybe you’re posting on a mailing list, where GPG isn’t necessary, and just annoys everyone. You still want people to know that you sent the message and not an imposter with fake headers, correct? Well you’re in luck, you can attach a GPG signature to your messages. This is basically a copy of the message which can be decrypted with your public key. Since you are the only person with the private key, you must have been the person to sign the message. The command to use is
gpg --clearsign. No need to specify a key, because you only have one private key
Encrypting files into a binary format
gpg -ear? The “a” means ASCII. Take that out and it magically outputs a binary file, with the input filename and a ".gpg" extension.
What is my key?
——BEGIN PGP PUBLIC KEY BLOCK—— Version: GnuPG v1.4.14 (GNU/Linux)
mQENBFH38X4BCAC25Ra3yhPjXtqWmYbxHHG3Esn4en9z0yWCE4AukNUm8MX1kPna 1TqBFkw8WhhQKV1v+U0T18zoWwpMm1tUJdVWaUVc2/4iyR49d3SI81K+g7CuQuz1 YjyMG1zOzWeswfcJjZF4+Ti/fZIR7fNc+neAfGg9WMpAvdfMWAjuuV44vrAZQey+ bgpVN3uEJYntyzJRkgkqTNS2JatrL0IOVmfKtrNzuHQy5THJn2uDm9+Eg/tVe0Jp bfz5AJKqqGUpE9jitCKc55n5xvJrlOQyWaIWuSiaKRRRiupswVAVoEa5y8JOckyb l5q10F6hCIWq+ohGV/huGSvMNAMoU9+8vdXbABEBAAG0R0thYXNoaWYgSHltYWJh Y2N1cyAoUHJvZ3JhbW1lciwgc3lzYWRtaW4pIDxrYWFzaGlmaHltYWJhY2N1c0Bn bWFpbC5jb20+iQE4BBMBAgAiBQJR9/F+AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe AQIXgAAKCRBa0dhzPoELBO6IB/40BRr2DrajYJ6y9yGpUHJIPT+KC90i62r0D3vM raHz3/shBOOJEeyqhxcmwByWkhBRjEkkt3xgaWlj6XzvuBY457p54f6bIKeKwXpT WJAVdhM2VSQdTyX/Svo3lnVYv0bozbRIb88M6FvTF8Cv631zSImAAKuPD2X7ZYl1 2p3gLVWB//vkAr2WAJjq1qrcmoVtixbs5HeM65MR7hcE30vCJzswev7m+4mQXFR3 LoMNoC1Zx2iYBNgUNMpoGaGdPTohMD8gCklr86R+OzCORrWyKBl4qc608Dmt+myG Rs5OH6c9yBYiHIfc9UYaMoPXIdvQBwO/4bOOOZbwqp7Onjy7uQENBFH38X4BCADo Obc//asuZBCJtf2GSZGrWvWJVYv06a3noIBb9TG+6fAZ40c1zlPJzCSa6wU8aeXn 6UvbQI7W014wWlO+JvvpaZzEsJ+qnxkZQqEne1BqTb32OmIJLInDQhsZsoR/PNSQ KRUshS9kLBSez2EBA7rV2cJ6X2a2Dtb75PlzysjmHrws1ZOelYRu3DorYfUQ05jL IhCFQRCHgryK0yD+mZy55F9JHGHWooTGTStBmNW5dDpXdPUcHeZm5ICXkuQC1tzV apW/vy77PB3ZVTxX/wEuATgbfbPiGpvqVQWr+CTnQOpVGoAMByHdlkHaKtGnjUlI vp9Xep+cbS4GOjpJ0khZABEBAAGJAR8EGAECAAkFAlH38X4CGwwACgkQWtHYcz6B CwTqWgf/ROZ5mmloJ/86iCeGzxzIHMWF4m8dwMGa3SZ310umsl83ydM5hixmRM43 cABzEq7sbgirmg31GAkGwU0dQ6z9R4TSSbDFS8nz1EztvuNabMTPfc9AdtE/ig2P o6Hul8n3A6330RDk94QtqBw3Eppsr6PgQ+hA2rbfy7YRca6p100cC9yOAdc5gvmr 0qTfFtX71/Nxrcok+88uOk3PMwyvW/6HCs9m7jfx2RZe3DmQ5ykZ7qMe5YM4xGKy SteLT0+yQNETungL5lyC0V/JAgAIQXItQytEXL9TEKeEP2jCrRD4lDa98qMkbNDI ba2AGJ2aj3+u9787VaY7bSRFQH8Kwg== =1hN6 -----END PGP PUBLIC KEY BLOCK-----
How did I generate that?
gpg --export -a $KEY. Once again, you can take out the "-a" and add an "—output " to get binary output.
Where do I find more public keys?
Go to a keyserver, like pgp.mit.edu. You should also submit your public key there by invoking
gpg --send-keys --keyserver pgp.mit.edu $KEY. The key will propagate to other servers, so you cannot delete or edit a key once it’s there. Make sure everything is correct and backed up. Don’t search my name, I don’t want to be embarrassed. If you must, my key is the most up to date one, I lost the old one, and revoked the other one…due to losing it. Do what I say, not what I do.
gpg -ear $KEY - Encrypt plaintext from stdin
gpg -d - Decrypt plaintext from stdin
gpg --export -a $KEY - Export ASCII-armoured key to stdout
gpg --import $FILE - Import key from a file
gpg --clearsign - Sign a message from stdin, leaving the message human-readable
gpg --detach-sig $SIGFILE $FILE - Sign a file and create a detached signature in another file
gpg --some-sort-of-command --output $FILE - Do something, then output to a file