kaashif's blog

Programming, software freedom and Unix


How to use GPG

Why am I writing this?

I have looked up “how to use gpg” so many times, on so many websites, and have found every guide to be focused on something I don’t use or worded in such a way that I get confused and revoke all of my keys (that hasn’t actually happened…yet). I thought I’d whip up a quick guide

that could serve as a reference for future Kaashif, who may not remember anything about GPG other than gpg -ear and gpg -d.

Installing GPG

This is easy. Most distros come with it, for package signing among other things. The ones that don’t have it easily installable from their package repos as either “gpg”, “gpg2”, “gnupg” or “gnupg2”. While GPG and GPG 2 are actually different programs, many distros don’t make the distinction, since hardly anyone uses GPG1 anymore.

Generating a key

gpg --gen-key You have to be an idiot to get this wrong. Defaults are fine, unless someone has broken RSA with quantum magic. Make sure the email is right.

After generating a key

Two things:
1. Create a revocation cerificate gpg --output revokecert --gen-revoke $KEY
2. Back up everything
I somehow managed to lose two GPG private keys, of which I had only generated one revocation certificate. I’ll never make that mistake again - I have it backed up on a CD, on a USB drive and on a server. Nothing off-site, though, so someone could theoretically burn down my house and I’d lose everything.

How to use your newfound encryption powers

To encrypt plain text from stdin, just do gpg -ear $KEY The $KEY refers to the recipient. It’s fine to use your own pubkey when testing, but you have to use the pubkey of the person who will decrypt the text! That’s the cornerstone of everything to do with keys. Imagine someone saying “I’ll send you this lock only I have the key to”, that would be idiotic when they have the means available to send you a lock only you have the key to.

If someone sends you a properly encrypted message, invoke gpg -d. Since you should only have one private key at this point, it’ll take input from stdin which, hopefully, has been encrypted with your pubkey and can be decrypted with your private key.

Signatures

Let’s say someone doesn’t want to use GPG because they’re too lazy (a very realistic scenario). Maybe you’re posting on a mailing list, where GPG isn’t necessary, and just annoys everyone. You still want people to know that you sent the message and not an imposter with fake headers, correct? Well you’re in luck, you can attach a GPG signature to your messages. This is basically a copy of the message which can be decrypted with your public key. Since you are the only person with the private key, you must have been the person to sign the message. The command to use is gpg --clearsign. No need to specify a key, because you only have one private key

Encrypting files into a binary format

Remember using gpg -ear? The “a” means ASCII. Take that out and it magically outputs a binary file, with the input filename and a ".gpg" extension.

What is my key?

——BEGIN PGP PUBLIC KEY BLOCK—— Version: GnuPG v1.4.14 (GNU/Linux)

mQENBFH38X4BCAC25Ra3yhPjXtqWmYbxHHG3Esn4en9z0yWCE4AukNUm8MX1kPna
1TqBFkw8WhhQKV1v+U0T18zoWwpMm1tUJdVWaUVc2/4iyR49d3SI81K+g7CuQuz1
YjyMG1zOzWeswfcJjZF4+Ti/fZIR7fNc+neAfGg9WMpAvdfMWAjuuV44vrAZQey+
bgpVN3uEJYntyzJRkgkqTNS2JatrL0IOVmfKtrNzuHQy5THJn2uDm9+Eg/tVe0Jp
bfz5AJKqqGUpE9jitCKc55n5xvJrlOQyWaIWuSiaKRRRiupswVAVoEa5y8JOckyb
l5q10F6hCIWq+ohGV/huGSvMNAMoU9+8vdXbABEBAAG0R0thYXNoaWYgSHltYWJh
Y2N1cyAoUHJvZ3JhbW1lciwgc3lzYWRtaW4pIDxrYWFzaGlmaHltYWJhY2N1c0Bn
bWFpbC5jb20+iQE4BBMBAgAiBQJR9/F+AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
AQIXgAAKCRBa0dhzPoELBO6IB/40BRr2DrajYJ6y9yGpUHJIPT+KC90i62r0D3vM
raHz3/shBOOJEeyqhxcmwByWkhBRjEkkt3xgaWlj6XzvuBY457p54f6bIKeKwXpT
WJAVdhM2VSQdTyX/Svo3lnVYv0bozbRIb88M6FvTF8Cv631zSImAAKuPD2X7ZYl1
2p3gLVWB//vkAr2WAJjq1qrcmoVtixbs5HeM65MR7hcE30vCJzswev7m+4mQXFR3
LoMNoC1Zx2iYBNgUNMpoGaGdPTohMD8gCklr86R+OzCORrWyKBl4qc608Dmt+myG
Rs5OH6c9yBYiHIfc9UYaMoPXIdvQBwO/4bOOOZbwqp7Onjy7uQENBFH38X4BCADo
Obc//asuZBCJtf2GSZGrWvWJVYv06a3noIBb9TG+6fAZ40c1zlPJzCSa6wU8aeXn
6UvbQI7W014wWlO+JvvpaZzEsJ+qnxkZQqEne1BqTb32OmIJLInDQhsZsoR/PNSQ
KRUshS9kLBSez2EBA7rV2cJ6X2a2Dtb75PlzysjmHrws1ZOelYRu3DorYfUQ05jL
IhCFQRCHgryK0yD+mZy55F9JHGHWooTGTStBmNW5dDpXdPUcHeZm5ICXkuQC1tzV
apW/vy77PB3ZVTxX/wEuATgbfbPiGpvqVQWr+CTnQOpVGoAMByHdlkHaKtGnjUlI
vp9Xep+cbS4GOjpJ0khZABEBAAGJAR8EGAECAAkFAlH38X4CGwwACgkQWtHYcz6B
CwTqWgf/ROZ5mmloJ/86iCeGzxzIHMWF4m8dwMGa3SZ310umsl83ydM5hixmRM43
cABzEq7sbgirmg31GAkGwU0dQ6z9R4TSSbDFS8nz1EztvuNabMTPfc9AdtE/ig2P
o6Hul8n3A6330RDk94QtqBw3Eppsr6PgQ+hA2rbfy7YRca6p100cC9yOAdc5gvmr
0qTfFtX71/Nxrcok+88uOk3PMwyvW/6HCs9m7jfx2RZe3DmQ5ykZ7qMe5YM4xGKy
SteLT0+yQNETungL5lyC0V/JAgAIQXItQytEXL9TEKeEP2jCrRD4lDa98qMkbNDI
ba2AGJ2aj3+u9787VaY7bSRFQH8Kwg==
=1hN6
-----END PGP PUBLIC KEY BLOCK-----

How did I generate that?

gpg --export -a $KEY. Once again, you can take out the "-a" and add an "—output " to get binary output.

Where do I find more public keys?

Go to a keyserver, like pgp.mit.edu. You should also submit your public key there by invoking gpg --send-keys --keyserver pgp.mit.edu $KEY. The key will propagate to other servers, so you cannot delete or edit a key once it’s there. Make sure everything is correct and backed up. Don’t search my name, I don’t want to be embarrassed. If you must, my key is the most up to date one, I lost the old one, and revoked the other one…due to losing it. Do what I say, not what I do.

Summary

gpg -ear $KEY - Encrypt plaintext from stdin

gpg -d - Decrypt plaintext from stdin

gpg --export -a $KEY - Export ASCII-armoured key to stdout

gpg --import $FILE - Import key from a file

gpg --clearsign - Sign a message from stdin, leaving the message human-readable

gpg --detach-sig $SIGFILE $FILE - Sign a file and create a detached signature in another file

gpg --some-sort-of-command --output $FILE - Do something, then output to a file