====== File Encryption with GPG on *nix ======

GNU Privacy Guard (GnuPG) is open source encryption software that implements the OpenPGP standard. GnuPG enables you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.

[[http://www.gnupg.org/documentation/howtos.en.html|GnuPG HOWTOs]]

===== GnuPG Basics =====

=== Passphrase File Encryption ===

The simplest encryption uses a symmetric cipher. A file is encrypted with a passphrase, and anyone who knows the passphrase can decrypt it, so no keys are needed. Note that after encrypting sensitivefile the original file remains untouched; a new, encrypted file is created with a '.gpg' suffix.

  > gpg -c sensitivefile                        # Encrypt sensitivefile with a passphrase
  > gpg sensitivefile.gpg                       # Decrypt sensitivefile

=== Using Keys ===

Public and private keys are the heart of asymmetric cryptography. Key points to remember:

  * Your public key is used by others to encrypt files that only you, as the receiver, can decrypt. Even the sender cannot decrypt the file unless they are also a receiver. The public key is thus meant to be distributed.
  * Your private key is encrypted with your passphrase and is used to decrypt files which were encrypted with your public key. The private key must be kept secure. **If the key or passphrase is lost, so are all the files encrypted with your public key.**

The first step is to generate a key pair. You will be asked a series of questions. The defaults are reasonable; however, you will have to enter at least your full name and email, and optionally a comment. Depending on your needs, you may also want to select a more appropriate key lifetime than non-expiring. The comment is useful for creating more than one key with the same name and email. You should also use a "passphrase", not a simple password.

  $ gpg --gen-key
  gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  Please select what kind of key you want:
     (1) DSA and Elgamal (default)
     (2) DSA (sign only)
     (5) RSA (sign only)
  Your selection?
  DSA keypair will have 1024 bits.
  ELG-E keys may be between 1024 and 4096 bits long.
  What keysize do you want? (2048)
  Requested keysize is 2048 bits
  Please specify how long the key should be valid.
           0 = key does not expire
        <n>  = key expires in n days
        <n>w = key expires in n weeks
        <n>m = key expires in n months
        <n>y = key expires in n years
  Key is valid for? (0) 1
  Key expires at Thu 04 Feb 2010 08:37:34 AM EST
  Is this correct? (y/N) y
  You need a user ID to identify your key; the software constructs the user ID
  from the Real Name, Comment and Email Address in this form:
      "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
  Real name: Physics Computer Network
  Email address: staff@physics.purdue.edu
  Comment: Example key, 1 day life.
  You selected this USER-ID:
      "Physics Computer Network (Example key, 1 day life.) <staff@physics.purdue.edu>"
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
  You need a Passphrase to protect your secret key.
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  +++++.+++++....+++++.+++++++++++++++.+++++.+++++.+++++.+++++.+++++++++++++++.++++++++++++++++++++++++++++++.++++++++++.+++++++++++++++.+++++++++++++++>+++++........................................>.+++++...<..+++++.............................>+++++..........+++++
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  ++++++++++++++++++++..++++++++++++++++++++.++++++++++.+++++...+++++...+++++++++++++++++++++++++.+++++++++++++++.++++++++++.....+++++..+++++++++++++++++++++++++.+++++>..+++++.+++++>+++++................>+++++...<.+++++.......+++++^^^
  gpg: key F520101A marked as ultimately trusted
  public and secret key created and signed.
  gpg: checking the trustdb
  gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
  gpg: depth: 0 valid: 4 signed: 3 trust: 0-, 0q, 0n, 0m, 0f, 4u
  gpg: depth: 1 valid: 3 signed: 0 trust: 0-, 0q, 1n, 0m, 2f, 0u
  gpg: next trustdb check due at 2010-02-04
  pub   1024D/F520101A 2010-02-03 [expires: 2010-02-04]
        Key fingerprint = FDB8 0538 9E5E DDD9 4E9F F0CB B3BE 3FA7 F520 101A
  uid                  Physics Computer Network (Example key, 1 day life.) <staff@physics.purdue.edu>
  sub   2048g/F14E2C72 2010-02-03 [expires: 2010-02-04]

==== Encryption/Decryption ====

Summary of commonly used options:

  * -s sign data
  * -e encrypt data
  * -d decrypt data
  * -r NAME encrypt for recipient NAME (or 'Full Name' or 'email@domain')
  * -a create ascii armored output of a key
  * -o use as output file

The examples use 'Your Name' and 'Alice', since keys are referred to by email, full name or partial name.

== Encrypt for personal use only ==

No need to import or export any key for this. You already have the necessary keys if you have run gpg --gen-key.

  > gpg -s -e -r 'Your Name' file               # Sign and encrypt with your public key
  > gpg -o file -d file.gpg                     # Decrypt. Use -o or it goes to stdout

== Encrypt - Decrypt with keys ==

First you need to export your public key so that someone else can use it, and you need to import Alice's public key to encrypt a file for her. You can either handle the keys in simple ascii files or use a public key server.

For example, Alice exports her public key and you import it; you can then encrypt a file for her. Only Alice will be able to decrypt it.

  > gpg -a -o alicekey.asc --export 'Alice'     # Alice exports her key in ascii format
  > gpg --send-keys --keyserver cryptonomicon.mit.edu KEYID   # She then puts her key on a key server.
  > gpg --import alicekey.asc                   # You import her key into your key ring, from the alicekey.asc file.
  > gpg --search-keys --keyserver cryptonomicon.mit.edu 'Alice'   # or get her key from a server.

Once the keys are imported it is trivial to encrypt or decrypt a file:

  > gpg -s -e -r 'Alice' file                   # Sign and encrypt a file for Alice.
  > gpg -o file -d file.gpg                     # Decrypt a file encrypted by Alice for you (options go before the file name).

== Key administration ==

  > gpg --list-keys                             # list public keys and see the KEYIDS

The KEYID follows the '/', e.g. for pub 1024D/F520101A the KEYID is F520101A.

  > gpg --fingerprint KEYID                     # Show the fingerprint of a key
  > gpg --gen-revoke 'Your Name'                # generate revocation certificate
  > gpg --list-secret-keys                      # list private keys
  > gpg --delete-keys NAME                      # delete a public key from local key ring
  > gpg --edit-key KEYID                        # Edit key (e.g. sign, trust, etc.)
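
Added example (not part of the original page): before encrypting to a key imported from a file or a key server, compare its full fingerprint with the one its owner gave you through another channel, because the 8-digit KEYID is too short to identify a key reliably. The function names and the sample record are assumptions made for this example; --with-colons is gpg's machine-readable listing option and is not among the commands above.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Strip whitespace and uppercase, so "fdb8 0538 ..." and "FDB80538..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint KEYID` output on stdin and print the
# primary key's fingerprint: field 10 of the first "fpr" record after "pub".
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# check_fingerprint EXPECTED   (colon listing on stdin)
# 0 = full match, 1 = mismatch, 2 = unusable input (e.g. only a short KEYID given).
check_fingerprint() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$(primary_fpr)")
    case "$expected" in
        ''|*[!0-9A-F]*) echo "expected value is not hexadecimal" >&2; return 2 ;;
    esac
    # Assumption: a 40-hex-digit fingerprint, as printed for the key on this page.
    if [ "${#expected}" -ne 40 ]; then
        echo "need the full 40-digit fingerprint, not a KEYID" >&2; return 2
    fi
    if [ -z "$actual" ]; then
        echo "no fingerprint record in listing" >&2; return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK $actual"
    else
        echo "MISMATCH: key ring has $actual" >&2; return 1
    fi
}

# Constructed sample in the --with-colons layout, built from this page's example key.
SAMPLE_LISTING='pub:u:1024:17:B3BE3FA7F520101A:2010-02-03:2010-02-04::u:::scESC:
fpr:::::::::FDB805389E5EDDD94E9FF0CBB3BE3FA7F520101A:'

# Real use: gpg --with-colons --fingerprint KEYID | check_fingerprint "$FPR_FROM_OWNER"
printf '%s\n' "$SAMPLE_LISTING" |
    check_fingerprint 'FDB8 0538 9E5E DDD9 4E9F  F0CB B3BE 3FA7 F520 101A'
```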