====== File Encryption with GPG on Mac ======
GNU Privacy Guard is Open Source encryption software.  It is 
an implementation of the OpenPGP standard.  GnuPG enables you to 
encrypt and sign your data and communication, features a versatile 
key managment system as well as access modules for all kind of 
public key directories.

[[http://www.gnupg.org/documentation/howtos.en.html|GnuPG HOWTOs]]

===== GnuPG Installation =====
To begin, GnuPG must first be installed onto your machine.  
  * Download the [[http://www.gpgtools.org/macgpg2/|latest version of MacGPG2]] and install it onto your machine.  NOTE that this requires Mac OSX 10.4.x or higher.
  * Once the program is installed, logout, then back in again to ensure all components are ready for use.


===== GnuPG Basics =====

=== Passphrase File Encryption ===

The simplest encryption is with a symmetric cipher. A file can be encrypted with a passphrase and anyone who knows the passphrase can decrypt it, thus keys are not needed. You will note, after encrypting sensitivefile the original file remains untouched.  A new, encrypted file is created with a '.gpg' suffix.

<code>
> gpg -c sensitivefile               # Encrypt a sensitivefile with password
> gpg sensitivefile.gpg              # Decrypt sensitivefile 
</code>


=== Using Keys ===

Public and private keys are the heart of asymmetric cryptography. Key points to remember:

    * Your public key is used by others to encrypt files that only you as the receiver can decrypt.  The sender cannot even decrypt the file unless they are also a receiver. The public key is thus meant to be distributed.

    * Your private key is encrypted with your passphrase and is used to decrypt files which were encrypted with your public key. The private key must be kept secure. **If the key or passphrase is lost, so are all the files encrypted with your public key.**


The first step is to generate a key pair. You will be asked a series of questions.  The defaults are reasonable, however you will have to enter at least your full name and email and optionally a comment. Depending on your need, you may also want to select a more appropriate key lifetime than non expiring.  The comment is useful to create more than one key with the same name and email. Also you should use a "passphrase", not a simple password.

<code>$ gpg --gen-key
gpg (GnuPG/MacGPG2) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 2
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at Sat Feb  6 10:47:57 2010 EST
Is this correct? (y/N) y
                        
GnuPG needs to construct a user ID to identify your key.

Real name: Physics Computer Network
Email address: staff@physics.purdue.edu
Comment: Example Key, 1 day life       
You selected this USER-ID:      
    "Physics Computer Network (Example Key, 1 day life) <staff@physics.purdue.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.    

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 2275F891 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2010-02-06
pub   2048D/2275F891 2010-02-05 [expires: 2010-02-06]
      Key fingerprint = 8C3E 5263 E6A4 6B0C 9B32  CFEC F52B D641 2275 F891
uid                  Physics Computer Network (Example Key, 1 day life) <staff@physics.purdue.edu>
sub   2048g/32295B57 2010-02-05 [expires: 2010-02-06]


</code>



==== Encryption/Decryption ====

Summary of commonly used options:

    *   -s sign data
    *   -e encrypt data
    *   -d decrypt data
    *   -r NAME encrypt for recipient NAME (or 'Full Name' or 'email@domain')
    *   -a create ascii armored output of a key
    *   -o use as output file



The examples use 'Your Name' and 'Alice' as the keys are referred to by the email or full name or partial name. 


== Encrypt for personal use only ==

No need to import or export any key for this. You have the necessary keys already if you have run gpg --gen-key.

<code>
> gpg -s -e -r 'Your Name' file               # Sign and encrypt with your public key
> gpg -o file -d file.gpg                     # Decrypt. Use -o or it goes to stdout
</code>

== Encrypt - Decrypt with keys ==

First you need to export your public key for someone else to use it. And you need to import the public key from Alice to encrypt a file for her. You can either handle the keys in simple ascii files or use a public key server.

For example, Alice exports her public key and you import it, you can then encrypt a file for her. Only Alice will be able to decrypt it.

<code>
> gpg -a -o alicekey.asc --export 'Alice'     # Alice exports her key in ascii format
> gpg --send-keys --keyserver cryptonomicon.mit.edu KEYID   # She then puts her key on a  key server.
> gpg --import alicekey.asc                   # You import her key into your key ring, from the alicekey.asc file.
> gpg --search-keys --keyserver cryptonomicon.mit.edu 'Alice' # or get her key from a server.
</code>

Once the keys are imported it is trivial to encrypt or decrypt a file:

<code>
> gpg -s -e -r 'Alice' file                      # Sign and encrypt a file for Alice.
> gpg -d file.gpg -o file                     # Decrypt a file encrypted by Alice for you.
</code>

== Key administration ==
<code>
> gpg --list-keys                             # list public keys and see the KEYIDS
    The KEYID follows the '/' e.g. for: pub   1024D/F520101A  the KEYID is F520101A
> gpg --fingerprint KEYID                     # Show the fingerprint of a key
> gpg --gen-revoke 'Your Name'                # generate revocation certificate
> gpg --list-secret-keys                      # list private keys
> gpg --delete-keys NAME                      # delete a public key from local key ring
> gpg --edit-key KEYID                        # Edit key (e.g sign, trust, etc.)
</code>