
File Encryption with GPG on *nix

GNU Privacy Guard (GnuPG) is Open Source encryption software. It is an implementation of the OpenPGP standard. GnuPG enables you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.

GnuPG HOWTOs

GnuPG Basics

Passphrase File Encryption

The simplest encryption is with a symmetric cipher. A file can be encrypted with a passphrase and anyone who knows the passphrase can decrypt it, so no keys are needed. Note that after encrypting sensitivefile the original file remains untouched; a new, encrypted file is created with a '.gpg' suffix.

> gpg -c sensitivefile               # Encrypt sensitivefile with a passphrase; writes sensitivefile.gpg
> gpg sensitivefile.gpg              # Decrypt; the output is written to sensitivefile
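The same passphrase-based encryption driven from a script, as an added example that is not part of the original HOWTO. The passphrase is handed to gpg on a file descriptor rather than on the command line, so it never appears in the process list where other users could read it. It assumes GnuPG 2.x on PATH (the 1.4 series shown later in this page has no `--pinentry-mode`); the file contents and passphrases are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: the passphrase (symmetric)
# encryption above, driven from a script. The passphrase arrives on a file
# descriptor rather than the command line, so it never shows up in the
# process list. Assumes GnuPG 2.x (the 1.4 series has no --pinentry-mode);
# the file contents and passphrases are constructed for the demo.
set -eu

# gpg_usable: 0 when the installed gpg understands the options used below
gpg_usable() { gpg --dump-options 2>/dev/null | grep -q '^--pinentry-mode$'; }

# fresh_home / discard_home: a throw-away GNUPGHOME so the demo never touches
# the real keyring, and its gpg-agent is stopped when the directory goes away
fresh_home()   { d=$(mktemp -d); mkdir -m 700 "$d/home"; printf '%s\n' "$d"; }
discard_home() { gpgconf --homedir "$1/home" --kill gpg-agent 2>/dev/null || true; rm -rf "$1"; }

# encrypt_with_passphrase HOMEDIR FILE PASSPHRASE: the scripted form of
# `gpg -c FILE`; writes FILE.gpg and leaves FILE untouched
encrypt_with_passphrase() {
    printf '%s\n' "$3" | gpg --homedir "$1" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --cipher-algo AES256 --symmetric "$2"
}

# decrypt_with_passphrase HOMEDIR FILE.gpg PASSPHRASE OUTPUT: the scripted
# form of `gpg -o OUTPUT -d FILE.gpg`; a non-zero exit means decryption failed
decrypt_with_passphrase() {
    printf '%s\n' "$3" | gpg --homedir "$1" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --output "$4" --decrypt "$2"
}

# roundtrip_ok PASSPHRASE: 0 if a constructed file survives encrypt + decrypt byte for byte
roundtrip_ok() {
    w=$(fresh_home); rc=1
    printf 'constructed sensitive contents\n' > "$w/sensitivefile"
    encrypt_with_passphrase "$w/home" "$w/sensitivefile" "$1" &&
    decrypt_with_passphrase "$w/home" "$w/sensitivefile.gpg" "$1" "$w/recovered" &&
    cmp -s "$w/sensitivefile" "$w/recovered" &&
    rc=0
    discard_home "$w"; return $rc
}

# wrong_passphrase_rejected PASSPHRASE: 0 if gpg refuses (non-zero exit) when
# the passphrase used for decryption differs from the one used to encrypt
wrong_passphrase_rejected() {
    w=$(fresh_home); rc=1
    printf 'constructed sensitive contents\n' > "$w/sensitivefile"
    encrypt_with_passphrase "$w/home" "$w/sensitivefile" "$1" &&
    ! decrypt_with_passphrase "$w/home" "$w/sensitivefile.gpg" "not-$1" "$w/recovered" 2>/dev/null &&
    rc=0
    discard_home "$w"; return $rc
}

if gpg_usable; then
    roundtrip_ok 'correct horse battery staple' && echo 'roundtrip: plaintext recovered'
    wrong_passphrase_rejected 'correct horse battery staple' && echo 'wrong passphrase: rejected'
else
    echo 'skipped: no GnuPG 2.x on PATH'
fi
```

The exit status is the only reliable signal in a script: gpg may already have opened the output file before it notices a bad session key or a failed integrity check, so a script must treat any non-zero exit as "no usable plaintext" rather than looking at whether the output file exists.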

Using Keys

Public and private keys are the heart of asymmetric cryptography: a file encrypted with someone's public key can only be decrypted with the matching private key, which that person keeps to themselves.

The first step is to generate a key pair. You will be asked a series of questions. The defaults are reasonable, but you will have to enter at least your full name and email address, and optionally a comment. Depending on your needs, you may also want to select a more appropriate key lifetime than non-expiring. The comment is useful for creating more than one key with the same name and email. Also, use a “passphrase”, not a simple password.

$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at Thu 04 Feb 2010 08:37:34 AM EST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Physics Computer Network
Email address: staff@physics.purdue.edu
Comment: Example key, 1 day life.
You selected this USER-ID:
    "Physics Computer Network (Example key, 1 day life.) <staff@physics.purdue.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++....+++++.+++++++++++++++.+++++.+++++.+++++.+++++.+++++++++++++++.++++++++++++++++++++++++++++++.++++++++++.+++++++++++++++.+++++++++++++++>+++++........................................>.+++++...<..+++++.............................>+++++..........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++..++++++++++++++++++++.++++++++++.+++++...+++++...+++++++++++++++++++++++++.+++++++++++++++.++++++++++.....+++++..+++++++++++++++++++++++++.+++++>..+++++.+++++>+++++................>+++++...<.+++++.......+++++^^^
gpg: key F520101A marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   4  signed:   3  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1  valid:   3  signed:   0  trust: 0-, 0q, 1n, 0m, 2f, 0u
gpg: next trustdb check due at 2010-02-04
pub   1024D/F520101A 2010-02-03 [expires: 2010-02-04]
      Key fingerprint = FDB8 0538 9E5E DDD9 4E9F  F0CB B3BE 3FA7 F520 101A
uid                  Physics Computer Network (Example key, 1 day life.) <staff@physics.purdue.edu>
sub   2048g/F14E2C72 2010-02-03 [expires: 2010-02-04]

Encryption/Decryption

Summary of commonly used commands and options. The examples refer to keys as 'Your Name' and 'Alice'; a key can be selected by its email address, full name, or a partial name.

Encrypt for personal use only

No need to import or export any key for this. You already have the necessary keys if you have run gpg --gen-key.

> gpg -s -e -r 'Your Name' file               # Sign with your private key and encrypt to your own public key
> gpg -o file -d file.gpg                     # Decrypt. Use -o or the output goes to stdout

Encrypt - Decrypt with keys

First you need to export your public key for someone else to use it, and you need to import Alice's public key to encrypt a file for her. You can either handle the keys as simple ASCII files or use a public key server.

For example, once Alice exports her public key and you import it, you can encrypt a file for her. Only Alice will be able to decrypt it.

> gpg -a -o alicekey.asc --export 'Alice'     # Alice exports her key in ascii format
> gpg --send-keys --keyserver cryptonomicon.mit.edu KEYID   # She then puts her key on a key server.
> gpg --import alicekey.asc                   # You import her key into your key ring, from the alicekey.asc file.
> gpg --search-keys --keyserver cryptonomicon.mit.edu 'Alice' # or get her key from a server.

Once the keys are imported it is trivial to encrypt or decrypt a file:

> gpg -s -e -r 'Alice' file                   # Sign and encrypt a file for Alice.
> gpg -o file -d file.gpg                     # Decrypt a file encrypted by Alice for you.
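The export/import/encrypt/decrypt exchange between you and Alice, scripted end to end as an added example (not the HOWTO's own commands). It runs in two throw-away home directories so your real keyring is never touched, compares the imported fingerprint with the one Alice's side reports before trusting the key, and checks on the receiving side that the signature verified and that a keyring without Alice's private key cannot decrypt the file. It assumes GnuPG 2.1 or later (`--quick-gen-key`, `--quick-lsign-key` and `--pinentry-mode` do not exist in the 1.4 series shown in the transcript); the names, addresses and file contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: the export/import/encrypt/
# decrypt exchange between you and Alice, scripted end to end in two
# throw-away home directories so your real keyring is never touched.
# Assumes GnuPG 2.1 or later (--quick-gen-key, --quick-lsign-key and
# --pinentry-mode do not exist in the 1.4 series shown in the transcript).
# Names, addresses and file contents are constructed for the demo.
set -eu

YOU='Your Name <you@example.com>'
ALICE='Alice <alice@example.com>'

# gpg_usable: 0 when the installed gpg understands the options used below
gpg_usable() { gpg --dump-options 2>/dev/null | grep -q '^--quick-lsign-key$'; }

# gpg_as HOMEDIR ARGS...: run gpg non-interactively against one keyring;
# the demo keys are created without a passphrase, hence --passphrase ''
gpg_as() {
    home=$1; shift
    gpg --homedir "$home" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}

# fingerprint_of HOMEDIR USERID: primary key fingerprint, taken from the
# machine-readable (--with-colons) listing, field 10 of the fpr record
fingerprint_of() {
    gpg_as "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr" { print $10; exit }'
}

# exchange_ok: run the whole scenario; 0 only if every step behaves as the text says
exchange_ok() {
    work=$(mktemp -d); rc=1
    mkdir -m 700 "$work/you" "$work/alice"
    printf 'constructed secret for Alice\n' > "$work/file"

    # 1. each side generates a key pair (1 day lifetime, as in the transcript)
    gpg_as "$work/you"   --quick-gen-key "$YOU"   default default 1d &&
    gpg_as "$work/alice" --quick-gen-key "$ALICE" default default 1d &&

    # 2. public keys travel as ASCII-armored files (gpg -a --export / --import)
    gpg_as "$work/alice" --armor --output "$work/alicekey.asc" --export "$ALICE" &&
    gpg_as "$work/you"   --armor --output "$work/yourkey.asc"  --export "$YOU" &&
    gpg_as "$work/you"   --import "$work/alicekey.asc" &&
    gpg_as "$work/alice" --import "$work/yourkey.asc" &&

    # 3. compare the imported fingerprint with the one Alice reports, then
    #    sign it locally so gpg will encrypt to it without a trust prompt
    expected=$(fingerprint_of "$work/alice" "$ALICE") &&
    imported=$(fingerprint_of "$work/you"   "$ALICE") &&
    [ -n "$expected" ] && [ "$expected" = "$imported" ] &&
    gpg_as "$work/you" --quick-lsign-key "$imported" &&

    # 4. you sign and encrypt for Alice (the interactive gpg -s -e -r 'Alice' file)
    gpg_as "$work/you" --local-user "$YOU" --recipient "$ALICE" \
        --sign --encrypt --output "$work/file.gpg" "$work/file" &&

    # 5. Alice decrypts; GOODSIG on the status channel is the machine-checkable
    #    proof that the signature verified, and the plaintext must match
    status=$(gpg_as "$work/alice" --status-fd 1 --output "$work/recovered" \
                    --decrypt "$work/file.gpg") &&
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG' &&
    cmp -s "$work/file" "$work/recovered" &&

    # 6. you are not a recipient, so your own keyring cannot decrypt the file
    ! gpg_as "$work/you" --output "$work/leak" --decrypt "$work/file.gpg" 2>/dev/null &&
    rc=0

    gpgconf --homedir "$work/you"   --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$work/alice" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $rc
}

if ! gpg_usable; then
    EXCHANGE_RESULT=skipped
elif exchange_ok; then
    EXCHANGE_RESULT=ok
else
    EXCHANGE_RESULT=failed
fi
echo "exchange between you and Alice: $EXCHANGE_RESULT"
```

Step 3 is the part people skip: an imported key is just a file that claims to belong to Alice, so gpg in batch mode refuses to encrypt to it until you have vouched for it, and the fingerprint comparison is what that vouching should rest on. Step 5 reads the status lines rather than human-readable output because those lines are the stable, scriptable interface; a good signature from an unknown key would show up as something other than GOODSIG.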

Key administration

> gpg --list-keys                             # list public keys and see the KEYIDs
    The KEYID follows the '/', e.g. for: pub   1024D/F520101A  the KEYID is F520101A
> gpg --fingerprint KEYID                     # Show the fingerprint of a key
> gpg --gen-revoke 'Your Name'                # generate revocation certificate
> gpg --list-secret-keys                      # list private keys
> gpg --delete-keys NAME                      # delete a public key from local key ring
> gpg --edit-key KEYID                        # Edit key (e.g sign, trust, etc.)
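Extracting key IDs and expiry dates from gpg listings in a script, as an added example that is not part of the original HOWTO. CLASSIC_LISTING is the key exactly as it appears in the key-generation transcript above; COLON_LISTING is a constructed rendering of that key (with a second, constructed, non-expiring key) in the machine-readable format that `gpg --with-colons --list-keys` prints, with the timestamps and the second key's values made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: pulling key IDs and expiry
# dates out of gpg listings from a script. CLASSIC_LISTING is the key as it
# appears in the key-generation transcript above; COLON_LISTING is a
# constructed rendering of that key (plus a second, constructed, non-expiring
# key) in the machine-readable format of `gpg --with-colons --list-keys`.
set -eu

CLASSIC_LISTING='pub   1024D/F520101A 2010-02-03 [expires: 2010-02-04]
      Key fingerprint = FDB8 0538 9E5E DDD9 4E9F  F0CB B3BE 3FA7 F520 101A
uid                  Physics Computer Network (Example key, 1 day life.) <staff@physics.purdue.edu>
sub   2048g/F14E2C72 2010-02-03 [expires: 2010-02-04]'

# --with-colons fields used here: 1 record type, 5 long key ID, 6 creation
# and 7 expiry as seconds since the epoch (empty = never), 10 user ID.
# Timestamps, uid hashes and the second key are constructed values.
COLON_LISTING='pub:e:1024:17:B3BE3FA7F520101A:1265204254:1265290654::u:::scaESCA:
fpr:::::::::FDB805389E5EDDD94E9FF0CBB3BE3FA7F520101A:
uid:e::::1265204254::0000000000000000000000000000000000000000::Physics Computer Network (Example key, 1 day life.) <staff@physics.purdue.edu>:
sub:e:2048:16:0000000000000000:1265204254:1265290654:::::e:
pub:u:3072:1:1111111111111111:1600000000:::u:::scESC:
fpr:::::::::2222222222222222222222221111111111111111:
uid:u::::1600000000::0000000000000000000000000000000000000000::Constructed Key <constructed@example.com>:'

# short_keyids LISTING: the 8 hex digits after '/' on each pub line of a classic listing
short_keyids() {
    printf '%s\n' "$1" | awk '$1=="pub" { split($2, a, "/"); print a[2] }'
}

# keyid_from_fingerprint FPR: the long (64-bit) key ID is the last 16 hex
# digits of the fingerprint; the short ID on the pub line is the last 8
keyid_from_fingerprint() {
    printf '%s' "$1" | tr -d ' ' | tail -c 16
}

# expired_keyids LISTING NOW: long IDs of primary keys whose expiry is at or before NOW
expired_keyids() {
    printf '%s\n' "$1" | awk -F: -v now="$2" \
        '$1=="pub" && $7!="" && $7+0 <= now+0 { print $5 }'
}

# uid_for_keyid LISTING KEYID: user ID of a primary key (uid records follow their pub record)
uid_for_keyid() {
    printf '%s\n' "$1" | awk -F: -v id="$2" \
        '$1=="pub" { cur=$5 } $1=="uid" && cur==id { print $10; exit }'
}

echo "short key IDs in the classic listing: $(short_keyids "$CLASSIC_LISTING")"
echo "long key ID from the fingerprint:     $(keyid_from_fingerprint 'FDB8 0538 9E5E DDD9 4E9F  F0CB B3BE 3FA7 F520 101A')"
now=$(date +%s)
for id in $(expired_keyids "$COLON_LISTING" "$now"); do
    echo "expired: $id ($(uid_for_keyid "$COLON_LISTING" "$id"))"
done
```

Two caveats for scripts. The classic listing format is not stable: GnuPG 2.x no longer prints the key ID after a '/' on the pub line, so anything automated should parse `--with-colons` output, whose field positions are documented and fixed. And a short 8-digit key ID is only the last 32 bits of the fingerprint, which is far too little to identify a key; when deciding whether an imported key is the one you expect, compare the full fingerprint, as `gpg --fingerprint KEYID` shows it.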