OBS: Você pode ler esse post em português em https://gjuniioor.github.io/blog/gnupg/
NOTE: You can read this post in portuguese in https://gjuniioor.github.io/blog/gnupg/
Gnu Privacy Guard 1 - or GnuPG, or even more lower, GPG - is an implementation of the protocol for encrypting messages OpenPGP.
In a video lesson 2, disclosered on Ciência Hacker’s channel, it has been shown the use of GPG. Here goes a paper to introduce its concept and usage to the reader.
OpenPGP is a protocol widely used, previously, to e-mails encryption. Based on PGP 3, emerged, bringing a strong and “relatively easy” encryption method. It uses public keys (asymmeric - reading this paper is strongly recommended 4 for better understanding its context) as its encryption engine and define formats to generate encrypted messages, file signing, certificates and so on…
Here 5 you can find the OpenPGP site and there’s also an episode from the podcast Segurança Legal which tells about him, it can be accessed through here 6.
Being briefly on this matter. GnuPG comes by default on most unix-like systems. But if you need, here goes some commands that might be useful:
sudo pacman -S gnupg --noconfirm
sudo yum install gnupg -y
sudo apt-get install gnupg -y
Or, you can access the download page on the project’s site 7.
GPG can be used since e-mails to files exchanges. It works no alone but with the concept of public and private keys. In other words, we can generate a key pair in which the private one stays under our protection and the public one we can discloser to the people. When they need to talk with me, they can use my public key to encrypt the data and so, only I will be able to read. When I want to sign something with my own key, they will, through the fingerprint, be able to see, for example, that really was me who did it.
It is a common thing to see people sharing their fingerprint codes through their contact page, for example, to rise the level of confidence.
But as said, it doesn’t work only with the use of keys. You can also create a security phrase with a friend and use it to encrypt data with it. Let’s see how it works on our first case. After that, we discuss into generating key pair and its use.
To do that, it’s enough to have the software installed properly and to run the command:
$ gpg -c file
file is the one you want to encrypt.
A security phrase will be asked. I don’t need to comment about the special characters usage and strong password, right? After this process, a file with extension
.gpg will be generated, which is protected with the security phrase.
-c discussed only says to GPG to use symmetric encryption on the process with no need of the key pair.
To have the clean file to be read, its enough to perform:
$ gpg file.gpg
If you wish, you can use the option
-d, but this option will only show the file content to the screen and won’t create a new file free to be read. On the media files case (image, video …) or some binary itself, maybe it won’t be interesting.
Well, on the other cases, it can be very useful. In file exchange, you can use this process.
Let’s start to improve the GPG usage we did till now. As said, it uses the key pair public/private to use asymmetric encryption (if you don’t know what this is about, I strongly recommend you to read this paper 4). So, let’s go!
The GPG creates a keychain in which you will be able to manage the keys you need. In other words, it’s enough to insert the someone’s public key into your keychain, and when you need to encrypt/decrypt some data, you will be able to indicate from who is the message and voilà!
Vamos, num primeiro momento apenas criar nosso par de chaves. Para isso basta utilizar o comando:
$ gpg --gen-key
Firstly will be asked about the key type to be used. It warns yo that DSA and RSA are used only for signings and there’s others options: RSA (and RSA) and DSA (and Elgamal). By default, the first option is marked. Let’s keep her.
Right after that comes the question about the RSA key length, which can be from 1024 to 4096 bits. 1024 is just a fine length, but compared to the other options, it’s weak. 4096, on the other hand, is more secure, hoever far more delayed. The software idicates 2048, let’s accept its suggestion.
Then it asks about the life-time of the key.
0 means that the key won’t expire. Any other number means days of life-time. The numbers followed by
y indicates weeks, months and years respectively. Once that we can change the “security phrase” (forward) we can use
Now, provide some informatios like, name, e-mail address and a comment. After this procedure, it asks a “security phrase”. It good to invest in security on her using the concept of a good password.
Once it’s all done, your key will be generated. It needs some “random” data to do that in an elegant way. As suggestion, the software asks us to do some activities like keyboard typing, move the mouse pointer randomly.
Adding more informations to the keys.
If you have more that one e-mail address, is a good use to put them as identifier to the generated key. For this, we insert this new identifier.
To edit the key, you will need the command:
$ gpg --edit-key <id>
This ID represents something that identify the key that you want to modify. You can get some informations from the output of the command:
Once inside the GPG prompt you can use commands like
help to show the help menu and don’t get lost on the first contact.
Using the command
adduid you’ll be able to insert a new e-mail address, nickname or whatever you want. Finishing this step, use the command
save to let the modification to get effect and to quit GPG prompt.
If you had sent your key to a server without this new information you can resend your key and it will be updated. This step of sending keys to servers will be discuessed forward.
Managing the keys.
The keychain, as said before, is something created by GPG to store the keys that you add. Let’s see now a little bit of it’s use. O chaveiro, como já foi dito, é algo criado pelo GPG para armazenar as chaves que você adiciona. Vamos ver agora um pouco do uso do chaveiro.
You’ll be able to list all the keys that you have by typing the command:
$ gpg --list-keys
If you want to see the private keys, use:
$ gpg --list-secret-key
Normaly here it only shows the private keys, your or from the groups that use like that.
If you want to export your keys to send to some contact, to use it on an e-mail client, a chat, or simply to send to a server (in the case you need it this way), let’s see how to do it.
Keep in mind that to any process on this step we’ll need and ideitifier of a key. To get this information, list the keys that you have and choose an information from a key that is unique compared to the others.
The basic command to export key is
--export. It will show the key like it really is, in binary format and stuff like that. If you want to see it in ascii format, use the
-a option to do so. To save it into a file, you can use the redirectors or
--output option. Let’s see some examples:
$ gpg --export -a <id> > key.pub.asc $ gpg --output key.gpg -a --export <id>
Don’t forget, the ascii output is largely used around the world. Therefore, it a good option to have it exported on this format.
To export your private key, the only thing that needs to be changed is that in the place of
--export-key you’ll need to use
Exporting your primary key, it’s goot to keep her in a safe place! Because your public key will be placed on keyservers (in the case you use this paper till the end), but the private one, you can’t upload there.
To import a key is simple, type:
$ gpg --import key.gpg
OBS: The software doesn’t do any distinction between private or public keys on the importing process. Or better, it doesn’t demands you to especify it.
After imporing process, you could sign it to you it’s authenticity. Use the command:
$ gpg --sign-key <id>
In which `` means the code of the shown key. For example BC71CF75.
This code you can confirm, for example, calling to the key owner, talking to him personaly, seeing if he really take on that key is him in his website, anyway.
File encryption with keys.
Keeping in mind (or on clipboard kkk) some identifier to the key that you wish to use, type:
$ gpg --encrypt file
You can use or not the
--output option, it’s up to you to decide.
After the command, it will ask some information that identify the key that you wish to use, type then te e-mail, nae, ID or something that identify the correct key.
File decryption with keys.
To decrypt is very easy. You can use
--output or not, as you wish:
$ gpg --decrypt file
Note that it’s no necessary to especify the key once that the idea is that you have the key on your keychain. In the case that this wasn’t found, a warning is shown on the screen and then you can use the key ID to download from the servers or to search in some other place.
Key server use the HKP protocol (HTTP Keyserve Protocol), which would be an adaptation from HTTP for transporting keys.
There’s several servers spread all around the world, simple choose one to use. For example, the server from the PGP project itself 8 or GnuPG 9. Most of this servers, after receiving a key, share it to partners, so it keeps the possibility to have all keys online. Therefore, it’s likely that after seding to the GnuPG server, in some moments latter it will be also on PGP, or MIT and so on.
To use an specific server simple use the parameter
--keyserver and pass the server like argument. For example:
$ gpg --keyserver hkp://keys.gnupg.net:11371 --search-keys gjuniioor
The port 11371 is default on servers like this, but nothing prevents the administrator to change it.
NOTE: The parameter
--search-keyswill the better discussed forward.
So, to be able to send, in an easy way, your key to friends and contacts is cool that you send it to a server. It’s a simple process:
$ gpg --send-key <id>
The ID is the key identifier, that code, like BC71CF75 that was already discussed before.
Note that neigher was necessary to indicate a server, the software uses by default the GnuPG server.
There’s some servers that features a web interface to make searchs and sending keys, like the PGP’s for example. Simply use the HTTP protocol instead of hkp itself, on the same door, it anwsers.
Now, to be able to import someone’s key that is on a specific server is veri simple. You only need to know some information that your contact might have used on the key registration, for example, name, e-mail, comment, nickname or the proper key id itself (as I said, it’s very common the to share them on the personal websites). After that, simply type the command:
$ gpg --keyserver hkp://subkeys.pgp.net:11371 --search-keys gjuniioor
This will search for my key (you’ll now be able to encrypt things in the case you want to talk with me, even if it’s only a test, to see if you really get the concept and stuff like that)
It will display a key list that was found and a numeration at the left representing, at this moment, the key id. Note that there’s a prompt GPG waiting for you command If you put the key number, it will add this respective key into your keychain. If you type
Q you will quit GPG prompt.
We seen on this paper the usage of the text mode client gpg. But there’s several GUI tools build with the same goal to simplify the GnuPG useage. A simple research will find some alternatives. I won’t indicate any of them because I’ve never used , I always prefered CLI clients.
After everything learning on this paper, is good to know the common flow of the GPG usage. In the case it isn’t clear enough:
- Send your public key to the people. They can use it to encrypt data that only you can read using the private key.
- Get the public from from someone and you can encrypt data with it, but only the owner of the private key can have access to the actual encrypted data content.
To alse use it in groups in which a member encryptssomething with the public key of this group and everyone (and only those) whom had the privat key will have access to the actual content.
It’s extremely important to keep your information sage! Ths fisical risk (which can happens in the case of losing cellphones and stuff like that) é very little when compared with abstract losses, like e-mail content read, personal stuff disclosered and so on.
Do not keep thinking that this is everything! There’s a lot more to be discussed. Below follow some links to give you a track follow… And more, to run the command
man gpg works just fine! Have fun! ;)