The GNU Privacy Guard is an encryption tool that allows easy access to certain symmetric and asymmetric functions. It can be used primarily for encryption of documents and email.
GPG implements the Pretty Good Privacy (PGP) protocol. For asymmetric encryption, each individual has a publicly known encryption key and a private key known only to them. One encrypts a message to send to someone else using their public key, who then decrypts it using their private key. Both the encrypted message and the short key are sent to the receiver who first uses the receiver's private key to decrypt the short key and then uses that key to decrypt the message.
***The following commands will be used in Terminal (Mac, Linux) or PowerShell (Windows)***
Step 1) Download and install the GPG software suite.
Windows: http://gpg4win.org/
Macintosh: https://gpgtools.org
Linux: Use your package manager to retrieve the gpg package from your distribution's repositories.
Step 2) Generate your key
Command: gpg --gen-key
Command Explanation: The --gen-key flag tells the gpg program to create a new keypair with information you provide.
Explanation: This command takes the information which you provide to the program and generates your public/private key pair. This set of two related keys allows individuals with your public key to encrypt text and data such that only your private key can decrypt them, and allows you to digitally sign documents with your private key such that your signature can be verified with your public key.
Expected Output:
---------------------------------------
gpg (GnuPG) 2.0.21; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Example Name
Email address: Example@provider.com
Comment: A short comment about this key
You selected this USER-ID:
"Example Name (A short comment about this key) <Example@provider.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
[NOTE: this message may be printed several times]
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 7 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 7 signed: 0 trust: 3-, 0q, 0n, 4m, 0f, 0u
pub 4096R/701CA524 2013-08-26
Key fingerprint = 7739 8C52 90D6 D94C F109 68D8 EA68 84E2 701C A524
uid Example Name (A short comment about this key) <Example@provider.com>
sub 4096R/23D1F37D 2013-08-26
--------------------------------------
Step 2.5) Learn how to see our key information
Command: gpg --list-keys
Command: gpg --list-keys [UniqueID]
Command explanation: The --list-keys flag will list all of the keys you currently have in your local keyring. These keys are associated with all of the information contained in them, and so in certain situations it is possible to list a subset of these keys by providing a uniquely identifying peice of information associated with that key. Often this unique identifier is the name of the person the key belongs to.
Expected Output:
-------------------------------------
$ gpg --list-keys example
pub 4096R/701CA524 2013-08-26
uid Example Name (A short comment about this key) <Example@provider.com>
sub 4096R/23D1F37D 2013-08-26
------------------------------
Step 3) Generate your revocation key
Command: gpg --output [outputfile.asc] --gen-revoke [KeyID]
Command Explanation: the --output flag tells the gpg program the file name to output the requested data to. The --gen-revoke flag lets gpg know that you would like to generate a revocation key for the provided keyID.
Explanation: Your revocation key is a small file which can be uploaded to a keyserver to let that key server know that the owner of a key believes it has been compromised, and those who have the public key should be alerted to the fact that communications may no longer be secure.
Expected Output:
---------------------------------
$ gpg --output revoke.asc --gen-revoke 701CA524
sec 4096R/701CA524 2013-08-26 Example Name (A short comment about this key) <Example@provider.com>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "Example Name (A short comment about this key) <Example@provider.com>"
4096-bit RSA key, ID 701CA524, created 2013-08-26
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
-----------------------------------------------
Step 4) Get your key fingerprint
Command: gpg --fingerprint
Command: gpg --fingerprint [UniqueID]
Command Explanation: The --fingerprint flag specifies that you would like gpg to output all of the fingerprints for the keys in your keyring. When a UniqueID is specified only fingerprints from keys matching that unique ID are displayed.
Explanation: Your public key itself is a rather large series of bits which can be represented as letters, numbers, and symbols. For example my public key, written longhand, looks like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
mQINBE+IreIBEADofXo+AjMNY4GHvQneCBWaaris8TxpazDdqyhacKQSXDnBizm/
yjHSGpo3wcj+Hn5Ec14pCAgR6CAsf1yibEMRrkB7LG1ZGZGcByMJE4gVo+KsxQ80
OaG42Vl2NJ/DeDeDwXh9YNosIGBTeC2RlPmAvVZcTn99zFX8ScB5pqg5pMjUqlcz
p+4wZKqEuAba02U4yFT1cJBhfqYqIQ1Ac7xBDlHu+rOQT3fNAurMcYswNWU4oYRc
yGX7Joao9+PSbZak+hn0pjtRr+gNseiHYcxN03jQ/xIFTsyZm8WqqdmwGFL+eALF
uIVlmrsvaD99mCXZvMzuj1N/4ZDjk4rjb77ryOl+8+BEehy9IcBHthF7GSsLbiy4
MBHgmQouiNXbA4HixrSUC8h5aPBgzGbv0IWQujw+NM7XJ0XUxgyvXzA1tH+aoSVP
Kbm+Rl8J9hCgers6kY/S4MWe2XEmFDmW+1X95PE5viYu0XJh7XJNAZQ3IKNBHE5Q
rxQaHdjarJB8KL6ekSzmA729kvB/lTqWl+nXyTrWdcfI5p1YN0TxFmp1DBnzPIik
o7kDfFmUEVP1irCXkgKcy13qtNkqI/oK+NisV7qUfm3o1mZNYQ78og7ywUI1shGa
WNRBcazSYZyju90H8XzXvh34IWRVXF1Ch/MH7KtEUSNEAHgb3OFlszTK6wARAQAB
tCJCcmlhbiBCYWxzYW1vIDxGYWx4NDQ0NEBnbWFpbC5jb20+iQI4BBMBAgAiBQJP
iK3iAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBUhx6ZZvJA06JiEACe
EvcINCCAFwbge+e4SUimu45jnsR+AYA/qL2oEQwS6HaHz16EuE3NrOAhSorgBS3L
QZQJSLCi4PZD7Fm1JP55d86b0KW0I/FGx+sQFvdTM0mWvUEeGWdUbi0sO19TMGSG
JqEREi/kyVBK38SJCO4ms3yN98W8yXcOYGjBAPm++R+DW5HBJ+vnWzoOcFFqPzUQ
/b+ZwD0dn7mz0/24W6jrxLz/AcovJiOhwYZRECIUimnm6exOJHrNdEnt7acOX7UQ
2Yj4b+zru9NLRkcsyCXjOqn3TgehIQA/XC1ifeB4MrRchPxgpJLm1s1UXu3sPpop
FdI5WI8Fo3kg6sYuMNKclwH+hh6kDSVE/mfNRGZpgdRvX/mTLwiNAbex6uDBEPhX
IUfUTfNYSEVy+g7nHo7UaXLoIPnt9r8SKfLkVEQ1zciiPJwiVsabedEolZYY7ueB
bvrnyDoJ5yNFOvnllmLG04gxIa25XvvI2aOK1idAE9E70aOIyvB4V9i9SsAEoHrw
J3fNilNW7fWJK5GV93Gk09V1svzOZv/O28l9zDVB6PW4n7SsXGlwZGhgPBCSDG8G
haOz9/M5UPg2pQP7DoKYA3xEhP1VDn6zpbzN5GH1Yo5xvdySEjNLCdtz78u5PiA9
pHsqMNCze+IB/4a6X0PHucxa1Wfj/OxQwAtLprESGrkCDQRPiK3iARAA228XWIwa
39imz3aEoeMHVS4O3e6+6gV1BaNnb6FgYqt5+lqkU5Say0yn92N2s0uFnlSF1bAc
u1tGRuia863P1c5CHnyX5y10LVFYBwmKHBtEqMnGkWZbf1UDwRfB16ikruyEaG2Q
Ic9V7ylCQQL2oo8k0A9xlIJEmKKux6EZj8QK7k77OzuFqasA3ikFtJpK/+moGq3l
Pr8wmm1GufnKoxfu//18YN4CH6NIB3mcOmEdQkQpoF2kM2Lgt0TU5aJzW886zPSM
UTmEDqXumybfuq8UzCbz0InntIY4uNxrdyrBY0meT9Jxq2/ZL2/LW+N1trUxoI3r
OpVdgaHQOeTpA/JaZdrHy/CKiwosa43WPtSKLL6N8THGhFLPFkifMtiPykOlOB1F
9XxGIN51Y0m6aLpi7yG7mPAYRISttuV2RBsybA/zyALfyqVadamXKAqO4xZsHCYM
QfoGdgrOqD3YxWuexDHpnTOYCmA+WmeqqVMy4qWmNf7XKXhRjSv7TdrxzjFrydx7
p+QOOPqrhsvbIf9QeE37E8liyAkprbjvSG/++JSo9raajHv+R0A76O2G0gyuTKu7
4BfKMxaFJKSyxrcDLuldmIbbF4NyfX5qsJ1ze42fOoGiQWNBOeYrBwjnarkYOnas
iXrFgAQqazu1+OrnVl7kqPR7nfL/CBFeN4sAEQEAAYkCHwQYAQIACQUCT4it4gIb
DAAKCRBUhx6ZZvJA05zcEADmbpS52ZD4LOfa6y5sznwbge8JunxsluI7muGTWn4s
Vo8OGqVJC9KhPHGnaPBUS+4yq0Nq6aH/iQx+PLcWlg5HeoOCy286ek2EeldstBGJ
nGW4S6FO/0Y97iuXLgZ860e++KfpHr5rITw6cRmwJhgfuZt86ajbLWR8FbDIxZo/
3iv/cIAg8a7TD6Sv9h2JCyE+Znx7wvit0aWEODLx6IObjnP/tgeolwNMTSP7ZMjG
LbvBlNtSyJnCl8qgzZ/jfAssVVejSrnomxGURf3WDIhFM0otJMpxc0NyUHCMWYWH
Kjs6eScDCS307c3IoGVWkrrvwKyRazqzRXpKB66MY8VpDYG4fn3ue3H3dQKJb99N
bwzb538t3MNwAlPkVm3CnYQWoOrvAaHSWS/ld55N4c+umLuvgbIpBpIfPjhjvpf3
yrHsznWTVhO0qK3T3Ysh5xMQqgXAfFX4f1Beysm+l58nSUGlL48t7n77xv3PYUyX
CRiDJEPUenZENc/HW/x+hxja77lnoFXy/UwuipB773q6p6NbgHPxmsKe3VEBm0W7
H1qyjFzqLd3YyEyFylqPXFcZfrcKpyAVd/XGppqFv6QI6+Ibn30/fChpRIlHzSv3
PAxEovzBE4Gw/pavb+2Isip2233mVJGCHnSeV4r2x9Jt9sVZAMXK7HDr8X9EjPYM
kA==
=qAKm
-----END PGP PUBLIC KEY BLOCK-----
That's quite a mouthful to read to someone else to confirm that they have the correct public key for you. Luckily we have some handy bits of math called hash functions which take files of varying lengths and generate a fixed size string of letters and numbers which can be used to verify their integrity. Key signatures are themselves a hash of public keys, and therefore allow people to verify the integrity of public keys without reading all of the ascii-armored bits.
Expected Output:
------------------------------
$ gpg --fingerprint example
pub 4096R/701CA524 2013-08-26
Key fingerprint = 7739 8C52 90D6 D94C F109 68D8 EA68 84E2 701C A524
uid Example Name (A short comment about this key) <Example@provider.com>
sub 4096R/23D1F37D 2013-08-26
----------------------------------
Step 5) Upload your public key to a keyserver.
Command: gpg --send-keys [keyID]
Command Explanation: The --send-keys flag will, when not provided with a keyID send all of the keys you have locally to the keyserver. When provided with one or multiple keyID's the command will send just those keys to the server.
Explanation: Uploading our public key to a keyserver is one method of distributing your public key to multiple other individuals. This same task could be accomplished by placing our public key file on a USB thumb drive and manually moving the file to other people's computers, but by using a keyserver we can streamline this process so long as we don't mind our public keys being publically accessible.
Expected Command Output:
----------------------------------
$ gpg --send-keys 701CA524
gpg: sending key 701CA524 to hkp server keys.gnupg.net
---------------------------------------
Step 6) Search for and Retrieve another person's key
Command: gpg --search-keys "search term(s)"
Command Explanation: The --search-keys flag followed by quoted search terms will request a list of keys which match that term from the keyserver.
Explanation: This allows us to select keys from an interactive list of keys matching our search term and download them into our local key ring in order to perform further operations with or on them.
Expected Output:
--------------------------
$ gpg --search-keys "search term(s)"
gpg: searching for "search term(s)" from hkp server keys.gnupg.net
(1) [Key Information would appear here]
(2) [More Key Information might appear here]
(3) [And perhaps even more here]
Keys 1-# of # for "search term(s)". Enter number(s), N)ext, or Q)uit > [Number of Key Desired]
----------------------------
Step 6.5) Retrieve a key from the keyserver if we already know the keyID
Command: gpg --recv-key [keyID]
Command Explanation: The --recv-key flag allows us to retrieve a key we have directly specified via its keyID
Expected Output:
---------------------------
]$ gpg --recv-key 701CA524
gpg: requesting key 701CA524 from hkp server keys.gnupg.net
gpg: key 701CA524: "Example Name (A short comment about this key) <Example@provider.com>" changed
gpg: Total number processed: 1
gpg: unchanged: 0
---------------------------
Step 7) Verify the authenticity of a retrieved key
Command: gpg --fingerprint [Retrieved Uniqe ID]
Note: This fingerprint MUST match the fingerprint provided to you securely from the individual whose key you are authenticating
Command Explanation: The --fingerprint flag specifies that you would like gpg to output all of the fingerprints for the keys in your keyring. When a UniqueID is specified only fingerprints from keys matching that unique ID are displayed.
Explanation: Because of the nature of cryptography it is essential to establish that a public key you have recieved from a third party (in this case the keyserver) is properly correlated with the private key it is meant to link to which is held by the individual or group you want to communicate with. Checking fingerprints is the crux of trusting keys, and is arguably the most important step of this entire set of instructions.
Expected Output:
------------------------------
$ gpg --fingerprint example
pub 4096R/701CA524 2013-08-26
Key fingerprint = 7739 8C52 90D6 D94C F109 68D8 EA68 84E2 701C A524
uid Example Name (A short comment about this key) <Example@provider.com>
sub 4096R/23D1F37D 2013-08-26
----------------------------------
Step 8) Sign a key
command: gpg --sign-key [Uniqe Identifier]
Command Explanation: The --sign-key flag signs the key provided via the specified unique identifier with your own private key, such that the signature can be validated with your public key.
Explanation: Signing a key's creates a trust network such that you may communicate securely with the individual whos key you have signed. On a larger scale key signing allows allows individuals who have not signed each other's keys to communicate, provided that a complete path between them can be created via other individuals signatures.
Expected Output:
-----------------------------------
$ gpg --sign-key 701CA524
pub 4096R/701CA524 created: 2013-08-26 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/23D1F37D created: 2013-08-26 expires: never usage: E
[ultimate] (1). Example Name (A short comment about this key) <Example@provider.com>
pub 4096R/701CA524 created: 2013-08-26 expires: never usage: SC
trust: ultimate validity: ultimate
Primary key fingerprint: 7739 8C52 90D6 D94C F109 68D8 EA68 84E2 701C A524
Example Name (A short comment about this key) <Example@provider.com>
Are you sure that you want to sign this key with your
key "Your Name <Your Email>" (Your KeyID)
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "Your Name <Your Email>"
4096-bit RSA key, ID Your KeyID, created creation date
-------------------------------------------
Step 9) Return the signed key to the keyserver
Command: gpg --send-keys [KeyID of newly signed key]
Command Explanation: The --send-keys flag specifies which of our keys we would like to send to the keyserver as specified by their keyID's.
Explanation: When signing a key we are only signing our own local copy. In order for the rest of our trust network to benefit from the fact that we have endorsed this key we must provide them with the updated copy which contains our signature. This is done by reuploading the now signed version of the key to the keyserver so others may view our signature and obtain the most up to date version of the key.
Step 10) Keeping your keyring up to date
Command: gpg --refresh-keys
Command Explanation: The --refresh-keys flag retrieves the newest version of all of the keys in our keyring from the keyserver.
Explanation: It is always beneficial to have the most recent version of all of the keys in your keyring. These new version may contain new signatures which connect you to more people in the trust network. Refreshing your keyring is also the primary way in which the keyserver can alert you that a revocation certificate for one of the keys in your keyring has been issued, allowing you to discard that key.
Created by Brian Balsamo. Used with permission.