2018/03/08

Using GnuPG

1. Installing GnuPG

On various Linux flavors it is apparently available by default. On macOS we can install it with brew.
brew install gpg

2. Generate Keys

I strongly recommend not using the short version --gen-key, because by default it uses the RSA algorithm, which does not allow key signing. I recommend using --full-generate-key and choosing the kind "DSA and Elgamal" to generate the pair of keys (public key and private key). You will be required to enter a password; this password will be required every time a message needs to be decrypted, because decryption uses your private key.
gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 2
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
                        
GnuPG needs to construct a user ID to identify your key.

Real name: YOURID
Email address: yourid@email.com
Comment:                       
You selected this USER-ID:
    "YOURID <yourid@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

3. Exporting and importing keys

Export public key

To export in ASCII armor format:
gpg --output YOURID.pub.gpg --armor --export YOURID
To export in binary format simply skip the --armor parameter.

Export private key

Similar to public key, to export a private key in ASCII armor format:
gpg --output YOURID.sec.gpg --armor --export-secret-keys YOURID
To export in binary format simply skip the --armor parameter.

Import public key

To simply import the key we can use the --import command.
gpg --import OTHERID.pub.gpg
HOWEVER, at this point using this new key to decrypt something will lead to warnings because the key is not verified, not trusted, not checked, etc. Please make sure you have the right key (check the fingerprint) and trust it. For a full conceptual explanation see the official docs here and here.
gpg --list-keys
gpg --edit-key OTHERID

> fpr
> sign
> check
> trust
> save
There is a good guide here too from Digital Ocean guys.
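
The fingerprint check can also be done before the key ever enters the keyring. The script below is an added example, not code from the original post: it lists a key file without importing it, compares the primary key fingerprint with one obtained out of band, and imports only on a match. The function names and the sample listing are constructed, and it assumes a GnuPG 2.2 build that supports the show-only import option.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# Normalise a fingerprint as people write it: drop blanks, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print each primary key's
# fingerprint: field 10 of the first "fpr" record after a "pub" record.
# "fpr" records that follow a "sub" record belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals the expected one ($1, obtained out of band).
check_listing() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "$found" = "$expected" ]
}

# List a key file without importing it, and import it only on a match.
# Usage: import_if_match "<expected fingerprint>" OTHERID.pub.gpg
import_if_match() {
    gpg --batch --with-colons --import-options show-only --import "$2" |
        check_listing "$1" ||
        { echo "fingerprint mismatch, $2 not imported" >&2; return 1; }
    gpg --batch --import "$2"
}

# Constructed colon listing (not a real key) so the parser can be run offline.
sample_listing() {
    cat <<'EOF'
pub:-:2048:17:AAAABBBBCCCCDDDD:1520467200:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:-::::1520467200::0000000000000000000000000000000000000000::OTHERID <otherid@example.com>::::::::::0:
sub:-:2048:16:1111222233334444:1520467200::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA981111222233334444:
EOF
}

sample_listing | check_listing '0123 4567 89AB CDEF 0123  4567 AAAA BBBB CCCC DDDD' &&
    echo "sample listing: fingerprint matches"
```

A file that carries more than one primary key, or whose only matching fingerprint belongs to a subkey, is rejected rather than imported.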

Import private key

We use the same --import command. gpg will recognize whether the key is private or public :)
gpg --import blake.secret.gpg
# (type password)
To see the list of private keys in the keyring:
gpg --list-secret-keys

Asymmetric encryption and decryption

Asymmetric cryptography means the message is encrypted with the public key and decrypted with the private key that is paired with that public key. This means the sender cannot decrypt the message; only the receiver can decrypt it (unless, of course, the message was sent to self).

Encrypt a file

To asymmetrically encrypt a file we need to have the public key of the receiver in the keyring.
gpg --output file.doc.gpg --local-user SENDERID --armor --encrypt --sign --recipient RECEIVERID file.doc
or a shorter version
gpg --output file.doc.gpg -u SENDERID -r RECEIVERID -ase file.doc
We can skip the --armor or -a option to have encrypted files in binary format.
It is not recommended, but we can skip the --sign or -s option to leave the file unsigned.
If --local-user or -u is skipped then the default key will be used.

Decrypt a file

To asymmetrically decrypt a file we must have the private key that corresponds to the public key that was used at encryption time.
To decrypt and verify the signature:
gpg --output file.doc --decrypt file.doc.gpg
This command requires two things to succeed:
  1. A kind of key able to sign (RSA does not do it, which is why I suggested using the DSA and Elgamal kind).
  2. The option --sign or -s must have been passed at encryption time.
It is not recommended, but if you need to skip signature verification:
gpg --output file.doc --skip-verify --decrypt file.doc.gpg

Symmetric Encryption

Encrypt a file (Symmetric encryption)

Symmetric encryption requires just a password. Anyone with this password will be able to decrypt the file.
gpg --output file.doc.gpg --symmetric file.doc
(enter password)
