GnuPG for Everyone
Introduction
In today’s digital age, safeguarding our personal information and communications is of utmost importance. One effective solution to ensure privacy and security is GnuPG (GNU Privacy Guard). In this blog post, we’ll explore what GnuPG is and how it can help you protect your sensitive data from prying eyes.
What is GnuPG?
GnuPG, also known as GNU Privacy Guard, is a software application that allows you to encrypt and sign your data. It acts like a digital lock, ensuring that only the intended recipient can access the information you send. GnuPG is built on the OpenPGP standard, a widely accepted method for encryption and digital signatures.
How does it work?
GnuPG uses a clever combination of secret and public keys. Think of it as having two keys: one to lock (public key) and one to unlock (private key). You freely share your public key with others, allowing them to send you encrypted messages. Meanwhile, you keep your private key secure and use it to decrypt the encrypted messages or sign documents with your digital signature. This process ensures that your data remains confidential and tamper-proof.
Getting Started - Preparations
Installation
GPG is always installed in basically all the GNU/Linux distributions (e.g. Ubuntu, Debian, Arch Linux, etc.), all you need to do is to open your terminal, and type gpg --version
, the output should look similar to the following.
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/frank/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
For macOS, it is basically the same, due to the importance of GnuPG.
For Microsoft Windows, you can choose either to install Windows Subsystem for Linux, or you can install Gpg4win.
After that, use gpg --version
to check the version.
This tutorial will based on Ubuntu GNU/Linux 22.04
, and the GnuPG version will be 2.2.27
.
Generating keys.
First you need to choose the algorithms you want. Here is a table to help you choose the proper algorithms you want.
Algorithm (bit size) | Usually Called | Strength | Speed/Efficiency | Compatibility | Initial date |
---|---|---|---|---|---|
RSA 2048/3072/4096 | RSA | Fine/Decent/Great | Generally slow | Great | 1977 |
DSA | DSA | Poor, known vulnerability | Untested | Untested | 1991 |
Ed25519 (256-bit) | EdDSA | Decent | Fast | Bad on some old devices, generally good | 2011 |
NIST P-256/384/521 | ECDSA | Decent/Great/Extreme | Slower than Ed25519, faster than RSA | Generally good | 2005 |
Usually, Ed25519
is great for most individual use (including me), so we are going with it.
Use gpg --full-generate-key --expert
to generate a pair of keys.
Instructions:
--full-generate-key
indicates that we need to generate a key using our own preferences instead of the default ones.
--expert
indicates we want the extra settings and algorithms (including ECC) instead of only RSA and DSA.
If you decided to use Ed25519, choose (9) ECC and ECC
and choose Curve 25519
later.
Usually we do not need a valid date, so type 0
. Type your name and email addresses in (doesn’t have to be real, this is just an identifier).
Next it will ask you for a passphrase, make sure you can remember it and make it strong as possible. If you lose the passphrase, there is no way to decrypt the key thus you can’t use it to signing or decrypting files any more.
A few seconds later, you will get your pair of keys.
Exporting your keys.
The first thing you should do is to export your keys to a secure place like an encrypted flash drive. Just in case your computer is lost or you accidentally deleted your GnuPG config folder.
Use the following command to export it.
gpg --export-secret-keys --armor -o key.asc <YOUR_EMAIL_ADDRESS>
Instructions:
--export-secret-keys
indicates that we want to export our secret key (private key).
--armor
indicates that we need an ASCII-encoded, human-readable file instead of binary file.
-o
indicates that we need to specify an output file afterwards.
<YOUR_EMAIL_ADDRESS>
is where you need to put your email address (the one when you generate your key) in.
Put your passphrase in and you will get a file called key.asc
. Copy this file to your flash drive and put it in a secure place like your vault. Make sure nobody has access to it.
Generating revocation certificate.
In case your key is compromised, you need to ask other people to stop trusting the signatures you have made before. You will need a revocation certificate to let people stop trusting your compromised key.
Use the following command to generate it.
gpg --armor -o revoke.asc --gen-revoke <YOUR_EMAIL_ADDRESS>
Instructions:
--armor
indicates that we need an ASCII-encoded, human-readable file instead of binary file.
-o
indicates that we need to specify an output file afterwards.
--gen-revoke
indicates that we want to generate a revocation certificate.
<YOUR_EMAIL_ADDRESS>
is where you need to put your email address (the one when you generate your key) in.
Put your revocation certificate in the same confidential flash drive where you also put your secret key on so that nobody can revoke your key on purpose.
Exporting your public key.
Public key is used to encrypt files and validating your signatures. Thus you need to export your public key and send it to someone else so that other people can encrypt files to you and validating your signatures.
Different from secret keys, you should send your public key to somebody else. (it even can be put on a public server where anyone can fetch your key from it, it is called a Keyserver. More on that later.)
Use the following command to generate it.
gpg --armor -o public.asc --export <YOUR_EMAIL_ADDRESS>
Instructions:
--armor
indicates that we need an ASCII-encoded, human-readable file instead of binary file.
-o
indicates that we need to specify an output file afterwards.
--export
indicates that we need to export our public key.
<YOUR_EMAIL_ADDRESS>
is where you need to put your email address (the one when you generate your key) in.
Importing other people’s public key.
Let’s say your friend has also generated a pair of key and signed/encrypted a file for you, you need to import their public key to your computer in order to operate, you can use the command gpg --import <PUBLIC_KEY>.asc/gpg
to import their key(s).
Getting Started - Using it
Signing files
The most obvious thing we can do with GnuPG is, of course, signing files.
You can use the following command to easily sign a file.
gpg --clearsign <YOUR_FILE>
You don’t need to specify your email address as long as you only have one private key (which you probably should) stored on your computer.
You will get a .asc
file in your directory, with your file and signature embedded in one file.
It is not recommended to use this method, especially when you are signing non-text files.
What if I don’t want them in one file?
Easy, use the following command to make them detached.
gpg --detach-sign --armor <YOUR_FILE>
After that, you will also get a .asc
signature file.
Note that you can always remove the
--armor
flag if you don’t want them to be ASCII-encoded, the file extension will be turned into.gpg
.
Clearsign doesn’t need the
--armor
flag because it will always be ASCII-encoded.
Validating files
Now you have signed your file, it is time to validate them.
If you used --clearsign
, it can be as simple as using gpg --verify <YOUR_FILE>.asc/gpg
.
The result should look like the following.
gpg: Signature made Tue 18 Jul 2023 07:25:31 PM HKT
gpg: using EDDSA key 4DC3FFA83F910D5C0A410C97686CCCCCCCCCCCCC
gpg: Good signature from "Frank Ruan <[email protected]>" [ultimate]
gpg: WARNING: not a detached signature; file 'test_file' was NOT verified!
Remember what I have said earlier? It is not recommended to sign ANY non-text files with Clearsign.
If you used --detach-sign
, it can be done using gpg --verify <SIGNATURE_FILE>.asc/gpg <YOUR_FILE>
The result may look like this.
gpg: Signature made Tue 18 Jul 2023 07:28:18 PM HKT
gpg: using EDDSA key 4DC3FFA83F910D5C0A410C97686CCCCCCCCCCCCC
gpg: Good signature from "Frank Ruan <[email protected]>" [ultimate]
It is always recommended to use Detached Sign to sign your files.
Encrypting files
Now it is the most important part, encrypting files.
Signing and encrypting
If you are encrypting files for yourself, and meanwhile you need to make sure the files’ integrity when you decrypt them, you should use Signing & Encrypting.
It is as simple as using the command gpg --encrypt -r <YOUR_EMAIL_ADDRESS> --sign <YOUR_FILE>
-r
indicates the recipient
of the file.
One of the features of GnuPG is that you can sign the files using your private key and encrypt them to multiple people at the same time, as long as you have their public key and they have your public key to ensure the signature. If you are just encrypting files for yourself, then there should be only one recipient, that is you.
You will get a .gpg
file, that will be your encrypted file.
If you are encrypting files for other people, but sign the file using your key, you can simply putting more -r <EMAIL_ADDRESS>
in the command. For example, your command may look like this:
gpg --sign --encrypt -r [email protected] -r [email protected] -r [email protected] myfile.tar
GnuPG is clever enough to still using your key (because this is the only one which is usable) to sign the file.
Note that the file will become larger (as always) if you specify multiple recipients.
It is possible to create a encrypted file for other people but you yourself cannot decrypt it. Simply removing yourself from the recipients.
Encrypting directories/folders?
You may noticed that all the commands above are targeting single files, not directories.
How to encrypt/sign a folder? It is easy, simply create an archive. I personally prefer using Tar + Zstandard.
This the command I use to sign and encrypt folders/directories.
tar cv ./classified_docs | zstd -T0 -1 | gpg --batch --sign --encrypt -r [email protected] --compression-algo None > classified_docs.tar.zst.gpg
Note: You can learn more about the Zstandard compression level in their official website. For me, level 1 is good for most cases. And also, you need to disable the compression which is enabled by default by GnuPG (they use GZIP).
Encrypting but not signing?
Sometimes you need to encrypt some files to send, but you don’t necessarily want the recipient know who you are (i.e. you want to keep anonymous, assume that you have a completely anonymous platform to let the recipient know that “you” encrypted some thing for him/her). Not signing the file is possible, you can simply removing the --sign
flag.
gpg --encrypt -r <RECIPIENT_EMAIL> -r <RECIPIENT_2_EMAIL> <YOUR_FILE>
If you are going through the whole tutorial, you may have noticed that this time, it doesn’t ask you for a passphrase. Which means, it doesn’t sign the file.
And we can verify that by simply typing gpg --verify <YOUR_FILE>.gpg
, it will error.
gpg: verify signatures failed: Unexpected error
Decrypting files
Okay, assume you have an encrypted file, whether it is encrypted by yourself or by your friends. You need to decrypt them.
You can simply typing the following command to decrypt the file.
gpg --output YOUR_FILE --decrypt <YOUR_ENCRYPTED_FILE>.gpg
Note: You MUST specify an output file, otherwise GnuPG will dump all the files (even binary files) to STDOUT (aka. Your screen), which is terrible.
However, if you are sure that this is some text files (aka. SMS, Emails, etc.), you can dump them to the terminal without specifying the output file.
If this file is also signed, GnuPG will also validate the signature and give you the result. If it is not signed, then nothing will happen, it just decrypts the file.
Outro
That’s it, now you have known how to operate GnuPG in a basic level. There are still a lot of things available for you to use (e.g. Moving your keys to a hardware-based module, setting trust levels for the keys, uploading your keys to keyserver, etc.), but I am not going to mention them here, leaving you yourself to Google and explore :D.
Hoping you can have a better digital life with the help of GnuPG, and hope you can gain a more privacy life under the surveillance system which all the countries are basically doing. (period)