GnuPG: How to use it and how you can benefit from it
I just wanted to put together some notes on using GnuPG, which is a very cool and useful tool for protecting your privacy and secret data on the internet.
$> gpg --gen-key
// to create your own key
$> gpg --delete-secret-keys myemail@email.com
// where myemail@email.com is the uid of the key
// delete the secret key first, before deleting the public key
$> gpg --delete-key myemail@email.com
// to delete the key
$> gpg --export -a "myemail@email.com" > public.key
// to export your public key into a file named public.key. Others use your public key to encrypt files/messages for you, but they can never decrypt them unless you also give them your private key. Only your private key can decrypt a file/message that was encrypted with your public key.
$> gpg --export-secret-key -a "myemail@email.com" > private.key
// this exports the private key that decrypts your files/messages. Keep it secret for your own safety; share it only with someone you trust, and only if you really have to and have a valid reason for doing so.
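As an added example (my own script, not code from the original post), here is the key lifecycle from the notes above run end to end inside a throwaway keyring, so nothing touches your real ~/.gnupg: generate a key in batch mode, export the public and the private key, encrypt to the key and decrypt again. It assumes GnuPG 2.1 or later (for `%no-protection` in the batch parameters and for `gpgconf --kill`); the user id demo@example.invalid, the file names and the message are constructed for the demo. If gpg is not installed, the function prints a message and skips.

```shell
#!/bin/sh
# Added example, not from the original post. Exercises gen-key / export /
# encrypt / decrypt in a temporary GNUPGHOME. Assumes GnuPG >= 2.1.
gpg_lifecycle_demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; skipping demo" >&2
        return 0
    fi
    work=$(mktemp -d) || return 1
    # gpg warns about unsafe permissions on its home directory; keep it 0700.
    GNUPGHOME="$work/gnupghome"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    # Private material (secret key export, decrypted output) must not be readable by others.
    umask 077

    # Step 1: the post's `gpg --gen-key`, scripted. Constructed demo identity.
    gpg --batch --quiet --gen-key <<EOF || return 1
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo User
Name-Email: demo@example.invalid
Expire-Date: 1d
%commit
EOF

    # Step 2: record the full fingerprint. Encrypting to the fingerprint instead of
    # a name ('Test Key' in the post) cannot silently pick a different key with a
    # similar user id.
    fpr=$(gpg --batch --with-colons --fingerprint --list-keys demo@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # Step 3: export the public key (safe to share) and the private key (never share).
    gpg --batch --armor --export "$fpr" > "$work/public.key" || return 1
    gpg --batch --armor --export-secret-keys "$fpr" > "$work/private.key" || return 1

    # Step 4: encrypt to the fingerprint, decrypt, and confirm the round trip.
    printf 'hello from the demo\n' > "$work/plain.txt"
    gpg --batch --armor --encrypt --recipient "$fpr" \
        --output "$work/plain.txt.asc" "$work/plain.txt" || return 1
    gpg --batch --quiet --decrypt --output "$work/roundtrip.txt" \
        "$work/plain.txt.asc" || return 1
    cmp -s "$work/plain.txt" "$work/roundtrip.txt" || return 1

    echo "round trip OK for $fpr"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    unset GNUPGHOME
}

gpg_lifecycle_demo
```

The two points worth carrying back to your own keyring: the exported private.key is written under `umask 077` so only you can read it, and the recipient is given as the fingerprint rather than a name, which is the same fingerprint gpg asks you to confirm when it says there is no assurance the key belongs to the named user.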
To import the public key, do,
$ gpg --import public.key
gpg: keyring `/home/geekgogie/.gnupg/secring.gpg' created
gpg: keyring `/home/geekgogie/.gnupg/pubring.gpg' created
gpg: /home/geekgogie/.gnupg/trustdb.gpg: trustdb created
gpg: key 4136418C: public key "Geek Gogie (I am Geek) <myemail@email.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
To import the private key, do
$ gpg --allow-secret-key-import --import private.key
gpg: key 4136418C: secret key imported
gpg: key 4136418C: "Geek Gogie (I am Geek) <myemail@email.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
$ gpg -o paul -d paul.gpg
You need a passphrase to unlock the secret key for
user: "Geek Gogie (I am Geek) <myemail@email.com>"
2048-bit ELG key, ID FEAF0B10, created 2013-07-07 (main key ID 4136418C)
can't connect to `/home/geekgogie/.gnupg/S.gpg-agent': No such file or directory
pinentry-gtk2: no LC_CTYPE known - assuming UTF-8
gpg: encrypted with 2048-bit ELG key, ID FEAF0B10, created 2013-07-07
"Geek Gogie (I am Geek) <myemail@email.com>"
Then, let's check that the file is right
[geekgogie@localhost gpg-test]$ file testimage
testimage: JPEG image data, JFIF standard 1.01
If you see the error below,
can't connect to `/home/geekgogie/.gnupg/S.gpg-agent': No such file or directory
(it also appears in the example above), this link is very helpful: http://www.linuxquestions.org/questions/linux-security-4/gpg-gpg-agent-can't-connect-to-root-gnupg-s-gpg-agent-611843/. What it means is that you need to run gpg-agent as a daemon, which you do by executing the command below,
$> gpg-agent --daemon
GPG_AGENT_INFO=/tmp/gpg-J2Cp4U/S.gpg-agent:2523:1; export GPG_AGENT_INFO;
then you just have to copy it as a symbolic link,
$ cp -fs /tmp/gpg-J2Cp4U/S.gpg-agent ~/.gnupg/
[geekgogie@localhost gpg-test]$ ls -alt ~/.gnupg/S.gpg-agent
lrwxrwxrwx. 1 geekgogie geekgogie 27 Jul 7 22:52 /home/geekgogie/.gnupg/S.gpg-agent -> /tmp/gpg-J2Cp4U/S.gpg-agent
On RPM-based Linux distributions like RedHat or CentOS, you can verify a package's signature using
$ rpm -K filename.rpm
To send your gpg public key to an HKP server,
#> gpg --send-keys --keyserver cryptonomicon.mit.edu 874DF6B1
gpg: sending key 874DF6B1 to hkp server cryptonomicon.mit.edu
Then you can search for your key,
#> gpg --search-keys --keyserver cryptonomicon.mit.edu 'Test Key'
gpg: searching for "Test Key" from hkp server cryptonomicon.mit.edu
(1) Test Key (meow meow) <myemail@email.com>
2048 bit DSA key 874DF6B1, created: 2013-07-07
Keys 1-1 of 1 for "Test Key". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 874DF6B1 from hkp server cryptonomicon.mit.edu
gpg: key 874DF6B1: "Test Key (meow meow) <myemail@email.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
To edit your expired key, you can do,
#> gpg --edit-key myemail@email.com
gpg (GnuPG/MacGPG2) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048D/874DF6B1 created: 2013-07-07 expires: 2013-07-09 usage: SC
trust: ultimate validity: ultimate
sub 2048g/8F44DA88 created: 2013-07-07 expired: 2013-07-08 usage: E
[ultimate] (1). Test Key (meow meow) <myemail@email.com>
gpg> list
pub 2048D/874DF6B1 created: 2013-07-07 expires: 2013-07-09 usage: SC
trust: ultimate validity: ultimate
sub 2048g/8F44DA88 created: 2013-07-07 expired: 2013-07-08 usage: E
[ultimate] (1). Test Key (meow meow) <myemail@email.com>
gpg> key 0
pub 2048D/874DF6B1 created: 2013-07-07 expires: 2013-07-09 usage: SC
trust: ultimate validity: ultimate
sub 2048g/8F44DA88 created: 2013-07-07 expired: 2013-07-08 usage: E
[ultimate] (1). Test Key (meow meow) <myemail@email.com>
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 4
Key expires at Sat Jul 13 05:45:34 2013 PHT
Is this correct? (y/N) y
You need a passphrase to unlock the secret key for
user: "Test Key (meow meow) <myemail@email.com>"
2048-bit DSA key, ID 874DF6B1, created 2013-07-07
pub 2048D/874DF6B1 created: 2013-07-07 expires: 2013-07-12 usage: SC
trust: ultimate validity: ultimate
sub 2048g/8F44DA88 created: 2013-07-07 expired: 2013-07-08 usage: E
[ultimate] (1). Test Key (meow meow) <myemail@email.com>
gpg> key 1
pub 2048D/874DF6B1 created: 2013-07-07 expires: 2013-07-12 usage: SC
trust: ultimate validity: ultimate
sub* 2048g/8F44DA88 created: 2013-07-07 expired: 2013-07-08 usage: E
[ultimate] (1). Test Key (meow meow) <myemail@email.com>
gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 4
Key expires at Sat Jul 13 05:46:13 2013 PHT
Is this correct? (y/N) y
You need a passphrase to unlock the secret key for
user: "Test Key (meow meow) <myemail@email.com>"
2048-bit DSA key, ID 874DF6B1, created 2013-07-07
pub 2048D/874DF6B1 created: 2013-07-07 expires: 2013-07-12 usage: SC
trust: ultimate validity: ultimate
sub* 2048g/8F44DA88 created: 2013-07-07 expires: 2013-07-12 usage: E
[ultimate] (1). Test Key (meow meow) <myemail@email.com>
gpg> save
Now, let's say you want to encrypt a file using a public key from a friend, or from anyone who has shared his/her public key with you, so that she can decrypt it on her end. First import the key:
$ gpg --import tp.asc
gpg: key 874DF6B1: public key "Test Key (meow meow) <myemail@email.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
[geekgogie@localhost gpg-test]$ gpg -k
/home/geekgogie/.gnupg/pubring.gpg
-------------------------------
pub 2048D/874DF6B1 2013-07-07 [expires: 2013-07-12]
uid Test Key (meow meow) <myemail@email.com>
sub 2048g/8F44DA88 2013-07-07 [expires: 2013-07-12]
Decrypting and Encrypting
To encrypt a file, just do
[geekgogie@localhost gpg-test]$ gpg -a -e -r 'Test Key' imagefile
gpg: 8F44DA88: There is no assurance this key belongs to the named user
pub 2048g/8F44DA88 2013-07-07 Test Key (meow meow) <myemail@email.com>
Primary key fingerprint: 3156 692F CD96 269E 8A09 7DA0 7518 F4D6 874D F6B1
Subkey fingerprint: 3EBF CD97 973C C9E7 147B 0B93 B5BE D265 8F44 DA88
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Note that you cannot decrypt this since you don't have his/her private key.
To decrypt the file,
#> gpg -o testpic.jpg -d tp.asc
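The two checks a practitioner wants before answering "yes" to the "There is no assurance this key belongs to the named user" prompt above, and before trusting a key like the expired one edited earlier, are: does the key in my keyring have the fingerprint I verified out of band, and is its encryption subkey still valid? This added example (my own code, not from the original post) parses the machine-readable output of `gpg --list-keys --with-colons --fingerprint` (the format GnuPG documents in doc/DETAILS) and answers both. The sample listing is constructed: the key ids and fingerprints are the ones the post shows for "Test Key", the timestamps are 2013-07-07 and 2013-07-12 00:00 UTC to match its creation and expiry dates, and the uid hash is a placeholder.

```python
"""Added example: inspect a gpg --with-colons key listing before trusting a recipient."""
from datetime import datetime, timezone

# Constructed sample listing modelled on the post's "Test Key" (ids and
# fingerprints from the post, timestamps chosen to match its dates).
SAMPLE_LISTING = """\
tru::1:1373155200:0:3:1:5
pub:-:2048:17:7518F4D6874DF6B1:1373155200:1373587200::u:::scSC::::::::0:
fpr:::::::::3156692FCD96269E8A097DA07518F4D6874DF6B1:
uid:-::::1373155200::0000000000000000000000000000000000000000::Test Key (meow meow) <myemail@email.com>::::::::::0:
sub:-:2048:16:B5BED2658F44DA88:1373155200:1373587200:::::e::::::
fpr:::::::::3EBFCD97973CC9E7147B0B93B5BED2658F44DA88:
"""


def _component(fields):
    """Build a key/subkey record from the colon fields of a pub or sub line."""
    return {
        "keyid": fields[4],                                   # long key id
        "created": int(fields[5]),                            # unix time
        "expires": int(fields[6]) if fields[6] else None,     # empty = never
        "caps": fields[11],                                   # e/s/c/a usage flags
        "fpr": None,                                          # set from the fpr line
    }


def parse_listing(text):
    """Return a list of primary keys, each carrying its uids and subkeys."""
    keys, current, last = [], None, None
    for line in text.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            current = _component(fields)
            current["uids"], current["subs"] = [], []
            keys.append(current)
            last = current
        elif kind == "sub" and current is not None:
            sub = _component(fields)
            current["subs"].append(sub)
            last = sub
        elif kind == "fpr" and last is not None:
            last["fpr"] = fields[9]          # fpr line belongs to the preceding pub/sub
        elif kind == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys


def normalize_fpr(text):
    """Drop the spaces gpg prints inside fingerprints and upper-case the hex."""
    return "".join(text.split()).upper()


def expired_components(key, now_ts):
    """Key ids of the primary key and subkeys whose expiry is at or before now_ts."""
    return [c["keyid"] for c in [key] + key["subs"]
            if c["expires"] is not None and c["expires"] <= now_ts]


def usable_encryption_subkeys(key, now_ts):
    """Subkeys that can encrypt and have not expired at now_ts."""
    return [s["keyid"] for s in key["subs"]
            if "e" in s["caps"] and (s["expires"] is None or s["expires"] > now_ts)]


def check_recipient(keys, pinned_fpr, now_ts):
    """Decide whether to encrypt to the key with the fingerprint you verified out of band.

    Returns (ok, reason). Selecting by fingerprint instead of by name is what gpg's
    "no assurance this key belongs to the named user" warning is asking for.
    """
    want = normalize_fpr(pinned_fpr)
    matches = [k for k in keys if k["fpr"] == want]
    if not matches:
        return False, "no key in the keyring has the pinned fingerprint; refuse to encrypt"
    key = matches[0]
    if key["expires"] is not None and key["expires"] <= now_ts:
        return False, "primary key %s has expired; ask the owner to extend it" % key["keyid"]
    subs = usable_encryption_subkeys(key, now_ts)
    if not subs:
        return False, "no unexpired encryption subkey on %s" % key["keyid"]
    return True, "encrypt with --recipient %s (subkey %s)" % (key["fpr"], subs[0])


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    keys = parse_listing(SAMPLE_LISTING)
    for key in keys:
        print("key %s  %s" % (key["keyid"], key["uids"][0]))
        for keyid in expired_components(key, now):
            print("  expired component: %s" % keyid)
    ok, why = check_recipient(keys, "3156 692F CD96 269E 8A09 7DA0 7518 F4D6 874D F6B1", now)
    print("safe to encrypt: %s (%s)" % (ok, why))
```

Run against a live keyring by piping `gpg --list-keys --with-colons --fingerprint` into `parse_listing`; the pinned fingerprint is the one you read back to the key's owner, and a "no unexpired encryption subkey" result is exactly the situation the `gpg --edit-key` / `expire` session above fixes on the owner's side.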
Helpful links:
http://www.gnupg.org/gph/en/manual.html
http://www.physics.purdue.edu/PCN/doc/wiki/wiki:procedures:encrypt:mac
http://www.madboa.com/geek/gpg-quickstart/
http://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/
https://www.torproject.org/docs/verifying-signatures.html.en
And a sample HKP server,
http://cryptonomicon.mit.edu/