GPG (GNU Privacy Guard) is an encryption tool that lets us secure data and communications. It is an open source implementation of the OpenPGP standard, which stems from PGP, and is based on public-key cryptography: each user has a key pair, anyone can encrypt to the public key, and only the holder of the matching private key can decrypt.

Let’s take a hypothetical situation where this is useful. Say I need to receive a sensitive file from a coworker. These are the steps I would follow.

  1. Generate a GPG key which would include a public and private key
  2. Share the public key with my coworker.
  3. My coworker could then encrypt the file with my public key and send it to me
  4. Then I could use my private key to decrypt the file

Now let’s go over the actual steps of how to do this.

Key Generation

We can generate our own key by running gpg --full-generate-key, which walks us through a series of questions: which key algorithm to use, the key size, and how long the key should be valid. At the end of the key generation it prompts for a passphrase, which protects the private key on disk (it is not part of the key itself). In the run below I chose RSA (option 1) instead of the ECC default, accepted the default 3072-bit size, and set the key to expire after one day since it is only for testing.

❯ gpg --full-generate-key
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at Wed 17 Apr 2024 02:38:19 AM EDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: jocelyn
Email address: jk@test.com
Comment: To test gpg
You selected this USER-ID:
    "jocelyn (To test gpg) <jk@test.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

We can list all the keys in our keyring by running gpg --list-keys for public keys and gpg --list-secret-keys for private keys. In the output, pub/sec is the primary key ([SC]: usable for signing and certifying) and sub/ssb is the subkey ([E]: used for encryption).

❯ gpg --list-keys
------------------------------
pub   rsa3072 2024-04-16 [SC] [expires: 2024-04-17]
      44EF66288AF
uid           [ultimate] jocelyn (To test gpg) <jk@test.com>
sub   rsa3072 2024-04-16 [E] [expires: 2024-04-17]

❯ gpg --list-secret-keys
------------------------------
sec   rsa3072 2024-04-16 [SC] [expires: 2024-04-17]
      44EF66288AF
uid           [ultimate] jocelyn (To test gpg) <jk@test.com>
ssb   rsa3072 2024-04-16 [E] [expires: 2024-04-17]

We can then export the public key using the key ID (in this case 44EF66288AF) and provide it to others either as a file or by copying the GPG public key block and sharing it. Note that gpg --export without --armor writes the binary OpenPGP format, as the file output below confirms, so the .asc name on the first file is misleading; adding --armor produces the text block, which is what a .asc file conventionally contains.

❯ gpg --export 44EF66288AF > publickey.asc

❯ file publickey.asc 
publickey.asc: OpenPGP Public Key Version 4, Created Tue Apr 16 06:41:08 2024, RSA (Encrypt or Sign, 3072 bits); User ID; Signature; OpenPGP Certificate

❯ gpg --armor --export 44EF66288AF 
-----BEGIN PGP PUBLIC KEY BLOCK-----
RANDOM STUFF HERE
-----END PGP PUBLIC KEY BLOCK-----

Encrypting a Message

We can encrypt a message to a public key by running gpg -ear <USER>. With no filename, gpg reads the plaintext from standard input, so type (or paste) the message, hit ENTER, and press CTRL+D to end the input; the armored ciphertext is printed to standard output.

  • -e = encrypt data
  • -a = ASCII armored output
  • -r = recipient USER-ID

gpg is flexible about how you refer to a key: when listing keys or choosing a recipient you can use the key ID, the email, the name, or any substring of the user ID. Be careful with partial matches, though: a substring that matches more than one key can select a different key than you intended, so for anything that matters use the full fingerprint.

❯ gpg --list-keys jk
pub   rsa3072 2024-04-16 [SC] [expires: 2024-04-17]
      44EF66288AF
uid           [ultimate] jocelyn (To test gpg) <jk@test.com>
sub   rsa3072 2024-04-16 [E] [expires: 2024-04-17]

❯ gpg --list-keys joce 
pub   rsa3072 2024-04-16 [SC] [expires: 2024-04-17]
      44EF66288AF
uid           [ultimate] jocelyn (To test gpg) <jk@test.com>
sub   rsa3072 2024-04-16 [E] [expires: 2024-04-17]

❯ gpg --list-keys test
pub   rsa3072 2024-04-16 [SC] [expires: 2024-04-17]
      44EF66288AF
uid           [ultimate] jocelyn (To test gpg) <jk@test.com>
sub   rsa3072 2024-04-16 [E] [expires: 2024-04-17]

❯ gpg --list-keys none  
gpg: error reading key: No public key
❯ gpg -ear jk
thisisatest!
WE CAN DO MULTIPLE LINES
-----BEGIN PGP MESSAGE-----

RANDOM STUFF HERE
-----END PGP MESSAGE-----

Decrypting a Message

Now if we want to decrypt it, we can run gpg -d, paste in the message, hit ENTER, and press CTRL+D. The key gpg reports as having been used (ID 116C9FD) is the encryption subkey, the [E] entry in the listing, which is why it differs from the primary key ID.

  • -d = decrypt
❯ gpg -d
-----BEGIN PGP MESSAGE-----

-----END PGP MESSAGE-----
gpg: encrypted with rsa3072 key, ID 116C9FD, created 2024-04-16
      "jocelyn (To test gpg) <jk@test.com>"
THISISATEST!!!

You can also decrypt from a file by running gpg -d filename.gpg. The plaintext goes to standard output; add -o <outfile> to write it to a file instead (the same -o option works when encrypting).

❯ cat test.gpg 
-----BEGIN PGP MESSAGE-----

-----END PGP MESSAGE-----

❯ gpg -d test.gpg 
gpg: encrypted with rsa3072 key, ID 116C9FD, created 2024-04-16
      "jocelyn (To test gpg) <jk@test.com>"
this is a test message

Importing a Key

Now let’s say we need to import a public key from someone else to use it to encrypt something. We can run gpg --import <keyfile> (for example gpg --import publickey.asc; both the binary and the armored form work) and it will show up in gpg --list-keys. Before encrypting to an imported key, confirm its fingerprint with gpg --fingerprint <KEY_ID_OR_EMAIL> against one the owner gave you over a separate channel: anyone can create a key with someone else’s name and email in the user ID, and until you have checked it gpg lists the key with [unknown] validity and warns when you use it.
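Here is the whole four-step exchange from the start of the post, plus the import from this section, as one script. This is an added example and not code from the original post. It assumes GnuPG 2.x is installed, uses two throwaway keyrings (under a temporary GNUPGHOME) to stand in for "me" and "my coworker", and the user IDs, file name and message are made up for the example. The key generation is the unattended --batch form of the same questions answered interactively under Key Generation.

```shell
#!/bin/sh
# Added example: the full round-trip from the post's four steps, with two
# throwaway keyrings standing in for "me" and "my coworker". Not part of the
# original post. Assumes GnuPG 2.x on PATH; user IDs and file contents are made up.
set -eu

# Run gpg non-interactively against a specific throwaway keyring.
g() {
    home="$1"; shift
    GNUPGHOME="$home" gpg --batch --quiet "$@"
}

# Unattended equivalent of the --full-generate-key walk-through: RSA 3072
# primary key [SC] plus RSA 3072 encryption subkey [E], 1-day expiry.
# %no-protection skips the passphrase, which is acceptable only for a test keyring.
gen_key() {
    g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $2
Name-Email: $3
Expire-Date: 1d
%commit
EOF
}

# Primary-key fingerprint for a user ID, taken from gpg's machine-readable output.
fpr() {
    g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Stop the agents gpg started for the throwaway homes and remove them.
cleanup() {
    for h in "$me" "$cw"; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true; done
    rm -rf "$work"
}

fail() { echo "$1" >&2; cleanup; return 1; }

# Prints OK on success, SKIP when gpg is not installed; fails on any mismatch.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo SKIP; return 0; }
    work=$(mktemp -d)
    me="$work/me"; cw="$work/coworker"
    mkdir -m 700 "$me" "$cw"

    # Step 1: I generate my key pair. The coworker has a key pair of their own.
    gen_key "$me" jocelyn jk@test.com
    gen_key "$cw" coworker coworker@test.com

    # Step 2: I export my public key. --armor gives the text block that belongs in a .asc file.
    g "$me" --armor --export jk@test.com > "$work/publickey.asc"

    # The coworker imports it and checks the fingerprint against the one I gave them
    # out of band (simulated here by reading it straight from my keyring).
    g "$cw" --import "$work/publickey.asc"
    [ "$(fpr "$cw" jk@test.com)" = "$(fpr "$me" jk@test.com)" ] || fail "fingerprint mismatch"

    # Step 3: the coworker encrypts the file to my key. --trust-model always stands in
    # for the validity decision just made by hand; a real setup would lsign the key instead.
    printf 'this is a test message\n' > "$work/secret.txt"
    g "$cw" --yes --trust-model always --armor -r jk@test.com \
        -o "$work/secret.txt.asc" --encrypt "$work/secret.txt"

    # The coworker's own keyring cannot open it: the matching private key is not there.
    if g "$cw" --yes -o /dev/null --decrypt "$work/secret.txt.asc" 2>/dev/null; then
        fail "coworker should not be able to decrypt"
    fi

    # Step 4: I decrypt with my private key and compare against the original file.
    g "$me" --yes -o "$work/secret.out" --decrypt "$work/secret.txt.asc"
    cmp -s "$work/secret.txt" "$work/secret.out" || fail "plaintext mismatch"

    cleanup
    echo OK
}

gpg_roundtrip
```

Run it with sh; it prints OK when the decrypted file matches the original. Two things it does that the interactive walkthrough glosses over: the coworker compares the imported key’s fingerprint with mine before encrypting (in real life against a fingerprint sent over a second channel), and it confirms the coworker’s own keyring cannot decrypt the message, since the private key never left my keyring.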

Deleting a Key

We can delete a public key by running gpg --delete-key <KEY_ID_OR_EMAIL> (the documented long form is --delete-keys; gpg accepts the unambiguous abbreviation).

To delete a private key, we need to run gpg --delete-secret-key <KEY_ID_OR_EMAIL> (documented as --delete-secret-keys). Order matters: gpg refuses to delete a public key while the corresponding private key is still in the keyring, so delete the secret key first, as below.

❯ gpg --delete-secret-key 44EF66288AF
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  rsa3072/19B3521E 2024-04-16 jocelyn (To test gpg) <jk@test.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

❯ gpg --delete-key 44EF66288AF
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa3072/19B3521E 2024-04-16 jocelyn (To test gpg) <jk@test.com>

Delete this key from the keyring? (y/N) y

And that is the basics of using GPG keys! This personally helped me learn how asymmetric encryption works.