GPG Encryption 101

Mike Taylor
8 min read · Jun 11, 2021

Sometimes you need to send a file securely — like secure mail — but you don’t always want to pay for secure messaging services. This is something that GPG can help you solve!

What is GPG?

GPG stands for the GNU Privacy Guard. GNU Privacy Guard is a free and open source implementation of the OpenPGP standard (RFC 4880), the same message and key format PGP uses, so GPG users and PGP users can exchange keys and encrypted files. You can read up more on its history at https://gnupg.org/ . If you’d like to learn more about how GNU open source projects work, you can learn more at https://www.gnu.org/home.en.html .

What are public and private keys?

Think of it like having a P.O. box at the post office. Anyone who knows the box number can drop a package into it through the slot on the front; that’s the public key, and you can hand it out to everyone who wants to send you something. Only the mailman has the key that opens the box from the other side and takes the contents out; that’s the private key, and it never leaves his hands. Anything that goes in through the public side can only come out with the private key, which is the whole point: you can publish the public key freely as long as the private key stays secret.


What is a GPG keyring?

A GPG keyring is a software version of a literal keyring. In our post office analogy above, you have your own keyring with your house keys, your car key, and your P.O. box key. The mailman’s keyring is different: it has his work truck key and the keys to all the mailboxes he needs to open (those are the private keys), plus copies of the public-side keys that he hands out to the people who need them. In GPG terms, your keyring holds your own key pairs and the public keys of everyone you want to send encrypted files to. The public keys live in the pubring.kbx file you’ll see gpg create below; the private keys are stored separately inside the same GPG home directory, which is why that directory must stay readable only by you.


Practical GPG 101

We are going to walk through a practical example to create and use PGP keys. Here are the steps.

  1. Create a GPG private and public key pair
  2. Send our public key to a friend
  3. Import that public key as our friend
  4. Encrypt a file as our friend and send it to us
  5. Decrypt that file that our friend sent us using our GPG keys

Hopefully that will be a good start in feeling more comfortable with how GPG works.

Create a GPG private and public key pair

First, we’re going to create the mailman’s set of keys: a private key that only he gets, and a public key that he can share with the new tenant.

First, create a new directory that we can use for our example.

mtaylor@taylorm02:~/olympus$ mkdir newgpg
mtaylor@taylorm02:~/olympus$ cd newgpg/

Throughout this tutorial we’re going to use a special flag, --homedir . , that lets us cheat a little bit and use our current directory for our GPG keyring instead of the standard one that Linux uses in ~/.gnupg. This will make sure our tutorial doesn’t interfere with your “real” keyring if you decide to do real work with GPG later. You’ll also see gpg complain about “unsafe permissions on homedir” in every command below. That’s because gpg expects the directory holding your private key to be readable only by you (mode 700), and the directory we just created with the default umask is readable by everyone on the machine. The warning is harmless for this walkthrough, and chmod 700 newgpg makes it go away, but never keep a real keyring in a directory other users can read.

First, notice that we don’t have any keys — this key listing operation will create a public keyring and a trustdb if they don’t already exist, but you won’t see any output because we have no keys.

mtaylor@taylorm02:~/olympus/newgpg$ gpg --homedir . --list-keys
gpg: WARNING: unsafe permissions on homedir '/home/mtaylor/olympus/newgpg'
gpg: keybox '/home/mtaylor/olympus/newgpg/pubring.kbx' created
gpg: /home/mtaylor/olympus/newgpg/trustdb.gpg: trustdb created
mtaylor@taylorm02:~/olympus/newgpg$

So let’s create our first public/private key pair. GPG is doing a few things here:

  1. It asks you for your real name
  2. Asks for an email address
  3. Asks for confirmation
  4. Asks for a passphrase to protect the private key on disk (this happens in a separate pinentry dialog, so it doesn’t show up in the transcript)
  5. Generates random data for the key material, which is why it asks you to type and move the mouse
  6. Creates the public and private key pair, self-signs it, marks it ultimately trusted, and stores a revocation certificate in openpgp-revocs.d in case you ever need to retire the key

The defaults are RSA 3072 for both keys and a two-year expiry. The [SC] key is the primary key, used for signing and certification; the [E] subkey is the one other people actually encrypt to.
mtaylor@taylorm02:~/olympus/newgpg$ gpg --homedir . --generate-key
gpg: WARNING: unsafe permissions on homedir '/home/mtaylor/olympus/newgpg'
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Micheal Taylor
Email address: mtaylor@artemishealth.com
You selected this USER-ID:
"Micheal Taylor <mtaylor@artemishealth.com>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 40B407FA6F40ABAB marked as ultimately trusted
gpg: directory '/home/mtaylor/olympus/newgpg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/mtaylor/olympus/newgpg/openpgp-revocs.d/EF6863A56C96DBCCEACF0B3040B407FA6F40ABAB.rev'
public and secret key created and signed.
pub rsa3072 2021-06-11 [SC] [expires: 2023-06-11]
EF6863A56C96DBCCEACF0B3040B407FA6F40ABAB
uid Micheal Taylor <mtaylor@artemishealth.com>
sub rsa3072 2021-06-11 [E] [expires: 2023-06-11]
mtaylor@taylorm02:~/olympus/newgpg$

Now if you run --list-keys again, you’ll see some!

mtaylor@taylorm02:~/olympus/newgpg$ gpg --homedir . --list-keys
gpg: WARNING: unsafe permissions on homedir '/home/mtaylor/olympus/newgpg'
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-06-11
/home/mtaylor/olympus/newgpg/pubring.kbx
----------------------------------------
pub rsa3072 2021-06-11 [SC] [expires: 2023-06-11]
EF6863A56C96DBCCEACF0B3040B407FA6F40ABAB
uid [ultimate] Micheal Taylor <mtaylor@artemishealth.com>
sub rsa3072 2021-06-11 [E] [expires: 2023-06-11]
mtaylor@taylorm02:~/olympus/newgpg$

Export your public key so your friends can use it

First, let’s create a directory called friend.

mtaylor@taylorm02:~/olympus/newgpg$ mkdir friend

We’re not actually going to send our key to a friend, but we’re going to simulate it by using a new directory and giving them the public key. So let’s export our public key, ASCII-armored so that it is plain text, to a file called public.key in our friend directory. This is the file you would send to anyone who wants to send you encrypted data; it contains no secret material, so it can go over email or be posted publicly.

mtaylor@taylorm02:~/olympus/newgpg$ gpg --homedir . --armor --export mtaylor@artemishealth.com > friend/public.key
gpg: WARNING: unsafe permissions on homedir '/home/mtaylor/olympus/newgpg'
mtaylor@taylorm02:~/olympus/newgpg$

You can cat this file to see what it looks like:

mtaylor@taylorm02:~/olympus/newgpg$ cat friend/public.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
[...]
=zMB0
-----END PGP PUBLIC KEY BLOCK-----
mtaylor@taylorm02:~/olympus/newgpg$

Import the public key as a friend

Now I’m your friend. Let’s move into the friend directory; the --homedir flag on the gpg command is what lets us simulate being another person with a completely separate keyring.

mtaylor@taylorm02:~/olympus/newgpg$ cd friend/

We want a file that we can encrypt, so let’s make one:

mtaylor@taylorm02:~/olympus/newgpg/friend$ echo "This is super secret!" > secrets.txt
mtaylor@taylorm02:~/olympus/newgpg/friend$ ll
total 16
drwxr-xr-x 2 mtaylor mtaylor 4096 Jun 11 10:40 ./
drwxr-xr-x 5 mtaylor mtaylor 4096 Jun 11 10:40 ../
-rw-r--r-- 1 mtaylor mtaylor 2468 Jun 11 10:40 public.key
-rw-r--r-- 1 mtaylor mtaylor 22 Jun 11 10:40 secrets.txt

Before we (as the friend) can encrypt anything for our recipient, we need to import the public key that was sent to us, which adds it to our keyring:

mtaylor@taylorm02:~/olympus/newgpg/friend$ gpg --homedir . --import public.key
gpg: WARNING: unsafe permissions on homedir '/home/mtaylor/olympus/newgpg/friend'
gpg: keybox '/home/mtaylor/olympus/newgpg/friend/pubring.kbx' created
gpg: /home/mtaylor/olympus/newgpg/friend/trustdb.gpg: trustdb created
gpg: key 40B407FA6F40ABAB: public key "Micheal Taylor <mtaylor@artemishealth.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
mtaylor@taylorm02:~/olympus/newgpg/friend$

An imported key starts out with unknown validity: nothing in our keyring vouches that this public key really belongs to the person named in the user ID. The proper way to establish that is to compare the key’s fingerprint (gpg --homedir . --fingerprint mtaylor@artemishealth.com) with one the owner gave you through some other channel, and then certify the key with --sign-key or --lsign-key using a key of your own. For this tutorial, we’re just going to accept that we know who sent us this key and tell GPG to trust it ultimately, which makes it valid without any signatures, rather than overcomplicate things that are already complicated enough. Don’t take that shortcut with keys you haven’t verified: if the wrong key is trusted, you are encrypting for whoever holds it.

Here are the commands you’ll run in order:

  1. gpg --homedir . --edit-key mtaylor@artemishealth.com
  2. trust
  3. 5
  4. quit

Note that answering 4 (full) instead of 5 (ultimate), as the transcript below happens to do, does not make an unsigned key valid; you can see that in the transcript, where the key ends up with trust: full but validity: unknown. With an invalid key, gpg will warn that it is not certain the key belongs to the named user when you encrypt and ask you to confirm.

It should look like this:

mtaylor@taylorm02:~/olympus/newgpg/friend$ gpg --homedir . --edit-key mtaylor@artemishealth.com
gpg: WARNING: unsafe permissions on homedir '/home/mtaylor/olympus/newgpg/friend'
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa3072/40B407FA6F40ABAB
created: 2021-06-11 expires: 2023-06-11 usage: SC
trust: unknown validity: unknown
sub rsa3072/DA2D27F74293D475
created: 2021-06-11 expires: 2023-06-11 usage: E
[ unknown] (1). Micheal Taylor <mtaylor@artemishealth.com>
gpg> trust
pub rsa3072/40B407FA6F40ABAB
created: 2021-06-11 expires: 2023-06-11 usage: SC
trust: unknown validity: unknown
sub rsa3072/DA2D27F74293D475
created: 2021-06-11 expires: 2023-06-11 usage: E
[ unknown] (1). Micheal Taylor <mtaylor@artemishealth.com>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 4
pub rsa3072/40B407FA6F40ABAB
created: 2021-06-11 expires: 2023-06-11 usage: SC
trust: full validity: unknown
sub rsa3072/DA2D27F74293D475
created: 2021-06-11 expires: 2023-06-11 usage: E
[ unknown] (1). Micheal Taylor <mtaylor@artemishealth.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
mtaylor@taylorm02:~/olympus/newgpg/friend$

Now we can use this key to encrypt things!

Encrypt a file as our friend and send it to us

We already created secrets.txt above, so we can encrypt it for our recipient straight away. --recipient selects the public key to encrypt to; gpg encrypts the file with a fresh random session key and then encrypts that session key to the recipient’s [E] subkey, so only the holder of the matching private key can read the result:

mtaylor@taylorm02:~/olympus/newgpg/friend$ gpg --homedir . --output encrypted.gpg --encrypt --recipient mtaylor@artemishealth.com secrets.txt
gpg: WARNING: unsafe permissions on homedir '/home/mtaylor/olympus/newgpg/friend'
mtaylor@taylorm02:~/olympus/newgpg/friend$

If you try to look at this file, it’s now binary gibberish, and that’s perfect, that’s what we want! (If you need something you can paste into an email, add --armor to the encrypt command and you get a text block, just like the public key above.)

mtaylor@taylorm02:~/olympus/newgpg/friend$ cat encrypted.gpg
���-'�B��u
�}C`1N}�EHTL�FPg� �i@�փX���m�X�BM 73
�;�$�_���lH�����L�M�]���PS6Ɗ�p��BQ�ϕ���]5��h��
���nTi�RӶ`��'v%��E��#�o�bV�ED��
;д��Hw]��l��tV븸��|RD7��Aˊ}{�3�E��#?����~����Ԏ�1;���ؙ�A���(��m�w�V�B�6jV�
���y��l����=�[- ��e��a� L�uӌ�lfpE��=�P:
��sg^.eӷt�Oe�n��o��$.��4�r3Kn,�[ �BF�<�/��$j�WG�c_&u�
l��LkSmtaylor@taylorm02:~/olympus/newgpg/friend$

Now the friend sends that file to us. We’re going to simulate sending it by copying it into our original directory:

mtaylor@taylorm02:~/olympus/newgpg/friend$ cd ../
mtaylor@taylorm02:~/olympus/newgpg$ cp friend/encrypted.gpg .

Decrypt that file that our friend sent us using our GPG keys

Now we can decrypt our file! You will be prompted (in a pinentry dialog) for the passphrase you chose when the key was created. Notice that gpg reports the key ID of the encryption subkey (DA2D27F74293D475, the [E] key from the --edit-key listing), not the primary key: files are encrypted to the subkey, while the primary key is reserved for signing and certifying.

mtaylor@taylorm02:~/olympus/newgpg$ gpg --homedir . --output decrypted.txt --decrypt encrypted.gpg
gpg: WARNING: unsafe permissions on homedir '/home/mtaylor/olympus/newgpg'
gpg: encrypted with 3072-bit RSA key, ID DA2D27F74293D475, created 2021-06-11
"Micheal Taylor <mtaylor@artemishealth.com>"

And now you can see your file contents!

mtaylor@taylorm02:~/olympus/newgpg$ cat decrypted.txt
This is super secret!

Congratulations, you’re an encryption expert!
