Tony Wolski

Scratching the surface of GPG


This post is just a reference really to document my beginnings with GPG so that I can refer to it in the future. The GNU Privacy Handbook is a great reference.

On OS X GPG isn’t installed by default so install it:

MacOSX> brew install gpg

Generate a new key pair

Generate yourself a new keypair:

MacOSX> gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Accept all the defaults for now and enter your personal information when prompted:

You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <[email protected]>"

Real name: Anthony Wolski
Email address: [email protected]
Comment: No comment
You selected this USER-ID:
    "Anthony Wolski (No comment) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter passphrase:

You can verify that the key was generated by using the --list-keys argument:

MacOSX> gpg --list-keys
pub   2048R/C2B16D05 2015-09-11
uid                  Anthony Wolski (No comment) <[email protected]>
sub   2048R/90BF6AD2 2015-09-11

Now you should follow the instructions at the GPG manual to generate a revocation certificate. I’ll leave that as a task for you.

Export a public key

In order to communicate with others you need to hand out your public key. The way GPG works is that when somebody wants to send you an encrypted message, they encrypt the document or message using your public key. Only the holder of the matching private key can decrypt that document or message. So first, you must export your public key.

MacOSX> gpg --armor --output awolski.gpg --export [email protected] 
MacOSX> cat awolski.gpg
Version: GnuPG v1

Now send that key to someone you want to be able to communicate with securely. With your public key, they’ll be able to encrypt messages or documents, send them to you in encrypted form, and you, and only you, will be able to decrypt them using your private key.

Import a public key

You’ll need to import the public key of anyone you want to send encrypted messages to. To demonstrate the process, I booted up a Vagrant machine and created a private keypair on the VM. Then I imported the public key I created previously.

VagrantVM> gpg --import /vagrant/awolski.gpg
gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
gpg: key C2B16D05: public key "Anthony Wolski (No comment) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Note that /vagrant on the VM is the default synced folder from my OS X host to the VM, and I’d copied the exported public key to the directory where my Vagrantfile resides. I’d also run vagrant ssh to get into the machine.

The documentation states that once the key is imported it should be validated. See the documentation above for the details, but effectively you run gpg with --edit-key, compare the fingerprint it prints against one the key’s owner gave you through a separate channel, and then sign it.

VagrantVM> gpg --edit-key [email protected]
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
pub  2048R/C2B16D05  created: 2015-09-11  expires: never       usage: SC
                 trust: unknown       validity: unknown
sub  2048R/90BF6AD2  created: 2015-09-11  expires: never       usage: E
[ unknown] (1). Anthony Wolski (No comment) <[email protected]>
gpg> sign
pub   2048R/C2B16D05 2015-09-11 Anthony Wolski (No comment) <[email protected]>
 Primary key fingerprint: A510 7F0A 02A9 15DC 03FE  E187 3353 5755 C2B1 6D05
Are you really sure that you want to sign this key with your key: "Anthony Wolski (No comment) <[email protected]>"

Really sign?

Now it’s time to encrypt something to send (to yourself!).

Encrypting a document

Now I’m going to create a document that I need to send securely:

VagrantVM> echo "Really secret info" > secret.txt
VagrantVM> cat secret.txt
Really secret info

And then encrypt it:

VagrantVM> gpg --output secret.txt.gpg --encrypt --recipient [email protected] secret.txt

We can verify that the contents of the output file have indeed been encrypted:

VagrantVM> cat secret.txt.gpg

Decrypting a document

I copied the encrypted file back to my host machine where I originally created my keypair. I can decrypt the file like so:

MacOSX> gpg --output secret.txt --decrypt secret.txt.gpg
MacOSX> cat secret.txt
Really secret info

And there you have it: the original contents of the secret file, unencrypted.

Your thoughts? I'd love to hear them. Please get in contact.