This post is just a reference really to document my beginnings with GPG so that I can refer to it in the future. The GNU Privacy Handbook is a great reference.
On OS X, GPG isn't installed by default, so install it with Homebrew:
MacOSX> brew install gpg
Generate a new key pair
Generate yourself a new keypair:
MacOSX> gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
Accept all the defaults for now and enter your personal information when prompted:
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name: Anthony Wolski
Email address: [email protected]
Comment: No comment
You selected this USER-ID:
    "Anthony Wolski (No comment) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter passphrase:
You can verify that the key was generated by using the --list-keys option:
MacOSX> gpg --list-keys
pub   2048R/C2B16D05 2015-09-11
uid                  Anthony Wolski (No comment) <[email protected]>
sub   2048R/90BF6AD2 2015-09-11
Now you should follow the instructions at the GPG manual to generate a revocation certificate. I’ll leave that as a task for you.
Export a public key
In order to communicate with others you need to share your public key. The way GPG works is that when somebody wants to send you an encrypted message, they encrypt the document or message using your public key. Only the holder of the matching private key can decrypt that document or message. So first, you must export your public key.
MacOSX> gpg --armor --output awolski.gpg --export [email protected]
MacOSX> cat awolski.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBFXymgEBCACkmLhIHh6QnC7fzql4EttTcopIeejyfHFwzLYFtBd0fsywOQOA
RhUI4B/+8QQkgJ3H0OvcITr0i/kgqZu7+9NsJL7YNDWzE4xKIj6MO+h+GdUhTq4E
ZtHgfE5vy8vGREfup0YIYAdjJjVp/LZv4mmbpCTXT/mUbcywhQ8wqs5r2xtxJZ7t
9pXmP+TlDPursQZt/MkCGxl4XSPQbrrBe9FDa8/R1YVc7SaD8R7p/EeyS2v0a/oM
DWKU4eAETsqi/GKx1B38ObKZuoRe45qQ9Zd/n4KV+++uj5yy+IvWmxDU6vQ8UQVH
3yiPC68wTsPmwvyyZw/ViN2XmaCO/5N5gKD7ABEBAAG0O0FudGhvbnkgV29sc2tp
IChObyBjb21tZW50KSA8YW50aG9ueS53b2xza2lAYm9ndXNlbWFpbC5jb20+iQE4
BBMBAgAiBQJV8poBAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAzU1dV
wrFtBa2bCACGII7PqA3tLejRDlH9r7arza3HZK/7N3MWZpErtizwT3RxgLJeZ6eg
EmT/q8k5FMtEei56pS2gpvorHc4HXoPRPJxg7ox5LUQzj8wmNQEbKnVfmzo01Bnf
wWbLV4CY469re3haZ+/ylRNLYgYJD7uYu+twGuaGYBAQX1IlZ+3z9l0BFDibjI3U
Hl/RVMNMpZjYX8rf94qBkKjfplCpUsI90M5TtrQYvWLtMEb06L1aA5IKDNY+baBn
nN5XtVyAEvrHtFmATmAA8CrbrmZiMJNkF4j+aJaUO2kKANNXlsY8DzIfKhPNl22F
IfT+jfmeiHauleVgNtO/Ssl1Oja0T9ufuQENBFXymgEBCAC04NV1B2BRBaqOLVbt
mBMzj5XH9nu6XX+m7zXhX1wzi3+Y4cM6O1Ec32T+VCQcsqyoo4I2w/nn60WvTQUV
0LTaAHhRZiycnRCD0dpRAcZyNRKF+4yinsu5ZmWBsXExU/OPt0sL07vDLWat9UZV
O2WXQko5kZmAbjMVoARvP+KDkgYRzDUkBaN2gBcPNEv/gqlQlvIsw4QYvg0PD+HQ
C+Sp/+iwOV92Mcn1ZQmGK+yWUrGtF9JMZxAr52vql9NPsTjYQtOjgpQuGfaCYiWA
pfcWNFgmBn8B6JQ1rYC1UDuEU1CKdM4UC0XszfDH1Z77YZgSM82QiODcKU8ZmMTk
2wHxABEBAAGJAR8EGAECAAkFAlXymgECGwwACgkQM1NXVcKxbQWPLQf/VbSwXCgx
fXAv6hTm3dL+oEmzHgdg+4x+pPctWGXcbf9EXmK5RXlFjvtPbSdxtR4rCbGDTBvs
jcQKh2Hmsqj4M4IBOS/O3oK0A5o+JTpWcjFE7XOAHi+gFESilESKGzg8Sc3BZJ3W
9ZuBFWMhrK5yDYVmP26RBTjlJUDwi6HalNBMbKidjia9M1JGsyLYvewoOoqIBA/g
5ueoscr8mDY8GDpmIvnVxcL06rLwS5sAUOqs6XjUjc1t75O7efjoIvhZcsCAIgRn
2OiI+jIJUkw3iZfAiLc8gSUqkV8hf59ovoYemDoPI9T1XNwwDmedtmFVw9uN61Mc
jtxD8Y9FdYeFvA==
=7i5A
-----END PGP PUBLIC KEY BLOCK-----
Now send that key to someone you want to be able to communicate with securely. With your public key, they’ll be able to encrypt messages or documents, send them to you in encrypted form, and you, and only you, will be able to decrypt them using your private key.
Import a public key
You’ll need to import the public key of anyone you want to send encrypted messages to. To demonstrate the process, I booted up a Vagrant machine and created a private keypair on the VM. Then I imported the public key I created previously.
VagrantVM> gpg --import /vagrant/awolski.gpg
gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
gpg: key C2B16D05: public key "Anthony Wolski (No comment) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Note that /vagrant on the VM is a default synced folder from my OS X host to the VM, and I'd copied the exported public key to the root of the directory where my Vagrantfile resides. I'd also run vagrant ssh to get into the machine.
The documentation states that once the key is imported it should be validated. See the documentation above on how to do that, but effectively you run gpg with --edit-key and then sign the key. The fingerprint that gpg prints before asking you to sign is the thing to check: compare it, over a channel you trust, with the fingerprint the key's owner gives you, and only sign if they match.
VagrantVM> gpg --edit-key [email protected]
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
...
pub  2048R/C2B16D05  created: 2015-09-11  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048R/90BF6AD2  created: 2015-09-11  expires: never       usage: E
[ unknown] (1). Anthony Wolski (No comment) <[email protected]>

gpg> sign

pub  2048R/C2B16D05  2015-09-11  Anthony Wolski (No comment) <[email protected]>
 Primary key fingerprint: A510 7F0A 02A9 15DC 03FE E187 3353 5755 C2B1 6D05
...
Are you really sure that you want to sign this key with your
key: "Anthony Wolski (No comment) <[email protected]>"

Really sign?
Now it’s time to encrypt something to send (to yourself!).
Encrypting a document
Now I’m going to create a document that I need to send securely:
VagrantVM> echo "Really secret info" > secret.txt
VagrantVM> cat secret.txt
Really secret info
And then encrypt it to the recipient's public key:
VagrantVM> gpg --output secret.txt.gpg --encrypt --recipient [email protected] secret.txt
We can verify the contents of the output file have indeed been encrypted:
VagrantVM> cat secret.txt.gpg
�Emd=+��zKy��*�VՏɮ
Decrypting a document
I copied the encrypted file back to my host machine where I originally created my keypair. I can decrypt the file like so:
MacOSX> gpg --output secret.txt --decrypt secret.txt.gpg
MacOSX> cat secret.txt
Really secret info
And there you have it: the original contents of the secret file, decrypted.
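The whole sequence above (generate, export, import, sign, encrypt, decrypt) as one script you can run on a single machine, using two throwaway GNUPGHOME directories in place of the Mac and the Vagrant VM. This is an added example, not code from the original post. It assumes GnuPG 2.x on PATH: the %no-protection keyword and --quick-lsign-key it uses are 2.1+ features, and --quick-lsign-key stands in for the interactive gpg> sign step. The names and e-mail addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's workflow end to end,
# with two throwaway GNUPGHOME directories in place of the Mac and the Vagrant VM.
# Assumes GnuPG 2.x on PATH (%no-protection and --quick-lsign-key are 2.1+).
# Names and addresses below are constructed for the demo.
set -eu

# Generate an RSA keypair for "$2 <$3>" into the GNUPGHOME given as $1.
# The key is left without a passphrase only so the demo needs no prompt;
# a real key gets a passphrase, as in the post.
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%no-protection
%commit
EOF
}

# Print the primary-key fingerprint of the key matching address $2 in home $1.
fingerprint_of() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# Run the full round trip. Returns 0 when the decrypted file matches the
# plaintext, 1 on any mismatch, 2 when gpg is not installed.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    recipient="$work/recipient"
    sender="$work/sender"
    mkdir -m 700 "$recipient" "$sender"

    # 1. Recipient generates a keypair (the MacOSX side of the post).
    gen_key "$recipient" "Recipient Demo" "recipient@example.invalid"

    # 2. Recipient exports the armored public key to hand to the sender.
    GNUPGHOME="$recipient" gpg --batch --armor --output "$work/recipient.asc" \
        --export recipient@example.invalid
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/recipient.asc"

    # 3. Sender (the VagrantVM side) has its own keypair and imports that key.
    gen_key "$sender" "Sender Demo" "sender@example.invalid"
    GNUPGHOME="$sender" gpg --batch --quiet --import "$work/recipient.asc"

    # 4. Sender validates the key with a local, non-exportable signature: the
    #    batch equivalent of "gpg> sign". Without it, batch-mode encryption
    #    to a key of unknown validity is refused.
    fpr=$(fingerprint_of "$sender" recipient@example.invalid)
    GNUPGHOME="$sender" gpg --batch --yes --quick-lsign-key "$fpr"

    # 5. Encrypt to the recipient and check the output is not plaintext.
    printf 'Really secret info\n' > "$work/secret.txt"
    GNUPGHOME="$sender" gpg --batch --output "$work/secret.txt.gpg" \
        --encrypt --recipient recipient@example.invalid "$work/secret.txt"
    if grep -q 'Really secret info' "$work/secret.txt.gpg"; then
        echo "ciphertext still contains the plaintext" >&2
        return 1
    fi

    # 6. Recipient decrypts with the private key and compares.
    GNUPGHOME="$recipient" gpg --batch --quiet --output "$work/decrypted.txt" \
        --decrypt "$work/secret.txt.gpg"
    if cmp -s "$work/secret.txt" "$work/decrypted.txt"; then
        return 0
    fi
    echo "decrypted text differs from the original" >&2
    return 1
}

# Run it directly with: sh gpg_roundtrip.sh run
if [ "${1:-}" = run ]; then
    gpg_roundtrip && echo "round trip OK"
fi
```

Step 4 is the one people skip: in the interactive session the post shows, gpg only warns about an unsigned key and asks whether to use it anyway, but in --batch mode it refuses outright, which makes the script a useful check that the key was actually validated and not merely imported.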