GNU Privacy Guard (GnuPG or GPG) is a free software replacement for Symantec's PGP cryptographic software suite. GnuPG is compliant with RFC 4880, which is the IETF standards track specification of OpenPGP. Modern versions of PGP and Veridis' Filecrypt are interoperable with GnuPG and other OpenPGP-compliant systems.
GnuPG is part of the GNU project, and has received major funding from the German government.
GPG can be used to encrypt and sign messages and files, and to verify signatures made by others.
Setup
Install from source code:
$ ./configure
$ make
$ make install
Install via the system package manager (both commands need root privileges):
# Debian / Ubuntu
$ sudo apt-get install gnupg
# Fedora / CentOS / RedHat
$ sudo yum install gnupg
Install on OS X via Homebrew:
$ brew install gnupg
Alternatively, install the GPG Suite (GPG Tools) application, which bundles GnuPG with the GPG Keychain and the Mail.app integration used at the end of this page.
After installing, run gpg --help to see the available commands and options.
Generate a Key Pair
$ gpg --gen-key
This walks you through a few questions that configure your key. With GnuPG 2.1 and later, gpg --gen-key only asks for a name, an e-mail address and a passphrase and chooses the algorithm and key size for you; run gpg --full-generate-key (alias --full-gen-key) instead to get the full dialogue shown below.
- Please select what kind of key you want:
(1) RSA and RSA (default)
- What keysize do you want?
4096
- Key is valid for?
0
0 means the key never expires. An expiration date such as 2y is the safer choice: it limits the damage if you lose both the secret key and the revocation certificate, and you can extend it at any time with gpg --edit-key as long as you still hold the secret key.
- Is this correct?
y
- Real name:
your real name here
- Email address:
your e-mail address here
- Comment:
Optional comment that becomes part of the user ID and is shown next to your name and address wherever the key is listed; leave it empty unless you need it
- Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
O
- Enter passphrase: Enter a secure passphrase here (upper & lower case, digits, symbols). It protects the secret key on disk and is asked for whenever the key is used to decrypt or sign.
Create a Revocation Certificate
You need a way of invalidating your key pair in case there is a security breach, or in case you lose your secret key or forget its passphrase. GPG makes this easy with a revocation certificate.
Do this as soon as you create the key pair, not when you need it: generating the certificate requires the secret key and its passphrase, which is exactly what you may no longer have at that point. Keep the certificate in a secure, separate location (offline media or a printout) in case your computer is compromised or inoperable, and treat it like the secret key itself, because anyone who holds it can revoke your key. Type:
$ gpg --armor --output revoke.asc --gen-revoke [UserID]
Without --output the certificate is written to standard output. GnuPG 2.1 and later also store such a certificate automatically at key creation, under ~/.gnupg/openpgp-revocs.d/ in a file named after the key's fingerprint; back that file up as well. To revoke the key later, import the certificate into your keyring with gpg --import and re-upload the key to every key server you published it on.
List the keys in your keyring with gpg --list-keys (gpg --list-secret-keys shows the ones you hold the secret part of), and delete a public key with gpg --delete-key [UserID]. This removes only the public key; a secret key has to be removed separately with gpg --delete-secret-keys [UserID], and gpg refuses to delete a public key while its secret key is still present.
Export Your Public Key
$ gpg --armor --output public-key.txt --export [UserID]
Export Your Private Key
$ gpg --armor --output private-key.txt --export-secret-keys [UserID]
The exported file contains your secret key, still encrypted with your passphrase. Keep it off shared machines and out of version control, and delete the plain file once it is on the backup medium.
Upload Your Public Key
$ gpg --keyserver hkp://pgp.mit.edu --send-keys [KeyID]
--send-keys takes a key ID or fingerprint rather than a name or e-mail address (gpg reports "not a key ID: skipping" otherwise); find it with gpg --list-keys. Anything uploaded to a key server is public and cannot be removed, only revoked. The SKS key server network that pgp.mit.edu was part of has largely shut down; keys.openpgp.org is the usual choice today and verifies e-mail addresses before publishing user IDs.
How To Verify and Sign Keys
While you can freely distribute your public key file, and people can use it to contact you in an encrypted way, there is still an issue of trust in the initial public key transmission: anyone who can tamper with the key file in transit or with the key server response can substitute a key of their own and then read everything encrypted to it.
Verify the Other Person's Identity
How do you know that the person giving you the public key is who they say they are? In some cases, this may be simple. You may be sitting right next to the person with your laptops both open and exchanging keys. This should be a pretty secure way of identifying that you are receiving the correct, legitimate key.
But there are many other circumstances where such personal contact is not possible. You may not know the other party personally, or you may be separated by physical distance. Then the public key itself arrives over a channel you do not trust, and you need some other way to check it.
Luckily, instead of comparing the entire public keys, you can compare the fingerprint derived from each key (a hash of the public key material). Two keys with the same fingerprint are the same key, so this gives you a reasonable assurance that you are both using the same public key.
You can get the fingerprint of a public key by typing:
$ gpg --fingerprint [UserID]
This produces a much more manageable string to compare: 40 hexadecimal characters for a version 4 key, printed in groups of four. Compare the whole string, not just the last 8 or 16 characters (the short and long key IDs): short key IDs are trivial to forge, so two different keys can share one. Read the fingerprint to the person over a channel you trust, in person or by phone, or check it against a copy they have published somewhere you trust, such as a business card or their own website over HTTPS; a third party who knows the person can vouch for it the same way. Once it matches, sign the key with gpg --sign-key [UserID] (or gpg --lsign-key [UserID] for a local signature that is never exported) so that GPG stops warning you that the key is untrusted.
Import Other Users' Public Keys
GPG would be pretty useless if you could not import the public keys of the people you wish to communicate with.
You can import someone's public key in a variety of ways. If you've obtained a public key from someone in a text file, GPG can import it with the following command:
$ gpg --import name_of_pub_key_file
The person you wish to communicate with may also have uploaded their key to a public key server. These key servers house people's public keys from all over the world, but they do not check identities: anyone can upload a key carrying any name or e-mail address, so an import from a key server is only a download, and the fingerprint check above is still required before you use the key.
A popular key server that syncs its information with a variety of other servers is the MIT public key server. You can search for people by their name or e-mail address by going here in your web browser: pgp.mit.edu.
You can also search the key server from within GPG by typing the following:
$ gpg --keyserver pgp.mit.edu --search-keys [UserID]
If you already know the fingerprint, fetching the key by fingerprint with --recv-keys avoids picking the wrong one out of several look-alike search results.
Encrypt File
$ gpg --recipient [UserID] --output demo.en.txt --encrypt demo.txt
If the recipient's key is not signed or trusted yet, gpg warns "There is no assurance this key belongs to the named user" and asks whether to use it anyway; that is the fingerprint check from the previous section catching up with you. Add --armor for an ASCII file that can be pasted into an e-mail. Encryption alone does not tell the recipient who sent the file; add --sign to the same command to sign and encrypt in one step.
Decrypt File
$ gpg --output demo.de.txt --decrypt demo.en.txt
Without --output the plaintext goes to standard output. If the message was also signed, gpg verifies the signature during decryption; look for "Good signature" in its output.
Sign File
$ gpg --sign demo.txt
This produces demo.txt.gpg, a binary file containing the (compressed) data together with the signature. If you want a human-readable ASCII file with the text left intact, use --clearsign instead:
$ gpg --clearsign demo.txt
This produces demo.txt.asc, which contains the original text wrapped in a PGP SIGNED MESSAGE block followed by the ASCII-armored signature.
If you want the signature in a separate file and the original left untouched (the usual choice for software releases and other binaries), use --detach-sign:
$ gpg --detach-sign demo.txt
This produces demo.txt.sig, a binary signature file. For an ASCII-armored signature file (demo.txt.asc), add --armor:
$ gpg --armor --detach-sign demo.txt
Verify Sign
$ gpg --verify demo.txt.asc demo.txt
For a detached signature, name the signature file first and the signed file second. For a file produced by --sign or --clearsign, pass only that file. Check the output for "Good signature" and for the fingerprint of the key you verified earlier. "BAD signature" means the file or the signature has been altered. A warning that the key is not certified with a trusted signature means the key may well be genuine, but you have not verified and signed it yet. Note that gpg --verify exits 0 for a good signature from any key in your keyring, so a script must check which key made the signature (for example through --status-fd) rather than relying on the exit status alone.
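The whole workflow of this page run end to end, non-interactively, inside a throwaway keyring, as an added example that is not part of the original page and not GnuPG's own code. It covers the key generation, revocation certificate, public key export, fingerprint check, encrypt/decrypt and detached sign/verify steps above, and adds the tamper check a practitioner wants to see fail. "Demo User", demo@example.com and the file names are made-up values; the script assumes GnuPG 2.1 or later (for %no-protection in the parameter file and the automatically stored revocation certificate) and a POSIX shell. The same_fingerprint helper is the fingerprint comparison from the verification section, written so that spacing and letter case differences between a printed and a spoken fingerprint do not matter.

```shell
#!/bin/sh
# Added example (not from the original page): the page's manual steps run end to end
# in a private GNUPGHOME. "Demo User", demo@example.com and the file names are made up.
set -eu

# Compare a fingerprint read from a screen, a card or the phone with the one gpg
# printed: ignore spacing and letter case, and never match two empty strings.
same_fingerprint() {
    a=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' \t' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Batch key generation, revocation certificate, export, encrypt, decrypt, detached
# signature, verification and a tamper check. Returns 0 only if every step passes.
demo_roundtrip() {
    # Private GNUPGHOME so the user's real keyring is never touched.
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    work="$GNUPGHOME/work"
    mkdir "$work"

    # Unattended equivalent of the gpg --gen-key dialogue (GnuPG manual,
    # "Unattended key generation"). %no-protection is for the demo only;
    # a real key gets a passphrase.
    cat >"$GNUPGHOME/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Demo User
Name-Email: demo@example.com
Expire-Date: 1y
%commit
EOF
    gpg --batch --quiet --gen-key "$GNUPGHOME/params" || return 1

    # Machine-readable listing: the "fpr" record carries the fingerprint in field 10.
    fpr=$(gpg --batch --with-colons --fingerprint demo@example.com \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "${#fpr}" -eq 40 ] || return 1
    # The same fingerprint as gpg prints it for humans (groups of four), here also
    # lower-cased, must still compare equal.
    spaced=$(printf '%s' "$fpr" | sed 's/..../& /g' | tr 'A-F' 'a-f')
    same_fingerprint "$fpr" "$spaced" || return 1

    # GnuPG 2.1+ stores a revocation certificate at key creation; keep a copy offline.
    [ -f "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" ] || return 1

    # Public key export in ASCII armor.
    gpg --batch --armor --output "$work/public-key.asc" --export "$fpr" || return 1
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/public-key.asc" || return 1

    # Encrypt to the key and decrypt again; the plaintext must survive unchanged.
    printf 'top secret demo text\n' >"$work/demo.txt"
    gpg --batch --yes --trust-model always --recipient "$fpr" \
        --output "$work/demo.txt.gpg" --encrypt "$work/demo.txt" || return 1
    gpg --batch --quiet --output "$work/demo.de.txt" --decrypt "$work/demo.txt.gpg" || return 1
    cmp -s "$work/demo.txt" "$work/demo.de.txt" || return 1

    # Armored detached signature; verification names the signature first, the file second.
    gpg --batch --yes --armor --output "$work/demo.txt.asc" --detach-sign "$work/demo.txt" || return 1
    gpg --batch --quiet --verify "$work/demo.txt.asc" "$work/demo.txt" || return 1

    # A single appended byte must make verification fail.
    printf 'x' >>"$work/demo.txt"
    if gpg --batch --quiet --verify "$work/demo.txt.asc" "$work/demo.txt" 2>/dev/null; then
        echo "tampered file still verified: broken setup" >&2
        return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    echo "round trip OK (fingerprint $fpr)"
}

if command -v gpg >/dev/null 2>&1; then
    demo_roundtrip
else
    echo "gpg is not installed; nothing to demonstrate" >&2
fi
```

Save it as gpg-demo.sh and run sh gpg-demo.sh. The demo keyring holds a single key, so the exit status of gpg --verify is enough here; a production script should additionally confirm the signing key's fingerprint through --status-fd, because --verify also exits 0 for a good signature from any other key in the keyring.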
Use GPG Suite (GPG Keychain) to Encrypt E-mail on OS X
After GPG Suite is installed, it adds OpenPGP services to the system. You can assign keyboard shortcuts to them in System Preferences
-> Keyboard
-> Shortcuts
Sign E-mail
In Mail.app, select the whole mail content and choose OpenPGP: Sign Selection
in the right-click menu (or use the shortcut you configured). Enter your passphrase and click OK.
E-mail Encryption
After importing the other user's public key, select the whole mail content (including the signature, if you signed it) and choose OpenPGP: Encrypt Selection
(or use the shortcut you configured). Select the recipients and send the mail.
Decrypt E-mail
Select the text from -----BEGIN PGP MESSAGE-----
to -----END PGP MESSAGE-----
in the mail body and choose OpenPGP: Decrypt Selection
in the right-click menu (or use the shortcut you configured). As with the command line, check that the decrypted result reports a good signature from the key you verified before trusting its contents.