PGP stands for “PGP is the short form for Pretty Good Privacy”
how it works:
it is an encryption system that allows data to be encrypted with an world-known public key, then savely transported to the intended receiver and only the intended receiver (in posession of private key) should be able to decrypt the data.
the PGP GPG confusion:
“PGP can refer to two things:”
- “The Pretty Good Privacy software originally written by Phil Zimmermann, and now owned by Symantec.”
- “The formats for keys, encrypted messages and message signatures defined by that software. These have now been formalised as the OpenPGP standard.”
“The GNU Privacy Guard (GPG) software is an independent implementation of the OpenPGP standards, so you can use it to exchange encrypted messages with people using other OpenPGP implementations (e.g. Symantec’s PGP).” (src)
it is a bit confusing that there are multiple packages PGP, GPG, GNUPG and pgpgpg
- GPG: the one the user wants
- PGP -virtual-package-> GNUPG
- which is a symbolic link to pgpgpg
- pgpgpg – a wrapper around Gnu Privacy Guard that takes Pretty Good Privacy command line options
- “PGPGPG is a wrapper that allows calls to GnuPG (Gnu Privacy Guard) using the command line options of (Pretty Good Privacy). PGP and GnuPG are encryption programms with high security encryption engines. However, PGP is available without a fee but is not realy free software. GnuPG on the other hand is realy free software and has additionally features but with a different command line syntax than PGP.”
- “The goal of pgpgpg is to plug in a command line syntax in front of GnuPG equal to PGP 2.6.” (src: man.pgpgpg.txt)
lsb_release -d Description: Debian GNU/Linux 11 (bullseye) which pgp /usr/bin/pgp file /usr/bin/pgp /usr/bin/pgp: symbolic link to /etc/alternatives/pgp file /etc/alternatives/pgp /etc/alternatives/pgp: symbolic link to /usr/bin/pgpgpg
the following is a backup of this article: (just in case it magically vanishes, this stuff happens, the internet is not “fixed”)
https://spin.atomicobject.com/2013/09/25/gpg-gnu-privacy-guard/
Getting Started with GNU Privacy Guard
This is part of a series on GNU Privacy Guard:
- Getting Started with GNU Privacy Guard (this post)
- Generating More Secure GPG Keys: Rationale
- Generating More Secure GPG Keys: A Step-by-Step Guide
- Using an OpenPGP Smartcard with GnuPG
Like many others, I have recently taken a more active interest in information security. In particular, I have taken a fresh look at GNU Privacy Guard (GnuPG or GPG). This popular open-source encryption tool offers users the ability to encrypt and sign data and communications using public key cryptography.
I’ve used GPG in the past, but now that I’ve read up on it a little more, I’d like to share some of what I’ve learned. This post won’t get into the relative merits of RSA, DSA, or ECC keys, or extra measures you can take to keep your private key secure. I hope to cover those things in more detail later.
This post is intended to serve as a brief introduction to GPG and should also help to clear up some confusing vocabulary to make further reading more fruitful.
Public Key Cryptography
Encryption
I will assume you already have some familiarity with the basic concepts of public key cryptography — that messages can be encrypted using one publicly-available key that can only be decrypted by another key, one kept secret and protected. This asymmetry is powerful, and is useful in many different contexts.
Authentication
Besides encryption, public key cryptography can be used in place of passwords for authentication. Using public/private keypairs for authentication means that a user can use one private key to gain access to many different servers or services. This is in contrast to (symmetric) passwords where sharing the same password with more than one site would be a major risk. This is one reason why I prefer key-based authentication for SSH, for example.
Signing
Another use for public-private keypairs is signing. Using a private key, a sender can “sign” a message, signifying that they originated or approved its exact contents. This allows a receiver to use the sender’s public key, verifying not only that the sender holds the corresponding private part, but also that the message hasn’t been tampered with — the message is bound to the key. Any change to the message would cause the signature to be invalid.
Certification
Similar to signing messages, keys can also be used to sign other keys. This capability can either be used to denote that you claim a set of keys or that you trust someone else has control of another key.
Three Types of “Keys”
Let’s begin honing our understanding by talking about one word: “key.” I have seen this word used to denote at least three distinct (but related) things.
In the first sense, people sometimes talk about the two keys — a “public key” and a “private key” — that go into a “keypair.”
(This private key is also sometimes called a “secret key”).
private key = secret key
In the second sense, people will sometimes refer to a keypair as a “key.”
+------------------------------------------------------+ | keypair | | +------------------------+ +------------------------+| | | | | || | | private | | public || | | | | || | +------------------------+ +------------------------+| +------------------------------------------------------+
In a third sense, people will often use the word “key” to refer to an OpenPGP “key” containing a primary key (keypair) and zero or more subkeys (keypairs).
+--------------------------------------+ | OpenPGP "key" | | | | +----------------------------------+ | | | primary key | | | | +----------------+-------------+ | | | | | | | | | | | +----------------+-------------+ | | | +----------------------------------+ | | | | +----------------------------------+ | | | subkey | | | | +----------------+--------------+| | | | | | || | | | +----------------+--------------+| | | +----------------------------------+ | | | | +----------------------------------+ | | | subkey | | | | +----------------+--------------+| | | | | | || | | | +----------------+--------------+| | | +----------------------------------+ | | . . . | | +---------+-----------+------------+ | | | | | other | | | | uids | notations | metadata | | | +---------+-----------+------------+ | +--------------------------------------+
GPG Concepts
Building on these ideas, let’s look at how GPG works with keys. GPG works with keys in terms of keypairs (corresponding public and private parts). GPG also has a concept of a primary key (keypair) and subkeys (keypairs) that are bound together by signing the subkeys as belonging to the same set with the primary key.
Here’s an example (taken from the output of
gpg --list-secret-keys
):
1 2 3 |
sec 2048R/905D5761 2011-11-08 [expires: 2011-11-22] uid Mike English (Temporary Key) <mike.english@example.com> ssb 2048R/4AD85450 2011-11-08 |
Let’s go through what this means line by line.
1 |
sec 2048R/905D5761 2011-11-08 [expires: 2011-11-22] |
-
sec
– We have the secret (private) part of this primary key in our keyring.
-
2048R
– This is a 2048-bit RSA key.
-
905D5761
– This the “KeyID,” the tail end of the key’s “fingerprint.”
-
2011-11-08
– The creation date of this key.
-
[expires: 2011-11-22]
– This key should no longer be used. It expired 2011-11-22.
1 |
uid Mike English (Temporary Key) <mike.english@example.com> |
-
uid
– What follows is a uid for this key (a key may have zero or more uids).
-
Mike English
– The “Real Name”
-
(Temporary Key)
– The “Comment”
-
<mike.english@example.com>
– The e-mail address
1 |
ssb 2048R/4AD85450 2011-11-08 |
-
ssb
– This is a subkey. We have the secret part in our keyring.
-
2048R
– This subkey is another 2048-bit RSA key.
-
4AD85450
– The “KeyID” for this subkey, again derived from the key’s fingerprint.
-
2011-11-08
– The creation date of this subkey.
In the above example, the primary key is labeled
sec
(meaning we have the “secret” part) and a subkey is labeled
ssb
. The
uid
is an identifier associated with the key for convenience.
As noted above, the term “key” can designate (at least) three different things here. We could be referring to one part (public or private) of an individual keypair. We could be referring to a keypair (since they are linked, they are sometimes referred to as one “key” as when we say “primary key” or “subkey”). We might also be referring to the primary key and all of its associated uids and subkeys (a key can have more than one uid or subkey).
Here’s another example (this one taken from the output of
gpg --list-keys
):
1 2 3 4 |
pub 2048D/00D026C4 2010-08-19 [expires: 2015-08-18] uid GPGTools Project Team (Official OpenPGP Key) <gpgtools-org@lists.gpgtools.org> uid GPGMail Project Team (Official OpenPGP Key) <gpgmail-devel@lists.gpgmail.org> sub 2048g/DBCBE671 2010-08-19 [expires: 2015-08-18] |
In this example we have only the public (
pub
) part of the primary key and one subkey (
sub
). This key also demonstrates the fact that multiple
uid
s can be associated with the same key.
GPG Keyrings
When we generate our first key, we’ll see that GPG creates a new directory
~/.gnupg
and several files:
-
~/.gnupg/gpg.conf
-
~/.gnupg/secring.gpg
-
~/.gnupg/pubring.gpg
gpg.conf
contains configuration info. The other two files are keyrings. GPG holds keys in “keyrings”. By default two files are used for this:
-
~/.gnupg/secring.gpg
holds the secret (private) parts of keys where we have them (our private keys)
-
~/.gnupg/pubring.gpg
holds the public parts of keys (ours and others’)
gpg -k
is short for
gpg --list-keys
which will show public keys we have in our keyring.
gpg -K
is short for
gpg --list-secret-keys
which will show us secret keys we have in our keyring.
1 2 3 4 5 6 7 8 9 10 11 12 13 |
$ gpg -k /Users/english/.gnupg/pubring.gpg --------------------------------- pub 2048R/810681E9 2013-09-19 uid Mike English (Junk key for blogpost) <mike.english@example.com> sub 2048R/9857CF87 2013-09-19 $ gpg -K /Users/english/.gnupg/secring.gpg --------------------------------- sec 2048R/810681E9 2013-09-19 uid Mike English (Junk key for blogpost) <mike.english@example.com> ssb 2048R/9857CF87 2013-09-19 |
Example / Getting Started
1. Installing GPG
I recommend skipping the GUI tools for now. It’s worth the effort to understand how GPG works so that you can make an informed decision about choosing wrappers that may provide added convenience. Using the command line interface will allow you to develop a better understanding of GPG’s operational model.
On a Mac, we can install
gpg
via Homebrew:
1 2 3 4 5 6 7 8 |
$ brew install gpg ==> Downloading ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.13.tar.bz2 Already downloaded: /Library/Caches/Homebrew/gnupg-1.4.13.tar.bz2 ==> ./configure --prefix=/usr/local/Cellar/gnupg/1.4.13 --disable-asm ==> make CFLAGS= -std=gnu89 -fheinous-gnu-extensions ==> make check ==> make install /usr/local/Cellar/gnupg/1.4.13: 54 files, 5.2M, built in 51 seconds |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
$ gpg --version gpg (GnuPG) 1.4.13 Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 |
2. Generating a New Key
Here’s how to generate a new key, accepting all the defaults:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 |
$ gpg --gen-key gpg (GnuPG) 1.4.13; Copyright (C) 2012 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: directory `/Users/english/.gnupg' created gpg: new configuration file `/Users/english/.gnupg/gpg.conf' created gpg: WARNING: options in `/Users/english/.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/Users/english/.gnupg/secring.gpg' created gpg: keyring `/Users/english/.gnupg/pubring.gpg' created Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Mike English Email address: mike.english@example.com Comment: Junk key for blogpost You selected this USER-ID: "Mike English (Junk key for blogpost) <mike.english@example.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++ ............+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ........+++++ ......+++++ gpg: /Users/english/.gnupg/trustdb.gpg: trustdb created gpg: key 810681E9 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 2048R/810681E9 2013-09-19 Key fingerprint = 4ADF DB89 FC3D CC41 7CC1 FFB4 1138 9CAA 8106 81E9 uid Mike English (Junk key for blogpost) <mike.english@example.com> sub 2048R/9857CF87 2013-09-19 $ |
3. Signing
First something to sign:
1 2 3 4 5 6 7 |
$ cat > important_message.txt This is an important message. You will want to know that it is really from me. You will also want to know that it has arrived intact, without any tampering. By signing it, I can assure you (so long as you already trust that I control the private key I will use). $ |
Then we can sign it:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
$ gpg --clearsign important_message.txt You need a passphrase to unlock the secret key for user: "Mike English (Junk key for blogpost) <mike.english@example.com>" 2048-bit RSA key, ID 810681E9, created 2013-09-19 $ cat important_message.txt.asc -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is an important message. You will want to know that it is really from me. You will also want to know that it has arrived intact, without any tampering. By signing it, I can assure you (so long as you already trust that I control the private key I will use). -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Darwin) iQEcBAEBAgAGBQJSO73pAAoJEBE4nKqBBoHpB94H/3p5QvHi7kkVxQ6a936r+Weo Jiy+blzVsMRCQzhjtQ1dm/VZIA13gGSSatQDfPfLTwDbQ3T261W5kr3+S3AoeBEr Kf1taidyZEUlr8WXoFERJb2TefzLwL4uJTsYTh32pRjX64sc02ckyV334/o4KleU Gkxv6o3UqmsH5bj5S4wEd/8TvXvizZyhy42JdKOxFoFz47flKLkJy7wWwmIhRu/w SkNQVlSZzUBcueJmOWFY5nqW96glyiRsh4Yjg07Y5Qt257Lqkt3s+tKYkR3bF3QM kVWwzidQAllajP+a0JUgWzmsMocVQvd6Gm3lO8CpxlIpetkK1uq1NaCIcCR9RIQ= =v1O6 -----END PGP SIGNATURE----- $ |
4. Encryption
Something to encrypt:
1 2 3 4 |
$ cat > secret_message.txt This is a secret message. It is important that you be the only one to read it. I will encrypt this message with your public key so that you can decrypt it with your private key. |
Choose a recipient from our public keyring (In this case, ourselves):
1 2 3 4 5 6 |
$ gpg --list-keys /Users/english/.gnupg/pubring.gpg --------------------------------- pub 2048R/810681E9 2013-09-19 uid Mike English (Junk key for blogpost) <mike.english@example.com> sub 2048R/9857CF87 2013-09-19 |
And then encrypt the message:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
$ gpg -r mike.english@example.com --armor --encrypt secret_message.txt $ cat secret_message.txt.asc -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.13 (Darwin) hQEMAzCAW/+YV8+HAQf9GoxHtvWMtgSdRxfg+0p1foglWzbIpy2FYOziVyivmCAq 1Q/rH1FbmbqXYjwadwD03KkSsg5fTo+BpaZs6THxO9ADRj+kYp+wmJE4c7J/QXY7 TcvURbo/H9lv9CVRRrL8ovv6S1O3RHsvMF7CU7AtYoXqCmOLrDM30Du/j/kanhWF 2H9znYyfWnhJ5d7JRQ95n9ZmwU+OtloWPay3pFM++40mbSEjNvUrwDhqK+GKvoit Te3EBtLyonXwwel7coWIbL2Bz1083DzBL0b5D4nyGNEIDL3SEsnfMIHa944LZXIu OWdrioWr2ivMhR4fuV1fQuTImn710Fpb8DS8b5TRtNK/AUHrxPCXeV4WycI8nbwa KzsdO/zgjM1yvTEJUR26luEgYbd9Bcip/0FOWab18GRJMgdC4keXGPRds9Gtip5a 2QWW7KDXfYts+ODVi19juJp6kSz9D/TwMtX1gq+5J1+OGvY7FMNZQiiuxD+VXpgP B0GkJS2dmIrz+81hj7RMq1+iziyfQ3rooNW9r+Mh/B5W00I8/VKo/A65i4P1WLgJ pBvg6I30su8p8Y8RBa3EEsAEYAcpVUGe1s3lU1N+KM4= =gyNk -----END PGP MESSAGE----- $ |
5. Decryption
Since we have the matching private key…
1 2 3 4 5 6 7 8 9 10 11 |
$ gpg -d secret_message.txt.asc You need a passphrase to unlock the secret key for user: "Mike English (Junk key for blogpost) <mike.english@example.com>" 2048-bit RSA key, ID 9857CF87, created 2013-09-19 (main key ID 810681E9) gpg: encrypted with 2048-bit RSA key, ID 9857CF87, created 2013-09-19 "Mike English (Junk key for blogpost) <mike.english@example.com>" This is a secret message. It is important that you be the only one to read it. I will encrypt this message with your public key so that you can decrypt it with your private key. |
…we are able to decrypt this secret message:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
$ gpg -d secret_message.txt.asc You need a passphrase to unlock the secret key for user: "Mike English (Junk key for blogpost) <mike.english@example.com>" 2048-bit RSA key, ID 9857CF87, created 2013-09-19 (main key ID 810681E9) gpg: encrypted with 2048-bit RSA key, ID 9857CF87, created 2013-09-19 "Mike English (Junk key for blogpost) <mike.english@example.com>" This is a secret message. It is important that you be the only one to read it. I will encrypt this message with your public key so that you can decrypt it with your private key. $ |
how to export keys: (public and private)
that is used for transfer of key-pairs between programs and systems…
# list all installed keys (keys known to the system)
gpg --list-keys
Export Public Key
This command will export an ascii armored version of the public key:
gpg --output to-this-file.public.pgp.key --armor --export username@email # or KEYID=KEYID9JFFJ8DFFDS7JCU6DOU4FI2OFD gpg --output $KEYID.public.pgp.key --armor --export $KEYID
(for whatever reason it DOES NOT WORK if the –output option is put at the end of the command!? unify & simplify! simplify! simplify!)
Export Secret Key
This command will export an ascii armored version of the secret key:
gpg --output to-this-file.private.pgp.key --armor --export-secret-key username@email # or KEYID=KEYID9JFFJ8DFFDS7JCU6DOU4FI2OFD gpg --output $KEYID.private.pgp.key --armor --export-secret-key $KEYID
Security Concerns, Backup, and Storage
A PGP public key contains information about one’s email address. This is generally acceptable since the public key is used to encrypt email to your address. However, in some cases, this is undesirable.
For most use cases, the secret key need not be exported and should not distributed. If the purpose is to create a backup key, you should use the backup option:
gpg --armor --export-secret-keys --export-options export-backup user@email --output backupkeys.pgp
This will export all necessary information to restore the secrets keys including the trust database information. Make sure you store any backup secret keys off the computing platform and in a secure physical location.
If this key is important to you, I recommend printing out the key on paper using paperkey. And placing the paper key in a fireproof/waterproof safe.
Public Key Servers
In general, it’s not advisable to post personal public keys to key servers. There is no method of removing a key once it’s posted and there is no method of ensuring that the key on the server was placed there by the supposed owner of the key.
It is much better to place your public key on a website that you own or control. Some people recommend keybase.io for distribution. However, that method tracks participation in various social and technical communities which may not be desirable for some use cases.
For the technically adept, I personally recommend trying out the webkey domain level key discovery service.
- List the keys you have:
gpg --list-secret-keys
- Export the key:
gpg --export-secret-key name > ~/my-key.asc
- Copy it on another machine;
- Import the key:
gpg --import my-key.asc
To
export
SOMEKEYID public key to an
output
file:
gpg --output public.pgp --export SOMEKEYID
When working with secret keys it’s generally preferable not to write them to files and, instead, use SSH to copy them directly between machines using only
gpg
and a pipe:
gpg --export-secret-key SOMEKEYID | ssh othermachine gpg --import
If you must, however, output your secret key to a file please make sure it’s encrypted. Here’s how to accomplish that using AES encryption using the Dark Otter approach:
gpg --output public.gpg --export SOMEKEYID && \ gpg --output - --export-secret-key SOMEKEYID |\ cat public.gpg - |\ gpg --armor --output keys.asc --symmetric --cipher-algo AES256
The last approach is ideal if you want to create a physical back-up of your public and private keys to safeguard against a disk failure when no other way exists to regain access to your keys.
creditz: https://newbedev.com/how-to-export-a-gpg-private-key-and-public-key-to-a-file
manpage:
errors & troubles:
“gpg: WARNING: unsafe permissions on homedir”
chmod 600 ~/.gnupg/* chmod 700 ~/.gnupg
Links:
- https://www.gnupg.org/
- https://knowledge.broadcom.com/external/article/180118/how-to-use-pgp-command-line-to-create-an.html
- GnuPG Documentation Sources
- Alan Eliasen’s GPG Tutorial
- Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C. New York: Wiley, 1996.
- https://wiki.debian.org/OpenPGP
- https://packages.debian.org/stable/gnupg
- https://www.rfc-editor.org/rfc/rfc4880
liked this article?
- only together we can create a truly free world
- plz support dwaves to keep it up & running!
- (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
- really really hate advertisement
- contribute: whenever a solution was found, blog about it for others to find!
- talk about, recommend & link to this blog and articles
- thanks to all who contribute!