PGP stands for “PGP is the short form for Pretty Good Privacy”

how it works:

it is an encryption system that allows data to be encrypted with an world-known public key, then savely transported to the intended receiver and only the intended receiver (in posession of private key) should be able to decrypt the data.

the PGP GPG confusion:

“PGP can refer to two things:”

  • “The Pretty Good Privacy software originally written by Phil Zimmermann, and now owned by Symantec.”
  • “The formats for keys, encrypted messages and message signatures defined by that software. These have now been formalised as the OpenPGP standard.”

“The GNU Privacy Guard (GPG) software is an independent implementation of the OpenPGP standards, so you can use it to exchange encrypted messages with people using other OpenPGP implementations (e.g. Symantec’s PGP).” (src)

it is a bit confusing that there are multiple packages PGP, GPG, GNUPG and pgpgpg

  • GPG: the one the user wants
  • PGP -virtual-package-> GNUPG
    • which is a symbolic link to pgpgpg
  • pgpgpg – a wrapper around Gnu Privacy Guard that takes Pretty Good Privacy command line options
    • “PGPGPG is a wrapper that allows calls to GnuPG (Gnu Privacy Guard) using the command line options of (Pretty Good Privacy). PGP and GnuPG are encryption programms with high security encryption engines. However, PGP is available without a fee but is not realy free software. GnuPG on the other hand is realy free software and has additionally features but with a different command line syntax than PGP.”
    • “The goal of pgpgpg is to plug in a command line syntax in front of GnuPG equal to PGP 2.6.” (src: man.pgpgpg.txt)
lsb_release -d
Description:	Debian GNU/Linux 11 (bullseye)

which pgp
/usr/bin/pgp
file /usr/bin/pgp
/usr/bin/pgp: symbolic link to /etc/alternatives/pgp
file /etc/alternatives/pgp
/etc/alternatives/pgp: symbolic link to /usr/bin/pgpgpg

the following is a backup of this article: (just in case it magically vanishes, this stuff happens, the internet is not “fixed”)

https://spin.atomicobject.com/2013/09/25/gpg-gnu-privacy-guard/

Getting Started with GNU Privacy Guard

This is part of a series on GNU Privacy Guard:

  1. Getting Started with GNU Privacy Guard (this post)
  2. Generating More Secure GPG Keys: Rationale
  3. Generating More Secure GPG Keys: A Step-by-Step Guide
  4. Using an OpenPGP Smartcard with GnuPG

Like many others, I have recently taken a more active interest in information security. In particular, I have taken a fresh look at GNU Privacy Guard (GnuPG or GPG). This popular open-source encryption tool offers users the ability to encrypt and sign data and communications using public key cryptography.

I’ve used GPG in the past, but now that I’ve read up on it a little more, I’d like to share some of what I’ve learned. This post won’t get into the relative merits of RSA, DSA, or ECC keys, or extra measures you can take to keep your private key secure. I hope to cover those things in more detail later.

This post is intended to serve as a brief introduction to GPG and should also help to clear up some confusing vocabulary to make further reading more fruitful.

Public Key Cryptography

Encryption

I will assume you already have some familiarity with the basic concepts of public key cryptography — that messages can be encrypted using one publicly-available key that can only be decrypted by another key, one kept secret and protected. This asymmetry is powerful, and is useful in many different contexts.

Authentication

Besides encryption, public key cryptography can be used in place of passwords for authentication. Using public/private keypairs for authentication means that a user can use one private key to gain access to many different servers or services. This is in contrast to (symmetric) passwords where sharing the same password with more than one site would be a major risk. This is one reason why I prefer key-based authentication for SSH, for example.

Signing

Another use for public-private keypairs is signing. Using a private key, a sender can “sign” a message, signifying that they originated or approved its exact contents. This allows a receiver to use the sender’s public key, verifying not only that the sender holds the corresponding private part, but also that the message hasn’t been tampered with — the message is bound to the key. Any change to the message would cause the signature to be invalid.

Certification

Similar to signing messages, keys can also be used to sign other keys. This capability can either be used to denote that you claim a set of keys or that you trust someone else has control of another key.

Three Types of “Keys”

Let’s begin honing our understanding by talking about one word: “key.” I have seen this word used to denote at least three distinct (but related) things.

In the first sense, people sometimes talk about the two keys — a “public key” and a “private key” — that go into a “keypair.”

(This private key is also sometimes called a “secret key”).

private key = secret key

In the second sense, people will sometimes refer to a keypair as a “key.”

        +------------------------------------------------------+
        |                        keypair                       |
        | +------------------------+ +------------------------+|
        | |                        | |                        ||
        | |        private         | |         public         ||
        | |                        | |                        ||
        | +------------------------+ +------------------------+|
        +------------------------------------------------------+

In a third sense, people will often use the word “key” to refer to an OpenPGP “key” containing a primary key (keypair) and zero or more subkeys (keypairs).

                 +--------------------------------------+
                 |           OpenPGP "key"              |
                 |                                      |
                 | +----------------------------------+ |
                 | | primary key                      | |
                 | | +----------------+-------------+ | |
                 | | |                |             | | |
                 | | +----------------+-------------+ | |
                 | +----------------------------------+ |
                 |                                      |
                 | +----------------------------------+ |
                 | | subkey                           | |
                 | | +----------------+--------------+| |
                 | | |                |              || |
                 | | +----------------+--------------+| |
                 | +----------------------------------+ |
                 |                                      |
                 | +----------------------------------+ |
                 | | subkey                           | |
                 | | +----------------+--------------+| |
                 | | |                |              || |
                 | | +----------------+--------------+| |
                 | +----------------------------------+ |
                 |  . . .                               |
                 | +---------+-----------+------------+ |
                 | |         |           |   other    | |
                 | | uids    | notations |  metadata  | |
                 | +---------+-----------+------------+ |
                 +--------------------------------------+

GPG Concepts

Building on these ideas, let’s look at how GPG works with keys. GPG works with keys in terms of keypairs (corresponding public and private parts). GPG also has a concept of a primary key (keypair) and subkeys (keypairs) that are bound together by signing the subkeys as belonging to the same set with the primary key.

Here’s an example (taken from the output of

gpg --list-secret-keys

):

1
2
3
sec   2048R/905D5761 2011-11-08 [expires: 2011-11-22]
uid                  Mike English (Temporary Key) <mike.english@example.com>
ssb   2048R/4AD85450 2011-11-08

Let’s go through what this means line by line.

1
sec   2048R/905D5761 2011-11-08 [expires: 2011-11-22]
  • sec

    – We have the secret (private) part of this primary key in our keyring.

  • 2048R

    – This is a 2048-bit RSA key.

  • 905D5761

    – This the “KeyID,” the tail end of the key’s “fingerprint.”

  • 2011-11-08

    – The creation date of this key.

  • [expires: 2011-11-22]

    – This key should no longer be used. It expired 2011-11-22.

1
uid                  Mike English (Temporary Key) <mike.english@example.com>
  • uid

    – What follows is a uid for this key (a key may have zero or more uids).

  • Mike English

    – The “Real Name”

  • (Temporary Key)

    – The “Comment”

  • <mike.english@example.com>

    – The e-mail address

1
ssb   2048R/4AD85450 2011-11-08
  • ssb

    – This is a subkey. We have the secret part in our keyring.

  • 2048R

    – This subkey is another 2048-bit RSA key.

  • 4AD85450

    – The “KeyID” for this subkey, again derived from the key’s fingerprint.

  • 2011-11-08

    – The creation date of this subkey.

In the above example, the primary key is labeled

sec

(meaning we have the “secret” part) and a subkey is labeled

ssb

. The

uid

is an identifier associated with the key for convenience.

As noted above, the term “key” can designate (at least) three different things here. We could be referring to one part (public or private) of an individual keypair. We could be referring to a keypair (since they are linked, they are sometimes referred to as one “key” as when we say “primary key” or “subkey”). We might also be referring to the primary key and all of its associated uids and subkeys (a key can have more than one uid or subkey).

Here’s another example (this one taken from the output of

gpg --list-keys

):

1
2
3
4
pub   2048D/00D026C4 2010-08-19 [expires: 2015-08-18]
uid                  GPGTools Project Team (Official OpenPGP Key) <gpgtools-org@lists.gpgtools.org>
uid                  GPGMail Project Team (Official OpenPGP Key) <gpgmail-devel@lists.gpgmail.org>
sub   2048g/DBCBE671 2010-08-19 [expires: 2015-08-18]

In this example we have only the public (

pub

) part of the primary key and one subkey (

sub

). This key also demonstrates the fact that multiple

uid

s can be associated with the same key.

GPG Keyrings

When we generate our first key, we’ll see that GPG creates a new directory

~/.gnupg

and several files:

  • ~/.gnupg/gpg.conf
  • ~/.gnupg/secring.gpg
  • ~/.gnupg/pubring.gpg
gpg.conf

contains configuration info. The other two files are keyrings. GPG holds keys in “keyrings”. By default two files are used for this:

  • ~/.gnupg/secring.gpg

    holds the secret (private) parts of keys where we have them (our private keys)

  • ~/.gnupg/pubring.gpg

    holds the public parts of keys (ours and others’)

gpg -k

is short for

gpg --list-keys

which will show public keys we have in our keyring.

gpg -K

is short for

gpg --list-secret-keys

which will show us secret keys we have in our keyring.

1
2
3
4
5
6
7
8
9
10
11
12
13
$ gpg -k
/Users/english/.gnupg/pubring.gpg
---------------------------------
pub   2048R/810681E9 2013-09-19
uid                  Mike English (Junk key for blogpost) <mike.english@example.com>
sub   2048R/9857CF87 2013-09-19
 
$ gpg -K
/Users/english/.gnupg/secring.gpg
---------------------------------
sec   2048R/810681E9 2013-09-19
uid                  Mike English (Junk key for blogpost) <mike.english@example.com>
ssb   2048R/9857CF87 2013-09-19

Example / Getting Started

1. Installing GPG

I recommend skipping the GUI tools for now. It’s worth the effort to understand how GPG works so that you can make an informed decision about choosing wrappers that may provide added convenience. Using the command line interface will allow you to develop a better understanding of GPG’s operational model.

On a Mac, we can install

gpg

via Homebrew:

1
2
3
4
5
6
7
8
$ brew install gpg
==> Downloading ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.13.tar.bz2
Already downloaded: /Library/Caches/Homebrew/gnupg-1.4.13.tar.bz2
==> ./configure --prefix=/usr/local/Cellar/gnupg/1.4.13 --disable-asm
==> make CFLAGS= -std=gnu89 -fheinous-gnu-extensions
==> make check
==> make install
  /usr/local/Cellar/gnupg/1.4.13: 54 files, 5.2M, built in 51 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ gpg --version
gpg (GnuPG) 1.4.13
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

2. Generating a New Key

Here’s how to generate a new key, accepting all the defaults:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
$ gpg --gen-key
gpg (GnuPG) 1.4.13; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
gpg: directory `/Users/english/.gnupg' created
gpg: new configuration file `/Users/english/.gnupg/gpg.conf' created
gpg: WARNING: options in `/Users/english/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/Users/english/.gnupg/secring.gpg' created
gpg: keyring `/Users/english/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
 
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
 
Real name: Mike English
Email address: mike.english@example.com
Comment: Junk key for blogpost
You selected this USER-ID:
    "Mike English (Junk key for blogpost) <mike.english@example.com>"
 
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
 
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
............+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
........+++++
......+++++
gpg: /Users/english/.gnupg/trustdb.gpg: trustdb created
gpg: key 810681E9 marked as ultimately trusted
public and secret key created and signed.
 
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/810681E9 2013-09-19
      Key fingerprint = 4ADF DB89 FC3D CC41 7CC1  FFB4 1138 9CAA 8106 81E9
uid                  Mike English (Junk key for blogpost) <mike.english@example.com>
sub   2048R/9857CF87 2013-09-19
 
$

3. Signing

First something to sign:

1
2
3
4
5
6
7
$ cat > important_message.txt
This is an important message.
You will want to know that it is really from me.
You will also want to know that it has arrived intact, without any tampering.
By signing it, I can assure you (so long as you already trust that I control the private key I will use).
 
$

Then we can sign it:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ gpg --clearsign important_message.txt
 
You need a passphrase to unlock the secret key for
user: "Mike English (Junk key for blogpost) <mike.english@example.com>"
2048-bit RSA key, ID 810681E9, created 2013-09-19
 
$ cat important_message.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
This is an important message.
You will want to know that it is really from me.
You will also want to know that it has arrived intact, without any tampering.
By signing it, I can assure you (so long as you already trust that I control the private key I will use).
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
 
iQEcBAEBAgAGBQJSO73pAAoJEBE4nKqBBoHpB94H/3p5QvHi7kkVxQ6a936r+Weo
Jiy+blzVsMRCQzhjtQ1dm/VZIA13gGSSatQDfPfLTwDbQ3T261W5kr3+S3AoeBEr
Kf1taidyZEUlr8WXoFERJb2TefzLwL4uJTsYTh32pRjX64sc02ckyV334/o4KleU
Gkxv6o3UqmsH5bj5S4wEd/8TvXvizZyhy42JdKOxFoFz47flKLkJy7wWwmIhRu/w
SkNQVlSZzUBcueJmOWFY5nqW96glyiRsh4Yjg07Y5Qt257Lqkt3s+tKYkR3bF3QM
kVWwzidQAllajP+a0JUgWzmsMocVQvd6Gm3lO8CpxlIpetkK1uq1NaCIcCR9RIQ=
=v1O6
-----END PGP SIGNATURE-----
$

4. Encryption

Something to encrypt:

1
2
3
4
$ cat > secret_message.txt
This is a secret message.
It is important that you be the only one to read it.
I will encrypt this message with your public key so that you can decrypt it with your private key.

Choose a recipient from our public keyring (In this case, ourselves):

1
2
3
4
5
6
$ gpg --list-keys
/Users/english/.gnupg/pubring.gpg
---------------------------------
pub   2048R/810681E9 2013-09-19
uid                  Mike English (Junk key for blogpost) <mike.english@example.com>
sub   2048R/9857CF87 2013-09-19

And then encrypt the message:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ gpg -r mike.english@example.com --armor --encrypt secret_message.txt
$ cat secret_message.txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.13 (Darwin)
 
hQEMAzCAW/+YV8+HAQf9GoxHtvWMtgSdRxfg+0p1foglWzbIpy2FYOziVyivmCAq
1Q/rH1FbmbqXYjwadwD03KkSsg5fTo+BpaZs6THxO9ADRj+kYp+wmJE4c7J/QXY7
TcvURbo/H9lv9CVRRrL8ovv6S1O3RHsvMF7CU7AtYoXqCmOLrDM30Du/j/kanhWF
2H9znYyfWnhJ5d7JRQ95n9ZmwU+OtloWPay3pFM++40mbSEjNvUrwDhqK+GKvoit
Te3EBtLyonXwwel7coWIbL2Bz1083DzBL0b5D4nyGNEIDL3SEsnfMIHa944LZXIu
OWdrioWr2ivMhR4fuV1fQuTImn710Fpb8DS8b5TRtNK/AUHrxPCXeV4WycI8nbwa
KzsdO/zgjM1yvTEJUR26luEgYbd9Bcip/0FOWab18GRJMgdC4keXGPRds9Gtip5a
2QWW7KDXfYts+ODVi19juJp6kSz9D/TwMtX1gq+5J1+OGvY7FMNZQiiuxD+VXpgP
B0GkJS2dmIrz+81hj7RMq1+iziyfQ3rooNW9r+Mh/B5W00I8/VKo/A65i4P1WLgJ
pBvg6I30su8p8Y8RBa3EEsAEYAcpVUGe1s3lU1N+KM4=
=gyNk
-----END PGP MESSAGE-----
$

5. Decryption

Since we have the matching private key…

1
2
3
4
5
6
7
8
9
10
11
$ gpg -d secret_message.txt.asc
 
You need a passphrase to unlock the secret key for
user: "Mike English (Junk key for blogpost) <mike.english@example.com>"
2048-bit RSA key, ID 9857CF87, created 2013-09-19 (main key ID 810681E9)
 
gpg: encrypted with 2048-bit RSA key, ID 9857CF87, created 2013-09-19
      "Mike English (Junk key for blogpost) <mike.english@example.com>"
This is a secret message.
It is important that you be the only one to read it.
I will encrypt this message with your public key so that you can decrypt it with your private key.

…we are able to decrypt this secret message:

1
2
3
4
5
6
7
8
9
10
11
12
13
$ gpg -d secret_message.txt.asc
 
You need a passphrase to unlock the secret key for
user: "Mike English (Junk key for blogpost) <mike.english@example.com>"
2048-bit RSA key, ID 9857CF87, created 2013-09-19 (main key ID 810681E9)
 
gpg: encrypted with 2048-bit RSA key, ID 9857CF87, created 2013-09-19
      "Mike English (Junk key for blogpost) <mike.english@example.com>"
This is a secret message.
It is important that you be the only one to read it.
I will encrypt this message with your public key so that you can decrypt it with your private key.
 
$

how to export keys: (public and private)

that is used for transfer of key-pairs between programs and systems…

# list all installed keys (keys known to the system)
gpg --list-keys

Export Public Key

This command will export an ascii armored version of the public key:

gpg --output to-this-file.public.pgp.key --armor --export username@email
# or
KEYID=KEYID9JFFJ8DFFDS7JCU6DOU4FI2OFD
gpg --output $KEYID.public.pgp.key --armor --export $KEYID

(for whatever reason it DOES NOT WORK if the –output option is put at the end of the command!? unify & simplify! simplify! simplify!)

Export Secret Key

This command will export an ascii armored version of the secret key:

gpg --output to-this-file.private.pgp.key --armor --export-secret-key username@email
# or
KEYID=KEYID9JFFJ8DFFDS7JCU6DOU4FI2OFD
gpg --output $KEYID.private.pgp.key --armor --export-secret-key $KEYID

Security Concerns, Backup, and Storage

A PGP public key contains information about one’s email address. This is generally acceptable since the public key is used to encrypt email to your address. However, in some cases, this is undesirable.

For most use cases, the secret key need not be exported and should not distributed. If the purpose is to create a backup key, you should use the backup option:

gpg --armor --export-secret-keys --export-options export-backup user@email --output backupkeys.pgp

This will export all necessary information to restore the secrets keys including the trust database information. Make sure you store any backup secret keys off the computing platform and in a secure physical location.

If this key is important to you, I recommend printing out the key on paper using paperkey. And placing the paper key in a fireproof/waterproof safe.

Public Key Servers

In general, it’s not advisable to post personal public keys to key servers. There is no method of removing a key once it’s posted and there is no method of ensuring that the key on the server was placed there by the supposed owner of the key.

It is much better to place your public key on a website that you own or control. Some people recommend keybase.io for distribution. However, that method tracks participation in various social and technical communities which may not be desirable for some use cases.

For the technically adept, I personally recommend trying out the webkey domain level key discovery service.

 

  • List the keys you have:
    gpg --list-secret-keys
  • Export the key:
    gpg --export-secret-key name > ~/my-key.asc
  • Copy it on another machine;
  • Import the key:
    gpg --import my-key.asc

 

To

export

SOMEKEYID public key to an

output

file:

gpg --output public.pgp --export SOMEKEYID

When working with secret keys it’s generally preferable not to write them to files and, instead, use SSH to copy them directly between machines using only

gpg

and a pipe:

gpg --export-secret-key SOMEKEYID | ssh othermachine gpg --import

If you must, however, output your secret key to a file please make sure it’s encrypted. Here’s how to accomplish that using AES encryption using the Dark Otter approach:

gpg --output public.gpg --export SOMEKEYID && \
gpg --output - --export-secret-key SOMEKEYID |\
    cat public.gpg - |\
    gpg --armor --output keys.asc --symmetric --cipher-algo AES256

The last approach is ideal if you want to create a physical back-up of your public and private keys to safeguard against a disk failure when no other way exists to regain access to your keys.

creditz: https://newbedev.com/how-to-export-a-gpg-private-key-and-public-key-to-a-file

manpage:

gpg.man.txt

man.pgpgpg.txt

errors & troubles:

“gpg: WARNING: unsafe permissions on homedir”

chmod 600 ~/.gnupg/*
chmod 700 ~/.gnupg

Links:

once more: verify files with pgp – f-droid.org verify apk download gpg signature asc sig – md5sum and sha512sum linphone app

liked this article?

  • only together we can create a truly free world
  • plz support dwaves to keep it up & running!
  • (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
  • really really hate advertisement
  • contribute: whenever a solution was found, blog about it for others to find!
  • talk about, recommend & link to this blog and articles
  • thanks to all who contribute!
admin