GNUPG - command line tutorial


From Linuxconfig.org


This quick tutorial covers GNUPG (The GNU Privacy Guard). It starts with generating a GNUPG public/private key pair, then covers encrypting and decrypting data, exporting and importing GNUPG public keys, and signing data or public keys with private keys. Although Debian Linux is used throughout this tutorial, the same command line syntax applies to other Linux distributions such as Red Hat, Mandriva, SuSE Linux and others.



Scenario


For this tutorial you will use two hosts connected via LAN. One host is named "linuxconfig.org" and the second host is called "linuxconfig.local". You will generate public keys on each host, exchange them between the two hosts, and then exchange encrypted data.

If you get confused about which command is being executed on which host, refer to the "linuxconfig.local" and "linuxconfig.org" prompts in the command line snapshots throughout this article.

Even though this scenario is written in a step-by-step format, you can also jump around and use it as a quick reference guide to find the information you need.

Generate GNUPG PKI pairs (Public/Private Key Pair)

Here we assume that you have already installed gnupg on your PC, either from source code or with the package management tool that comes with your Linux distribution. To make sure that gnupg is installed on your Linux box, run this command:

$ gpg --version
Image:gnupg_01.gif

From the figure above we can see that gnupg is installed and that the user's gnupg keys are kept in the hidden ~/.gnupg directory. Let's generate the keys for our hosts.

Generate PKI pair for linuxconfig.local

$ gpg --gen-key
Image:gnupg_02.gif

Select the key size. The default is 2048 bits.

Image:gnupg_03.gif

When will this key expire? The default value is 0, which means that the key will never expire. You can also choose values such as:

  • 2w - 2 weeks
  • 10m - 10 months
  • 20y - 20 years
Image:gnupg_04.gif

Enter your desired user name and passphrase. In this example we do not use a passphrase. Whether to use a passphrase depends purely on you and your situation: it protects the private key file if someone else gets hold of it, and it can be changed at any time, so you can keep it blank for now.

Image:gnupg_05.gif
Image:gnupg_06.gif

You can do some useful things to help gnupg generate the key pair: moving the mouse or browsing the internet will help generate the random bits it needs.

Image:gnupg_07.gif

Generate PKI pair for linuxconfig.org

$ gpg --gen-key

In this case follow the same steps as in the example above. The only differences will be the Real Name you enter and the generated fingerprint.

Image:gnupg_08.gif
Image:gnupg_09.gif

List generated PKI pairs

$ gpg --list-keys

Generated keys for linuxconfig.org

Image:gnupg_10.gif

Generated keys for linuxconfig.local

Image:gnupg_11.gif

List generated PKI pairs and fingerprints

$ gpg --fingerprint

Fingerprint for linuxconfig.org

Image:gnupg_12.gif

Fingerprint for linuxconfig.local

Image:gnupg_13.gif

Export and Import Public keys

Here you are going to exchange public keys between linuxconfig.local and linuxconfig.org.

Export Public key for linuxconfig.local

$ gpg --export --armor -o linuxconfig.local.acs.pub

You can cat the content of linuxconfig.local.acs.pub to see the armored public key.

Image:gnupg_14.gif

Import Public key on linuxconfig.org

Since this is a public key, you can use any secure or insecure method to transfer it between the hosts; in this case you will use scp to transfer the file. Whatever method you use, compare the key's fingerprint (gpg --fingerprint) on both hosts after the import to make sure the key was not altered in transit.

Image:gnupg_15.gif

Once the public key file is ready on your remote host you can use gpg to import it:

$ gpg --import  /tmp/linuxconfig.local.acs.pub
Image:gnupg_16.gif

Import public key from key server

You can also fetch public keys from public key servers. All you need is an internet connection and the ID of the public key that you would like to import. The (short) ID of a public key consists of the last 8 hexadecimal digits of the key fingerprint. So if the key fingerprint is 107E E4B5 D69C F9A7 404A C291 9C9A AB18 764E B08F, the ID is 764EB08F. Note that different keys can share the same 8-digit ID, so always compare the full fingerprint of the imported key with the one you were given. To import this key from the key server you can use the following command:

$ gpg --keyserver pgp.mit.edu --recv-keys 0x764eb08f

NOTE: Key servers are synchronized, which means that if you upload a key to pgp.uni-mainz.de you can fetch the same public key from pgp.mit.edu. However, it takes time until the servers become synchronized, so be patient.

Signing public key

Let's say that someone asked you to sign his/her public key. In this case he or she needs to provide you with the public key fingerprint or key ID and some kind of credentials, such as a driver's license or passport, from which you can see that the person asking you to sign the key is who they claim to be.

IMPORTANT:
What you should NOT do!
  • you should NOT sign a key for somebody whom you have never met in person.
  • you should NOT sign a key if you are not 100% sure who this person is.
  • never sign a key for someone you have met only on the internet.

If you do not stick to these simple rules, you can destroy the Web of Trust on which the whole pgp and gnupg mechanism is based.

Previously you imported the linuxconfig.local public key into the key chain on linuxconfig.org. Let's see if the key was really imported:

$ gpg --list-key
Image:gnupg_17.gif

As you can see the public key for linuxconfig@linuxconfig.local was imported so now you can sign it:

$ gpg --sign-key 764EB08F
Image:gnupg_18.gif

The process of signing a key is not finished yet: now you need to export the signed key and send it to the owner.

$ gpg --export --armor -o linuxconfig@linuxconfig.local_signed_asc.pub 764EB08F

NOTE: Do not upload a signed key to a key server. Not everyone wishes to have their public key listed on a key server. All you need to do at this stage is to send the linuxconfig@linuxconfig.local_signed_asc.pub file to the key's owner via email.

Import signed key

If someone else has signed your public key you can import it with:

$ gpg --import linuxconfig@linuxconfig.local_signed_asc.pub

Which is exactly the same process as importing any other key.

Image:gnupg_19.gif

List signatures

$ gpg --list-sigs
Image:gnupg_20.gif

If you cannot see the user who signed your key, import his/her public key; until you do, gpg will report that the User ID was not found. After the key is imported you can see who has signed your public key. See the figure below:

Image:gnupg_21.gif

All you need to do now is export your newly signed public key to a key server, which is the same export process as in the section above.

Encrypt, Decrypt and sign data

Encrypting data

You can encrypt data with your public key, which means that only you, using your private key, will be able to decrypt it. First you need to create a file:

$ echo "Top-Secret file" > secret.txt
Image:gnupg_22.gif

Here you will encrypt the secret.txt file with each of the two public keys in turn. You should be able to decrypt only the file that was encrypted for linuxconfig@linuxconfig.org, because only the private key for linuxconfig@linuxconfig.org is present on this box. Let's prove it. If you are not sure of the recipient ID, you can always run:

$ gpg --list-key

The options used below are:

  • -r : the recipient, i.e. which public key to encrypt the data with.
  • -o : the output file. You do not have to use the same name and extension as below; it can be anything.

$ gpg --encrypt -r linuxconfig@linuxconfig.local -o 764EB08F_secret.txt.gpg secret.txt
$ gpg --encrypt -r linuxconfig@linuxconfig.org -o C771CD2B_secret.txt.gpg secret.txt
Image:gnupg_23.gif

Decrypting data

$ gpg --decrypt -o secret.txt 764EB08F_secret.txt.gpg
Image:gnupg_24.gif

The private key for linuxconfig@linuxconfig.local is not available on this host, so you cannot decrypt this file.

$ gpg --decrypt -o secret.txt C771CD2B_secret.txt.gpg

This is what a successful decryption looks like:

Image:gnupg_25.gif

Sign Encrypted data

Encryption alone does not give you non-repudiation, which means that before you completely trust the data you have received you also need to be sure who sent it. To encrypt data for the recipient linuxconfig@linuxconfig.local and sign it with the private key of linuxconfig@linuxconfig.org, issue the command:

$ gpg --sign --encrypt -r linuxconfig@linuxconfig.local -o 764EB08F_secret.txt.gpg secret.txt
Image:gnupg_26.gif

Now we can transfer the 764EB08F_secret.txt.gpg file to linuxconfig.local to see if we can decrypt it. Note the signature statement in the figure below.

Image:gnupg_27.gif

Signature Verification

Sometimes you will receive data together with a separate signature file. Here you will see how to create a detached signature for a specific encrypted file and how to verify that signature.

Create detached signature

Previously you signed and encrypted the file secret.txt; the output was 764EB08F_secret.txt.gpg. This is how to create a detached signature of that file:

$ gpg -b --armor 764EB08F_secret.txt.gpg
Image:gnupg_28.gif

Verify detached signature

Once you have transferred both files to the linuxconfig.local host you can verify the signature against the encrypted file.

$ gpg --verify 764EB08F_secret.txt.gpg.asc 764EB08F_secret.txt.gpg
Image:gnupg_29.gif

Increase the trust level of a public key

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This warning is what you get when your gpg does not trust the imported public key: the signature itself is good, but nobody whose certification you trust has signed the key. You can edit the trust level with the edit-key command, using its trust subcommand at the gpg> prompt:

$ gpg --edit-key C771CD2B
Image:gnupg_30.gif
Image:gnupg_31.gif
Image:gnupg_32.gif

Let's run the verify command again to see if the public key is now fully trusted:

Image:gnupg_33.gif
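The whole workflow above (key generation, export/import with a fingerprint check, key signing, sign+encrypt, detached signature, verify, trust, decrypt) run end to end as one script. This is an added example and not part of the original article: it assumes GnuPG 2.1 or newer, uses two temporary GNUPGHOME directories in place of the two hosts, and uses the non-interactive --quick-* commands in place of the interactive --gen-key, --sign-key and --edit-key prompts shown in the figures.

```shell
#!/bin/sh
# Added example, not from the original article: the article's workflow run
# non-interactively between two throwaway keyrings that stand in for the
# hosts linuxconfig.org and linuxconfig.local. Assumes GnuPG 2.1 or newer.
set -eu
# Run gpg against one host's keyring ($1) in batch mode with an empty
# passphrase, matching the article's passphrase-less keys.
g() { _h=$1; shift; GNUPGHOME="$_h" gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }
# Full 40-hex-digit fingerprint of the primary key for user ID $2 in keyring $1.
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ { print $10; exit }'; }

run_demo() {
  DEMO_STATUS=failed
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; DEMO_STATUS=skipped; return 0; }
  w=$(mktemp -d); org="$w/org"; loc="$w/local"; mkdir -m 700 "$org" "$loc"
  trap 'for h in "$org" "$loc"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$w"' EXIT

  # 1. One never-expiring key pair per host (the article's defaults).
  g "$org" --quick-gen-key 'Linuxconfig Org <linuxconfig@linuxconfig.org>' default default never
  g "$loc" --quick-gen-key 'Linuxconfig Local <linuxconfig@linuxconfig.local>' default default never

  # 2. Export .local's public key, import it on .org, and check that the imported
  #    copy's fingerprint matches the original before relying on it.
  g "$loc" --export --armor -o "$w/local.pub" linuxconfig@linuxconfig.local
  g "$org" --import "$w/local.pub"
  [ "$(fpr "$org" linuxconfig@linuxconfig.local)" = "$(fpr "$loc" linuxconfig@linuxconfig.local)" ]

  # 3. An imported but uncertified key is "not certified with a trusted
  #    signature": in batch mode gpg refuses to encrypt to it at all.
  echo "Top-Secret file" > "$w/secret.txt"
  if g "$org" --encrypt -r linuxconfig@linuxconfig.local -o "$w/x.gpg" "$w/secret.txt" 2>/dev/null
  then echo "unexpected: encrypted to an uncertified key"; return 1; fi

  # 4. Certify the key (the article's --sign-key step), then sign+encrypt the
  #    file and make a detached signature of the result, as the article does.
  g "$org" --quick-sign-key "$(fpr "$org" linuxconfig@linuxconfig.local)"
  g "$org" --sign --encrypt -r linuxconfig@linuxconfig.local -o "$w/secret.gpg" "$w/secret.txt"
  g "$org" -b --armor -o "$w/secret.gpg.asc" "$w/secret.gpg"

  # 5. On .local: import .org's public key, verify the detached signature (good,
  #    but with the article's "not certified" warning), raise the key's trust
  #    with a local signature, then decrypt and compare with the original.
  g "$org" --export --armor -o "$w/org.pub" linuxconfig@linuxconfig.org
  g "$loc" --import "$w/org.pub"
  g "$loc" --verify "$w/secret.gpg.asc" "$w/secret.gpg"
  g "$loc" --quick-lsign-key "$(fpr "$loc" linuxconfig@linuxconfig.org)"
  g "$loc" --decrypt -o "$w/plain.txt" "$w/secret.gpg"
  [ "$(cat "$w/plain.txt")" = "Top-Secret file" ] && DEMO_STATUS=ok
}
run_demo
```

Save it to a file and run it with sh; the refused encryption in step 3 and the "not certified" warning printed in step 5 are expected, and are exactly the trust problem the last section of the article fixes.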
