Scratching the surface of GPG
2015-09-11
This post is really just a reference to document my beginnings with GPG, so that I can refer to it in the future. The GNU Privacy Handbook is a great reference.
On OS X, GPG isn’t installed by default, so install it:
MacOSX> brew install gpg
Generate a new key pair
Generate yourself a new keypair:
MacOSX> gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
Accept all the defaults for now and enter your personal information when prompted:
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Anthony Wolski
Email address: anthony.wolski@email.com
Comment: No comment
You selected this USER-ID:
"Anthony Wolski (No comment) <anthony.wolski@bogusemail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Enter passphrase:
You can verify that the key was generated by using the --list-keys argument:
MacOSX> gpg --list-keys
pub 2048R/C2B16D05 2015-09-11
uid Anthony Wolski (No comment) <anthony.wolski@email.com>
sub 2048R/90BF6AD2 2015-09-11
Now you should follow the instructions in the GPG manual to generate a revocation certificate. I’ll leave that as a task for you.
Export a public key
In order to communicate with others you need to give them your public key. The way GPG works is that when somebody wants to send you an encrypted message, they encrypt the document or message using your public key. Only the holder of the matching private key can decrypt that document or message. So first, you must export your public key.
MacOSX> gpg --armor --output awolski.gpg --export anthony.wolski@email.com
MacOSX> cat awolski.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQENBFXymgEBCACkmLhIHh6QnC7fzql4EttTcopIeejyfHFwzLYFtBd0fsywOQOA
RhUI4B/+8QQkgJ3H0OvcITr0i/kgqZu7+9NsJL7YNDWzE4xKIj6MO+h+GdUhTq4E
ZtHgfE5vy8vGREfup0YIYAdjJjVp/LZv4mmbpCTXT/mUbcywhQ8wqs5r2xtxJZ7t
9pXmP+TlDPursQZt/MkCGxl4XSPQbrrBe9FDa8/R1YVc7SaD8R7p/EeyS2v0a/oM
DWKU4eAETsqi/GKx1B38ObKZuoRe45qQ9Zd/n4KV+++uj5yy+IvWmxDU6vQ8UQVH
3yiPC68wTsPmwvyyZw/ViN2XmaCO/5N5gKD7ABEBAAG0O0FudGhvbnkgV29sc2tp
IChObyBjb21tZW50KSA8YW50aG9ueS53b2xza2lAYm9ndXNlbWFpbC5jb20+iQE4
BBMBAgAiBQJV8poBAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAzU1dV
wrFtBa2bCACGII7PqA3tLejRDlH9r7arza3HZK/7N3MWZpErtizwT3RxgLJeZ6eg
EmT/q8k5FMtEei56pS2gpvorHc4HXoPRPJxg7ox5LUQzj8wmNQEbKnVfmzo01Bnf
wWbLV4CY469re3haZ+/ylRNLYgYJD7uYu+twGuaGYBAQX1IlZ+3z9l0BFDibjI3U
Hl/RVMNMpZjYX8rf94qBkKjfplCpUsI90M5TtrQYvWLtMEb06L1aA5IKDNY+baBn
nN5XtVyAEvrHtFmATmAA8CrbrmZiMJNkF4j+aJaUO2kKANNXlsY8DzIfKhPNl22F
IfT+jfmeiHauleVgNtO/Ssl1Oja0T9ufuQENBFXymgEBCAC04NV1B2BRBaqOLVbt
mBMzj5XH9nu6XX+m7zXhX1wzi3+Y4cM6O1Ec32T+VCQcsqyoo4I2w/nn60WvTQUV
0LTaAHhRZiycnRCD0dpRAcZyNRKF+4yinsu5ZmWBsXExU/OPt0sL07vDLWat9UZV
O2WXQko5kZmAbjMVoARvP+KDkgYRzDUkBaN2gBcPNEv/gqlQlvIsw4QYvg0PD+HQ
C+Sp/+iwOV92Mcn1ZQmGK+yWUrGtF9JMZxAr52vql9NPsTjYQtOjgpQuGfaCYiWA
pfcWNFgmBn8B6JQ1rYC1UDuEU1CKdM4UC0XszfDH1Z77YZgSM82QiODcKU8ZmMTk
2wHxABEBAAGJAR8EGAECAAkFAlXymgECGwwACgkQM1NXVcKxbQWPLQf/VbSwXCgx
fXAv6hTm3dL+oEmzHgdg+4x+pPctWGXcbf9EXmK5RXlFjvtPbSdxtR4rCbGDTBvs
jcQKh2Hmsqj4M4IBOS/O3oK0A5o+JTpWcjFE7XOAHi+gFESilESKGzg8Sc3BZJ3W
9ZuBFWMhrK5yDYVmP26RBTjlJUDwi6HalNBMbKidjia9M1JGsyLYvewoOoqIBA/g
5ueoscr8mDY8GDpmIvnVxcL06rLwS5sAUOqs6XjUjc1t75O7efjoIvhZcsCAIgRn
2OiI+jIJUkw3iZfAiLc8gSUqkV8hf59ovoYemDoPI9T1XNwwDmedtmFVw9uN61Mc
jtxD8Y9FdYeFvA==
=7i5A
-----END PGP PUBLIC KEY BLOCK-----
Now send that key to someone you want to be able to communicate with securely. With your public key, they’ll be able to encrypt messages or documents, send them to you in encrypted form, and you, and only you, will be able to decrypt them using your private key.
Import a public key
You’ll need to import the public key of anyone you want to send encrypted messages to. To demonstrate the process, I booted up a Vagrant machine and created a private keypair on the VM. Then I imported the public key I created previously.
VagrantVM> gpg --import /vagrant/awolski.gpg
gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
gpg: key C2B16D05: public key "Anthony Wolski (No comment) <anthony.wolski@email.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Note that /vagrant on the VM is a default synced folder from my OS X host to the VM, and I’d copied the exported public key to the directory where my Vagrantfile resides. I’d also run vagrant ssh to get into the machine.
The documentation states that once the key is imported it should be validated. See the documentation above on how to do that, but effectively you run gpg with --edit-key, confirm the fingerprint it prints, and then sign the key.
VagrantVM> gpg --edit-key anthony.wolski@email.com
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
...
pub 2048R/C2B16D05 created: 2015-09-11 expires: never usage: SC
trust: unknown validity: unknown
sub 2048R/90BF6AD2 created: 2015-09-11 expires: never usage: E
[ unknown] (1). Anthony Wolski (No comment) <anthony.wolski@bogusemail.com>
gpg> sign
pub 2048R/C2B16D05 2015-09-11 Anthony Wolski (No comment) <anthony.wolski@bogusemail.com>
Primary key fingerprint: A510 7F0A 02A9 15DC 03FE E187 3353 5755 C2B1 6D05
...
Are you really sure that you want to sign this key with your key: "Anthony Wolski (No comment) <anthony.wolski@email.com>"
Really sign?
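The fingerprint gpg printed at the sign prompt is not stored anywhere in the key: it is computed from the public key packet, and the short key ID C2B16D05 in the --list-keys output is just its last eight hex digits. The script below is an added example, not part of the original post. It recomputes that fingerprint from the armored block exported above using nothing but GNU coreutils (base64, od, head, sha1sum are assumed to be the GNU versions), which is also a way to check a key file someone sent you against a fingerprint obtained out of band before importing it. The key block and the expected fingerprint are the ones shown in this post.

```shell
#!/bin/sh
# Added example, not code from the original post: recompute the fingerprint
# that the "sign" prompt above printed, from the armored key exported earlier,
# using only GNU coreutils (base64, od, head, sha1sum) so the structure behind
# the number is visible. The key block and the expected fingerprint are the
# ones shown in this post.

EXPECTED_FPR="A5107F0A02A915DC03FEE18733535755C2B16D05"

# Strip the armor from stdin: drop the BEGIN/END lines, "Header: value"
# lines, the blank separator and the "=XXXX" CRC-24 trailer, then decode.
dearmor() {
    sed -n '/^-----BEGIN PGP/,/^-----END PGP/p' \
        | grep -v -e '^-----' -e ':' -e '^=' -e '^$' \
        | base64 -d
}

# First 8 bytes of the dearmored file $1, e.g. "99 01 0d 04 55 f2 9a 01":
# 0x99 = old-format header, tag 6 (public key), 2-byte length; 0x010d = 269
# bytes of body; then version 4 and the creation time 0x55f29a01 (2015-09-11).
key_packet_header() {
    od -An -tx1 -N8 "$1" | tr -s ' ' | sed 's/^ //'
}

# RFC 4880 12.2: a v4 fingerprint is SHA-1 over 0x99, the two-byte big-endian
# body length and the body itself. GnuPG writes the packet with exactly that
# header, so the hash input is simply the first 3 + length bytes of file $1.
v4_fingerprint() {
    set -- "$1" $(od -An -tu1 -N3 "$1")    # $2 = CTB, $3 $4 = length bytes
    [ "$2" -eq 153 ] || { echo "first packet is not a public key with 2-byte length" >&2; return 1; }
    head -c $(( 3 + $3 * 256 + $4 )) "$1" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'
}

# The short key ID gpg shows as "2048R/C2B16D05" is just the last 32 bits of
# the fingerprint, which is why only the full fingerprint should be compared.
short_key_id() {
    printf '%s' "$1" | tail -c 8
}

# Decode the block from the post and compare with the fingerprint gpg showed.
check_exported_key() {
    tmp=$(mktemp) || return 1
    cat <<'EOF' | dearmor > "$tmp"
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBFXymgEBCACkmLhIHh6QnC7fzql4EttTcopIeejyfHFwzLYFtBd0fsywOQOA
RhUI4B/+8QQkgJ3H0OvcITr0i/kgqZu7+9NsJL7YNDWzE4xKIj6MO+h+GdUhTq4E
ZtHgfE5vy8vGREfup0YIYAdjJjVp/LZv4mmbpCTXT/mUbcywhQ8wqs5r2xtxJZ7t
9pXmP+TlDPursQZt/MkCGxl4XSPQbrrBe9FDa8/R1YVc7SaD8R7p/EeyS2v0a/oM
DWKU4eAETsqi/GKx1B38ObKZuoRe45qQ9Zd/n4KV+++uj5yy+IvWmxDU6vQ8UQVH
3yiPC68wTsPmwvyyZw/ViN2XmaCO/5N5gKD7ABEBAAG0O0FudGhvbnkgV29sc2tp
IChObyBjb21tZW50KSA8YW50aG9ueS53b2xza2lAYm9ndXNlbWFpbC5jb20+iQE4
BBMBAgAiBQJV8poBAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAzU1dV
wrFtBa2bCACGII7PqA3tLejRDlH9r7arza3HZK/7N3MWZpErtizwT3RxgLJeZ6eg
EmT/q8k5FMtEei56pS2gpvorHc4HXoPRPJxg7ox5LUQzj8wmNQEbKnVfmzo01Bnf
wWbLV4CY469re3haZ+/ylRNLYgYJD7uYu+twGuaGYBAQX1IlZ+3z9l0BFDibjI3U
Hl/RVMNMpZjYX8rf94qBkKjfplCpUsI90M5TtrQYvWLtMEb06L1aA5IKDNY+baBn
nN5XtVyAEvrHtFmATmAA8CrbrmZiMJNkF4j+aJaUO2kKANNXlsY8DzIfKhPNl22F
IfT+jfmeiHauleVgNtO/Ssl1Oja0T9ufuQENBFXymgEBCAC04NV1B2BRBaqOLVbt
mBMzj5XH9nu6XX+m7zXhX1wzi3+Y4cM6O1Ec32T+VCQcsqyoo4I2w/nn60WvTQUV
0LTaAHhRZiycnRCD0dpRAcZyNRKF+4yinsu5ZmWBsXExU/OPt0sL07vDLWat9UZV
O2WXQko5kZmAbjMVoARvP+KDkgYRzDUkBaN2gBcPNEv/gqlQlvIsw4QYvg0PD+HQ
C+Sp/+iwOV92Mcn1ZQmGK+yWUrGtF9JMZxAr52vql9NPsTjYQtOjgpQuGfaCYiWA
pfcWNFgmBn8B6JQ1rYC1UDuEU1CKdM4UC0XszfDH1Z77YZgSM82QiODcKU8ZmMTk
2wHxABEBAAGJAR8EGAECAAkFAlXymgECGwwACgkQM1NXVcKxbQWPLQf/VbSwXCgx
fXAv6hTm3dL+oEmzHgdg+4x+pPctWGXcbf9EXmK5RXlFjvtPbSdxtR4rCbGDTBvs
jcQKh2Hmsqj4M4IBOS/O3oK0A5o+JTpWcjFE7XOAHi+gFESilESKGzg8Sc3BZJ3W
9ZuBFWMhrK5yDYVmP26RBTjlJUDwi6HalNBMbKidjia9M1JGsyLYvewoOoqIBA/g
5ueoscr8mDY8GDpmIvnVxcL06rLwS5sAUOqs6XjUjc1t75O7efjoIvhZcsCAIgRn
2OiI+jIJUkw3iZfAiLc8gSUqkV8hf59ovoYemDoPI9T1XNwwDmedtmFVw9uN61Mc
jtxD8Y9FdYeFvA==
=7i5A
-----END PGP PUBLIC KEY BLOCK-----
EOF
    echo "packet header: $(key_packet_header "$tmp")"
    fpr=$(v4_fingerprint "$tmp")
    rm -f "$tmp"
    echo "fingerprint:   $fpr (key ID $(short_key_id "$fpr"))"
    [ "$fpr" = "$EXPECTED_FPR" ]
}

check_exported_key
```

Run it as a plain sh script; it prints the packet header bytes, the recomputed fingerprint and the derived key ID, and exits 0 only when the fingerprint equals the one gpg displayed at the sign prompt. To check a key file you received, pipe it through dearmor and pass the result to v4_fingerprint instead of the embedded block.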
Now it’s time to encrypt something to send (to yourself!).
Encrypting a document
Now I’m going to create a document that I need to send securely:
VagrantVM> echo "Really secret info" > secret.txt
VagrantVM> cat secret.txt
Really secret info
And then encrypt it:
VagrantVM> gpg --output secret.txt.gpg --encrypt --recipient anthony.wolski@email.com secret.txt
We can verify that the contents of the output file have indeed been encrypted:
VagrantVM> cat secret.txt.gpg
�Emd=+��zKy��*�VՏɮ
Decrypting a document
I copied the encrypted file back to my host machine where I originally created my keypair. I can decrypt the file like so:
MacOSX> gpg --output secret.txt --decrypt secret.txt.gpg
MacOSX> cat secret.txt
Really secret info
And there you have it: the original contents of the secret file, unencrypted.
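The same import, validate, encrypt and decrypt round trip, written as an added non-interactive script that is not part of the original post. It assumes GnuPG 2.1 or later, because the %no-protection batch directive and --quick-lsign-key do not exist in the 1.4 release shown above, and it uses two throw-away GNUPGHOME directories in place of the OS X host and the Vagrant VM. The host's name and address are the ones from the post; the VM user "Vagrant User <vagrant@example.invalid>" is made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: the import/encrypt/decrypt
# round trip from above, run non-interactively with two throw-away GNUPGHOME
# directories standing in for the OS X host and the Vagrant VM.
# Assumes GnuPG 2.1 or later (the %no-protection batch directive and
# --quick-lsign-key are not in the 1.4 release the post used).

# Generate an RSA key pair with no passphrase in home $1 for "$2 <$3>".
# (Fine for a disposable test key; a real key should have a passphrase.)
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Full fingerprint (40 hex digits) of the key in home $1 that matches $2.
key_fpr() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Returns 0 when the text encrypted on the "VM" is what the "host" decrypts.
gpg_round_trip() {
    work=$(mktemp -d) || return 1
    host="$work/host"; vm="$work/vm"
    mkdir -m 700 "$host" "$vm"

    # Host: generate the key pair and export the public key, as in the post.
    gen_key "$host" "Anthony Wolski" "anthony.wolski@email.com"
    fpr=$(key_fpr "$host" "anthony.wolski@email.com")
    GNUPGHOME="$host" gpg --batch --armor --output "$work/awolski.gpg" --export "$fpr"

    # VM: make its own key pair, import the host's public key, compare the
    # imported fingerprint with the one obtained out of band (here: straight
    # from the host), and only then sign it. A local signature (lsign) makes
    # the key valid for this keyring without publishing the certification.
    gen_key "$vm" "Vagrant User" "vagrant@example.invalid"
    GNUPGHOME="$vm" gpg --batch --quiet --import "$work/awolski.gpg"
    [ "$(key_fpr "$vm" "anthony.wolski@email.com")" = "$fpr" ] || {
        echo "fingerprint mismatch: not signing or encrypting" >&2; return 1; }
    GNUPGHOME="$vm" gpg --batch --yes --quick-lsign-key "$fpr"

    # VM: encrypt to the full fingerprint rather than to an e-mail address,
    # so another key carrying the same address cannot be picked up by mistake.
    printf 'Really secret info\n' > "$work/secret.txt"
    GNUPGHOME="$vm" gpg --batch --quiet --output "$work/secret.txt.gpg" \
        --encrypt --recipient "$fpr" "$work/secret.txt"

    # Host: decrypt with the private key and compare with the original.
    GNUPGHOME="$host" gpg --batch --quiet --output "$work/decrypted.txt" \
        --decrypt "$work/secret.txt.gpg"
    if cmp -s "$work/secret.txt" "$work/decrypted.txt"; then status=0; else status=1; fi

    # Stop the per-homedir agents and remove the temporary keyrings.
    GNUPGHOME="$host" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$vm" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $status
}
```

Source the file and run gpg_round_trip; it exits 0 only if the decrypted file is byte-for-byte the original. The fingerprint comparison before --quick-lsign-key is the step the post's manual --edit-key session leaves to the reader: the VM should refuse to sign or encrypt to a key whose fingerprint does not match what the owner gave it.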