GnuPG: How to use it and how you can benefit from it

I just wanted to create a notes for using GnuPG which is a very cool and useful tool in dealing your privacy and secret data in the internet.

$> gpg --gen-key

// to create for your own key

$> gpg --delete-secret-keys myemail@email.com

// where your myemail@email.com is the uid of the key
// first delete the secret keys before deleting the key

$> gpg --delete-key myemail@email.com

// to delete the key

$> gpg --export -a "myemail@email.com" > public.key

// to export and create a file named public.key containing your public key signature. Your public key signature will be used by others so that they can encrypt the file/message from your key but they won't never decrypt it unless you also give them your private key. Only your private key can decrypt such encrypted message from your public key encrypted file/message.

$> gpg --export-secret-key -a "myemail@email.com" > private.key

// this will export a private key which you can use to decrypt your file/message. You must be careful to conceal this for your own safety or you must trust the person you'll be sharing this private key, if you have to and have a valid reason of sharing it.



To import the public key, do,

$ gpg --import public.key
gpg: keyring `/home/geekgogie/.gnupg/secring.gpg' created
gpg: keyring `/home/geekgogie/.gnupg/pubring.gpg' created
gpg: /home/geekgogie/.gnupg/trustdb.gpg: trustdb created
gpg: key 4136418C: public key "Geek Gogie (I am Geek) <myemail@email.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

To import the private key, do

$ gpg --allow-secret-key-import --import private.key 
gpg: key 4136418C: secret key imported
gpg: key 4136418C: "Geek Gogie (I am Geek) <myemail@email.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1


$ gpg -o paul -d paul.gpg 

You need a passphrase to unlock the secret key for
user: "Geek Gogie (I am Geek) <myemail@email.com>"
2048-bit ELG key, ID FEAF0B10, created 2013-07-07 (main key ID 4136418C)

can't connect to `/home/geekgogie/.gnupg/S.gpg-agent': No such file or directory
pinentry-gtk2: no LC_CTYPE known - assuming UTF-8
gpg: encrypted with 2048-bit ELG key, ID FEAF0B10, created 2013-07-07
      "Geek Gogie (I am Geek) <myemail@email.com>"



Then, let's check if the the file is right

[geekgogie@localhost gpg-test]$ file testimage
testimage: JPEG image data, JFIF standard 1.01


If you can see this error below,
can't connect to `/home/geekgogie/.gnupg/S.gpg-agent': No such file or directory

which you can see in the example above, then this link would be very helpful to you, http://www.linuxquestions.org/questions/linux-security-4/gpg-gpg-agent-can't-connect-to-root-gnupg-s-gpg-agent-611843/. What this mean is that, you'll just need to run the gpg as a deamon per se, so running thru daemon would need you to execute the command below,

$> gpg-agent --daemon
GPG_AGENT_INFO=/tmp/gpg-J2Cp4U/S.gpg-agent:2523:1; export GPG_AGENT_INFO;

then you'll just have to copy at as like creating a symbolic link,

$ cp -fs /tmp/gpg-J2Cp4U/S.gpg-agent ~/.gnupg/
[geekgogie@localhost gpg-test]$ ls -alt ~/.gnupg/S.gpg-agent 
lrwxrwxrwx. 1 geekgogie geekgogie 27 Jul  7 22:52 /home/geekgogie/.gnupg/S.gpg-agent -> /tmp/gpg-J2Cp4U/S.gpg-agent

By the way, the S.gpg-agent is just a socket that the daemon has just created.


In Linux with RPM packages like RedHat or CentOS, you can verify using

$ rpm -K filename.rpm

To send your gpg public key to a HPK server,

#> gpg --send-keys --keyserver cryptonomicon.mit.edu 874DF6B1
gpg: sending key 874DF6B1 to hkp server cryptonomicon.mit.edu

Then you can search for your key,
#> gpg --search-keys --keyserver cryptonomicon.mit.edu 'Test Key'
gpg: searching for "Test Key" from hkp server cryptonomicon.mit.edu
(1) Test Key (meow meow) <myemail@email.com>
 2048 bit DSA key 874DF6B1, created: 2013-07-07
Keys 1-1 of 1 for "Test Key".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 874DF6B1 from hkp server cryptonomicon.mit.edu
gpg: key 874DF6B1: "Test Key (meow meow) <myemail@email.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1


To edit your expired key, you can do,

#> gpg --edit-key myemail@email.com
gpg (GnuPG/MacGPG2) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048D/874DF6B1  created: 2013-07-07  expires: 2013-07-09  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/8F44DA88  created: 2013-07-07  expired: 2013-07-08  usage: E   
[ultimate] (1). Test Key (meow meow) <myemail@email.com>

gpg> list
         
pub  2048D/874DF6B1  created: 2013-07-07  expires: 2013-07-09  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/8F44DA88  created: 2013-07-07  expired: 2013-07-08  usage: E   
[ultimate] (1). Test Key (meow meow) <myemail@email.com>

gpg> key 0
          
pub  2048D/874DF6B1  created: 2013-07-07  expires: 2013-07-09  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/8F44DA88  created: 2013-07-07  expired: 2013-07-08  usage: E   
[ultimate] (1). Test Key (meow meow) <myemail@email.com>

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 4
Key expires at Sat Jul 13 05:45:34 2013 PHT
Is this correct? (y/N) y
                        
You need a passphrase to unlock the secret key for
user: "Test Key (meow meow) <myemail@email.com>"
2048-bit DSA key, ID 874DF6B1, created 2013-07-07


pub  2048D/874DF6B1  created: 2013-07-07  expires: 2013-07-12  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/8F44DA88  created: 2013-07-07  expired: 2013-07-08  usage: E   
[ultimate] (1). Test Key (meow meow) <myemail@email.com>

gpg> key 1
          
pub  2048D/874DF6B1  created: 2013-07-07  expires: 2013-07-12  usage: SC  
                     trust: ultimate      validity: ultimate
sub* 2048g/8F44DA88  created: 2013-07-07  expired: 2013-07-08  usage: E   
[ultimate] (1). Test Key (meow meow) <myemail@email.com>

gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 4
Key expires at Sat Jul 13 05:46:13 2013 PHT
Is this correct? (y/N) y
                        
You need a passphrase to unlock the secret key for
user: "Test Key (meow meow) <myemail@email.com>"
2048-bit DSA key, ID 874DF6B1, created 2013-07-07


pub  2048D/874DF6B1  created: 2013-07-07  expires: 2013-07-12  usage: SC  
                     trust: ultimate      validity: ultimate
sub* 2048g/8F44DA88  created: 2013-07-07  expires: 2013-07-12  usage: E   
[ultimate] (1). Test Key (meow meow) <myemail@email.com>

gpg> save


Now, let say you wanted to encrypt a file using a public key from your friend or someone that have shared his/her public key to you and wanted to encrypt a file for her to decrypt on her end, just do,

$ gpg --import tp.asc 
gpg: key 874DF6B1: public key "Test Key (meow meow) <myemail@email.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[geekgogie@localhost gpg-test]$ gpg -k
/home/geekgogie/.gnupg/pubring.gpg
-------------------------------
pub   2048D/874DF6B1 2013-07-07 [expires: 2013-07-12]
uid                  Test Key (meow meow) <myemail@email.com>
sub   2048g/8F44DA88 2013-07-07 [expires: 2013-07-12]




Decrypting and Encrypting

To encrypt a file, just do


[geekgogie@localhost gpg-test]$ gpg -a -e -r 'Test Key' imagefile
gpg: 8F44DA88: There is no assurance this key belongs to the named user

pub  2048g/8F44DA88 2013-07-07 Test Key (meow meow) <myemail@email.com>
 Primary key fingerprint: 3156 692F CD96 269E 8A09  7DA0 7518 F4D6 874D F6B1
      Subkey fingerprint: 3EBF CD97 973C C9E7 147B  0B93 B5BE D265 8F44 DA88

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Note that you cannot decrypt this since you don't have his/her private key.

To decrypt the file,

#> gpg -o testpic.jpg -d tp.asc




Helpful links:
http://www.gnupg.org/gph/en/manual.html
http://www.physics.purdue.edu/PCN/doc/wiki/wiki:procedures:encrypt:mac
http://www.madboa.com/geek/gpg-quickstart/
http://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/
https://www.torproject.org/docs/verifying-signatures.html.en

And a sample HPK server,
http://cryptonomicon.mit.edu/

Comments

Popular posts from this blog

Converting sectors into MB - Useful in understanding the sectors in iostat in Linux

What is Disk Contention?

Installing MySQL from source: Could NOT find Curses (missing: CURSES_LIBRARY CURSES_INCLUDE_PATH)