@chari

GPG Quickstart Guide

Gnu Privacy Guard (GPG) is an essential tool for ensuring privacy and integrity in our digital interactions, protecting sensitive information from unauthorized access, and verifying the authenticity of communications.

This guide will briefly cover how GPG works, introduce you to the two main functions of GPG (encrypting and decrypting, and signing and verifying), and finally outline some best practices.[1]

How GPG Works

GPG uses a system of public and private keys to facilitate secure communications:

  • Public Key: Shared with others to allow them to encrypt messages to you or verify your digital signature.
  • Private Key: Kept secret and used to decrypt messages sent to you and to sign messages or documents.

There are also several types of encryption and signing algorithms that GPG supports, such as RSA, DSA, and ECDSA. You can choose the appropriate algorithms based on your security requirements.

Most of the time, you will use RSA for both encryption and signing, as it is widely supported and considered secure.

Installation

First, you need to install GPG on your system. On most systems it is available from the package manager. For example, on Ubuntu or Debian-based systems:

    sudo apt-get install gnupg

Generating Your Key Pair

To start using GPG, you need to generate a key pair consisting of a public key and a private key. Here’s how you can do it:

  1. Generate a New Key Pair:

    gpg --full-gen-key

    Follow the prompts:

    • Select the key type (typically RSA and RSA).
    • Choose the key size (2048 bits is a common choice, but 4096 bits is more secure).
    • Set an expiration date for the key (this can be changed later).
    • Enter your name, email address, and an optional comment.
    • Choose a strong passphrase to protect your private key.
  2. Export Your Public Key:

    To share your public key with others, you need to export it to a file. You can then distribute this file through email, USB drives, or other secure channels.

    gpg --armor --export [email protected] > publickey.asc

    Your public key is now saved in the file publickey.asc.

  3. Export Your Private Key (optional: for backup purposes):

    You might want to export your private key to a secure location for backup purposes. Keep this file secure and do not share it with others.

    gpg --armor --export-secret-keys [email protected] > privatekey.asc

Encrypting and Decrypting Messages

Now that you have your key pair, you can use GPG to encrypt and decrypt messages. This allows you to securely exchange sensitive information with others without the risk of interception or tampering.

Encrypt a File

To encrypt a file, use the --encrypt option with the --recipient flag to specify the recipient’s email address:

    gpg --output encryptedfile.gpg --encrypt --recipient [email protected] plaintextfile.txt

This command will create a file named encryptedfile.gpg containing the encrypted contents of plaintextfile.txt. You can then send this encrypted file to the recipient.

Decrypt a File

To decrypt a file, use the --decrypt option:

    gpg --output decryptedfile.txt --decrypt encryptedfile.gpg

This command will decrypt the contents of encryptedfile.gpg and save them to decryptedfile.txt.

Congratulations! You have successfully encrypted and decrypted a file using GPG. You can now securely exchange sensitive information with others.

Signing and Verifying Messages

GPG allows you to sign messages or files with your private key to prove their authenticity and integrity.

Sign a File

To sign a file, use the --sign option:

    gpg --output signedfile.gpg --sign plaintextfile.txt

Verify a Signature

To verify a signature, use the --verify option:

    gpg --verify signedfile.gpg

This command will verify the signature of signedfile.gpg and display the result. If the signature is valid, you can be confident that the file has not been tampered with and was signed by the private key associated with the public key used for verification.

Sharing Your Public Key

To enable others to send you encrypted messages or verify your digital signatures, you need to share your public key with them. Here are some common methods to distribute your public key:

Key Servers

Upload your public key to a key server for others to find and use.

    gpg --send-keys <your-key-id>

Replace <your-key-id> with the fingerprint or key ID of your key, which you can find with gpg --list-keys.

There are several public key servers available, such as pgp.mit.edu, keys.openpgp.org, keys.gnupg.net, and keyserver.ubuntu.com.

Email

Attach your public key to emails or share it through secure channels.

Best Practices

  1. Key Management:

    • Regularly update and change your keys.
    • Use strong, unique passphrases for your keys.
    • Keep your private key secure; consider using a hardware security module (HSM) or smart card.
  2. Key Verification:

    • Always verify the public keys of others before encrypting messages or verifying signatures.
    • Use a web of trust or key servers to validate keys.
  3. Backup:

    • Regularly backup your private keys and revocation certificates in a secure location.
  4. Revocation Certificate:

    • Generate a revocation certificate for your key and store it securely. This allows you to revoke your key if it is compromised.
    gpg --output revocation.crt --gen-revoke [email protected]
  5. Key Expiry:

    • Set expiration dates on your keys to limit the impact of a compromised key. You can extend the expiration date if the key remains secure.
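The following script ties the guide's steps together (key generation with an expiry date, encrypt/decrypt, sign/verify, and the automatic revocation certificate from the best practices above) in a throwaway keyring, the way a script or CI job would drive GPG non-interactively. It is an added example, not code from the original guide; it assumes GnuPG 2.1 or later is installed as gpg, and the identity, passphrase and message contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original guide): end-to-end GPG round trip in an
# isolated GNUPGHOME. Assumes GnuPG 2.1+ as "gpg"; identity, passphrase and
# message below are constructed for the demo.

gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 77; }
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/home"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"                    # never touches the real ~/.gnupg
    email="demo@example.com"                     # constructed identity
    uid="Demo User <$email>"
    pass="demo-passphrase-do-not-reuse"          # constructed passphrase
    g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$pass" "$@"; }
    (
        set -e
        cd "$work"
        # 1. RSA 2048 key pair, sign+encrypt, expiring in one year (best practice "Key Expiry")
        g --quick-gen-key "$uid" rsa2048 default 1y
        # GnuPG 2.1+ also writes a revocation certificate automatically; confirm it is there
        ls "$GNUPGHOME"/openpgp-revocs.d/*.rev >/dev/null
        # 2. Encrypt to the public key, decrypt with the private key, compare
        printf 'meet at noon\n' > msg.txt
        g --recipient "$email" --output msg.gpg --encrypt msg.txt
        g --output plain.txt --decrypt msg.gpg
        [ "$(cat msg.txt)" = "$(cat plain.txt)" ]
        # 3. Detached signature, verified via machine-readable status lines.
        #    Scripts should key off GOODSIG/BADSIG, not only the exit code or stderr text.
        g --output msg.sig --detach-sign msg.txt
        gpg --batch --status-fd 1 --verify msg.sig msg.txt 2>/dev/null | grep -q '^\[GNUPG:\] GOODSIG '
        # 4. Tamper with the file: verification must now fail and report BADSIG
        printf 'meet at midnight\n' > msg.txt
        ! gpg --batch --verify msg.sig msg.txt 2>/dev/null
        gpg --batch --status-fd 1 --verify msg.sig msg.txt 2>/dev/null | grep -q '^\[GNUPG:\] BADSIG '
    ) && rc=0 || rc=$?
    gpgconf --kill gpg-agent 2>/dev/null || true  # stop the agent started for this keyring
    rm -rf "$work"
    unset GNUPGHOME
    return "$rc"
}

gpg_roundtrip && echo "round trip OK"
```

The function returns 0 when every step (including the tamper detection) behaves as expected, and 77 when gpg is not installed.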

Next Steps

Now that you have a basic understanding of GPG and how to use it for encryption and signing, consider integrating GPG into your daily workflows, such as:

  • Email Encryption: Most email clients support GPG plugins or extensions for encrypting and decrypting messages for effortless secure communication.

  • File Encryption: Encrypt sensitive files before sharing them through cloud storage or email.

  • Code Signing: Sign software releases or code commits to verify their authenticity and integrity. There are tools like git commit -S to sign commits with GPG.

Footnotes

  1. This guide is intended as an introduction to GPG and does not cover all aspects of its functionality. For more detailed information, consult the GnuPG website and the OpenPGP standard.