skip to content
@chari

GPG 101

/ 3 min read

Last Updated:

TLDR

GPG 101: Best Practices and Quick Start Guide

Introduction

Gnu Privacy Guard (GPG) is a widely-used tool for secure communication and data encryption. It is an essential tool for ensuring privacy and integrity in our digital interactions, protecting sensitive information from unauthorized access, and verifying the authenticity of communications. This guide will introduce you to the basics of GPG, provide a quick start tutorial, and outline best practices for its use.1

What is GPG?

GPG is an open-source implementation of the OpenPGP standard. It allows users to encrypt and decrypt data, create digital signatures, and manage keys. GPG uses a system of public and private keys to facilitate secure communications:

  • Public Key: Shared with others to allow them to encrypt messages to you or verify your digital signature.
  • Private Key: Kept secret and used to decrypt messages sent to you and to sign messages or documents.

Quick Start Guide

Installation

First, you need to install GPG on your system. Here are the installation commands for different operating systems:

  • Linux:
    Terminal window
    sudo apt-get install gnupg
  • MacOS:
    Terminal window
    brew install gnupg
  • Windows: Download the installer from the GnuPG website and follow the instructions.

Generating Your Key Pair

  1. Generate a New Key Pair:

    Terminal window
    gpg --full-generate-key
  2. Follow the prompts:

    • Select the key type (typically RSA and RSA).
    • Choose the key size (2048 bits is a common choice, but 4096 bits is more secure).
    • Set an expiration date for the key (this can be changed later).
    • Enter your name, email address, and an optional comment.
    • Choose a strong passphrase to protect your private key.
  3. List Your Keys:

    Terminal window
    gpg --list-keys
  4. Export Your Public Key:

    Terminal window
    gpg --armor --export [email protected] > publickey.asc
  5. Export Your Private Key (for backup purposes):

    Terminal window
    gpg --armor --export-secret-keys [email protected] > privatekey.asc

Encrypting and Decrypting Messages

  1. Encrypt a File:

    Terminal window
    gpg --output encryptedfile.gpg --encrypt --recipient [email protected] plaintextfile.txt
  2. Decrypt a File:

    Terminal window
    gpg --output decryptedfile.txt --decrypt encryptedfile.gpg

Signing and Verifying Messages

  1. Sign a File:

    Terminal window
    gpg --output signedfile.gpg --sign plaintextfile.txt
  2. Verify a Signature:

    Terminal window
    gpg --verify signedfile.gpg

Sharing Your Public Key

  • Key Servers: Upload your public key to a key server for others to find and use.

    Terminal window
    gpg --send-keys
  • Email: Attach your public key to emails or share it through secure channels.

  • Ubuntu Keyserver

  • OpenPGP Keyserver

Best Practices

  1. Key Management:

    • Regularly update and change your keys.
    • Use strong, unique passphrases for your keys.
    • Keep your private key secure; consider using a hardware security module (HSM) or smart card.
  2. Key Verification:

    • Always verify the public keys of others before encrypting messages or verifying signatures.
    • Use a web of trust or key servers to validate keys.
  3. Backup:

    • Regularly backup your private keys and revocation certificates in a secure location.
  4. Revocation Certificate:

    • Generate a revocation certificate for your key and store it securely. This allows you to revoke your key if it is compromised.
    Terminal window
    gpg --output revocation.crt --gen-revoke [email protected]
  5. Email Encryption:

    • Use plugins for email clients (like Enigmail for Thunderbird or Gpg4win for Outlook) to simplify encrypting and decrypting email communications.
  6. Key Expiry:

    • Set expiration dates on your keys to limit the impact of a compromised key. You can extend the expiration date if the key remains secure.

Conclusion

GPG is a powerful tool for maintaining privacy and security in digital communications. By following the steps in this quick start guide and adhering to best practices, you can effectively protect your sensitive information and ensure the authenticity of your communications. Regularly update your knowledge and stay informed about the latest security practices to make the most of GPG’s capabilities.

Footnotes

  1. This guide is intended as an introduction to GPG and does not cover all aspects of its functionality. For more detailed information, consult the GnuPG website and the OpenPGP standard.