All about GPG
One guide to rule all of GPG! In this noob-friendly guide, we will learn how to generate keys, use them and sign stuff with GNU Privacy Guard. After reading this guide, your private life will be much more private than ever.
GPG is one of the essential tools for your online privacy and security. It also lets others verify your digital identity using your public key, which you can publish on a public key server.
Whether you use your key to encrypt your emails, sign your git commits or just verify someone's online identity, GPG is the tool to go to!
So, open your favorite *sh up and let's start generating a key for you 😄
Firstly, install the pinentry
package on your *nix system. This provides a nice passphrase entry interface. Read how to install packages.
Now append only one of the following lines to your ~/.gnupg/gpg-agent.conf
file, according to your user environment. Personally, I use pinentry-tty
due to its minimalistic approach and its compatibility even when the system is having issues.
Do this by running vi ~/.gnupg/gpg-agent.conf
. Read my journal entry on intro to vim for a quick refresher.
# Choose only one of the interfaces
# For installation environments (best for SSHing)
# If you are on basic TTYs with not much interface.
# For terminal emulators
# If you are using Linux/Mac TUI to enter the passwords.
# NOOOOO, Apple is best!! :crying_face:
# For X11/Wayland support
# If you love GTK2 for rest of your life (Mate/XFCE guys)
# If you love GNOME more than your GF (See notes below)
# If you are on KDE and hate GTK soo much.
After doing that, reload the agent through gpg-connect-agent
for the config to take effect
# It should output OK
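Before reloading, it is worth checking that the config really has one pinentry line and that the program it names exists. This is an added example, not from the original post; it assumes the config line is of the form pinentry-program <path> (the post's own config lines are not shown above), and the sample config it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check ~/.gnupg/gpg-agent.conf
# before reloading the agent. gpg-agent reads a "pinentry-program <path>" line;
# if you paste more than one you cannot be sure which dialog you will get, and
# a wrong path leaves you with no dialog at all. The config written by the demo
# at the bottom is constructed; CONF defaults to the real file.

# check_agent_conf CONF
# Returns 0 only if CONF has exactly one active pinentry-program line and
# the program it names exists and is executable; prints the reason otherwise.
check_agent_conf() {
    conf=${1:-"$HOME/.gnupg/gpg-agent.conf"}
    n=$(grep -c '^[[:space:]]*pinentry-program[[:space:]]' "$conf") || n=0
    if [ "$n" -ne 1 ]; then
        echo "$conf: expected exactly one pinentry-program line, found $n" >&2
        return 1
    fi
    prog=$(awk '$1 == "pinentry-program" { print $2; exit }' "$conf")
    if [ ! -x "$prog" ]; then
        echo "$conf: pinentry program is not executable: $prog" >&2
        return 1
    fi
    return 0
}

# reload_agent: make gpg-agent re-read its config (prints OK on success).
reload_agent() {
    gpg-connect-agent reloadagent /bye
}

# Constructed demo on a temporary config rather than the real one.
demo=$(mktemp)
cat >"$demo" <<'EOF'
# For terminal emulators
pinentry-program /usr/bin/pinentry-tty
EOF
if check_agent_conf "$demo"; then
    echo "config looks fine; now run: reload_agent"
fi
rm -f "$demo"
```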
Now here comes the fun part!
This command will open an interactive terminal menu asking which kind of key you want to generate.
The --expert
mode allows us to generate keys with newer algorithms, in this case an ECC algorithm.
Now, let's discuss each scenario according to our needs.
Case 1: Signing
In this part, we will learn how to sign stuff with GNU Privacy Guard. After reading this guide, you will be able to digitally sign files and distribute your code with your signature as assurance.
Firstly, we will generate ourselves an ultimate signing key. Before this, you might want to refer to the earlier part here.
Select Option 10 from the menu by entering its number; it will show us another screen to select the curve.
For this scenario, unless you are an absolute expert (which most of us aren't), I recommend you visit http://safecurves.cr.yp.to/, which explains which elliptic curves are cryptographically safer than others. At the time of writing this entry, Curve 25519 is more trustworthy than the others, so we will select Option 1.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Now, since the algorithm we selected is secure in the long term, we shall set this to 2y to sign things for 2 years. However, if you want to use the key for more years, you can also do that by renewing the key once it expires.
Key expires at Fri Oct 23 02:41:02 2022 GMT
Is this correct? (y/N)
Now you will be greeted by a confirmation screen with the expiration date and time, for your reference. Confirm it by entering y.
GnuPG needs to construct a user ID to identify your key.
Real name: Xenon Lucifer Diablo
Email address: code@nmnx.org
Comment: Signing key for open source projects and R&D purposes only.
This time you will be asked for your information (Name, Email and Comment) to generate the key with your corresponding email address. The comment describes the key's purpose, so write why you want to use this key.
For the final time, it will ask you for any changes (in case of typos). Choose (O)kay to proceed further.
Your chosen pinentry interface will now ask for your new password. Enter the password to safeguard your keys, then press tab to <OK>
and press return.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
This message screen will appear, where you have to press tons of buttons on your keyboard randomly and shake your mouse like hell! Not doing so will lead you to this message.
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 281 more bytes)
This means that your system hasn't reached the required threshold of entropy. An impromptu explanation is provided in this entry.
If all went well, then you will be greeted by the following text.
gpg: key 033A0E83209937B3 marked as ultimately trusted
gpg: revocation certificate stored as 'xxx/xxx/xxx/xxx.rev'
public and secret key created and signed.
pub ed25519 2020-10-23 [SC] [expires: 2022-10-23]
ABCDEF0123456789ABCDEF0123456789ABCDEF01
uid Xenon Lucifer Diablo (Signing key for open source projects and R&D purposes only.) <code@nmnx.org>
Congratulations! You have successfully generated your signing key. To verify and see your key,
Now export your key using the command
Here you can see my public key, ready to export:
You can verify the key by checking the signed commits of my projects on GitHub.
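The whole menu walk above (ECC sign-only, Curve 25519, 2-year expiry, name/email/comment) condensed into gpg's unattended parameter file, followed by the fingerprint and export steps. This is an added example, not the post's own commands; it assumes the interactive command used above was gpg --expert --full-gen-key, and reuses the post's sample name, email and comment.

```shell
#!/bin/sh
# Added example, not from the original post: the unattended equivalent of the
# interactive menu walk (ECC sign-only, Curve 25519, 2y expiry, uid), using
# gpg's documented batch parameter file, plus the fingerprint/export steps.
# Name, e-mail and comment are the post's sample values.

# write_params OUTFILE NAME EMAIL COMMENT EXPIRE
# Emits a gpg unattended-key-generation parameter file. There is deliberately
# no "Passphrase:" line, so gpg asks for one through pinentry as in the post.
write_params() {
    cat >"$1" <<EOF
%echo Generating a sign-only ed25519 key
Key-Type: EDDSA
Key-Curve: ed25519
Key-Usage: sign
Name-Real: $2
Name-Email: $3
Name-Comment: $4
Expire-Date: $5
%commit
%echo done
EOF
}

# generate_signing_key PARAMFILE: runs the batch key generation.
generate_signing_key() {
    gpg --batch --gen-key "$1"
}

# export_public_key EMAIL: ASCII-armoured public key for the uid matching EMAIL.
export_public_key() {
    gpg --armor --export "$1"
}

# show_fingerprint EMAIL: the value to compare out of band before trusting a key.
show_fingerprint() {
    gpg --fingerprint "$1"
}

params=$(mktemp)
write_params "$params" "Xenon Lucifer Diablo" "code@nmnx.org" \
    "Signing key for open source projects and R&D purposes only." "2y"
cat "$params"
# Uncomment to generate into a throwaway keyring instead of ~/.gnupg:
# export GNUPGHOME=$(mktemp -d); generate_signing_key "$params" \
#   && show_fingerprint code@nmnx.org && export_public_key code@nmnx.org
rm -f "$params"
```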
Signing things
This part is dead simple; we will sign files and documents using this simple command:
where code@nmnx.org
is the email address mentioned earlier in your generated signing key (needed if you have multiple keys on your system), whereas thelegend27.pdf
is the file name (👀 don't tell anyone). Again this screen will appear before you; just enter your password:
This will create a signed document with the extension *.gpg in your working directory, which can be verified and decrypted back to the original document.
Verifying things
Again, simple as shit. Just use:
and this will do the job! However, there are a few caveats that I would like to mention first. Always check the signing comment before decryption. That will allow you to verify the authenticity of the issued document.
Retrieving the original
Once verified carefully, decrypt the document you have received using the command:
And you shall receive! The document you yearned for so long. Ahh, the joy! 😌
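The verify-then-decrypt flow above, automated so that the original is only kept when the signature checks out. This is an added example, not the post's own commands; since the uid comment is free text that any key can carry, it compares the signer's fingerprint (the one you obtained out of band, placeholder EXPECTED_FPR) using gpg's machine-readable status lines, and also rejects signatures from expired or revoked keys. The sample status lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not the post's own commands: accept a "gpg --sign"ed file only
# if gpg's machine-readable status lines say the signature is cryptographically
# valid, made by the fingerprint you already trust, and the key is neither
# expired nor revoked. EXPECTED_FPR is whatever you verified out of band; the
# sample status lines at the bottom are constructed from the post's output.

# check_status STATUSFILE EXPECTED_FPR
# 0 only if a VALIDSIG line carries EXPECTED_FPR (as signing or primary key)
# and no line reports a bad, expired or revoked signature; 1 otherwise.
check_status() {
    awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    ' "$1"
}

# recover_original SIGNED.gpg EXPECTED_FPR OUTFILE
# Unwraps the signed file into OUTFILE (the post's "decrypt" step) and keeps
# it only when the signature passes check_status; removes it otherwise.
recover_original() {
    status=$(mktemp) || return 1
    gpg --status-fd 3 --output "$3" --decrypt "$1" 3>"$status" 2>/dev/null
    if check_status "$status" "$2"; then
        rm -f "$status"
        return 0
    fi
    rm -f "$status" "$3"
    echo "refusing $1: not signed by $2, or signing key expired/revoked" >&2
    return 1
}

# Constructed status output for the post's key (placeholder fingerprint taken
# from the post's key-generation output).
sample=$(mktemp)
printf '%s\n' \
  '[GNUPG:] GOODSIG 033A0E83209937B3 Xenon Lucifer Diablo <code@nmnx.org>' \
  '[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2020-10-23 1603420862 0 4 0 22 8 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01' \
  >"$sample"
if check_status "$sample" ABCDEF0123456789ABCDEF0123456789ABCDEF01; then
    echo "sample signature accepted"
fi
rm -f "$sample"
```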
Case 2: Encryption
In this part, we will learn how to encrypt stuff with GNU Privacy Guard. After reading this guide, you will be able to encrypt/decrypt files and transfer them securely.
That's all for today! Thank you for reading this crap. See you again next time.