GNU Privacy Guard

Philip Thomas K.

11 January 20


The gpg command is a pretty useful one. It is a program written to encrypt plaintext files. So if there is any plaintext document that contains sensitive information, you can encrypt that document with the gpg command and rest safely knowing that the information is not revealed.

So what does GPG stand for?

GPG stands for GNU Privacy Guard. GPG is a program that comes shipped on most Linux and GNU/Linux distros. Now before we can actually use GPG to encrypt anything, we need to generate our keys. These are a set of public and private/secret keys that can be used to decrypt and encrypt your information. So go ahead and open up your terminal and input the following command:

gpg --full-gen-key

This will start GPG's key generation wizard. You will be prompted with the following:

gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/username/.gnupg' created
gpg: keybox '/home/username/.gnupg/pubring.kbx' created
Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
Your selection?

Now unless you already know what you are doing, you will most likely need to use option 1. Type in 1 followed by Enter, or just hit Enter to accept the default. After that you will be faced with the following:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

The larger the keysize, the more secure the key becomes. But for most usage, a 2048-bit RSA key is sufficient. Just hit Enter. Now the program will ask you to specify how long you wish your key to be valid for:

Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0)

Here you can decide how long your set of keys will be valid for. If you need more security, make your key valid for shorter periods of time. Now, GnuPG will need to bind these keys to a user ID. The rest of the setup does not need any explanation in my opinion.

My only note is that when they ask you for your email, you need not worry about getting any emails or anything. It is only used as an identifier. Now, time to put in your password. Make sure it’s a secure password. I like to use a set of 12 alphanumeric characters. You can do what you want. Now, GPG will be setting up your keys. To do this, it will do some random stuff. I am serious. It will need to “generate a lot of random bytes” (for some reason that is beyond me) to create your keys. After which, you will be returned to your command prompt.

And now you are done. With creating a set of keys that is.

How do I encrypt now?

We have reached the stage where we can start to encrypt files with a recipient in mind, because we have a public key and a secret key. First, we need a file to encrypt. Execute the following command:

echo "Classified Information." > totallynotasecret_dontopen

Stop laughing. Now, to encrypt the following plaintext file, we need to execute the following command:

gpg -r email@address.com -e totallynotasecret_dontopen

Take note that you should put the email address that you bound to your key in place of email@address.com. -r denotes the recipient of the encrypted file; usually it will be yourself. -e denotes the encryption option.

After this, if you run the ls command, you should see a new file called totallynotasecret_dontopen.gpg. This file is encrypted. Go ahead and try to open it in a text viewer; you will see a bunch of nonsense characters. But your plaintext file still exists, so you can go ahead and delete it. Now for the magic bit. To decrypt the file, run the following command:

gpg -d totallynotasecret_dontopen.gpg

You will be prompted for a password. Put in the password that you used during the key generation.

You will see a one-time decrypted message in your STDOUT. Done.

I suggest you read through the man page of GPG. What I have detailed here is an example of asymmetric encryption. There is also symmetric encryption, which is used for different cases.

Best regards,
Philip