@DominicBreuker
Created October 31, 2017 22:03
gpg gnupg encryption

GnuPG

Setup

Install:

brew install gnupg # on Mac OS
apt-get install gnupg # on Ubuntu/Debian
...

Create a new key. Choose a name and email; if asked about the crypto scheme, pick RSA with at least 2048 bits.

gpg --full-gen-key
gpg --list-keys email@example.com # check the key is there

Also create a revocation certificate. If you lose your private key or it is compromised, you can publish the certificate to warn others. If asked for a reason, pick something generic.

gpg --output ~/revocation.crt --gen-revoke email@example.com
chmod 600 ~/revocation.crt

Export your public key and publish it somewhere for people to see.

gpg --output ~/public.key --armor --export email@example.com

Back up your key and revocation certificate and store them somewhere safe.

gpg --output ~/private.key --armor --export-secret-key email@example.com
chmod 600 ~/private.key

mv ~/revocation.crt /path/to/safe/place/revocation.crt
mv ~/private.key /path/to/safe/place/private.key

You could restore your keys on a new machine with

gpg --import public.key
gpg --allow-secret-key-import --import private.key
gpg --edit-key email@example.com # interactive, choose "trust", then "5" (for ultimate), then "save" - "?" for help

The last step sets the trust level of the key, since you know your backup is genuine (not strictly necessary).

If you have to revoke your key, check out this site for some details on how to act in case you got compromised: https://www.rossde.com/PGP/pgp_keyserv.html

File encryption and decryption

Encrypt a file - make sure you have the recipient's public key imported! You also sign it with your own private key to ensure authenticity.

gpg --encrypt --sign --output /path/to/encrypted.gpg --recipient person@email.com /path/to/plaintext.txt

Decrypt the file afterwards - make sure you have the recipient's private key imported!

gpg --output /path/to/decrypted.xyz --decrypt /path/to/encrypted.gpg
file /path/to/decrypted.xyz # check what you got

Add the --armor flag to produce an ASCII-armored text file (larger than the binary form) that can be sent via email or messenger.
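The key creation, key exchange, and encrypt-and-sign / decrypt steps above, run end to end as an added example that is not part of the original gist. It uses two throwaway keyrings (a constructed "sender" and "recipient") so nothing touches ~/.gnupg, and assumes GnuPG 2.1 or later for unattended key generation.

```shell
#!/bin/sh
# Added example (not part of the original gist): run the encrypt+sign /
# decrypt+verify workflow end to end with two throwaway keyrings so nothing
# touches ~/.gnupg. Assumes GnuPG 2.1+; names and addresses are constructed.
set -eu

# make_key <keyring dir> <name> <email>: unattended RSA-2048 key, no passphrase.
make_key() {
    mkdir -m 700 "$1"
    printf '%%no-protection\nKey-Type: RSA\nKey-Length: 2048\nSubkey-Type: RSA\n' > "$1/params"
    printf 'Subkey-Length: 2048\nName-Real: %s\nName-Email: %s\nExpire-Date: 0\n%%commit\n' \
        "$2" "$3" >> "$1/params"
    GNUPGHOME="$1" gpg --batch --quiet --gen-key "$1/params"
}

# Returns 0 if the plaintext is restored and the signature is GOODSIG,
# 2 if gpg is not installed, 1 on any other failure.
gpg_roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    work=$(mktemp -d); sender="$work/sender"; recipient="$work/recipient"
    make_key "$sender" "Sender" "sender@example.invalid"
    make_key "$recipient" "Recipient" "recipient@example.invalid"
    # Key exchange as in the gist: each side exports its public key and imports the
    # other's (the sender needs it to encrypt, the recipient to verify the signature).
    GNUPGHOME="$recipient" gpg --armor --export recipient@example.invalid > "$work/recipient.pub"
    GNUPGHOME="$sender"    gpg --armor --export sender@example.invalid    > "$work/sender.pub"
    GNUPGHOME="$sender"    gpg --batch --quiet --import "$work/recipient.pub"
    GNUPGHOME="$recipient" gpg --batch --quiet --import "$work/sender.pub"
    printf 'constructed secret message\n' > "$work/plain.txt"
    # Sender: encrypt to the recipient and sign with its own key. --trust-model always
    # only avoids the "key not certified" abort in this demo; in real use you would
    # check the fingerprint and sign the key instead.
    GNUPGHOME="$sender" gpg --batch --quiet --trust-model always --encrypt --sign \
        --recipient recipient@example.invalid --output "$work/encrypted.gpg" "$work/plain.txt"
    # Recipient: decrypt, capturing machine-readable status lines on fd 3 so the
    # signature verdict can be checked programmatically instead of read off stderr.
    GNUPGHOME="$recipient" gpg --batch --quiet --status-fd 3 --output "$work/decrypted.txt" \
        --decrypt "$work/encrypted.gpg" 3> "$work/status.txt"
    rc=0
    cmp -s "$work/plain.txt" "$work/decrypted.txt" || rc=1
    grep -q '^\[GNUPG:\] GOODSIG ' "$work/status.txt" || rc=1
    # Stop the agents started for the temporary keyrings, then clean up.
    GNUPGHOME="$sender" gpgconf --kill all || true
    GNUPGHOME="$recipient" gpgconf --kill all || true
    rm -rf "$work"
    return "$rc"
}

gpg_roundtrip_demo && echo "round-trip OK: plaintext restored and signature is GOODSIG"
```

Checking the `GOODSIG` status line rather than the human-readable "Good signature" text is what scripts should rely on, since the status format is stable while the stderr wording is not.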

References

Complete guide: https://gnupg.org/gph/en/manual.html

DigitalOcean guide: https://www.digitalocean.com/community/tutorials/how-to-use-gpg-to-encrypt-and-sign-messages
