Good question. We'll assume a gpg2 install available at gpg.
First you have to have a key-pair.
gpg --full-generate-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
Type 1 (RSA and RSA).
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
You want 2048.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
You don't want your key to expire. Type 0.
Key does not expire at all
Is this correct? (y/N)
For God's sake, yes (y)!
It prompts you for your name and email address and a comment. Use your discretion.
It asks you for a passphrase. Use your discretion. Don't forget your passphrase.
gpg --armor --export <your email address>
You can send this to people and they can encrypt things to you. You might want to publish your key fingerprint as well.
gpg --fingerprint <your email address>
Decryption works as follows:
gpg --output <output file> --decrypt <input file>
You have to import the counterparty's public key. But first, you should make sure you don't have a public key with the same fingerprint because someone might be messing with you.
gpg --with-fingerprint <counterparty's public key file>
Now look at your list of imported keys:
gpg --list-keys --with-fingerprint
Make sure the fingerprint of the newly-received public key file doesn't already exist in your keyring. Then, you're good to import.
gpg --import <counterparty's public key file>
Now encrypt some data. For example, read from stdin:
echo "asdfbuttslol" | gpg --encrypt --recipient <counterparty's email address> --armor --output foo.asc -
This generates foo.asc, with the ASCII-encoded encrypted message in it.
Don't sign lightly. Don't sign messages like "Yes", "No", or anything else you don't want taken out of context. Anyway…
Clearsign your plaintext message and then encrypt it.
echo "world is a hug" | gpg --armor -u <your email address> --clearsign --output - -
Then encrypt the output.
Have the counterparty's public key imported, then:
gpg --verify <signed or clearsigned file>
Good luck, have fun, try not to die.
Check out my .bash_profile for inspiration.