GPG can be a bit difficult to wrap your head around at first since its slightly more complex than using asymmetric encryption through SSH or OpenSSL. It can be extremely useful, however, for encrypting files, communications, or verifying digital signatures.
Linux:
sudo apt-get install gnupg
OSX (requires homebrew):
brew install gnupg
gpg --gen-key
As you are generating the key pair, it will ask you a number of questions to answer and there are a couple things to keep in mind:
- what kind of key you want: RSA and RSA (default)
- keysize: 4096 (minimum of 1024)
- expiry parameters: 0 (or choose to set an expiry)
- correct: y
- real name: it depends on the situation, but for most personal uses, it can be beneficial to use a screenname in place of your real name when prompted since it makes it easier to reference your key (real name has spaces)
whichever email address you enter when prompted will be referred to below as 'your_email@address.com'
While it is generating your key, you can help create entropy by just typing random letters on the keyboard.
Don't forget to create a revocation certificate:
gpg --gen-revoke your_email@address.com
Having the key pair won't be fully useful unless you share your public key. There are a number of ways to accomplish that task, and being able to send it as a file is one of the easiest:
gpg --armor --export your_email@address.com > public_key_file
This will export your public key to a file named public_key_file
(obviously
you will want to specify a different filename). The --armor
option tells
gpg that you want the contents of the file to be ASCII instead of binary
encoded. This makes it safe to also copy and paste the contents of the file as
an additional method of sharing your public key. If the export is binary
encoded, then information will be lost when copying and pasting the contents
without directly sharing the file.
To be able to encrypt a file to send to someone, or verify their signature, you first need to add their public key to your gpg keyring:
gpg --import someones_public_gpg_file
You can then list the keys in your public keyring:
gpg --list-keys
example:
username% gpg --list-keys /users/username/.gnupg/pubring.gpg --------------------------------------- pub 1024D/BB7576AC 2014-06-04 Bob (stuff) <things@something.com> sub 1024g/78E9A8FA 2014-06-04 pub 1024D/9E98BC16 2014-06-04 Bryce (me) <bryce@something.com> sub 1024g/5C8CBD41 2014-06-04
Unless you can be sure the key you imported is from who you think it is, you need
to validate it. You can view the key's fingerprint using the --fingerprint
option and the key name, which can be either the person's name, their email, or
their ID (e.g. either Bryce or bryce@something.com or 9E98BC16 would work). Verifying
the key's fingerprint can be done a number of ways so long as you can ensure
you're communicating with the key's owner; as long as the fingerprint you get
from the key's owner matches the command output you can be sure its a valid
copy of their key:
gpg --fingerprint name
gpg --fingerprint 9E98BC16 pub 1024D/9E98BC16 2014-06-04 Bryce (me) <bryce@something.com> Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16
Once you can verify the key you imported is trusted, you can sign the key to validate it:
gpg --sign-key bryce@something.com
tar -cJvf output_filename input_file_or_directory
example:
tar -cJvf 2014-08-22.code.tar.xz ~/code-src
-c | create a tar archive |
-J | use the xz compression library |
-v | verbose output in case something goes wrong |
-f | specify the output filename |
Now that GPG is set up, encrypting a file is very simple:
gpg -s -o output_filename --cipher-algo AES256 -e -r bryce@something.com input_filename
example:
gpg -s -o source_code.gpg --cipher-algo AES256 -e -r bryce@something.com 2014-08-22.code.tar.xz
-s | cryptographically sign the output with your key |
-o | specify the output filename |
-e | create a binary encryption of the input file |
-r | encrypt using the public key of the recipient |
--cipher-algo | AES256 for proper protection |
At this point you can now safely send the encrypted file and only the
recipient's private key will be able to decrypt the file. Additionally,
the recipient can use your public key to verify that the file is from
you since it was cryptographically signed (from the -s
option).
!important: keep in mind that only the person who has the corresponding
private key of the specified recipient will be able to decrypt the file! The
-r
switch can be used multiple times to specify more than one recipient,
and adding yourself as a recipient will allow you to decrypt the file in
addition to your intended recipient(s). If you are simply encrypting your own
files for security, then you would likely be the only recipient. Likewise,
if you have no need to be able to decrypt a file you are transmitting (e.g. you
are keeping the unencrypted original), then there is no need to specify
yourself as a recipient.