GPG vs PGP
PGP can refer to two things:
1. The Pretty Good Privacy software originally written by Phil Zimmermann, and now owned by Symantec.
2. The formats for keys, encrypted messages and message signatures defined by that software. These have now been formalised as the OpenPGP standard.
The GPG software is an independent implementation of the OpenPGP standards, so you can use it to exchange encrypted messages with people using other OpenPGP implementations (e.g. Symantec's PGP).
Due to its popularity on Linux systems, it is also fairly common for people to incorrectly use the term "GPG" to refer to the whole OpenPGP cryptography system (e.g. "GPG keys" or "GPG signatures"). It is usually pretty clear what they mean from the context though.
- .gpg and .pgp extensions are for binary files.
- .txt and .asc are for ASCII (armored) files.
```sh
# OSX
brew install gnupg
# Ubuntu
apt-get install gnupg
# RedHat/Fedora/CentOS
yum install gnupg
```
Generating new keys
The first key is your private (or secret) key. You must keep this private key safe at all times, and you must not share it with anyone. The private key is protected with a passphrase. The second key is your public key, which you can safely share with other people. Anything that is encrypted using the public key can only be decrypted with the related private key.
```sh
# List private keys
gpg --list-secret-keys
# List public keys
gpg --list-keys
# Outputs:
# pub   4096R/F9C3014D 2014-09-18
# uid                  Sepehr Lajevardi <firstname.lastname@example.org>
# sub   4096R/57B451B8 2014-09-18
#
# Which translates to:
# - pub: Public key
# - 4096R: The number of bits in the key, and the type (RSA)
# - F9C3014D: The key ID
# - 2014-09-18: The date of key creation
# - Sepehr Lajevardi: Real name
# - <email@example.com>: And the email
```
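As an added example (not part of the original cheat sheet), a small Python parser for the legacy listing layout shown above; the second key in the sample listing, all key IDs and dates are constructed for the example, and the lookup helper shows why selecting a key by e-mail address, as the commands on this page do, is only safe when exactly one key matches.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Parser for the legacy (GnuPG 1.x) "gpg --list-keys" layout shown above. GnuPG 2.x prints
# "pub   rsa4096 2014-09-18 [SC]" instead; that layout is deliberately not matched here.
ALGO_LETTERS = {"R": "RSA", "D": "DSA", "g": "ElGamal"}  # letter after the bit count
KEY_LINE = re.compile(r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})"
                      r"(?:\s+\[expires:\s*(\d{4}-\d{2}-\d{2})\])?")
UID_LINE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?(.*?)\s*<([^>]+)>\s*$")

# Constructed sample listing: the second key, its IDs and dates are invented for this example.
SAMPLE_LISTING = """\
pub   4096R/F9C3014D 2014-09-18
uid                  Sepehr Lajevardi <firstname.lastname@example.org>
sub   4096R/57B451B8 2014-09-18
pub   2048R/0A1B2C3D 2013-01-05 [expires: 2015-01-05]
uid                  Old Key <firstname.lastname@example.org>
sub   2048g/9F8E7D6C 2013-01-05
"""

@dataclass
class Key:
    bits: int
    algo: str
    key_id: str
    created: str
    expires: Optional[str] = None
    uids: List[tuple] = field(default_factory=list)    # (name, email) pairs; primary keys only
    subkeys: List["Key"] = field(default_factory=list)

def parse_key_listing(text: str) -> List[Key]:
    """Group pub/uid/sub lines into one Key per primary key."""
    keys: List[Key] = []
    for line in text.splitlines():
        if m := KEY_LINE.match(line.strip()):
            kind, bits, algo, key_id, created, expires = m.groups()
            key = Key(int(bits), ALGO_LETTERS.get(algo, "unknown"), key_id.upper(), created, expires)
            if kind == "pub":
                keys.append(key)
            elif keys:  # a sub line always follows the pub line it belongs to
                keys[-1].subkeys.append(key)
        elif (m := UID_LINE.match(line.strip())) and keys:
            keys[-1].uids.append((m.group(1), m.group(2).lower()))
    return keys

def keys_for_email(keys: List[Key], email: str) -> List[Key]:
    """Primary keys carrying this e-mail; "--recipient <email>" is only unambiguous if one matches."""
    return [k for k in keys if any(e == email.lower() for _, e in k.uids)]
```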
```sh
# Delete a public key from your keyring
gpg --delete-keys firstname.lastname@example.org
```
```sh
gpg --edit-key email@example.com
# Then, at the gpg> prompt:
#   trust   (invoke the trust subcommand on the key)
#   5       (ultimate trust)
#   y       (if prompted)
#   quit
```
```sh
# 1. Import
# When you import a public key, you are placing it into what is commonly referred to as the "GPG keyring"
gpg --import someone.asc
# 2. Export someone's key
# Name the key (by e-mail or key ID); without one, --export writes every public key in the keyring
gpg --export --armor someone@example.com > someone.asc
```
```sh
## 1. Export
# These file names are the GnuPG 1.x / 2.0 layout; GnuPG 2.1+ keeps public keys in
# pubring.kbx and secret keys under private-keys-v1.d/, so check ~/.gnupg before relying on them
cp ~/.gnupg/pubring.gpg /path/to/backups/
cp ~/.gnupg/secring.gpg /path/to/backups/
cp ~/.gnupg/trustdb.gpg /path/to/backups/
# Or, instead of backing up the trustdb
gpg --export-ownertrust > ownertrust.txt
## 2. Import
cp /path/to/backups/*.gpg ~/.gnupg/
# or, if you exported the ownertrust
gpg --import-ownertrust ownertrust.txt
```
This only really works if you don't mind losing any keys other than your own.
```sh
# 1. Export
gpg --export --armor firstname.lastname@example.org > public.asc
gpg --export-secret-keys --armor email@example.com > private.asc
gpg --export-ownertrust > ownertrust.txt
# 2. Import
# Imports the public key as well
gpg --import --armor private.asc
gpg --import-ownertrust ownertrust.txt
```
```sh
# Encrypts a file to lajevardi@gmail without signing it; the author will be unknown.
# The output is written to file.txt.gpg
gpg --encrypt --recipient firstname.lastname@example.org file.txt
# Encrypts and signs the message with the author's private key
gpg --encrypt --sign --recipient email@example.com file.txt
# Decrypt (the plaintext goes to stdout unless --output is given)
gpg --output file.txt --decrypt file.txt.gpg
```
Exporting your public key to a keyserver
```sh
gpg --send-key firstname.lastname@example.org [--keyserver sks-keyservers.net]
# Note: the sks-keyservers.net pool has since been shut down; keys.openpgp.org is a current alternative
```
Generating revocation certificates
A revocation certificate is required when you need to withdraw your key: uploading it to the keyservers marks the key as revoked. Generate it right away and keep it somewhere safe, so it is still available if you lose access to the private key.
```sh
gpg --gen-revoke email@example.com
```
Here's a sample revocation certificate (the armored body has been omitted):
```
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: A revocation certificate should follow

[armored revocation data omitted]
-----END PGP PUBLIC KEY BLOCK-----
```