linux-gpg

Linux GPG ###########

This document shows how to use the command line to work with PGP (GPG) for encryption.

.. contents::

Create a key pair

Use the following shell command:

.. code-block:: bash

gpg –gen-key

Answer the prompts, I typically accept all defaults which is 2048 bits and RSA. Also memorize your long passphrase and never tell anyone it, ever.

Document your new ‘KeyID’.

List all keys

This is a great way to determine a ‘KeyID’

.. code-block:: bash

gpg –list-keys

Encrypt a test message

This process may also be used to Validate a private key passphrase.

.. code-block:: bash

gpg –local-user -as

It will prompt for a passphrase three times unless a valid one is submitted, then it will allow you to write an encrypted message. press ctrl-d to end the message.

Alternatively you may encrypt any file (text or binary) using a command like this:

.. code-block:: bash

gpg –local-user -as

This will prompt for your passphrase and on success generate an ‘asc’ file.

For example, lets encrypt the fake test file ‘secret-raw-payload.txt’ using the following command:

.. code-block:: bash

gpg –local-user MYKEYID1 -as secret-raw-payload.txt

Decrypt a test message

.. code-block:: bash

gpg -d

Then paste the encrypted message into the terminal.

Optionally omit the ‘encrypted message file’ and paste the payload directly into the cmd prompt.

Export a public key

To export a public key for transportation or sharing, run this:

.. code-block:: bash

gpg –export -a

This will output the public key for a given KeyID as ascii, which may be shared and distributed to anyone.

Export a private key

To export a private key for transportation or backup, run this:

.. code-block:: bash

gpg –export-secret-key -a

This will output the private key for a given KeyID as ascii, which must be safely gaurded.

Import a public key

.. code-block:: bash

gpg –import

This adds the public key in the file to your public key ring. Alternatively you may omit the file and paste the public key directly to the command prompt.

Import a private key

.. code-block:: bash

gpg –allow-secret-key-import –import

This adds the private key in the file to your private key ring. Alternatively you may omit the file and paste the private key directly to the command prompt.

Delete a public key

.. code-block:: bash

gpg –delete-key

Delete a private key

.. code-block:: bash

gpg –delete-secret-key

Edit and Trust a key

To edit a keys trust level (for instance to completely trust your own key) do the following:

.. code-block:: bash

gpg –edit-key trust 5 y quit

Encrypt a directory

If you want to encrypt a directory instead of a file, use the gpg-zip tool:

.. code-block:: bash

gpg-zip ~/home/user/secret-files > ~/home/user/secret-files.gpg-zip

Symmetric Keys

If you want to use a single shared key use the –symmetric flag. It will prompt you for a password twice:

.. code-block:: bash

gpg-zip –symmetric ~/.password-store > password-store.gpg-zip

–list-archive: List the contents of the specified archive.

–decrypt: Decrypt the zip, pipe to a file.

.. code-block:: bash

gpg-zip –decrypt ~/.password-store > password-store.gpg-zip

Homework

1. create a gpg key pair
2. encrypt a test file
3. decrypt a test file
4. export public and private key pair
5. delete public and private key pair
6. re-import public and private key pair
7. try to decrypt test file again

Misc

• The keyring files are binary and exist in ~/.gnupg.