Linux GPG

This document shows how to use the command line to work with PGP (GPG) for encryption.

Create a key pair

Use the following shell command:

gpg --gen-key

Answer the prompts, I typically accept all defaults which is 2048 bits and RSA. Also memorize your long passphrase and never tell anyone it, ever.

Document your new 'KeyID'.

List all keys

This is a great way to determine a 'KeyID'

gpg --list-keys

Encrypt a test message

This process may also be used to Validate a private key passphrase.

gpg --local-user <KEYID> -as

It will prompt for a passphrase three times unless a valid one is submitted, then it will allow you to write an encrypted message. press ctrl-d to end the message.

Alternatively you may encrypt any file (text or binary) using a command like this:

gpg --local-user <KEYID> -as <file>

This will prompt for your passphrase and on success generate an 'asc' file.

For example, lets encrypt the fake test file 'secret-raw-payload.txt' using the following command:

gpg --local-user MYKEYID1 -as secret-raw-payload.txt

Decrypt a test message

gpg -d <encrypted asc message file>

Then paste the encrypted message into the terminal.

Optionally omit the 'encrypted message file' and paste the payload directly into the cmd prompt.

Export a public key

To export a public key for transportation or sharing, run this:

gpg --export -a <KeyID>

This will output the public key for a given KeyID as ascii, which may be shared and distributed to anyone.

Export a private key

To export a private key for transportation or backup, run this:

gpg --export-secret-key -a <KeyID>

This will output the private key for a given KeyID as ascii, which must be safely gaurded.

Import a public key

gpg --import <public key file>

This adds the public key in the file to your public key ring. Alternatively you may omit the file and paste the public key directly to the command prompt.

Import a private key

gpg --allow-secret-key-import --import <private key file>

This adds the private key in the file to your private key ring. Alternatively you may omit the file and paste the private key directly to the command prompt.

Delete a public key

gpg --delete-key <KeyID>

Delete a private key

gpg --delete-secret-key <KeyID>

Edit and Trust a key

To edit a keys trust level (for instance to completely trust your own key) do the following:

gpg --edit-key <KeyID>
trust
5
y
quit

Encrypt a directory

If you want to encrypt a directory instead of a file, use the gpg-zip tool:

gpg-zip ~/home/user/secret-files > ~/home/user/secret-files.gpg-zip

Symmetric Keys

If you want to use a single shared key use the --symmetric flag. It will prompt you for a password twice:

gpg-zip --symmetric ~/.password-store > password-store.gpg-zip

--list-archive:

List the contents of the specified archive.

--decrypt:

Decrypt the zip, pipe to a file.

gpg-zip --decrypt  ~/.password-store > password-store.gpg-zip

Homework

1. create a gpg key pair
2. encrypt a test file
3. decrypt a test file
4. export public and private key pair
5. delete public and private key pair
6. re-import public and private key pair
7. try to decrypt test file again

Misc

• The keyring files are binary and exist in ~/.gnupg.