Gpg: Difference between revisions

From charlesreid1

No edit summary
Line 33: Line 33:
=Performing Tasks=
=Performing Tasks=


==Encrypting/Decrypting Files==
==Generating a Public/Private Key Pair==
 
To generate a private key,
 
<pre>
$ gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
Your selection?
</pre>
 
RSA is stronger than DSA, so the default is highly recommended.
 
<pre>
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
</pre>
 
This is like asking, "How long would you like it to take to crack your private-key: 100,000 years, or 15,000 eons?
 
<pre>
Requested keysize is 2048 bits 
Please specify how long the key should be valid.
        0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
</pre>
 
Then it will ask for some identifying information.  This is used to generate a public key, and it is important you give a unique name, email address, and comment, so that other people can identify your public key and distinguish it from others'.
 
<pre>
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"


This is a method for encrypting and decrypting files using GPG.  This is a handy trick if you want to store all of your usernames and passwords in a file, and want to protect it via encryption.
Real Name:
Email:
Comment:


===Encrypting With Keys===
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.   


If you are paranoid, or want very strong security, you can encrypt a file so that only someone else can open it.  To do this, you must create a GPG private key and a GPG public key (see [[#References]], and GPG Quick Start).
Enter passphrase:


===Encrypting Without Keys===
</pre>


Sometimes dealing with public and private keys to encrypt a file is just a big hassle.  Perhaps the other person has not created a public key; or perhaps they shared it with you, but you can't entirely trust their public key because a man in the middle could have changed it to their own key (thus allowing them to decrypt files that you think can only be decrypted by the intended recipient).
Then it will generate your public and private keys:


It may be advantageous, in these cases, to have a method of encrypting files that does not use public keys. This is where a handy feature called "symmetric encryption" can be used.
<pre>
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
..........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
....+++++
..+++++
gpg: key BB63D9F1 marked as ultimately trusted
public and secret key created and signed.


Symmetric encryption uses a strong cipher, called CAST5 (see [[#References]]), to encrypt a file using a passphrase, rather than a public/private key pair. As with any passphrase-protected encryption, the passphrase is the weakest link in the process, and only a very strong passphrase can give you the confidence of a strongly-encrypted file.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:  2  signed:  0 trust: 0-, 0q, 0n, 0m, 0f, 2u
</pre>


Keep in mind that this is not as ideal as encryption using keys, but is more convenient (security and convenience are on opposite sides of the same scale).
Then it will spit out a summary of your public key information.


This can be done in gpg using the <code>-c</code> or <code>--symmetric</code> command line options:
==Export ASCII Public Key==


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg -c filename
gpg --armor --output my_pubkey.txt --export 'Your Name'
Enter passphrase:<YOUR-PASSWORD>
Repeat passphrase:<YOUR-PASSWORD>
</syntaxhighlight>
</syntaxhighlight>


The result of this command is a binary file, <code>filename.gpg</code>.
==List Keys in Your Keyring==
 
To make an armored ascii output file, use the <code>--armor</code> option:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg --symmetric --armor filename
gpg --list-keys
Enter passphrase:<YOUR-PASSWORD>
Repeat passphrase:<YOUR-PASSWORD>
</syntaxhighlight>
</syntaxhighlight>


The result of this command is an ascii file <code>filename.asc</code>.
==Encrypting/Decrypting Files==
 
This is a method for encrypting and decrypting files using GPG.  This is a handy trick if you want to store all of your usernames and passwords in a file, and want to protect it via encryption.
 
===Encrypting With Keys===
 
If you are paranoid, or want very strong security, you can encrypt a file so that only someone else can open it.  To do this, you must create a GPG private key and a GPG public key (see [[#References]], and GPG Quick Start).
 
You can also encrypt a file for yourself, so that only your public/private keys can open it.


To decrypt the gpg file:
1. Make sure you have the public key of the individual you want to send the file to, by running


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg filename.gpg
$ gpg --list-keys
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>
</syntaxhighlight>
</syntaxhighlight>


'''WARNING:''' This will print the contents of your file to standard output.  You definitely don't want that to happen.  Instead, use the <code>-o</code> or <code>--output</code> flags to dump the decrypted contents to a file:
2. Encrypt the file, and specify a recipient by putting their name (the one that shows up from their public key):


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg filename.gpg --output decrypted_filename.txt
$ gpg --encrypt --recipient 'Name of Person' secret.txt
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>
</syntaxhighlight>
</syntaxhighlight>


Similarly, for the armored ascii file, use the <code>-d</code> or <code>--decrypt</code> command-line option:
This will output a file <code>secret.txt.gpg</code>; alternatively, specify the name of the output file:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg -d filename.asc --output decrypted_filename.txt
$ gpg --encrypt --recipient 'Name of Person' secret.txt --output encrypted_secret.txt
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>
</syntaxhighlight>
</syntaxhighlight>


The encrypted file will look like this:


<pre>
Ö���o�∫g�ÇçÎ��


= References =
= References =

Revision as of 20:30, 16 March 2011

GPG (Gnu Privacy Gard) is a security program that can be used to do many different things; sign files, hash files, encrypt and decrypt files, etc.

Installation

Configuring

To configure GPG: 

# configure
# make
# make install

./configure \
 --prefix=$HOME/pkg/gpg/x.x.x

Some Security Theory

Public/Private Keys

Public and private keys are used to encrypt and decrypt information in a protected way, so that only the intended recipient can decrypt the file.

Let's consider the scenario where Alice is sending a file to Bob, with a middleman eavesdropper Eve.

Alice must combine her private key with Bob's public key to obtain a special combo-key. She then uses this combo-key to encrypt the file, and then she sends it to Bob.

Bob can then decrypt the file by combining his private key with Alice's public key, which creates a complimentary combo-key, and allows Bob to decrypt the file. In this way, Alice never knows Bob's private key, and Bob never knows Alice's private key, but they can still create complimentary combo-keys to encrypt/decrypt the file.

Eve can also download the file sent from Alice to Bob, but because she does not have either Alice's private key, or Bob's private key, she cannot reconstruct the same combo-key to decrypt the file.

Performing Tasks

Generating a Public/Private Key Pair

To generate a private key, 

$ gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

RSA is stronger than DSA, so the default is highly recommended. 

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

This is like asking, "How long would you like it to take to crack your private-key: 100,000 years, or 15,000 eons? 

Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

Then it will ask for some identifying information. This is used to generate a public key, and it is important you give a unique name, email address, and comment, so that other people can identify your public key and distinguish it from others'. 

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real Name:
Email:
Comment:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.    

Enter passphrase:

Then it will generate your public and private keys: 

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
..........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
....+++++
..+++++
gpg: key BB63D9F1 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u

Then it will spit out a summary of your public key information.

Export ASCII Public Key

gpg --armor --output my_pubkey.txt --export 'Your Name'

List Keys in Your Keyring

gpg --list-keys

Encrypting/Decrypting Files

This is a method for encrypting and decrypting files using GPG. This is a handy trick if you want to store all of your usernames and passwords in a file, and want to protect it via encryption.

Encrypting With Keys

If you are paranoid, or want very strong security, you can encrypt a file so that only someone else can open it. To do this, you must create a GPG private key and a GPG public key (see #References, and GPG Quick Start).

You can also encrypt a file for yourself, so that only your public/private keys can open it.

1. Make sure you have the public key of the individual you want to send the file to, by running 

$ gpg --list-keys

2. Encrypt the file, and specify a recipient by putting their name (the one that shows up from their public key): 

$ gpg --encrypt --recipient 'Name of Person' secret.txt

This will output a file secret.txt.gpg; alternatively, specify the name of the output file: 

$ gpg --encrypt --recipient 'Name of Person' secret.txt --output encrypted_secret.txt

The encrypted file will look like this: 

Ö���o�∫g�ÇçÎ��


References

GPG Quick Start:
* http://www.madboa.com/geek/gpg-quickstart/

GPG Documentation: CAST5 (used in symmetric encryption):
* http://www.gnu.org/software/gnu-crypto/manual/api/gnu/crypto/cipher/Cast5.html

GPG at the "Security Viewpoints" blog:
* http://advosys.ca/viewpoints/tag/gpg/
Retrieved from "https://charlesreid1.com/w/index.php?title=Gpg&oldid=1623"