GnuPG {PGP Keys}

 

Index

  1. Introduction
    1. GnuPG
    2. OpenPGP
  2. Installation
  3. Use
    1. Encryption with phrase
    2. Generating Keys
      1. Adding More Information to the Keys
    3. Managing Keychain
      1. Exporting / Importing Keys
        1. Exporting
        2. Importing
    4. Encrypting files with keys
    5. Decrypting files with keys
    6. Using Servers
      1. Sending Keys
      2. Downloading Keys
  4. Conclusion
  5. References

Introduction

Gnu Privacy Guard [0] (or GnuPG, or further reduced GPG) is an implementation of OpenPGP encryption protocol messages.

On a video lesson [1], provided in Science channel Hacker, it was shown using the GPG. Here’s an article to introduce the concept and using it to the reader.

OpenPGP

OpenPGP is a widely used protocol in advance for encrypting e-mails. Based on PGP [2], came giving the world a strong method and “simple” encryption. Uses public key (asymmetric – recommend reading this article [3] to better understand the context) as engineering its encryption and defines formats to generate encrypted messages, signatures on file, certificates and other …

Here [4] can be found OpenPGP site and there is also a podcast episode Security Cool talking about it, can be accessed here [5].

Installation

As soon this part. GnuPG comes standard in most (if not all) of the * nix systems. But if you need, will some commands that may be useful:

  • Arch: sudo pacman -S gnupg --noconfirm
  • CentOS: sudo yum install gnupg -y
  • Debian: sudo apt-get install gnupg -y

Or, if you need, you can access the download page on the project website [6].

Use

The use of GPG to cover enough! It can be used from e-mail clients to exchange files. It not only works, but also using the concept of public and private keys. In other words, we can generate a key pair where the private is under our protection and the public we provide for staff. When they want to talk to me, using the public key to encrypt the data and so only I can read. When I want to sign something with my key, you can see the fingerprint, for example, that really was me who did it.

It is even common to see people passing the fingerprint code of your key contact pages, for example, so they can have a higher confidence level.

But as said, it does not work only with the use of such keys. You can create a security phrase with a friend and use it to encrypt data with it. Let’s see this in our first case. Later, we will discuss a couple of key generation and use.

Encryption with phrase

Simply have the program installed and run the command:

Where the file is the file you want to encrypt.

The security phrase will be requested. Needless to comment on the use of special characters and really strong passwords for this, right ?! After the process, a file with extension will be generated .gpg which is already protected with the sentence.

The option -c addressed to the GPG only indicates that use of only symmetric encryption process without the need for keys.

To have the clean file to be read, just type:

If you wish, you can do using the option -d but this option will only display the file contents on the screen and not create a new free file to be read. In the case of a media (picture, video …) or a binary itself, may not be so interesting.

Well, the more it helps a lot. In exchange files, crave at least by using this process.

Generating Keys

Let’s start improving the use of GPG. As stated, it uses the issue of public / private key to surface their asymmetric encryption (if you do not know what it is, I recommend you read the article again indicated [3]). So here we go!

GPG creates a keychain that is where you can manage the keys that you need. Ie simply insert the public key of someone on your keyring and when you need to encrypt / decrypt any data, you can specify who is and voila!

Come on, at first only create our key pair. To do this simply use the command:

First will be asked about the type of key you want to use. It is informed in the own menu that DSA and RSA is used only for signing and there are two other options: RSA (and RSA) and DSA (and Elgamal). By default, the first option is checked. We keep it.

Soon after comes the question about the size of RSA keys, which can be 1024 to 4096 bits. 1024 is already a legal size, but compared to the options, the weakest. 4096 On the other hand would be safer, but more time consuming. The program displays use 2048, we also accept the suggestion.

Then he asks about the time the key expiry. The number 0 means that the key does not expire. Any number represents the days of validity. The number followed w, m and y indicates weeks, months or years, respectively. How can we change the “passphrase” (later on), we can use a good 0.

After just provide some information such as name, email address and a comment. After this procedure is called for a “pass phrase”. Good to invest safely in it, using the concepts of a good password.

After that, your key is already being generated. He needs some data “random” to make it more elegantly. As a suggestion, the program asks us to do some activity like typing on the keyboard, move the mouse or use the drive. You can do as you please any of these, just provide what is asked.

Adding More Information to the Keys

If you have more than one email address that you use, it is good practice to put it as well as an identifier for your key. Simply inserting the new identifier.

To edit the key, you need the command:

This ID is something that identifies the key you want to change. You can get some information of the output: gpg --list-keys

After entering the GPG prompt can use commands such ? Or help to display a help menu and not get so lost in the first contact.

Using the command adduid you can enter the new e-mail, last name or whatever. After this step, use the command save to save changes and exit the prompt.

If you have already sent your key to a server without this new information just resend and will be updated. This step of sending to a server will be seen later.

Managing Keychain

The keychain, as has been said, is something created by GPG to store the keys that you add. Let’s see now a little key chain use.

You can list the keys that you have with the following command:

If you want to see private keys, just use:

Usually here a private key is only shown, your, or groups that still use.

Exporting / Importing Keys

If you want to export to refer to any contact, using an email client, chat, or send it to a server (if need be that way), let’s see how occurs.

Exporting

Keep in mind that for any process in this step we will need a key identifier. To get this information, list the keys that have and take a single information to them.

The basic command to export a key is --export It will display the key as it really is, and such binary format. If you want to see in ASCII format, use the option -a To save a file, you can use redirectors or else the option --output Let’s see some examples shown so far:

Keep in mind that the output in ASCII mode is the most widely used there. Therefore a good option to have exported in this format.

To export the private key, the only thing that changes is that instead of --export-key will be used --export-secret-key

Exporting its primary key, it’s good to keep it in a safe place! For your public key you have in keyservers (if you use this article to the end), as the private not.

Importing

To import a key is simple, just use:

Note: The program does not make public key distinction or private import. Or rather, does not require that you specify.

After import, you should be signing key to show authenticity. Use the command:

Where id is equal to the displayed key code. For example BC71CF75.

This code you can confirm, for example, by telephoning the key owner, speaking personally, seeing if it really says that this key is it in your site anyway.

Encrypting files with keys

Bearing in mind (or clipboard haha) some identification to the key you want to use, simply use:

Can utiilizar or not --output is stylish shopper.

After this command will request some information that identifies the key you want to use. Then place the e-mail, name, ID or something of that nature to select the correct key.

Decrypting files with keys

To decrypt is quite simple. You can use the --output or not, be my guest:

Note that it is not necessary to specify the key because the idea is that you have on your key chain. If not found, a warning is displayed on the screen, and you can use the key ID to download the server or look elsewhere.

Using Servers

Key server using the HKP protocol (HTTP keyserver Protocol), which would be a HTTP adapted for use with the transport keys.

There are several servers spread around, you just choose what you want to use. For example, the server itself PGP project [7] or GnuPG [8]. Many of these servers, after receiving a new key, replicates to partners, thus keeping the possibility to have all the keys online. Ie very likely that after sending to the server GnuPG in moments is in the PGP too, or MIT and so on.

To use a specific server in simply use the parameter --keyserver and spend the server as an argument. For example:

The 11371 port is standard in this type of server, but nothing prevents the administrator to change if you need.

Note: The parameter --search-keys will be better addressed later on.

Sending Keys

So in order to pass easily your key to friends and contacts is cool that you send to a server. It’s very simple process:

The ID is the key to identification, that code, as BC71CF75 that has already been covered here.

Note that not had to indicate a server, by default the application uses the GnuPG server.

There are some servers that feature a web interface to search or send the keys, such as PGP for example. Just use the http protocol and not hkp itself, on the same port, he responds.

Downloading Keys

Now to import the key to someone who is in a particular server is very simple. Just knowing some information that your contact has used in the key registration, for example, name, email, comment, last name or own key ID (like I said, it is common which have them on personal websites). After this, simply use the command:

This will look for my key (well, can now encrypt things if you want to talk to me, if only to test to see if understood well the concept and everything else).

A list of the keys that were found and a number representing the left at that time, the key ID is displayed. Note that there is a prompt GPG waiting for your command. Setting the key number, will add to your keychain. If you enter Q will exit the GPG.

Conclusion

We saw that article to use the command line per customer. But there are several GUI software made in order to simplify the full use of GnuPG, just a simple search and you will find some options. I will not specify here because I never used them, always preferred even CLI.

After all that has been learned in this article, it is good to know the common flow use of GPG case it was not clear:

  1. Send your public key to people. They use them to encrypt the data just for you to read after using your private key.
  2. Takes the public key people and encrypts the information with her, only that person access to your private key.

It can also be used for groups in which a member encrypt something with the public key of this group and all (and only) having the private key may access.

It is extremely important to keep your information safe! The physical risk (which can occur if you lose your phone or has the stolen notebook) is small compared to abstract damages such as reading e-mails or disclosure of his nudes.

Do not think that what is here is everything! Much more needs to be addressed. Below are links to give you a track following studies … And more, run a man gpg works great! Have fun! 😉

References

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s