GPG & its Benefits
In brief, GPG (GNU Privacy Guard) is a system for encrypting data so that it can afterwards be transmitted over open communication channels and kept in unprotected storage. Open communication channels include email, cloud storage, instant messengers and many other tools you probably use daily; none of them provides dependable protection for the data by itself.
GPG is available in the repositories of almost all Linux distributions. It is used for creating digital signatures and for encrypting files. GPG is an open-source analog of PGP (Pretty Good Privacy) and implements the OpenPGP standard.
GPG's protection is quite reliable: with its default 2048-bit keys it cannot be broken with simple tools, and it is resistant to the most sophisticated attacks known.
To transfer sensitive information it is enough to encrypt the data with the gpg utility (which also compresses it). After that it can be transferred by any convenient method, regardless of that channel's built-in security. Besides encrypting data, GPG can also sign files to confirm their authorship.
Now let’s have a closer look at how it works and how to use it…
How to Use GPG for Transmitting Sensitive Data
Basic Workflow
In order to encrypt a file the sender must have the public (open) key of the person to whom the file is going to be sent. The public key is used by the sender to encrypt the data and cannot be used to decrypt it, which is why it can be distributed over open communication channels.
The recipient decrypts the file using his private (secret) key and its passphrase. It is extremely important to keep both the private key and the passphrase safe, or you won't be able to decrypt the file.
Keys
The main components of GPG are a private (secret) key and a public (open) key.
The private key should be kept safely by its owner only; it is used for signing data and for decrypting encrypted files. Every operation that uses the private key also requires the passphrase.
A public key is used for checking a digital signature and for encrypting files. It can be made available to anyone you communicate with.
So, if you would like to send somebody encrypted sensitive data, you take that person's public key and use it to encrypt your data. After receiving the data the person uses his private key to decrypt it.
If you would like to send an email with your digital signature, you use your private key to generate it. The recipient of such a signed email can use your public key to validate the signature and make sure the email was sent by you personally.
Generating & Managing Keys
Generating Keys
You can generate both the private and the public key using the following command:
gpg --gen-key
It will ask you what kind of key you would like, its length and its period of validity (in GnuPG 2.1 and later, --gen-key applies the defaults without asking; use --full-generate-key if you want to be prompted for them). To start with, choose the defaults. Then enter your details:
User: Giant Leap Lab
Email: <email address of the key owner>
Passphrase: My top secret phrase for decryption
Note that in the commands below, wherever you have to refer to a key, you can use either the user name "Giant Leap Lab" or the email address entered here.
Importing Keys
You can import keys from files. How to create such files is shown under Exporting Keys below.
Public and private:
gpg --import gll.prv.key
Public only (you may also need to change the level of trust for this key):
gpg --import gll.pub.key
Private only (--allow-secret-key-import is an obsolete option that GnuPG 2.x ignores; the plain --import above is enough):
gpg --allow-secret-key-import --import gll.prv.key
Exporting Keys
Public:
gpg --export -a "Giant Leap Lab" > gll.pub.key && cat gll.pub.key
Private:
gpg --export-secret-keys -a "Giant Leap Lab" > gll.prv.key && cat gll.prv.key
Checking if a Key is Installed
Show the public keys:
gpg --list-keys
Show all private keys:
gpg --list-secret-keys
Removing Keys
Public:
gpg --delete-keys 'Giant Leap Lab'
Private:
gpg --delete-secret-keys 'Giant Leap Lab'
Trust Levels
GPG lets you edit the level of trust for public keys. This level reflects how far you trust a particular user and the signatures he makes.
Sometimes, for example when you use a freshly imported key, you may also get the following warning message:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
In order to fix this and set the proper trust level, use the following command:
gpg --edit-key 'Giant Leap Lab'
then type:
gpg> trust
and you’ll get the following options to choose from:
1 = Don’t know
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
s = please show me more information
m = back to the main menu
In the --edit-key menu you will usually also see 5 = I trust ultimately, which is meant for your own keys. As an alternative you can sign (certify) the imported key with your own secret key, either with gpg --sign-key or with the sign / lsign commands inside gpg --edit-key.
Transferring an Encrypted File
Encrypting & Sending
Let's say we have really sensitive data in a file called top_secret_file.txt. To send it by email to a user whose email address is <recipient email>, use the following command:
gpg -r <recipient email> -e top_secret_file.txt
(We assume the recipient's key pair was generated with that email address and that you have imported his public key. You can also use his name instead of the email after the "-r" argument.)
This will create a file called top_secret_file.txt.gpg that can be sent by email or transferred over other open communication channels.
If you add the "-a" option, the encrypted output is ASCII-armored text (top_secret_file.txt.asc) that can be sent as plain text, for example through an instant messenger.
Receiving & Decrypting
Keep in mind that the recipient must have the private key for that email address and the passphrase for that key. Run the following command to decrypt the received file:
gpg -o top_secret_file.txt -d top_secret_file.txt.gpg
This will restore the original top_secret_file.txt file from top_secret_file.txt.gpg.
Signing Files
Sometimes it might be necessary to add a digital signature to a file to confirm its authorship. The command below creates a digital signature for the signGLL.txt file. The signature is saved as a separate file signGLL.txt.sig (a detached signature). The "-u" argument defines which key should be used for generating the signature (here: your own key, identified by its email address).
gpg -u <your email> --detach-sign signGLL.txt
Instead of "--detach-sign" you can also use "-b":
gpg -u <your email> -b signGLL.txt
You can also produce a single signed file that contains both the (compressed) content and the signature:
gpg -u <your email> -s signGLL.txt
The received signGLL.txt.gpg file is then unpacked with the command below, which also checks the signature:
gpg --output signGLL.txt --decrypt signGLL.txt.gpg
To verify a detached signature, use the command below. Note that the original file should be in the same folder as the signature being validated.
gpg --verify signGLL.txt.sig
If the signed file has a different name, pass it as the second argument:
gpg --verify signGLL.txt.sig license.txt
GUI for GPG
If you are not that into Linux you can use GUI applications for other platforms. For instance GPG Suite for Mac OS X or GPG4Win for Windows OS.