Ever wonder how to send a message securely to someone, so that even the one carrying the message (such as your email service provider) can't intercept it? Ever wonder how to share an encrypted file with someone without needing any password?
You can easily do it, thanks to GPG. Welcome to the world of asymmetric encryption.
What is GPG:
GPG is the acronym for GNU Privacy Guard. GPG employs asymmetric encryption by using a key pair. It's one of the best way to maintain end to end encryption between the sender and the receiver of the data.
This article describes the basic concept of asymmetric encryption and why you should consider using GPG keys for the protecting your information.
GPG is asymmetric encryption:
In case of symmetric encryption a single key (like a password) is used for both encryption and decryption. So if you want to send some encrypted data to someone, you need to send the key as well (which may be stolen on the way just like the data itself). To avoid that problem, asymmetric encryption uses two separate keys for encryption and decryption
Asymmetric encryption is like a padlock. You can lock a padlock without the key, but to open it you will need the exact key corresponding to that padlock. In a similar way GPG comes with a pair of keys, a public key and a private key. Think of the public key as the padlock, which you can use to lock (encrypt) the data. But once locked, you can't unlock it without the key. Now the data can only be unlocked (decrypted) by the person who holds the key to that padlock.
How it works:
Suppose you are sending a message to someone. First you need to find their public key. Most people upload their public keys to the key servers. public keys are identified by the receiver's e-mail address. If you can't find it in key servers you can ask the receiver to send it to you. (As you can see it's safe to distribute the public keys to anyone, since it only encrypts the data, but never decrypts it). Now you can encrypt the data using that public key. There are lots of applications available for all platforms that can help you with the encryption (e.g. KGPG for Linux, GPG4Win for Windows etc). Now you can send the encrypted data to the receiver. The only person capable of decrypting the data is the one who holds the corresponding private key.
What do you need:
You'll need to install a GPG software in your computer. Most of the Linux distros come with pre-installed GPG, including Ubuntu. If you are using Windows, there is a nice software named GPG4Win. After you install the software you'll need to generate a key pair for yourself. Remember, you must NOT disclose your private key to anyone under any circumstances. Well, your public key must be available to anyone who want to send you an encrypted message. The best way to make sure everyone can find your public key is to upload it to a key server. It's usually a good idea to generate a revocation key as well. In case you lose your private key, or if someone else gets his/her hand on your private keys, you can use this key to revoke your key pair. Off course nothing can prevent you from generating another key pair in case of such an unfortunate event.
Why use GPG:
- Maintain perfect end-to-end secrecy. Not even your e-mail service provider can read your e-mails.
- You don't need to be worried if your email account ever gets compromised. No one will be able to read your mails.
- You can digitally sign your messages with your private key. Digital signature confirms that the message truly comes from you and is not spoofed by anyone else.
- You don't have to use separate keys/passwords for every message, you can send all the messages securely using just the receivers' public keys.
How to use on command line:
The following instructions will assume that you are using GPG on Linux command line.
Generate key pairs
After running the command the GPG wizard will guide you through the key generation process in a step-by-step fashion. You will need to use your e-mail id to create the keys.
It's also a good idea to generate a revocation key in case your private key gets compromised.
gpg --output revoke.asc --gen-revoke id
The id must be replaced with your e-mail id. You must safely store this revocation key, otherwise anyone who can access the revocation key can revoke your keys.
Upload keys to key-server
gpg --keyserver pgp.mit.edu --send-key id
The id must be replaced with your e-mail id.
Get someone's public keys
gpg --keyserver pgp.mit.edu --recv-key id
You can use these commands to get the public key of a person. Here the id must be replaced with the e-mail id of that person.
Now you can use this public key to send that person encrypted messages.
This command shows all the keys currently in your key-ring.
To get the fingerprint of the keys run—
You should always ask for the gpg key fingerprints from your intended recipients in person, so that no one can spoof their keys and hijack your data.
Backup your private keys
gpg --export-private-keys > private.asc
Keep your private keys in a safe place so that no one can access it. It's a good idea to back up your private keys in case your computer crashes or you lose your files.
Encrypt a file
gpg --encrypt file
Replace file with the name of the file you want to encrypt. You will be asked the id of the intended recipient.
Decrypt a file
Replace file with the encrypted file name.
Sign a file
gpg --clearsign file
Replace file with the file name. This command will sign the file without encrypting it.
To sign as well as encrypt a file, use—
gpg --encrypt --sign file
You can also create a detached signature, where the signature will be saved separately from the file, so that the original file remains unmodified.
gpg --detach-sign file
Verify a signature
gpg --verify file
Replace file with the signed file name or the detached signature file name.
Check out these links:
Security is a habit.
The best way to ensure security is to practice it whenever possible. Always keep in mind the following points if you want to ensure security while using GPG keys—
- NEVER disclose your private key or your revocation key.
- Make sure you back up your keys in a secure location, so that if your computer crashes you can use the backed up copies of your keys. You can't read encrypted messages sent to you without those keys.
- Always shred unencrypted messages after reading. Simple delete is not sufficient. Deleted files can often be recovered from most file-systems. There are many shredding applications available for all platforms (e.g. shred for Linux, ccleaner for Windows etc), use one of those. Alternatively consider keeping your files on an encrypted disk.
And yeah, you don't keep your home unlocked, don't leave your data unencrypted.