GPG Keys

Ever wonder how to send a message securely to someone, so that even the one carrying the message (such as your email service provider) can't intercept it? Ever wonder how to share an encrypted file with someone without needing any password?

You can easily do it, thanks to GPG. Welcome to the world of asymmetric encryption.

What is GPG:

GPG is the acronym for GNU Privacy Guard. GPG employs asymmetric encryption by using a key pair. It's one of the best ways to maintain end-to-end encryption between the sender and the receiver of the data.

This article describes the basic concept of asymmetric encryption and why you should consider using GPG keys for protecting your information.

GPG is asymmetric encryption:

In symmetric encryption a single key (like a password) is used for both encryption and decryption. So if you want to send some encrypted data to someone, you need to send the key as well (which may be stolen on the way just like the data itself). To avoid that problem, asymmetric encryption uses two separate keys for encryption and decryption.

Asymmetric encryption is like a padlock. You can lock a padlock without the key, but to open it you will need the exact key corresponding to that padlock. In a similar way GPG comes with a pair of keys, a public key and a private key. Think of the public key as the padlock, which you can use to lock (encrypt) the data. But once locked, you can't unlock it without the key. Now the data can only be unlocked (decrypted) by the person who holds the key to that padlock.

How it works:

Suppose you are sending a message to someone. First you need to find their public key. Most people upload their public keys to the key servers. Public keys are identified by the receiver's e-mail address. If you can't find it on the key servers, you can ask the receiver to send it to you. (As you can see, it's safe to distribute the public key to anyone, since it only encrypts the data, but never decrypts it.) Now you can encrypt the data using that public key. There are lots of applications available for all platforms that can help you with the encryption (e.g. KGPG for Linux, GPG4Win for Windows etc). Now you can send the encrypted data to the receiver. The only person capable of decrypting the data is the one who holds the corresponding private key.

What do you need:

You'll need to install GPG software on your computer. Most Linux distros, including Ubuntu, come with GPG pre-installed. If you are using Windows, there is a nice package named GPG4Win. After you install the software you'll need to generate a key pair for yourself. Remember, you must NOT disclose your private key to anyone under any circumstances. Your public key, on the other hand, must be available to anyone who wants to send you an encrypted message. The best way to make sure everyone can find your public key is to upload it to a key server. It's usually a good idea to generate a revocation key as well. In case you lose your private key, or if someone else gets hold of your private key, you can use this key to revoke your key pair. Of course, nothing can prevent you from generating another key pair in case of such an unfortunate event.

Why use GPG:

  1. Maintain perfect end-to-end secrecy. Not even your e-mail service provider can read your e-mails.
  2. You don't need to be worried if your email account ever gets compromised. No one will be able to read your mails.
  3. You can digitally sign your messages with your private key. Digital signature confirms that the message truly comes from you and is not spoofed by anyone else.
  4. You don't have to use separate keys/passwords for every message, you can send all the messages securely using just the receivers' public keys.

How to use on command line:

The following instructions will assume that you are using GPG on Linux command line.

Key management

Generate key pairs

gpg --gen-key

After running the command the GPG wizard will guide you through the key generation process in a step-by-step fashion. You will need to use your e-mail id to create the keys.

It's also a good idea to generate a revocation key in case your private key gets compromised.

gpg --output revoke.asc --gen-revoke id

The id must be replaced with your e-mail id. You must safely store this revocation key, otherwise anyone who can access the revocation key can revoke your keys.

Upload keys to key-server

gpg --keyserver pgp.mit.edu --send-key id

The id must be replaced with your e-mail id.

Get someone's public keys

gpg --keyserver pgp.mit.edu --recv-key id

You can use these commands to get the public key of a person. Here the id must be replaced with the e-mail id of that person.

Now you can use this public key to send that person encrypted messages.

List keys

gpg --list-keys

This command shows all the keys currently in your key-ring.

To get the fingerprint of the keys run—

gpg --fingerprint

You should always ask for the gpg key fingerprints from your intended recipients in person, so that no one can spoof their keys and hijack your data.
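One way to make the fingerprint check above mechanical instead of comparing by eye (an added example, not part of the original article): it parses the machine-readable listing from `gpg --with-colons --fingerprint` and compares the primary key's fingerprint with the one you were given in person. The function names and the sample listing are constructed for illustration.

```sh
# Normalise a fingerprint as people write it: drop spaces/colons, upper-case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint <id>` output on stdin and print the
# primary key's fingerprint: the first "fpr" record after the "pub" record
# (field 10 of an "fpr" record holds the fingerprint).
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Exit status 0 = match, 1 = mismatch, 2 = expected value is not a full
# 40-hex-digit fingerprint (short key IDs are refused: they are easy to spoof).
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    printf '%s' "$expected" | grep -Eq '^[0-9A-F]{40}$' || return 2
    actual=$(primary_fpr_from_colons)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample of colon-format output (not a real key).
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:-:3072:1:1122334455667788:1700000000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
uid:-::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.invalid>::::::::::0:
sub:-:3072:1:99AABBCCDDEEFF00:1700000000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Real use:
#   gpg --with-colons --fingerprint alice@example.invalid \
#       | fingerprint_matches "<fingerprint Alice read out to you>"
if printf '%s\n' "$SAMPLE_LISTING" \
        | fingerprint_matches "aaaa bbbb cccc dddd eeee ffff 1122 3344 5566 7788"; then
    echo "fingerprint OK: safe to encrypt to this key"
fi
```
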

Backup your private keys

gpg --export-secret-keys --armor > private.asc

Keep your private keys in a safe place so that no one can access them. It's a good idea to back up your private keys in case your computer crashes or you lose your files.

Encrypt a file

gpg --encrypt file

Replace file with the name of the file you want to encrypt. You will be asked the id of the intended recipient.

Decrypt a file

gpg file

Replace file with the encrypted file name.

Sign a file

gpg --clearsign file

Replace file with the file name. This command will sign the file without encrypting it.

To sign as well as encrypt a file, use—

gpg --encrypt --sign file

You can also create a detached signature, where the signature will be saved separately from the file, so that the original file remains unmodified.

gpg --detach-sign file

Verify a signature

gpg --verify file

Replace file with the signed file name or the detached signature file name.
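To try the encrypt, decrypt, sign and verify commands above without touching your real key-ring, the following added example (not part of the original article) runs them end to end in a throwaway GNUPGHOME. It assumes GnuPG 2.1 or later; the user ID, file names and the unprotected test key are constructed for the demonstration.

```sh
# Run the whole cycle in a temporary key-ring; exits non-zero on any failure.
gpg_roundtrip() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Stop the agent started for this key-ring and delete everything on exit.
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    cd "$GNUPGHOME" || exit 1
    g="gpg --batch --quiet --pinentry-mode loopback"

    # Test key only: empty passphrase, default algorithm, never expires.
    $g --passphrase '' --quick-generate-key \
        'Test User <test@example.invalid>' default default never || exit 1

    printf 'meet at noon\n' > msg.txt

    # Encrypt with the recipient's public key, decrypt with the private key.
    $g --recipient test@example.invalid --output msg.txt.gpg \
        --encrypt msg.txt || exit 1
    $g --output msg.out --decrypt msg.txt.gpg 2>/dev/null || exit 1
    cmp -s msg.txt msg.out || exit 1          # plaintext must round-trip

    # Detached signature: the original file stays unmodified.
    $g --output msg.sig --detach-sign msg.txt || exit 1
    $g --verify msg.sig msg.txt 2>/dev/null || exit 1

    # After any change to the file the same signature must be rejected.
    printf 'meet at midnight\n' > msg.txt
    if $g --verify msg.sig msg.txt 2>/dev/null; then
        exit 1
    fi
    exit 0
)

# Usage: gpg_roundtrip && echo "round trip OK"
```
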

Check out these links:

The Official page of GPG

GPG from Wikipedia

A GPG tutorial for Linux

Remember:

Security is a habit.

The best way to ensure security is to practice it whenever possible. Always keep in mind the following points if you want to ensure security while using GPG keys—

  1. NEVER disclose your private key or your revocation key.
  2. Make sure you back up your keys in a secure location, so that if your computer crashes you can use the backed up copies of your keys. You can't read encrypted messages sent to you without those keys.
  3. Always shred unencrypted messages after reading. Simple delete is not sufficient. Deleted files can often be recovered from most file-systems. There are many shredding applications available for all platforms (e.g. shred for Linux, ccleaner for Windows etc), use one of those. Alternatively consider keeping your files on an encrypted disk.

And yeah, you don't keep your home unlocked, don't leave your data unencrypted.

Comments

Jon (Apr 3, 2015 02:03)

Wonderful submit, very informative. I wonder why the opposite experts of this sector don't understand this. You should continue your writing. I am sure, you have a great readers' base already!


Simon (Apr 3, 2015 02:03)

I think that is one of the most significant info for me. And I'm satisfied studying your article. However want to observation on few common things, The website style is ideal, the article is really excellent : D. Good process, cheers.


Willa (Apr 3, 2015 02:47)

That is a very good tip especially to those fresh to the blogosphere. Brief but very precise info… Many thanks for sharing this one. A must read post!


rocky hill (Jan 27, 2017 23:11)

I really like your writing style, superb information, regards for posting : D.


Copyright © 2012-2024 Dr. Agnibho Mondal
E-mail: mondal@agnibho.com