graudeejs
August 30th, 2009, 14:20
First of all Install security/gnupg and security/pinentry
Also security/gpa helps a lot managing keys in X
MAKE PRIVATE/PUBLIC KEY PAIR
$ gpg --gen-key
This is pretty straightforward
LIST KEYS
$ gpg --list-keys
Warning: using insecure memory!
/home/killasmurf86/.gnupg/pubring.gpg
-------------------------------------
pub 1024D/7ED573D3 2008-09-12 [expires: 2010-11-07]
uid Aldis Berjoza (killasmurf86) <killasmurf86@gmail.com>
uid [jpeg image of size 4667]
sub 4096g/8CF6B625 2008-09-12
Here I marked my public key ID in red, when you work with keys IDs prefix them with 0x. For example
0x7ED573D3
GET KEY FINGERPRINT
$ gpg --fingerprint 0x8CF6B625
GENERATE REVOCATION CERTIFICATE
$ gpg --output my_revoke.asc --gen-revoke 0x8CF6B625
See below how, why and when to use it.
SEND/RETRIEVE PUBLIC KEY TO KEY SERVER
Send:
$ gpg --keyserver pgp.mit.edu --send-key 0x7ED573D3
Retrieve:
$ gpg --keyserver pgp.mit.edu --recv-key 0x7ED573D3
EXPORT/IMPORT PUBLIC KEY
export (binary form):
$ gpg --output killasmurf86.gpg --export 0x7ED573D3
export (ASCII form):
$ gpg --output killasmurf86.asc --armour --export 0x7ED573D3
import:
$ gpg --import killasmurf86.gpg
or
$ gpg --import killasmurf86.asc
EDIT KEY
$ gpg --edit-key 0x7ED573D3
This will be interactive...
common commands: save, quit, sign, fpr, trust
see gpg for details
REFRESH PUBLIC KEYS
You should do this once in while.
$ gpg --keyserver pgp.mit.edu --refresh-keys
SIGN/VERIFY FILE 1
gpg --sign /path/to/file
this will create /path/to/file.gpg which will contain signature in binary form.
Now you just send /path/to/file.gpg to a friend. file.gpg is compressed and signed file, to view and verify it use:
gpg --output /path/to/file --decrypt /path/to/file.gpg
this will create /path/to/test file, that was signed, and verify signature
SIGN/VERIFY FILE 2
gpg --armour --sign /path/to/file
this will create /path/to/file.asc which will contain signature in ASCII form
Now you just send /path/to/file.asc and to a friend. file.asc is compressed and signed file, but in ascii form. To view and verify it use:
gpg --output /path/to/file --decrypt /path/to/file.asc
this will create /path/to/test file, that was signed, and verify signature
SIGN/VERIFY FILE 3
gpg --clearsign /path/to/file
this will create /path/to/file.asc which will contain content of /path/to/file and signature in ASCII form.
This is useful for sending signed emails
You don't need gnupg to read it, but you'll be able to verify it with gnupg if you want to
If you want to extract content, then use this:
gpg --output /path/to/file --decrypt /path/to/file.asc
SIGN/VERIFY FILE 4
gpg --detach-sign /path/to/file
This will create /path/to/file.sig which will contain signature for /path/to/file.
This is recommended method for binary data
keep file and file.sig together :)
To verify data use:
gpg --verify /path/to/file.sig /path/to/file
ENCRYPT/DECRYPT FILE 1
gpg --encrypt /path/to/file
This will ask for recipient, and then create encrypted file /path/to/file.gpg in binary form
To decrypt it, use:
gpg --output /path/to/file --decrypt /path/to/file.gpg
ENCRYPT/DECRYPT FILE 2
gpg --armour --encrypt /path/to/file
This will ask for recipient, and then create encrypted file /path/to/file.gpg in ASCII form
To decrypt it, use:
gpg --output /path/to/file --decrypt /path/to/file.asc
ENCRYPT/DECRYPT FILE 3
If you want to encrypt/decrypt and know recipients key ID, you can use -r switch
gpg -r 0x7ED573D3 --encrypt /path/to/file
gpg -r 0x7ED573D3 --armour --encrypt /path/to/file
Also instead of Key ID, you can use, comment, name, surname, or even email address
gpg -r killasmurf86 --encrypt /path/to/file
gpg -r Aldis --armour --encrypt /path/to/file
gpg -r Berjoza --armour --encrypt /path/to/file
gpg -r '<killasmurf86@gmail.com>' --encrypt /path/to/file
the word after -r must be key specefic
SIGN & ENCRYPT
A common practice is to sign file, and then encrypt it.
for exampel
$ gpg --armour --sign -r killasmurf86 --encrypt /path/to/file
will create signed and ecnrypted file /path/to/file.asc
and to decrypt it and verify signature, use
$ gpg --output /path/to/file --decrypt /path/to/file.asc
USING REVOCATION CERTIFICATE
$ gpg--import my_revoke.asc
$ gpg --keyserver pgp.mit.edu --send-keys 0x7ED573D3
Do this only, if you have reasons to think, that your private key got compromised, or you forgot password.
This way, nobody who download your public key, from now on won't be able to use it.
You will still be able to decrypt your data.
read more: http://www.gnupg.org/gph/en/manual.html#REVOCATION
NOTES
If you encrypt, mail, think if you'll like to read it later yourself. For this you should encrypt it for yourself as well, otherwise you don't be able to decrypt it.
I've wrote some basics, and if you're not familiar with gnupg yet, you need to read more information on web of trust and gpg
You can integrate GnuPG in may apps and scripts... http://gnupg.org/related_software/index.en.html
RESOURCES
gpg2
SEE ALSO
http://www.gnupg.org/gph/en/manual.html
http://en.wikipedia.org/wiki/Web_of_trust
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
also interesting:
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
google gnupg, gpg and pgp
P.S.
Key I used (0x7ED573D3 (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7ED573D3)) in this howto is my public key :D
UPDATE:
Added how to use revocation certificate
Also security/gpa helps a lot managing keys in X
MAKE PRIVATE/PUBLIC KEY PAIR
$ gpg --gen-key
This is pretty straightforward
LIST KEYS
$ gpg --list-keys
Warning: using insecure memory!
/home/killasmurf86/.gnupg/pubring.gpg
-------------------------------------
pub 1024D/7ED573D3 2008-09-12 [expires: 2010-11-07]
uid Aldis Berjoza (killasmurf86) <killasmurf86@gmail.com>
uid [jpeg image of size 4667]
sub 4096g/8CF6B625 2008-09-12
Here I marked my public key ID in red, when you work with keys IDs prefix them with 0x. For example
0x7ED573D3
GET KEY FINGERPRINT
$ gpg --fingerprint 0x8CF6B625
GENERATE REVOCATION CERTIFICATE
$ gpg --output my_revoke.asc --gen-revoke 0x8CF6B625
See below how, why and when to use it.
SEND/RETRIEVE PUBLIC KEY TO KEY SERVER
Send:
$ gpg --keyserver pgp.mit.edu --send-key 0x7ED573D3
Retrieve:
$ gpg --keyserver pgp.mit.edu --recv-key 0x7ED573D3
EXPORT/IMPORT PUBLIC KEY
export (binary form):
$ gpg --output killasmurf86.gpg --export 0x7ED573D3
export (ASCII form):
$ gpg --output killasmurf86.asc --armour --export 0x7ED573D3
import:
$ gpg --import killasmurf86.gpg
or
$ gpg --import killasmurf86.asc
EDIT KEY
$ gpg --edit-key 0x7ED573D3
This will be interactive...
common commands: save, quit, sign, fpr, trust
see gpg for details
REFRESH PUBLIC KEYS
You should do this once in while.
$ gpg --keyserver pgp.mit.edu --refresh-keys
SIGN/VERIFY FILE 1
gpg --sign /path/to/file
this will create /path/to/file.gpg which will contain signature in binary form.
Now you just send /path/to/file.gpg to a friend. file.gpg is compressed and signed file, to view and verify it use:
gpg --output /path/to/file --decrypt /path/to/file.gpg
this will create /path/to/test file, that was signed, and verify signature
SIGN/VERIFY FILE 2
gpg --armour --sign /path/to/file
this will create /path/to/file.asc which will contain signature in ASCII form
Now you just send /path/to/file.asc and to a friend. file.asc is compressed and signed file, but in ascii form. To view and verify it use:
gpg --output /path/to/file --decrypt /path/to/file.asc
this will create /path/to/test file, that was signed, and verify signature
SIGN/VERIFY FILE 3
gpg --clearsign /path/to/file
this will create /path/to/file.asc which will contain content of /path/to/file and signature in ASCII form.
This is useful for sending signed emails
You don't need gnupg to read it, but you'll be able to verify it with gnupg if you want to
If you want to extract content, then use this:
gpg --output /path/to/file --decrypt /path/to/file.asc
SIGN/VERIFY FILE 4
gpg --detach-sign /path/to/file
This will create /path/to/file.sig which will contain signature for /path/to/file.
This is recommended method for binary data
keep file and file.sig together :)
To verify data use:
gpg --verify /path/to/file.sig /path/to/file
ENCRYPT/DECRYPT FILE 1
gpg --encrypt /path/to/file
This will ask for recipient, and then create encrypted file /path/to/file.gpg in binary form
To decrypt it, use:
gpg --output /path/to/file --decrypt /path/to/file.gpg
ENCRYPT/DECRYPT FILE 2
gpg --armour --encrypt /path/to/file
This will ask for recipient, and then create encrypted file /path/to/file.gpg in ASCII form
To decrypt it, use:
gpg --output /path/to/file --decrypt /path/to/file.asc
ENCRYPT/DECRYPT FILE 3
If you want to encrypt/decrypt and know recipients key ID, you can use -r switch
gpg -r 0x7ED573D3 --encrypt /path/to/file
gpg -r 0x7ED573D3 --armour --encrypt /path/to/file
Also instead of Key ID, you can use, comment, name, surname, or even email address
gpg -r killasmurf86 --encrypt /path/to/file
gpg -r Aldis --armour --encrypt /path/to/file
gpg -r Berjoza --armour --encrypt /path/to/file
gpg -r '<killasmurf86@gmail.com>' --encrypt /path/to/file
the word after -r must be key specefic
SIGN & ENCRYPT
A common practice is to sign file, and then encrypt it.
for exampel
$ gpg --armour --sign -r killasmurf86 --encrypt /path/to/file
will create signed and ecnrypted file /path/to/file.asc
and to decrypt it and verify signature, use
$ gpg --output /path/to/file --decrypt /path/to/file.asc
USING REVOCATION CERTIFICATE
$ gpg--import my_revoke.asc
$ gpg --keyserver pgp.mit.edu --send-keys 0x7ED573D3
Do this only, if you have reasons to think, that your private key got compromised, or you forgot password.
This way, nobody who download your public key, from now on won't be able to use it.
You will still be able to decrypt your data.
read more: http://www.gnupg.org/gph/en/manual.html#REVOCATION
NOTES
If you encrypt, mail, think if you'll like to read it later yourself. For this you should encrypt it for yourself as well, otherwise you don't be able to decrypt it.
I've wrote some basics, and if you're not familiar with gnupg yet, you need to read more information on web of trust and gpg
You can integrate GnuPG in may apps and scripts... http://gnupg.org/related_software/index.en.html
RESOURCES
gpg2
SEE ALSO
http://www.gnupg.org/gph/en/manual.html
http://en.wikipedia.org/wiki/Web_of_trust
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
also interesting:
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
google gnupg, gpg and pgp
P.S.
Key I used (0x7ED573D3 (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7ED573D3)) in this howto is my public key :D
UPDATE:
Added how to use revocation certificate