quick & dirty gnupg

First of all Install security/gnupg and security/pinentry
Also security/gpa helps a lot managing keys in X

MAKE PRIVATE/PUBLIC KEY PAIR
Code:
$ gpg --gen-key
This is pretty straightforward

LIST KEYS
Code:
$ gpg --list-keys
Warning: using insecure memory!
/home/killasmurf86/.gnupg/pubring.gpg
-------------------------------------
pub   1024D/[color="Red"]7ED573D3[/color] 2008-09-12 [expires: 2010-11-07]
uid                  Aldis Berjoza (killasmurf86) <killasmurf86@gmail.com>
uid                  [jpeg image of size 4667]
sub   4096g/8CF6B625 2008-09-12
Here I marked my public key ID in red, when you work with keys IDs prefix them with 0x. For example
0x7ED573D3

GET KEY FINGERPRINT
Code:
$ gpg --fingerprint 0x8CF6B625

GENERATE REVOCATION CERTIFICATE
Code:
$ gpg --output my_revoke.asc --gen-revoke 0x8CF6B625
See below how, why and when to use it.

SEND/RETRIEVE PUBLIC KEY TO KEY SERVER
Send:
Code:
$ gpg --keyserver pgp.mit.edu --send-key 0x7ED573D3
Retrieve:
Code:
$ gpg --keyserver pgp.mit.edu --recv-key 0x7ED573D3

EXPORT/IMPORT PUBLIC KEY
export (binary form):
Code:
$ gpg --output killasmurf86.gpg --export 0x7ED573D3
export (ASCII form):
Code:
$ gpg --output killasmurf86.asc --armour --export 0x7ED573D3
import:
Code:
$ gpg --import killasmurf86.gpg
or
Code:
$ gpg --import killasmurf86.asc

EDIT KEY
Code:
$ gpg --edit-key 0x7ED573D3
This will be interactive...
common commands: save, quit, sign, fpr, trust
see gpg(1) for details

REFRESH PUBLIC KEYS
You should do this once in while.
Code:
$ gpg --keyserver pgp.mit.edu --refresh-keys

SIGN/VERIFY FILE 1
Code:
gpg --sign /path/to/file
this will create /path/to/file.gpg which will contain signature in binary form.
Now you just send /path/to/file.gpg to a friend. file.gpg is compressed and signed file, to view and verify it use:
Code:
gpg --output /path/to/file --decrypt /path/to/file.gpg
this will create /path/to/test file, that was signed, and verify signature

SIGN/VERIFY FILE 2
Code:
gpg --armour --sign /path/to/file
this will create /path/to/file.asc which will contain signature in ASCII form
Now you just send /path/to/file.asc and to a friend. file.asc is compressed and signed file, but in ascii form. To view and verify it use:
Code:
gpg --output /path/to/file --decrypt /path/to/file.asc
this will create /path/to/test file, that was signed, and verify signature

SIGN/VERIFY FILE 3
Code:
gpg --clearsign /path/to/file
this will create /path/to/file.asc which will contain content of /path/to/file and signature in ASCII form.
This is useful for sending signed emails
You don't need gnupg to read it, but you'll be able to verify it with gnupg if you want to
If you want to extract content, then use this:
Code:
gpg --output /path/to/file --decrypt /path/to/file.asc


SIGN/VERIFY FILE 4
Code:
gpg --detach-sign /path/to/file
This will create /path/to/file.sig which will contain signature for /path/to/file.
This is recommended method for binary data
keep file and file.sig together :)
To verify data use:
Code:
gpg --verify /path/to/file.sig /path/to/file

ENCRYPT/DECRYPT FILE 1
Code:
gpg --encrypt /path/to/file
This will ask for recipient, and then create encrypted file /path/to/file.gpg in binary form
To decrypt it, use:
Code:
gpg --output /path/to/file --decrypt /path/to/file.gpg

ENCRYPT/DECRYPT FILE 2
Code:
gpg --armour --encrypt /path/to/file
This will ask for recipient, and then create encrypted file /path/to/file.gpg in ASCII form
To decrypt it, use:
Code:
gpg --output /path/to/file --decrypt /path/to/file.asc

ENCRYPT/DECRYPT FILE 3
If you want to encrypt/decrypt and know recipients key ID, you can use -r switch
Code:
gpg -r 0x7ED573D3 --encrypt /path/to/file
gpg -r 0x7ED573D3 --armour --encrypt /path/to/file
Also instead of Key ID, you can use, comment, name, surname, or even email address
Code:
gpg -r killasmurf86 --encrypt /path/to/file
gpg -r Aldis --armour --encrypt /path/to/file
gpg -r Berjoza --armour --encrypt /path/to/file
gpg -r '<killasmurf86@gmail.com>' --encrypt /path/to/file
the word after -r must be key specefic

SIGN & ENCRYPT
A common practice is to sign file, and then encrypt it.
for exampel
Code:
$ gpg --armour --sign -r killasmurf86 --encrypt /path/to/file
will create signed and ecnrypted file /path/to/file.asc
and to decrypt it and verify signature, use
Code:
$ gpg --output /path/to/file --decrypt /path/to/file.asc

USING REVOCATION CERTIFICATE
Code:
$ gpg--import my_revoke.asc 
$ gpg --keyserver pgp.mit.edu --send-keys 0x7ED573D3
Do this only, if you have reasons to think, that your private key got compromised, or you forgot password.
This way, nobody who download your public key, from now on won't be able to use it.
You will still be able to decrypt your data.
read more:
http://www.gnupg.org/gph/en/manual.html#REVOCATION

NOTES
If you encrypt, mail, think if you'll like to read it later yourself. For this you should encrypt it for yourself as well, otherwise you don't be able to decrypt it.

I've wrote some basics, and if you're not familiar with gnupg yet, you need to read more information on web of trust and gpg

You can integrate GnuPG in may apps and scripts... http://gnupg.org/related_software/index.en.html

RESOURCES
gpg2(1)

SEE ALSO
http://www.gnupg.org/gph/en/manual.html
http://en.wikipedia.org/wiki/Web_of_trust
http://en.wikipedia.org/wiki/Pretty_Good_Privacy

also interesting:
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
google gnupg, gpg and pgp

P.S.
Key I used (0x7ED573D3) in this howto is my public key :D

UPDATE:
Added how to use revocation certificate
 
A good rule of thumb is that you should not use any security mechanism you do not understand. Human error is by far the biggest security risk and the chance for error is much greater if you do now know what you are doing.

Use this article as a reference at most. And do not blindly follow instructions or follow instructions you do not understand.
Read about PGP and how it works first.
 
Back
Top