First of all Install security/gnupg and security/pinentry
Also security/gpa helps a lot managing keys in X
MAKE PRIVATE/PUBLIC KEY PAIR
This is pretty straightforward
LIST KEYS
Here I marked my public key ID in red, when you work with keys IDs prefix them with 0x. For example
0x7ED573D3
GET KEY FINGERPRINT
GENERATE REVOCATION CERTIFICATE
See below how, why and when to use it.
SEND/RETRIEVE PUBLIC KEY TO KEY SERVER
Send:
Retrieve:
EXPORT/IMPORT PUBLIC KEY
export (binary form):
export (ASCII form):
import:
or
EDIT KEY
This will be interactive...
common commands: save, quit, sign, fpr, trust
see gpg(1) for details
REFRESH PUBLIC KEYS
You should do this once in while.
SIGN/VERIFY FILE 1
this will create /path/to/file.gpg which will contain signature in binary form.
Now you just send /path/to/file.gpg to a friend. file.gpg is compressed and signed file, to view and verify it use:
this will create /path/to/test file, that was signed, and verify signature
SIGN/VERIFY FILE 2
this will create /path/to/file.asc which will contain signature in ASCII form
Now you just send /path/to/file.asc and to a friend. file.asc is compressed and signed file, but in ascii form. To view and verify it use:
this will create /path/to/test file, that was signed, and verify signature
SIGN/VERIFY FILE 3
this will create /path/to/file.asc which will contain content of /path/to/file and signature in ASCII form.
This is useful for sending signed emails
You don't need gnupg to read it, but you'll be able to verify it with gnupg if you want to
If you want to extract content, then use this:
SIGN/VERIFY FILE 4
This will create /path/to/file.sig which will contain signature for /path/to/file.
This is recommended method for binary data
keep file and file.sig together
To verify data use:
ENCRYPT/DECRYPT FILE 1
This will ask for recipient, and then create encrypted file /path/to/file.gpg in binary form
To decrypt it, use:
ENCRYPT/DECRYPT FILE 2
This will ask for recipient, and then create encrypted file /path/to/file.gpg in ASCII form
To decrypt it, use:
ENCRYPT/DECRYPT FILE 3
If you want to encrypt/decrypt and know recipients key ID, you can use -r switch
Also instead of Key ID, you can use, comment, name, surname, or even email address
the word after -r must be key specefic
SIGN & ENCRYPT
A common practice is to sign file, and then encrypt it.
for exampel
will create signed and ecnrypted file /path/to/file.asc
and to decrypt it and verify signature, use
USING REVOCATION CERTIFICATE
Do this only, if you have reasons to think, that your private key got compromised, or you forgot password.
This way, nobody who download your public key, from now on won't be able to use it.
You will still be able to decrypt your data.
read more: http://www.gnupg.org/gph/en/manual.html#REVOCATION
NOTES
If you encrypt, mail, think if you'll like to read it later yourself. For this you should encrypt it for yourself as well, otherwise you don't be able to decrypt it.
I've wrote some basics, and if you're not familiar with gnupg yet, you need to read more information on web of trust and gpg
You can integrate GnuPG in may apps and scripts... http://gnupg.org/related_software/index.en.html
RESOURCES
gpg2(1)
SEE ALSO
http://www.gnupg.org/gph/en/manual.html
http://en.wikipedia.org/wiki/Web_of_trust
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
also interesting:
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
google gnupg, gpg and pgp
P.S.
Key I used (0x7ED573D3) in this howto is my public key
UPDATE:
Added how to use revocation certificate
Also security/gpa helps a lot managing keys in X
MAKE PRIVATE/PUBLIC KEY PAIR
Code:
$ gpg --gen-key
LIST KEYS
Code:
$ gpg --list-keys
Warning: using insecure memory!
/home/killasmurf86/.gnupg/pubring.gpg
-------------------------------------
pub 1024D/[color="Red"]7ED573D3[/color] 2008-09-12 [expires: 2010-11-07]
uid Aldis Berjoza (killasmurf86) <killasmurf86@gmail.com>
uid [jpeg image of size 4667]
sub 4096g/8CF6B625 2008-09-12
0x7ED573D3
GET KEY FINGERPRINT
Code:
$ gpg --fingerprint 0x8CF6B625
GENERATE REVOCATION CERTIFICATE
Code:
$ gpg --output my_revoke.asc --gen-revoke 0x8CF6B625
SEND/RETRIEVE PUBLIC KEY TO KEY SERVER
Send:
Code:
$ gpg --keyserver pgp.mit.edu --send-key 0x7ED573D3
Code:
$ gpg --keyserver pgp.mit.edu --recv-key 0x7ED573D3
EXPORT/IMPORT PUBLIC KEY
export (binary form):
Code:
$ gpg --output killasmurf86.gpg --export 0x7ED573D3
Code:
$ gpg --output killasmurf86.asc --armour --export 0x7ED573D3
Code:
$ gpg --import killasmurf86.gpg
Code:
$ gpg --import killasmurf86.asc
EDIT KEY
Code:
$ gpg --edit-key 0x7ED573D3
common commands: save, quit, sign, fpr, trust
see gpg(1) for details
REFRESH PUBLIC KEYS
You should do this once in while.
Code:
$ gpg --keyserver pgp.mit.edu --refresh-keys
SIGN/VERIFY FILE 1
Code:
gpg --sign /path/to/file
Now you just send /path/to/file.gpg to a friend. file.gpg is compressed and signed file, to view and verify it use:
Code:
gpg --output /path/to/file --decrypt /path/to/file.gpg
SIGN/VERIFY FILE 2
Code:
gpg --armour --sign /path/to/file
Now you just send /path/to/file.asc and to a friend. file.asc is compressed and signed file, but in ascii form. To view and verify it use:
Code:
gpg --output /path/to/file --decrypt /path/to/file.asc
SIGN/VERIFY FILE 3
Code:
gpg --clearsign /path/to/file
This is useful for sending signed emails
You don't need gnupg to read it, but you'll be able to verify it with gnupg if you want to
If you want to extract content, then use this:
Code:
gpg --output /path/to/file --decrypt /path/to/file.asc
SIGN/VERIFY FILE 4
Code:
gpg --detach-sign /path/to/file
This is recommended method for binary data
keep file and file.sig together
To verify data use:
Code:
gpg --verify /path/to/file.sig /path/to/file
ENCRYPT/DECRYPT FILE 1
Code:
gpg --encrypt /path/to/file
To decrypt it, use:
Code:
gpg --output /path/to/file --decrypt /path/to/file.gpg
ENCRYPT/DECRYPT FILE 2
Code:
gpg --armour --encrypt /path/to/file
To decrypt it, use:
Code:
gpg --output /path/to/file --decrypt /path/to/file.asc
ENCRYPT/DECRYPT FILE 3
If you want to encrypt/decrypt and know recipients key ID, you can use -r switch
Code:
gpg -r 0x7ED573D3 --encrypt /path/to/file
gpg -r 0x7ED573D3 --armour --encrypt /path/to/file
Code:
gpg -r killasmurf86 --encrypt /path/to/file
gpg -r Aldis --armour --encrypt /path/to/file
gpg -r Berjoza --armour --encrypt /path/to/file
gpg -r '<killasmurf86@gmail.com>' --encrypt /path/to/file
SIGN & ENCRYPT
A common practice is to sign file, and then encrypt it.
for exampel
Code:
$ gpg --armour --sign -r killasmurf86 --encrypt /path/to/file
and to decrypt it and verify signature, use
Code:
$ gpg --output /path/to/file --decrypt /path/to/file.asc
USING REVOCATION CERTIFICATE
Code:
$ gpg--import my_revoke.asc
$ gpg --keyserver pgp.mit.edu --send-keys 0x7ED573D3
This way, nobody who download your public key, from now on won't be able to use it.
You will still be able to decrypt your data.
read more: http://www.gnupg.org/gph/en/manual.html#REVOCATION
NOTES
If you encrypt, mail, think if you'll like to read it later yourself. For this you should encrypt it for yourself as well, otherwise you don't be able to decrypt it.
I've wrote some basics, and if you're not familiar with gnupg yet, you need to read more information on web of trust and gpg
You can integrate GnuPG in may apps and scripts... http://gnupg.org/related_software/index.en.html
RESOURCES
gpg2(1)
SEE ALSO
http://www.gnupg.org/gph/en/manual.html
http://en.wikipedia.org/wiki/Web_of_trust
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
also interesting:
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
google gnupg, gpg and pgp
P.S.
Key I used (0x7ED573D3) in this howto is my public key
UPDATE:
Added how to use revocation certificate