
GNU Privacy Guard

Ragavendra B.N.

GPG is a tool which has been around for decades, but little is known about it to many. One can leverage GPG to encrypt and sign data before sending it over the network. Encryption makes sure that if the data is found by anyone, they will not be able to read it. Signing a file is more like a natural signature; a separate signature file can be generated to make sure that the file was actually sent by the actual sender.

Let us begin by creating our keys - public and private key.

Generating a key

$ gpg --generate-key

This will ask you to enter your name, email and a passphrase. The passphrase can be left blank. Once this step is complete, a public and private key pair is generated. The public key is the key which can be shared, say on a PGP key server, with people who you think would like to send an encrypted or a signed message to you. Store the private key in a very safe place; it may be kept forever. Each pair, when created, has an expiry date after which it has to be renewed or a new pair generated.

When a key is generated, a revocation certificate is generated as well and placed in the ~/.gnupg/openpgp-revocs.d/ directory. In case one forgets the passphrase or does not require the key anymore, the key can be revoked as described under "Disable/ Remove a key from the key server" below.

List all keys on your machine

To list the keys in your system, that is in its keyring, you can do

$ gpg --list-keys [optional key id or fingerprint for a specific key]

which will show you the keys in your system with their key ids or fingerprints.

Sending a key to the key server

The key ids can be used to send that public key to a public key hosting server like below.

$ gpg --keyserver pgp.mit.edu --send-keys key-id

Once your key is sent to the public server, anyone can fetch that key and use it to sign or encrypt a message to you. The commands below show how one can search by user name or email, or directly import a key from the key server by key id.

$ gpg --keyserver pgp.mit.edu --search-keys 'key id or user name or email'
$ gpg --keyserver pgp.mit.edu --recv-keys key-id

Once this step is done, the fetched public key, say for user Afce, is stored in the local key ring. Now, in order to send a file to Afce with your signature separately, one can do the following.

Signing a file

This is as simple as

$ gpg --sign fileName

A fileName.gpg would be generated, which has both the file contents and the signature in it. To get the contents and verify the signature, one can use --decrypt as shown under "Decrypting a file" below.

Separate signature

One can sign a file with the signature in a separate file. Both the file and the signature can be uploaded next to each other. This way the user of that file can verify if the file is from the said sender or not.

$ gpg --detach-sign fileName

This will generate a fileName.sig which can be sent or hosted along with the file so that the receiver or downloader knows that this file is from a verified source. With only the signature file present, gpg will complain about the missing data file.

Checking a file with signature

The recipient has now downloaded a file, say fileName.js, online with its signature file fileName.js.sig. Now he/she can verify if the file is from the same sender as it claims by doing the below.

$ gpg --verify fileName.js.sig

This will make sure that the detached signature in fileName.js.sig validates the contents of the fileName.js file. If the content of fileName.js is modified, a bad signature error is shown, like this: gpg: BAD signature from "User user@email.com" [ultimate]
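gpg --verify succeeds for a good signature from any key in the local keyring, including one just fetched from a key server by name or email, so an automated check should also pin the signer's fingerprint. The following is an added example, not part of the original article: it parses gpg's machine-readable --status-fd output; the helper names check_status, verify_pinned and report, and the sample fingerprints, are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example. Helper names and sample data are hypothetical/constructed.

# check_status FPR: read `gpg --status-fd` lines on stdin. Succeed only when a
# VALIDSIG line names the pinned fingerprint (uppercase hex, no spaces) and
# no failure line (bad, unverifiable, expired-key or revoked-key) is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field is
        # the primary key fingerprint. Appending "" forces string comparison.
        $2 == "VALIDSIG" && (($3 "") == want || ($NF "") == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned FPR SIGFILE DATAFILE: the real check against files on disk.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed sample status output; the fingerprints are made-up placeholders.
FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER_FPR=89ABCDEF0123456789ABCDEF0123456789ABCDEF
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 User user@email.com
[GNUPG:] VALIDSIG $FPR 2024-01-01 1704067200 0 4 0 1 10 00 $FPR
[GNUPG:] TRUST_ULTIMATE 0 pgp"
BAD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 User user@email.com"

# report LABEL FPR STATUS: show the decision for one constructed case.
report() {
    if printf '%s\n' "$3" | check_status "$2"; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}

report "good signature, pinned key" "$FPR" "$GOOD_STATUS"
report "good signature, unexpected key" "$OTHER_FPR" "$GOOD_STATUS"
report "modified file" "$FPR" "$BAD_STATUS"
```

On real files, call verify_pinned with the sender's full fingerprint obtained out of band, for example verify_pinned "$FPR" fileName.js.sig fileName.js.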

Encrypting a file

To encrypt the file, simply use the --encrypt flag. This will ask for the particular receiver's name, email or id, and the encrypted file, say fileName.gpg, is generated, which can be sent to the recipient Afce.

$ gpg --encrypt fileName

Encryption can be combined with signing (to make sure the file contents are the same) by using the --sign flag as well.

Decrypting a file

Now, when Afce receives the encrypted file and the signature file, he can decrypt or verify the signature by

$ gpg --output fileName --decrypt fileName.gpg

This will decrypt to fileName, and Afce can be assured that the file was securely sent to him.

Exporting the secret key

To export the secret key(s) to a file, for all available secret keys, use the command below. This step will ask for the passphrase if one is used for that key.

$ gpg --keyring ~/.gnupg/pubring.kbx --export-secret-keys > ~/secring.gpg

Disable/ Remove a key from the key server

Say you published a key to pgp.mit.edu a long time ago and you would like it not to be used by anyone. If you are still on the same machine, or you have the secret key on your machine and remember the passphrase (if used), one can revoke the key only on the server by using a revocation certificate in the ~/.gnupg/openpgp-revocs.d/ directory or by freshly generating a revocation certificate on the machine like below. Generating the revocation certificate requires the user to remember the passphrase used to create the key, as in key generation.

$ gpg --generate-revocation 'key-id'

If the secret key is available on the machine, it will ask for the passphrase and generate the certificate. As the documentation says in man gpg, this merely generates the certificate. In order to actually revoke the key, the revocation certificate has to be imported.

Once the revocation certificate is generated, it can be committed to really revoke the key by issuing the below command.

PS - Note that there is no confirmation when running the below command and the key will be revoked almost right away. If the key has already been published to any server, the key may have to be re-sent to update the revocation status there and others will try not to use that key any more.

Importing a key

$ gpg --import revoke.key

After the key has been revoked, it can be updated on the key servers by re-sending the key as mentioned earlier.

Summary

GPG is one of the oldest and most evolved mechanisms for securing data or files reliably. One can actually look up a person on the GPG servers and start sending signed and encrypted messages to them. I hope this article was useful to you. You can always do man gpg to learn more. If you made it till here, I have one bonus tip for you: GNU stands for GNU is not Unix.