GPG (GNU Privacy Guard) and PGP (Pretty Good Privacy) are cryptographic tools for secure communication. They encrypt messages and files so that only the intended recipient can read them, and authenticate the sender with digital signatures. PGP was released by Phil Zimmermann in 1991; GnuPG (GPG) is a free-software implementation of the OpenPGP standard (RFC 4880 and its successors), the open specification of the PGP message format, so the two interoperate.

How GPG/PGP Works

  1. Key Pair Generation: A user generates a pair of mathematically linked keys: a private key that never leaves their control and a public key that is handed out freely.
  2. Encryption: The sender encrypts the message using the recipient’s public key. (In practice OpenPGP encrypts the data with a random one-time session key and encrypts only that session key to the public key, so a large file costs no more than a small one.)
  3. Decryption: The recipient decrypts the message using their private key; nobody else, the sender included, can recover it.
  4. Signing: The sender can sign the message with their private key, proving that it came from the holder of that key and has not been altered since.
  5. Verification: The recipient verifies the signature using the sender’s public key. The result is only meaningful if the recipient has confirmed, through some independent channel, that the key really belongs to the sender.

Diagram of GPG/PGP Process:

Sender's Message --> Encrypt with Recipient's Public Key --> Encrypted Message --> Sent to Recipient
Recipient --> Decrypt with Private Key --> Original Message
Sender --> Sign Message with Private Key --> Digital Signature
Recipient --> Verify Signature with Sender's Public Key --> Confirm Authenticity

Key Concepts in GPG/PGP

  • Public Key: This key is shared publicly and used to encrypt data or verify digital signatures.
  • Private Key: This key is kept secret and is used to decrypt data encrypted with the public key or to sign data.
  • Keyring: A keyring is a collection of public and private keys used for encryption and signing. It helps manage multiple keys for different contacts.
  • Keyserver: A public directory of public keys that you can search by key ID, fingerprint or email address and download from. Traditional keyservers accept any upload without checking it, and keys.openpgp.org only confirms that the uploader controls the email address, so a key found on a keyserver is not proof of who owns it: confirm its fingerprint with the owner through another channel before trusting it.

Basic GPG Commands

  1. Generate a Key Pair

    gpg --full-generate-key
    

    This command prompts you to select the key type, key size and expiration date, then asks for the name and email address that become the key’s user ID. Set an expiration date: it can be extended later, but a lost or forgotten key with no expiry stays valid everywhere it was published.

  2. List Keys

    gpg --list-keys
    

    Shows all public keys in your keyring, with their key IDs and user IDs; --list-secret-keys lists the private keys you hold.

  3. Export a Public Key

    gpg --armor --export <email>
    

    Exports the public key in ASCII-armored (plain text) format, suitable for pasting into an email or saving with a redirect such as > mypublickey.asc. Replace <email> with the key owner’s email address or, to be unambiguous, the key’s fingerprint.

  4. Import a Public Key

    gpg --import <keyfile>
    

    Imports a public key from a file into your keyring. Importing does not make the key trusted; gpg keeps warning about it until you have verified its fingerprint and signed or trusted it.

  5. Encrypt a Message

    gpg --encrypt --recipient <email> <file>
    

    Encrypts a file for a specific recipient, identified by email address (or, more precisely, by fingerprint). The recipient’s public key must already be in your keyring, and the ciphertext is written to <file>.gpg. If that key is not marked trusted, gpg asks whether you really want to use it; that question is your reminder to check the fingerprint.

  6. Decrypt a Message

    gpg --decrypt <file.gpg>
    

    Decrypts a previously encrypted file using your private key (gpg works out which key from the message itself). The plaintext goes to standard output unless you redirect it or pass --output <file>, so take care not to scroll secrets onto a shared terminal. If the message is also signed, gpg verifies the signature at the same time.

  7. Sign a File

    gpg --sign <file>
    

    Signs a file with your private key so that anyone holding your public key can check that it came from you and has not been changed. The result, <file>.gpg, is a compressed copy of the file bundled with its signature; use --detach-sign instead to leave the original untouched and write only a separate <file>.sig, which is the usual form for signed downloads.

  8. Verify a Signed File

    gpg --verify <file.sig>
    

    Verifies the signature using the signer’s public key, which must be in your keyring. For a detached signature, name the data file as well: gpg --verify <file.sig> <file>; for the output of --sign, the single argument is enough. “Good signature” means the data is intact and was signed by that key; whether that key belongs to the person you expect is a separate question, and gpg prints a warning, not an error, when the key is untrusted. In scripts, check the exit status: a bad signature returns non-zero.

  9. Revoke a Key

    gpg --gen-revoke <keyid>
    

    Generates a revocation certificate for your key. The certificate does not revoke anything by itself: to revoke, you import it into your keyring and distribute the updated key to everyone who holds a copy, including the keyservers you used. Create it while you still have the private key and store it safely offline; if the key is later lost or compromised you may have no other way to tell the world to stop using it. GnuPG 2.1 and later also save one automatically under openpgp-revocs.d in your GnuPG home when the key is generated.

  10. Delete a Key

    gpg --delete-key <email>
    

    Deletes a public key from your keyring. If you also hold the matching private key, gpg refuses until that secret key has been deleted first. Deleting a key is local housekeeping, not revocation: copies on keyservers and in other people’s keyrings are unaffected.
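The ten commands above form one workflow, so here it is run end to end as an added example (it is not code from the original page). It creates two disposable GnuPG homes for two made-up users, alice@example.com and bob@example.com, so your own keyring is untouched, and it assumes GnuPG 2.1 or later. The wrapper function g and the empty passphrase are conveniences for a non-interactive demo, not a recommendation; a real key gets a real passphrase. The message text is constructed.

```sh
#!/bin/sh
# Added example, not from the page: the full GPG workflow between two throwaway
# GnuPG homes (Alice and Bob), so nothing touches your real ~/.gnupg.
# Identities, file names and the message are constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required for this demo" >&2; exit 1; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"
BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"
cleanup() {
  # Each homedir gets its own gpg-agent; stop them before removing the dirs.
  gpgconf --homedir "$ALICE" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$BOB"   --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# g HOME ARGS...: run gpg non-interactively in HOME. --batch disables prompts;
# loopback pinentry with an empty passphrase means no terminal is needed.
# Never create a real key with an empty passphrase.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --yes \
      --pinentry-mode loopback --passphrase '' "$@"
}

# 1. Key pair generation: default algorithm, sign+certify primary key plus an
#    encryption subkey, no expiry (the final 0).
g "$ALICE" --quick-generate-key 'Alice <alice@example.com>' default default 0
g "$BOB"   --quick-generate-key 'Bob <bob@example.com>'     default default 0

# 3./4. Export each public key ASCII-armored and import it on the other side.
g "$ALICE" --armor --export alice@example.com > "$WORK/alice.asc"
g "$BOB"   --armor --export bob@example.com   > "$WORK/bob.asc"
g "$ALICE" --import "$WORK/bob.asc"
g "$BOB"   --import "$WORK/alice.asc"

printf 'meet at the usual place, 09:00\n' > "$WORK/msg.txt"   # constructed message

# 5.+7. Bob signs and encrypts to Alice in one pass. --trust-model always skips
#    the web-of-trust question for a key Bob just imported; in real use you
#    verify Alice's fingerprint out of band instead (see the key-exchange section).
g "$BOB" --trust-model always --sign --encrypt --recipient alice@example.com \
         --output "$WORK/msg.gpg" "$WORK/msg.txt"

# 6. Alice decrypts with her private key; gpg checks Bob's signature as a side
#    effect and reports "Good signature" with a warning that his key is untrusted.
g "$ALICE" --decrypt --output "$WORK/msg.dec" "$WORK/msg.gpg"

# 7./8. Detached signature: the data file stays readable, the signature is a
#    separate .sig, and verification names both files.
g "$BOB"   --detach-sign --output "$WORK/msg.sig" "$WORK/msg.txt"
g "$ALICE" --verify "$WORK/msg.sig" "$WORK/msg.txt"

# Any change to the data must invalidate the signature.
sed 's/09:00/09:30/' "$WORK/msg.txt" > "$WORK/msg.tampered"

roundtrip_ok() {   # "yes" if decryption returned the original plaintext byte for byte
  if cmp -s "$WORK/msg.txt" "$WORK/msg.dec"; then echo yes; else echo no; fi
}
signature_status() {   # FILE -> "good" or "bad": does msg.sig verify over FILE?
  if g "$ALICE" --verify "$WORK/msg.sig" "$1" 2>/dev/null; then echo good; else echo bad; fi
}

echo "decrypted matches original: $(roundtrip_ok)"
echo "signature over msg.txt:     $(signature_status "$WORK/msg.txt")"
echo "signature over tampered:    $(signature_status "$WORK/msg.tampered")"
```

Run it as a plain script; it prints yes / good / bad and cleans up after itself. The tampered copy is the part worth noticing: a one-character change in the data turns "Good signature" into "BAD signature" and a non-zero exit status, which is what a script that verifies downloads should key on.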

How to Send GPG/PGP Keys Securely

1. Keyservers

  • Public Keyservers: Keyservers are publicly accessible servers where users upload and download public keys. After exporting your public key you can upload it, and anyone who knows your key ID, fingerprint or email address can retrieve it. The server does not vouch for the key: most keyservers accept any upload, and even keys.openpgp.org, which confirms the email address by sending a verification mail, cannot tell you whether the key belongs to the person you mean.

  • Popular Keyservers:

    • hkps://keys.openpgp.org

    • hkps://keyserver.ubuntu.com

  • How to upload a public key to a keyserver (add --keyserver <url> to target a specific server instead of the default):

    gpg --send-keys <keyid>
    
  • How to retrieve a public key from a keyserver:

    gpg --recv-keys <fingerprint>
    
    Always fetch by the full 40-hex-digit fingerprint, not by a short 8-digit key ID: short IDs are not unique, and an attacker can generate a different key with the same short ID and publish it. After the download, compare the fingerprint gpg reports with the one the owner gave you.


2. Email

  • Sending via Email: Email is a common way to share public keys, and a public key needs no secrecy; what it needs is authenticity. Anyone who can modify mail in transit, or who controls either mailbox, could replace the attached key with their own, and the recipient would then encrypt to the attacker. Send the key by email if you like, but do not treat the email alone as proof of what the key is.

    • You can attach the exported key file directly to the email, or paste the ASCII-armored block (from gpg --armor --export <email>) into the message body.
  • Considerations: Before the recipient imports or uses the key, confirm its fingerprint over a channel the email attacker does not control: in person, by phone, or in a message signed with a key the two of you already trust. If you already have an established key with the other party, sign (or sign and encrypt) the email that carries the new key so it can be checked against the old one.

3. SSH

  • Using SSH: SSH is primarily used for remote shell access, but an SSH session carries arbitrary data, so scp or a piped ssh command gives you an encrypted, server-authenticated channel for moving a key file.

    • First, export the public key to a file (gpg --armor --export <email> > mypublickey.asc), then copy it to the remote system with scp or over SSH.

    • Example:

      scp mypublickey.asc user@remotehost:/path/to/destination
      
    • You can also pipe the export straight into ssh running gpg --import on the remote side, which avoids leaving a copy of the file on disk.

    • The channel is only as trustworthy as the host-key check: if you accepted an unknown host key at the prompt, SSH authenticated nothing and a man-in-the-middle could have swapped the file. Either way, compare the key’s fingerprint on both ends after the copy.
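All three transport methods above (keyserver, email, SSH) deliver bytes, not trust; the step that actually protects you is comparing the key’s fingerprint with one obtained out of band. The following added example (not code from the original page) turns that check into a script: it refuses to import a key file whose fingerprint differs from the expected value and imports it otherwise. Alice’s key is generated in a throwaway home so the demo runs offline; alice@example.com and the all-zero "bogus" fingerprint are constructed, and the script assumes GnuPG 2.1 or later.

```sh
#!/bin/sh
# Added example, not from the page: import a public key received by email,
# keyserver or scp only if its fingerprint matches the one obtained out of band.
# Alice's key is generated here in a throwaway home so the demo runs offline;
# alice@example.com and BOGUS_FPR are constructed values.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required for this demo" >&2; exit 1; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"   # stands in for the sender
BOB="$WORK/bob"       # the keyring that is about to receive the key
mkdir -m 700 "$ALICE" "$BOB"
cleanup() {
  gpgconf --homedir "$ALICE" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$BOB"   --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# Sender side: create a key and export it exactly as the page describes.
gpg --homedir "$ALICE" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Alice <alice@example.com>' default default 0
gpg --homedir "$ALICE" --armor --export alice@example.com > "$WORK/alice.asc"

# The value Alice reads out over the phone or prints on a card: the primary-key
# fingerprint, i.e. field 10 of the first "fpr" record in --with-colons output.
ALICE_FPR=$(gpg --homedir "$ALICE" --with-colons --list-keys alice@example.com \
            | awk -F: '$1 == "fpr" { print $10; exit }')

# key_fingerprint FILE HOME: fingerprint of the first key in FILE without
# importing it (show-only parses the file and prints what --list-keys would).
key_fingerprint() {
  gpg --homedir "$2" --batch --with-colons --import --import-options show-only "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verified_import FILE EXPECTED_FPR HOME: import only on an exact fingerprint
# match. A name, email address or short key ID is not enough: all three are
# attacker-choosable, the full fingerprint is not.
verified_import() {
  actual=$(key_fingerprint "$1" "$3")
  if [ -z "$actual" ]; then
    echo "REFUSED: no OpenPGP key found in $1" >&2; return 1
  fi
  if [ "$actual" != "$2" ]; then
    echo "REFUSED: $1 has fingerprint $actual, expected $2" >&2; return 1
  fi
  gpg --homedir "$3" --batch --quiet --import "$1" 2>/dev/null
  echo "imported $actual"
}

# A key whose fingerprint does not match what Alice told Bob is rejected, no
# matter whether it arrived by email, keyserver or scp.
BOGUS_FPR=0000000000000000000000000000000000000000   # constructed mismatch
if verified_import "$WORK/alice.asc" "$BOGUS_FPR" "$BOB"; then
  echo "BUG: mismatching key was imported" >&2; exit 1
fi
# The genuine fingerprint is accepted and the key lands in Bob's keyring.
verified_import "$WORK/alice.asc" "$ALICE_FPR" "$BOB"
```

The same verified_import function works unchanged on a file fetched with scp or pasted from an email; for a keyserver you would pass --recv-keys the full fingerprint and then compare what landed in the keyring the same way. The point of doing the comparison by machine is that a human eyeballing forty hex digits tends to check the first and last few, which is exactly what a near-match attack relies on.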