I’ve been meaning to spend a bit of time looking at use cases for gpg.
I wasn’t aware that you don’t even need to set up any accounts. You can start using it for symmetric encryption right out of the box. Symmetric encryption relies on a password / passphrase that is shared with recipients.
I’m using a fairly fresh installation of MX Linux in VirtualBox. GnuPG is already installed, as with pretty much any distro.
As you can see below, lots of options are available.
simon@mx:~
$ gpg -h
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/simon/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data
Commands:
-s, --sign make a signature
--clear-sign make a clear text signature
-b, --detach-sign make a detached signature
-e, --encrypt encrypt data
-c, --symmetric encryption only with symmetric cipher
-d, --decrypt decrypt data (default)
--verify verify a signature
-k, --list-keys list keys
--list-signatures list keys and signatures
--check-signatures list and check key signatures
--fingerprint list keys and fingerprints
-K, --list-secret-keys list secret keys
--generate-key generate a new key pair
--quick-generate-key quickly generate a new key pair
--quick-add-uid quickly add a new user-id
--quick-revoke-uid quickly revoke a user-id
--quick-set-expire quickly set a new expiration date
--full-generate-key full featured key pair generation
--generate-revocation generate a revocation certificate
--delete-keys remove keys from the public keyring
--delete-secret-keys remove keys from the secret keyring
--quick-sign-key quickly sign a key
--quick-lsign-key quickly sign a key locally
--sign-key sign a key
--lsign-key sign a key locally
--edit-key sign or edit a key
--change-passphrase change a passphrase
--export export keys
--send-keys export keys to a keyserver
--receive-keys import keys from a keyserver
--search-keys search for keys on a keyserver
--refresh-keys update all keys from a keyserver
--import import/merge keys
--card-status print the card status
--edit-card change data on a card
--change-pin change a card's PIN
--update-trustdb update the trust database
--print-md print message digests
--server run in server mode
--tofu-policy VALUE set the TOFU policy for a key
Options:
-a, --armor create ascii armored output
-r, --recipient USER-ID encrypt for USER-ID
-u, --local-user USER-ID use USER-ID to sign or decrypt
-z N set compress level to N (0 disables)
--textmode use canonical text mode
-o, --output FILE write output to FILE
-v, --verbose verbose
-n, --dry-run do not make any changes
-i, --interactive prompt before overwriting
--openpgp use strict OpenPGP behavior
(See the man page for a complete listing of all commands and options)
Examples:
-se -r Bob [file] sign and encrypt for user Bob
--clear-sign [file] make a clear text signature
--detach-sign [file] make a detached signature
--list-keys [names] show keys
--fingerprint [names] show fingerprints
Please report bugs to <https://bugs.gnupg.org>.
Now, we’ll take a man page (uptime as it’s nice and short) and save it to a file ready to encrypt and email to test encryption.
simon@mx:~
$ man uptime > uptime.txt
simon@mx:~
$ gpg --armor --symmetric uptime.txt
We could save some keystrokes by just typing gpg -ac <filename>.
You’ll be prompted for a password (which you have to enter twice); I chose simonh.
As you can see, gpg also compresses the data before encrypting it, which is why the armored output (uptime.txt.asc) is smaller than the original.
simon@mx:~
$ ll
total 300K
-rw-r--r-- 1 simon simon 113 Apr 17 18:18 dead.letter
drwxr-xr-x 2 simon simon 4.0K Apr 15 19:17 Desktop
drwxr-xr-x 2 simon simon 4.0K Apr 15 19:25 Documents
drwxr-xr-x 2 simon simon 4.0K Apr 15 19:25 Downloads
drwx------ 2 simon simon 4.0K Apr 16 15:36 mail
drwx------ 5 simon simon 4.0K Apr 16 17:26 Maildir
-rw------- 1 simon simon 467 Apr 19 18:26 mbox
drwxr-xr-x 2 simon simon 4.0K Apr 15 19:25 Music
drwxr-xr-x 2 simon simon 4.0K Apr 15 19:25 Pictures
drwxr-xr-x 2 simon simon 4.0K Apr 15 19:25 Public
drwxr-xr-x 3 simon simon 4.0K Apr 17 17:53 src
drwxr-xr-x 2 simon simon 4.0K Apr 15 19:25 Templates
-rw-r--r-- 1 simon simon 1.9K May 20 16:52 uptime.txt
-rw-r--r-- 1 simon simon 1.4K May 20 16:52 uptime.txt.asc
drwxr-xr-x 12 simon simon 4.0K May 9 20:00 var
drwxr-xr-x 2 simon simon 4.0K Apr 15 19:25 Videos
Here are the (encrypted) contents of the uptime man page:
simon@mx:~
$ cat uptime.txt.asc
-----BEGIN PGP MESSAGE-----
[armored ciphertext not shown]
-----END PGP MESSAGE-----
We’ll email it to ourselves now, read the email and save the message in the body to a file called uptime.
simon@computer:~$ gpg -d uptime > uptime-manual
Of course, you’ll be prompted for the password simonh and you get the original file back.
Here’s the original, decrypted text:
UPTIME(1) User Commands UPTIME(1)
NAME
uptime - Tell how long the system has been running.
SYNOPSIS
uptime [options]
DESCRIPTION
uptime gives a one line display of the following information. The current time, how long
the system has been running, how many users are currently logged on, and the system load
averages for the past 1, 5, and 15 minutes.
This is the same information contained in the header line displayed by w(1).
System load averages is the average number of processes that are either in a runnable or
uninterruptable state. A process in a runnable state is either using the CPU or waiting
to use the CPU. A process in uninterruptable state is waiting for some I/O access, eg
waiting for disk. The averages are taken over the three time intervals. Load averages
are not normalized for the number of CPUs in a system, so a load average of 1 means a sin‐
gle CPU system is loaded all the time while on a 4 CPU system it means it was idle 75% of
the time.
OPTIONS
-p, --pretty
show uptime in pretty format
-h, --help
display this help text
-s, --since
system up since, in yyyy-mm-dd HH:MM:SS format
-V, --version
display version information and exit
FILES
/var/run/utmp
information about who is currently logged on
/proc process information
AUTHORS
uptime was written by Larry Greenfield ⟨greenfie@gauss.rutgers.edu⟩ and Michael K. Johnson
⟨johnsonm@sunsite.unc.edu⟩
SEE ALSO
ps(1), top(1), utmp(5), w(1)
REPORTING BUGS
Please send bug reports to ⟨procps@freelists.org⟩
procps-ng December 2012 UPTIME(1)
So, just using this simple method, you can take any file, encrypt it (you can change the cipher by the way), compress it and then send it to someone who knows the key. If you accidentally send the message to someone who wasn’t expecting it, they’ll have little clue what it’s all about.
Awesome!
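As an added example (not part of the original post), the Python below shows what an armored gpg -c file still tells anyone who holds it without the passphrase: the =XXXX line before the END marker is a CRC-24 over the binary data, and the first packet names the cipher and the passphrase-hashing (S2K) parameters in the clear. The sample message is constructed inside the code and its field values are assumptions, not taken from uptime.txt.asc.

```python
import base64

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
CIPHERS = {2: "3DES", 3: "CAST5", 7: "AES", 8: "AES192", 9: "AES256"}  # RFC 4880 ids
HASHES = {2: "SHA1", 8: "SHA256", 10: "SHA512"}

def crc24(data):  # RFC 4880 section 6.1: the "=XXXX" line that closes the armor
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data):  # only used here to build the constructed sample
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *rows, "=" + crc, END])

def dearmor(text):
    """Return the binary packets; raise ValueError if the CRC-24 does not match."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END or "" not in lines:
        raise ValueError("not an armored PGP message")
    body = lines[lines.index("") + 1:-1]  # armor headers end at the blank line
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc = [l[1:] for l in body if l.startswith("=")]
    if crc and int.from_bytes(base64.b64decode(crc[0]), "big") != crc24(data):
        raise ValueError("CRC-24 mismatch: armor was altered or truncated")
    return data

def skesk_info(packets):
    """Decode the leading Symmetric-Key ESK packet (tag 3); no passphrase needed."""
    ctb, length = packets[0], packets[1]
    tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F
    one_octet = length < 192 if ctb & 0x40 else (ctb & 3) == 0
    if tag != 3 or not one_octet or packets[2] != 4 or packets[4] != 3:
        raise ValueError("expected a v4 SKESK packet with iterated+salted S2K")
    c = packets[14]  # coded iteration count
    return {"cipher": CIPHERS.get(packets[3], packets[3]), "salt": packets[6:14].hex(),
            "s2k_hash": HASHES.get(packets[5], packets[5]),
            "s2k_count": (16 + (c & 15)) << ((c >> 4) + 6)}

# Constructed sample: one SKESK packet (AES256, SHA256, fixed salt, count byte 0x60)
SAMPLE = armor(bytes([0x8C, 0x0D, 4, 9, 3, 8]) + bytes(range(8)) + bytes([0x60]))
print(SAMPLE, skesk_info(dearmor(SAMPLE)), sep="\n")
```

Since the cipher, salt and iteration count travel with the message, the secrecy of the contents rests entirely on the passphrase, so a short or guessable one is the weak point of this method.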