@sepehr
Last active August 8, 2024 14:06
PGP Guide

GPG vs PGP

PGP can refer to two things:

  • The Pretty Good Privacy software, originally written by Phil Zimmermann and now owned by Symantec.
  • The formats for keys, encrypted messages and message signatures defined by that software. These have now been formalised as the OpenPGP standard.

The GPG software is an independent implementation of the OpenPGP standards, so you can use it to exchange encrypted messages with people using other OpenPGP implementations (e.g. Symantec's PGP).

Due to its popularity on Linux systems, it is also fairly common for people to incorrectly use the term "GPG" to refer to the whole OpenPGP cryptography system (e.g. "GPG keys" or "GPG signatures"). It is usually pretty clear what they mean from the context though.

File extensions

  • .gpg and .pgp extensions are for binaries.
  • .txt and .asc are for ASCII files (armored).

Installation

# OSX
brew install gnupg

# Ubuntu
apt-get install gnupg 

# RedHat/Fedora/CentOS
yum install gnupg

Usage

Generating new keys

gpg --gen-key

The first key is your private (or secret) key. You must keep this private key safe at all times, and you must not share it with anyone. The private key is protected with a passphrase that you choose during generation. The second key is your public key, which you can safely share with other people. Anything that is encrypted using the public key can only be decrypted with the related private key.

Listing keys

# List private keys 
gpg --list-secret-keys

# List public keys
gpg --list-keys

# Outputs:
#  pub   4096R/F9C3014D 2014-09-18
#  uid   Sep Lasemi <lasemi@nogmail.com>
#  sub   4096R/57B451B8 2014-09-18
#
# Which translates to:
# - pub:                   Public (primary) key; sub is a subkey belonging to it
# - 4096R:                 The number of bits in the key, and the type (R = RSA)
# - F9C3014D:              The key ID (the short, 32-bit form)
# - 2014-09-18:            The date of key creation
# - Sep Lasemi:            Real name
# - <lasemi@nogmail.com>:  The email address
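As an added example (not part of the gist), here is a small Python parser for the human-readable listing shown above. It handles the classic `4096R/F9C3014D` layout the guide prints and also the `rsa4096` plus fingerprint layout that GnuPG 2.1 and later print, and it flags keys for which only a short key ID is known, since short IDs are easy to collide and should never be the sole basis for choosing a key. The sample listings are constructed: the second key, its dates and all fingerprints are made-up values. For scripts that drive gpg, `gpg --with-colons` is the stable machine-readable format and should be preferred over parsing this output.

```python
"""Parse the human-readable output of `gpg --list-keys` into key records."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Classic (GnuPG 1.x / 2.0) key line, the layout shown in the guide:
#   pub   4096R/F9C3014D 2014-09-18 [expired: 2016-01-02]
CLASSIC_RE = re.compile(
    r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]+)\s+(\d{4}-\d{2}-\d{2})(.*)$")
# Modern (GnuPG 2.1+) key line, followed by an indented 40-hex-digit fingerprint line:
#   pub   rsa4096 2014-09-18 [SC]
MODERN_RE = re.compile(r"^(pub|sub)\s+([a-z]+\d*)\s+(\d{4}-\d{2}-\d{2})(.*)$")
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})\s*$")
# uid line; GnuPG 2.1+ prefixes the name with a validity tag such as "[ultimate]".
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?(.*?)(?:\s+<([^>]+)>)?\s*$")

# Classic one-letter algorithm codes (R = RSA, D = DSA, g/G = ElGamal) and modern prefixes.
CLASSIC_ALGO = {"R": "RSA", "D": "DSA", "g": "ElGamal", "G": "ElGamal"}
MODERN_ALGO = {"rsa": "RSA", "dsa": "DSA", "elg": "ElGamal",
               "ed25519": "EdDSA", "cv25519": "ECDH"}

# Constructed sample listings (not captured from a real keyring); the second key
# and every fingerprint below are made-up values.
SAMPLE_CLASSIC = """\
/home/sep/.gnupg/pubring.gpg
----------------------------
pub   4096R/F9C3014D 2014-09-18
uid                  Sep Lasemi <lasemi@nogmail.com>
sub   4096R/57B451B8 2014-09-18

pub   2048D/0A1B2C3D 2013-01-02 [expired: 2016-01-02]
uid                  Example Person <person@example.invalid>
sub   2048g/1E2F3A4B 2013-01-02
"""
SAMPLE_MODERN = """\
pub   rsa4096 2014-09-18 [SC] [expires: 2026-09-18]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Sep Lasemi <lasemi@nogmail.com>
sub   rsa4096 2014-09-18 [E]
"""


@dataclass
class Key:
    kind: str                  # "pub" (primary key) or "sub" (subkey)
    algo: str                  # e.g. "RSA"
    bits: Optional[int]        # None for curve keys such as ed25519
    key_id: Optional[str]      # short id, long id or full fingerprint; None if not printed
    created: str               # YYYY-MM-DD
    flags: str = ""            # trailing "[...]" annotations, e.g. "[expired: 2016-01-02]"
    uids: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (name, email)
    subkeys: List["Key"] = field(default_factory=list)


def _modern_algo(token: str) -> Tuple[str, Optional[int]]:
    m = re.fullmatch(r"(rsa|dsa|elg)(\d+)", token)
    if m:
        return MODERN_ALGO[m.group(1)], int(m.group(2))
    return MODERN_ALGO.get(token, token), None


def parse_listing(text: str) -> List[Key]:
    keys: List[Key] = []
    current: Optional[Key] = None   # primary key that uid/sub lines belong to
    last: Optional[Key] = None      # most recent pub/sub line, for a following fingerprint line
    for line in text.splitlines():
        key = None
        m = CLASSIC_RE.match(line)
        if m:
            key = Key(m.group(1), CLASSIC_ALGO.get(m.group(3), m.group(3)), int(m.group(2)),
                      m.group(4).upper(), m.group(5), m.group(6).strip())
        else:
            m = MODERN_RE.match(line)
            if m:
                algo, bits = _modern_algo(m.group(2))
                key = Key(m.group(1), algo, bits, None, m.group(3), m.group(4).strip())
        if key is not None:
            if key.kind == "pub":
                keys.append(key)
                current = key
            elif current is not None:
                current.subkeys.append(key)
            last = key
            continue
        m = FPR_RE.match(line)
        if m and last is not None:
            last.key_id = m.group(1)
            continue
        m = UID_RE.match(line)
        if m and current is not None:
            current.uids.append((m.group(1).strip(), m.group(2)))
    return keys


def uses_short_id(key: Key) -> bool:
    """True when only a 32-bit short id is known. Short ids are trivially
    collidable, so never use one alone to pick a key to trust or encrypt to."""
    return key.key_id is not None and len(key.key_id) <= 8
```

`parse_listing(SAMPLE_CLASSIC)` returns two primary keys with their subkeys attached; the first matches the listing in the guide, the second carries the `[expired: ...]` annotation in `flags`. Modern subkeys get `key_id = None` because gpg only prints their fingerprints with `--with-subkey-fingerprints`.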

Deleting keys

gpg --delete-keys lasemi@nogmail.com

Trusting keys

gpg --edit-key lasemi@nogmail.com

trust   (invoke the trust subcommand on the key)
5       (ultimate trust; this level is meant for keys you control yourself. For other people's keys use 4 = full or 3 = marginal, after verifying the fingerprint with them)
y       (confirm if prompted)
quit

Import/Export

Other people's keys

# 1. Import
# When you import a public key, you are placing it into what is commonly referred to as the "GPG keyring"
gpg --import someone.asc

# 2. Export someone's key
# Give the key ID or email; without it, --export writes every public key in the keyring.
gpg --export --armor someone@example.invalid > someone.asc

Keyrings Backup/Restore

Method 1

## 1. Export
# GnuPG 1.x / 2.0 layout. GnuPG 2.1+ keeps public keys in pubring.kbx and secret keys
# under private-keys-v1.d/, so there back up the whole ~/.gnupg directory (or use Method 2).
cp ~/.gnupg/pubring.gpg /path/to/backups/
cp ~/.gnupg/secring.gpg /path/to/backups/
cp ~/.gnupg/trustdb.gpg /path/to/backups/

# Or, instead of backing up the trustdb
gpg --export-ownertrust > ownertrust.txt

## 2. Import
cp /path/to/backups/*.gpg ~/.gnupg/

# or, if you exported the ownertrust
gpg --import-ownertrust ownertrust.txt

Method 2

This only really works if you don't mind losing any other keys (than your own).

# 1. Export
gpg --export --armor lasemi@nogmail.com > public.asc
gpg --export-secret-keys --armor lasemi@nogmail.com > private.asc
gpg --export-ownertrust > ownertrust.txt

# 2. Import
# The exported secret key file also contains the public key, so this restores both.
gpg --import private.asc
gpg --import-ownertrust ownertrust.txt

Encrypting/Decrypting

# Encrypts a file to lasemi@nogmail.com without signing it; the recipient cannot tell who the author is.
gpg --encrypt --recipient lasemi@nogmail.com file.txt

# Encrypts and signs the message with the author's private key
gpg --encrypt --sign --recipient lasemi@nogmail.com file.txt

# Decrypt (if the message was signed, the signature is verified as well)
gpg --decrypt file.gpg
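The export/import and encrypt/sign/decrypt steps from the two sections above, driven end to end as an added example (this is not code from the gist). It assumes GnuPG 2.1 or later is installed as `gpg` and builds two throwaway keyrings, "Alice" and "Bob" (constructed names and addresses), in temporary directories: each side exports its public key and imports the other's, Alice encrypts one signed and one unsigned message for Bob, and Bob decrypts both. The signature outcome is read from gpg's `--status-fd` lines (`GOODSIG`, `VALIDSIG`) rather than from the human-readable text, which is the only reliable way for a script to tell a signed message from an unsigned one.

```python
"""Export/import public keys between two isolated keyrings, then encrypt+sign and
decrypt+verify, reading the result from gpg's machine-readable --status-fd lines."""
import shutil
import subprocess
import tempfile

PLAINTEXT = b"meeting moved to 10:00\n"   # constructed sample message


def gpg(home, *args, stdin=None):
    """Run gpg in batch mode against the keyring in `home`.
    Returns (returncode, stdout bytes, list of '[GNUPG:] ...' status lines)."""
    cmd = ["gpg", "--homedir", home, "--batch", "--yes", "--quiet",
           "--status-fd", "2", *args]
    io = {"input": stdin} if stdin is not None else {"stdin": subprocess.DEVNULL}
    proc = subprocess.run(cmd, capture_output=True, **io)
    status = [line for line in proc.stderr.decode(errors="replace").splitlines()
              if line.startswith("[GNUPG:] ")]
    return proc.returncode, proc.stdout, status


def make_key(home, name, email):
    """Unattended key generation via a GnuPG 2.1+ parameter file on stdin.
    %no-protection means no passphrase: acceptable only for a throwaway demo keyring."""
    params = (
        "%no-protection\n"
        "Key-Type: RSA\nKey-Length: 2048\n"
        "Subkey-Type: RSA\nSubkey-Length: 2048\n"
        f"Name-Real: {name}\nName-Email: {email}\n"
        "Expire-Date: 0\n%commit\n"
    )
    rc, _, _ = gpg(home, "--gen-key", stdin=params.encode())
    if rc != 0:
        raise RuntimeError(f"key generation failed in {home}")


def primary_fingerprint(home, email):
    """Primary key fingerprint from the --with-colons listing (field 9 of the first fpr: line)."""
    _, out, _ = gpg(home, "--with-colons", "--list-keys", email)
    for line in out.decode().splitlines():
        if line.startswith("fpr:"):
            return line.split(":")[9]
    raise RuntimeError("no fingerprint found")


def decrypt_and_verify(home, ciphertext):
    """Decrypt and report signature status from the status lines, not from the prose
    gpg prints on stderr. GOODSIG = a signature verified; VALIDSIG carries fingerprints."""
    rc, plaintext, status = gpg(home, "--decrypt", stdin=ciphertext)
    valid = [line for line in status if line.startswith("[GNUPG:] VALIDSIG ")]
    return {
        "ok": rc == 0,
        "plaintext": plaintext,
        "signed": any(line.startswith("[GNUPG:] GOODSIG ") for line in status),
        # Last VALIDSIG field is the primary key fingerprint of the signer.
        "signer_fpr": valid[0].split()[-1] if valid else None,
    }


def run_demo():
    """Full cycle. Returns None when gpg is not installed, else a dict of results."""
    if shutil.which("gpg") is None:
        return None
    alice = tempfile.mkdtemp(prefix="gpg-alice-")
    bob = tempfile.mkdtemp(prefix="gpg-bob-")
    try:
        make_key(alice, "Alice Example", "alice@example.invalid")
        make_key(bob, "Bob Example", "bob@example.invalid")
        # "Other people's keys": export an armored public key, import it on the other side.
        _, alice_pub, _ = gpg(alice, "--export", "--armor", "alice@example.invalid")
        _, bob_pub, _ = gpg(bob, "--export", "--armor", "bob@example.invalid")
        gpg(bob, "--import", stdin=alice_pub)
        gpg(alice, "--import", stdin=bob_pub)
        # Alice encrypts for Bob, once signed and once not. --trust-model always stands in
        # for the `trust` step in --edit-key; it does not replace checking Bob's fingerprint.
        _, signed, _ = gpg(alice, "--trust-model", "always", "--encrypt", "--sign",
                           "--recipient", "bob@example.invalid", stdin=PLAINTEXT)
        _, unsigned, _ = gpg(alice, "--trust-model", "always", "--encrypt",
                             "--recipient", "bob@example.invalid", stdin=PLAINTEXT)
        return {
            "alice_fpr": primary_fingerprint(alice, "alice@example.invalid"),
            "signed": decrypt_and_verify(bob, signed),
            "unsigned": decrypt_and_verify(bob, unsigned),
        }
    finally:
        for home in (alice, bob):
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                           capture_output=True)
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    if result is None:
        print("gpg not installed")
    else:
        for label in ("signed", "unsigned"):
            r = result[label]
            print(f"{label}: ok={r['ok']} signed={r['signed']} signer={r['signer_fpr']}")
```

Both messages decrypt cleanly and gpg exits 0 for both; only the status lines distinguish them. The signed one yields `GOODSIG`/`VALIDSIG` with Alice's primary fingerprint, the unsigned one yields neither, so a script that checks only the exit code would accept an unsigned (or attacker-substituted) message as readily as a signed one.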

Exporting public key to keyserver

# The command is --send-keys and takes a key ID or email; options such as --keyserver go before it.
gpg --send-keys lasemi@nogmail.com
gpg --keyserver hkps://keys.openpgp.org --send-keys lasemi@nogmail.com
# (the sks-keyservers.net pool named in older guides was shut down in 2021)

Generating revoke certificates

A revocation certificate is what you publish when a key must be withdrawn (for example because the private key was lost or compromised): importing it, and sending the revoked key to the keyservers, marks the key as revoked. Generate it right after creating the key, while the private key is still available, and store it offline.

gpg --gen-revoke lasemi@nogmail.com

# or write it straight to a file
gpg --armor --output revoke.asc --gen-revoke lasemi@nogmail.com

Here's a sample revoke certificate:

Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: A revocation certificate should follow
[armored certificate body omitted]
=isbs
-----END PGP PUBLIC KEY BLOCK-----

Refs

Difference between PGP and GPG

Instructions for exporting/importing (backup/restore) GPG keys

How To Use GPG to Encrypt and Sign Messages
