# GPG2 cheatsheet

Author: Solène
Date: 06 September 2019
Tags: security
## Introduction

I don't use gpg a lot, but it seems to be the only tool out there for encrypting data which "works" and is widely used. So this is my personal cheatsheet for everyday use of gpg.

In this post, I use the command `gpg2`, which is the binary of GPG version 2. On your system, the "gpg" command could be gpg2 or gpg1. You can use `gpg --version` if you want to check the real version behind the gpg binary.

In your *~/.profile* file you may need the following line:

    export GPG_TTY=$(tty)
## Install GPG

The real name of GPG is GnuPG, so depending on your system the package can be called gpg2, gpg, gnupg, gnupg2, etc.

On OpenBSD, you can install it with: `pkg_add gnupg--%gnupg2`
## GPG Principle using private/public keys

- YOU make a private and a public key (associated with a mail address)
- YOU give the public key to people
- PEOPLE import your public key into their keyring
- PEOPLE use your public key from the keyring
- YOU will need your passphrase every time

I think gpg can do much more, but read the manual for that :)
## Initialization

We need to create a public and a private key.

    solene$ gpg2 --gen-key
    gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    generation dialog.

Validate with "O" if you are okay with the input. You will get asked for a passphrase after.

    Email address: [email protected]
    You selected this USER-ID:
        "Solene <[email protected]>"

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: key 368E580748D5CA75 marked as ultimately trusted
    gpg: revocation certificate stored as '/home/solene/.gnupg/openpgp-revocs.d/7914C6A7439EADA52643933B368E580748D5CA75.rev'
    public and secret key created and signed.

          7914C6A7439EADA52643933B368E580748D5CA75
    uid                      Solene <[email protected]>
    sub   rsa2048 2019-09-06 [E] [expires: 2021-09-05]
The key will expire in 2 years, but this is okay. This is a good thing: if you stop using the key, it will die silently at its expiration time. If you still use it, you will be able to extend the expiry date, and people will be able to notice you still use that key.
## Export the public key

If someone asks for your GPG key, this is what they want:

    gpg2 --armor --export [email protected] > solene.asc
## Import a public key

Import the public key:

    gpg2 --import solene.asc

If you want to sign this key to mark it as trusted:

    gpg --edit-key FINGERPRINT_HERE
    > sign
    # do you want to sign? (y/n): y
    > save
## Delete a public key

In case someone changes their public key, you will want to delete it to import a new one. Replace $FINGERPRINT by the actual fingerprint of the public key.

    gpg2 --delete-keys $FINGERPRINT
## Encrypt a file for someone

If you want to send the file *picture.jpg* to remote@mail, then use the command:

    gpg2 --encrypt --recipient [email protected] picture.jpg > picture.jpg.gpg

You can now send picture.jpg.gpg to remote@mail, who will be able to read the file with his/her private key.

You can use the `--armor` parameter to make the output plaintext, so you can put it into a mail or a text file.
## Decrypt a file

Easy!

    gpg2 --decrypt image.jpg.gpg > image.jpg
## Get public key fingerprint

The fingerprint is a short string derived from your public key and can be embedded in a mail (often as a signature) or anywhere. It allows comparing a public key you received from someone with the fingerprint that you may find in mailing list archives, twitter, a html page etc., if the person spread it somewhere. This allows multiple checks of the authenticity of the public key you received.

It looks like:

    4398 3BAD 3EDC B35C 9B8F 2442 8CD4 2DFD 57F0 A909

This is my real key fingerprint, so if I send you my public key, you can use the fingerprint from this page to check it matches the key you received!

You can obtain your fingerprint using the following command:

    solene@t480 ~ $ gpg2 --fingerprint
    pub   rsa4096 2018-06-08 [SC]
          4398 3BAD 3EDC B35C 9B8F 2442 8CD4 2DFD 57F0 A909
    uid           [ ultime ] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    sub   rsa4096 2018-06-08 [E]
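Comparing a received key against a fingerprint published out of band, as described above, is easy to get wrong by hand (spacing, case, or reading a subkey fingerprint by mistake). The script below is an added example, not code from the original post: it assumes GnuPG 2.1.14 or newer (for `--import-options show-only`) and a POSIX shell with awk, and the listing it parses is a constructed sample with made-up values.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the primary
# fingerprint of a received key file with the one its owner published,
# before importing it. Assumes GnuPG >= 2.1.14 (for --import-options
# show-only) and a POSIX shell with awk.

# Canonical form for comparison: no spaces, upper case, so the spaced
# "4398 3BAD ..." form and a pasted lower-case form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read a gpg --with-colons listing on stdin and print primary-key
# fingerprints only. An "fpr" record holds the fingerprint in field 10;
# the first fpr after a "pub" record is the primary key, fpr records
# after "sub"/"ssb" records belong to subkeys and must not be matched.
primary_fprs() {
    awk -F: '
        $1 == "pub"                 { want = 1; next }
        $1 == "sub" || $1 == "ssb"  { want = 0; next }
        $1 == "fpr" && want == 1    { print $10; want = 0 }
    '
}

# Return 0 when the first primary fingerprint in the listing text ($1)
# equals the expected fingerprint ($2) in any spacing or case.
listing_matches_fingerprint() {
    actual=$(printf '%s\n' "$1" | primary_fprs | head -n 1)
    [ -n "$actual" ] && [ "$actual" = "$(normalize_fpr "$2")" ]
}

# Same check on a key file ($1) without importing it: show-only with
# --dry-run prints the listing as it would be imported and stores nothing.
key_file_matches_fingerprint() {
    listing_matches_fingerprint \
        "$(gpg2 --batch --dry-run --with-colons --import-options show-only --import "$1" 2>/dev/null)" \
        "$2"
}

# Constructed sample listing (made-up key IDs, fingerprints and user ID)
# so the parsing can be exercised without running gpg.
SAMPLE_LISTING='pub:u:4096:1:89ABCDEF01234567:1528416000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1528416000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1528416000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'
```

`key_file_matches_fingerprint solene.asc "4398 3BAD 3EDC B35C 9B8F 2442 8CD4 2DFD 57F0 A909"` returns 0 only when the file's primary key carries that fingerprint, so it can gate the `gpg2 --import` step in a script.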
## Add a new mail / identity

If for some reason you need to add another mail address to your GPG key (like personal/work keys), you can create a new identity with the new mail address. Type `gpg2 --edit-key [email protected]` and then, in the prompt, type `adduid` and answer the questions.

You can now export the public key with a different identity.
## List known keys

If you want to get the list of keys you imported, you can use:

    gpg2 -k
## Testing

If you want to do some tests, I'd recommend making new users on your system, exchanging their keys and trying to encrypt a message from one user to another.

I have a few spare users on my system on which I can ssh locally for various tests; it is always useful.