Title: GPG2 cheatsheet
Author: Solène
Date: 06 September 2019
Tags: security
Description:
## Introduction

I don't use gpg a lot but it seems to be the only tool out there for
encrypting data which "works" and is widely used.

So this is my personal cheatsheet for everyday use of gpg.

In this post, I use the command `gpg2`, which is the binary for GPG
version 2. On your system, the `gpg` command could be gpg2 or gpg1.
You can use `gpg --version` if you want to check the real version
behind the gpg binary.

In your *~/.profile* file you may need the following line, so that
gpg-agent knows on which terminal to ask for your passphrase:

```
export GPG_TTY=$(tty)
```
## Install GPG

The real name of GPG is GnuPG, so depending on your system the package
can be called gpg2, gpg, gnupg, gnupg2 etc...

On OpenBSD, you can install it with: `pkg_add gnupg--%gnupg2`
## GPG Principle using private/public keys

- YOU make a private and a public key (associated with a mail address)
- YOU give the public key to people (the private key never leaves your machine)
- PEOPLE import your public key into their keyring
- PEOPLE use your public key from the keyring to encrypt data for you (or to verify what you signed)
- YOU need your private key, and so your passphrase, every time you decrypt or sign

I think gpg can do much more, but read the manual for that :)
## Initialization

We need to create a public and a private key.

```
solene$ gpg2 --gen-key
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
```

Follow the generation dialog: validate with "O" if you are okay with the
input. You will be asked for a passphrase after.

```
Email address: [email protected]
You selected this USER-ID:
    "Solene <[email protected]>"

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 368E580748D5CA75 marked as ultimately trusted
gpg: revocation certificate stored as '/home/solene/.gnupg/openpgp-revocs.d/7914C6A7439EADA52643933B368E580748D5CA75.rev'
public and secret key created and signed.

      7914C6A7439EADA52643933B368E580748D5CA75
uid                      Solene <[email protected]>
sub   rsa2048 2019-09-06 [E] [expires: 2021-09-05]
```

The entropy message is printed twice because two keys are generated: the
primary key (used to sign and certify) and an encryption subkey, the one
marked `[E]` in the summary.
The key will expire in 2 years, but this is okay. This is a good thing:
if you stop using the key, it will die silently at its expiration time.
If you still use it, you will be able to extend the expiry date and
people will be able to notice you still use that key.

Expiry is not revocation, though: keep the revocation certificate that gpg
stored in *~/.gnupg/openpgp-revocs.d/* somewhere safe, it is what lets you
declare the key compromised or abandoned before it expires.
## Export the public key

If someone asks for your GPG key, this is what they want:

```
gpg2 --armor --export [email protected] > solene.asc
```
## Import a public key

Import the public key:

```
gpg2 --import solene.asc
```

Once you have checked its fingerprint (see below), you can sign the key to
mark it as trusted, so gpg stops warning you that the key is not certified:

```
gpg2 --edit-key FINGERPRINT_HERE
> sign
# do you want to sign? (y/n): y
> save
```

Use `lsign` instead of `sign` if the certification is meant for your own
keyring only and should never be exported along with the key.
## Delete a public key

In case someone changes their public key, you will want to delete the old
one before importing the new one. Replace $FINGERPRINT with the actual
fingerprint of the public key:

```
gpg2 --delete-keys $FINGERPRINT
```
## Encrypt a file for someone

If you want to send the file *picture.jpg* to remote@mail then use the
command:

```
gpg2 --encrypt --recipient [email protected] --output picture.jpg.gpg picture.jpg
```

Use `--output` rather than a shell redirection here: when gpg is given a
file name it writes the result to *picture.jpg.gpg* by itself and prints
nothing on stdout, so `> picture.jpg.gpg` only creates an empty file first,
which gpg then asks whether to overwrite.

You can now send picture.jpg.gpg to remote@mail who will be able to read the
file with his/her private key. Add `--sign` if the recipient should also be
able to verify that the file really comes from you: encryption alone does
not prove who produced it.

You can use the `--armor` parameter to make the output plaintext, so you
can put it into a mail or a text file.
## Decrypt a file

Easy!

```
gpg2 --decrypt picture.jpg.gpg > picture.jpg
```

Here the redirection is fine: with `--decrypt`, gpg writes the plaintext to
stdout unless you give it `--output`. If the file was also signed, gpg
reports on stderr whether the signature is good.
## Get public key fingerprint

The fingerprint is a short string derived (by hashing) from your public key
and can be embedded in a mail (often as a signature) or anywhere.

It allows comparing a public key you received from someone with the
fingerprint that you may find in mailing list archives, twitter, an html
page etc. if the person spread it somewhere. This allows cross-checking the
authenticity of the public key you received against several sources: an
attacker who swaps the key in transit would also have to replace the
fingerprint everywhere you look it up.

It looks like:

```
4398 3BAD 3EDC B35C 9B8F 2442 8CD4 2DFD 57F0 A909
```

This is my real key fingerprint, so if I send you my public key, you can
use the fingerprint from this page to check it matches the key you
received!

You can obtain your fingerprint using the following command:

```
solene@t480 ~ $ gpg2 --fingerprint
pub   rsa4096 2018-06-08 [SC]
      4398 3BAD 3EDC B35C 9B8F 2442 8CD4 2DFD 57F0 A909
uid           [ ultime ] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sub   rsa4096 2018-06-08 [E]
```

Compare the whole 40-character fingerprint, not just the 8 or 16 character
key ID at its end: short key IDs are cheap to collide.
## Add a new mail / identity

If for some reason you need to add another mail address to your GPG key
(like personal/work addresses) you can create a new identity with the new
mail.

Type `gpg2 --edit-key [email protected]` and then, in the prompt, type
`adduid` and answer the questions. Finish with `save`, otherwise the new
identity is discarded.

You can now export the public key with a different identity.
## List known keys

If you want to get the list of keys you imported, you can use:

```
gpg2 -k
```

`gpg2 -K` (capital K) lists only the keys for which you also hold the
private part.
## Testing

If you want to do some tests, I'd recommend making new users on your
system, exchanging their keys and trying to encrypt a message from one
user to another.

I have a few spare users on my system on which I can ssh locally for
various tests, it is always useful.
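As an added, runnable example (not code from the original post), here is the whole workflow of this cheatsheet run between two throwaway identities, "Alice" and "Bob", with each side in its own temporary `GNUPGHOME` instead of a separate Unix user: key creation with a 2 year expiry, export and import, the fingerprint comparison, marking the key as trusted, encrypting and signing a file, decrypting and verifying it, and finally extending the expiry. The names, mail addresses and message are constructed, and the script uses `--quick-gen-key`, `--quick-lsign-key`, `--quick-set-expire`, `--with-colons` and `--status-fd`, which are GnuPG 2.1+ options not covered in the post. Keys are created without a passphrase only so that the script can run unattended; real keys should keep one.

```sh
#!/bin/sh
# Added example, not from the original post. Two constructed identities, each
# with its own temporary GNUPGHOME, so nothing here touches your real ~/.gnupg.
set -eu

GPG=${GPG:-gpg2}
command -v "$GPG" >/dev/null 2>&1 || GPG=gpg
command -v "$GPG" >/dev/null 2>&1 || { echo "skip: no gpg binary found" >&2; exit 0; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"
BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"

# Stop the gpg-agent each keyring spawned, then remove everything.
cleanup() {
    for h in "$ALICE" "$BOB"; do
        GNUPGHOME="$h" gpgconf --kill all >/dev/null 2>&1 || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# g HOME ARGS...: run gpg against one identity's keyring. --batch suppresses
# every prompt; the loopback pinentry lets the (empty) passphrase be passed here.
g() {
    _home=$1; shift
    GNUPGHOME="$_home" "$GPG" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}

# key_field HOME UID N: Nth field of the "pub" record in machine-readable
# (--with-colons) output; 5 = key ID, 6 = creation date, 7 = expiry date.
key_field() {
    g "$1" --with-colons -k "$2" | awk -F: -v n="$3" '$1 == "pub" { print $n; exit }'
}

# key_fpr HOME UID: full 40 hex digit fingerprint of the primary key.
key_fpr() {
    g "$1" --with-colons --fingerprint -k "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# later_than A B: true when date A is after date B (epoch seconds compare
# numerically, ISO 8601 stamps compare lexically, both are monotonic).
later_than() {
    [ "$(awk -v a="$1" -v b="$2" 'BEGIN { print (a > b) ? 1 : 0 }')" = 1 ]
}

demo() {
    # 1. Initialization: "default default 2y" gives a [SC] primary key plus an
    #    [E] subkey expiring in two years, like --gen-key in the post.
    g "$ALICE" --quick-gen-key 'Alice <alice@example.org>' default default 2y
    g "$BOB"   --quick-gen-key 'Bob <bob@example.org>'     default default 2y

    # 2. Export / import: each side publishes its public key, the other imports it.
    g "$ALICE" --armor --export alice@example.org > "$WORK/alice.asc"
    g "$BOB"   --import "$WORK/alice.asc"
    g "$BOB"   --armor --export bob@example.org > "$WORK/bob.asc"
    g "$ALICE" --import "$WORK/bob.asc"

    # 3. Fingerprint check: what Alice published must match what Bob imported.
    ALICE_FPR=$(key_fpr "$ALICE" alice@example.org)
    BOB_SEEN_FPR=$(key_fpr "$BOB" alice@example.org)
    [ "$ALICE_FPR" = "$BOB_SEEN_FPR" ] || { echo "fingerprint mismatch!" >&2; exit 1; }

    # 4. Trust: Bob certifies Alice's key with a local (non-exportable) signature.
    #    Without it, --batch refuses to encrypt to a key nobody has verified.
    g "$BOB" --quick-lsign-key "$ALICE_FPR"

    # 5. Bob encrypts and signs a file for Alice; --output, not a shell redirect.
    SECRET='constructed sample message for Alice'
    printf '%s\n' "$SECRET" > "$WORK/msg.txt"
    g "$BOB" --encrypt --sign --recipient alice@example.org \
        --output "$WORK/msg.gpg" "$WORK/msg.txt"

    # 6. Alice decrypts and checks Bob's signature through the machine-readable
    #    status lines instead of eyeballing stderr.
    SIG_STATUS=$(g "$ALICE" --status-fd 1 --decrypt --output "$WORK/plain.txt" "$WORK/msg.gpg" \
        | awk '/^\[GNUPG:\] GOODSIG/ { print "GOODSIG"; exit }')
    RECOVERED=$(cat "$WORK/plain.txt")

    # 7. Expiry: Alice pushes her expiry date out; people see it once they
    #    re-import her refreshed public key.
    EXPIRY_OLD=$(key_field "$ALICE" alice@example.org 7)
    g "$ALICE" --quick-set-expire "$ALICE_FPR" 3y
    EXPIRY_NEW=$(key_field "$ALICE" alice@example.org 7)
}

demo
echo "fingerprint: $ALICE_FPR"
echo "signature:   ${SIG_STATUS:-BADSIG or missing}"
echo "recovered:   $RECOVERED"
echo "expiry:      $EXPIRY_OLD -> $EXPIRY_NEW"
```

Run it as `sh gpg-exchange.sh`; set `GPG=gpg` first if your binary is not called gpg2. The `--with-colons` and `--status-fd` forms are the ones to parse in scripts: the human-readable listing and the stderr warnings change wording between versions and locales (note the `[ ultime ]` in the French listing above), while the colon fields and `[GNUPG:]` status keywords are stable.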