Squoggle

Mac's tech blog


GPG HowTo

Here are my notes on GPG.

Here’s a nice GPG Cheat Sheet:
http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html

Directory:
GPG will automatically store your configs in ~/.gnupg

List Keys:
To list the keys in your public key ring. These will be public keys that you have imported already:

$ gpg --list-keys

List Private Keys:
To list the keys in your secret key ring (your private keys):

$ gpg --list-secret-keys

Typically you will only have one Private Key, your own.

List Signatures:
To list the keys and signatures:

$ gpg --list-sigs

Check Keys:
To check the keys and signatures:

$ gpg --check-sigs

I’m not exactly sure what this does. It seems to be the same as ‘List Signatures’ from my perspective.

Delete Private Key:
To delete keys in your secret key ring. This is typically going to be your private key:

$ gpg --delete-secret-keys "Jimmy McKlosky"

Delete Public Key:
To delete keys from your public key ring (your public key). Delete the secret key first, then:

$ gpg --delete-keys "Jimmy McKlosky"

This is how you would delete other people’s public keys from your store as well.

Help:
To get help:

$ gpg --help

Generate a new key pair:
Generate your public and private keys:

$ gpg --gen-key

You should see:

gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Hit [ENTER] for the default or type in another number:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

2048 should be fine. Hit [ENTER] to accept.

Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
The default is to never expire. This should be fine.

Hit [ENTER] to select no expiration date.

Key does not expire at all
Is this correct? (y/N) y

Hit 'y' to confirm no expiration date.

GnuPG needs to construct a user ID to identify your key.

Real name: Jimmy McKlosky

Enter your real name.

Email address: [email protected]

Add your email address.

Comment: Jimmy's Bar & Grill

I put my org in the comment section.

You selected this USER-ID:
"Jimmy McKlosky (Jimmy's Bar & Grill) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Select ‘O’ to confirm this is OK.

You need a Passphrase to protect your secret key.

A dialog box may open, or you may get a text prompt to enter your private key password. Check your database for this.
A message appears about generating random data.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

If you are logged into the host remotely, see the gotcha below about generating entropy.

gpg: key E3541042 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/E3541042 2017-02-10
Key fingerprint = 8367 6BB4 9178 6D45 DF58 C2C4 2D6F 813A E354 1042
uid Jimmy McKlosky (Jimmy's Bar & Grill) <[email protected]>
sub 2048R/997E61F3 2017-02-10

This completes the GPG Key Generation Process.

Gotcha: On virtual machines there is no way of generating entropy via keyboard and mouse, as there is no physical keyboard or mouse. The way I got around this is to generate entropy on the drive. Open another session to the server, then kick off the key generation as above. When it says it needs to generate entropy, go to the other session and enter this command:

$ find / -type f | xargs grep blahblahblha

In a few seconds you should have enough entropy and the Key Gen completes!

Export Keys:
List the keys to get the Key IDs:

$ gpg --list-keys
/x/home/jimmy/.gnupg/pubring.gpg
-------------------------------------
pub  1024D/F1ADF609 2013-05-15 Jimmy McKlosky (Trusted Master for BFD User Key Signing) <[email protected]>
sub  1024g/835CFDE8 2013-05-15 [expires: 2015-05-15]

List the secret keys to make sure they exist and match:

$ gpg --list-secret-keys
/x/home/jimmy/.gnupg/secring.gpg
-------------------------------------
sec  1024D/F1ADF609 2013-05-15 Jimmy McKlosky (Trusted Master for BFD User Key Signing) <[email protected]>
ssb  1024g/835CFDE8 2013-05-15

In this case you are simply ensuring that you are working with both your public and private keys and that they match. It is possible to have more than one set of keys, so this step is simply to ensure you are working with the correct set.

Export your Public Key:

$ gpg --export -a "Jimmy McKlosky" > public.key

This will result in a single file named public.key that contains your public key. The -a means --armor.

Export all the Public Keys in your public keyring:

$ gpg --export -a > public.keys

This is useful if you want to export all the public keys you have imported and move them to a new machine. This command results in a file named public.keys and contains all of the public keys you have previously imported.

Export your Private Key:

$ gpg --export-secret-key -a "Jimmy McKlosky" > private.key

The only reason you would have to export your private key would be to install it on another computer. You probably don’t want to have a private key for every computer you use. Since this is a private key, care should be taken to safeguard it like you would any other private key.

Export your Public and Private Keys using the numeric key ID:
If you have multiple keys identified by your name then the above is not a good way to do this as it will just take the first one. A better way of doing that is by using the numeric key ID. The numeric key ID is unique and is the same for both the Public and Private key. It is the number behind the “/” in this case “F1ADF609” prepended with “0x” to look like this: “0xF1ADF609”. The command to export your keys via Key ID looks like this:

$ gpg --export -a 0xF1ADF609 > public.key
$ gpg --export-secret-key -a 0xF1ADF609 > private.key

You can now send your public key to someone who needs to send you some encrypted data. They can encrypt the data with your public key and when you get it you can decrypt it with your private key and read it.

Decrypt an encrypted file:
How to decrypt a file that was encrypted with your public key:

$ gpg --decrypt [file-name]

You will be prompted to enter your passphrase to decrypt it.

Encrypt a file:

$ gpg -e -u "Sender-Name" -r "Receiver-Name" [file-name]

Make the output file look nice and pretty:

$ gpg -e -u "Sender-Name" -r "Receiver-Name" --armor [file-name]

This should probably be your standard as it makes it much easier to read.

Import a public key:
Put the public key you received from someone into a file named public.key and import it like this:

$ gpg --import public.key

This adds the public key in the file public.key to your public key ring.

Import multiple public keys:
In the case where you may have exported multiple public keys, you can import them all. Put them all in a file and import like this:

$ gpg --import public.keys

Import a private key:
Typically this will only be your own private key from a different computer.

$ gpg --allow-secret-key-import --import private.key

I’ve also been able to do it simply like this:

$ gpg --import private.key

This adds the private key in the file private.key to your private key ring.

I’ve had to do it like this to actually import the secret key:

$ gpg --edit-key 818E4A41

Then choose trust and choose the level of trust. Then quit.

List key fingerprints:
This will show the fingerprints for keys in your key ring. This may be useful for some ways of authenticating those keys.

$ gpg --fingerprint

A fingerprint is a way you can verify with a person that the key you have for them is valid. For example, you could call them and they could tell you the key fingerprint, and you could validate it against the output of this command.

Sign Public Keys:
Once you have validated the public key you can sign it so it will no longer bark at you when you attempt to encrypt data for a certain user.
Do it like this:

$ gpg --sign-key "User-Name"
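Tying together the key-ID, fingerprint and signing sections above, here is an added shell example (mine, not part of the original post) that checks a key's full 40-hex fingerprint against the value a person read to you before you run --sign-key. It works on the machine-readable form of the listings used in this post (gpg --with-colons --fingerprint --list-keys); the sample listing is constructed, the addresses are placeholders, and the second key's fingerprint is made up.

```shell
#!/bin/sh
# Added example, not part of the original post: check a key's full
# fingerprint against the value a person read to you out-of-band before
# you sign their key. Input is the machine-readable form of the listings
# used in this post:  gpg --with-colons --fingerprint --list-keys
# (field 1 = record type, field 5 of a pub record = 16-hex long key ID,
#  field 10 of the fpr record that follows it = 40-hex fingerprint).

# CONSTRUCTED sample listing. The first key is the one shown in this post
# (short ID E3541042 = last 8 hex digits of its fingerprint); the second
# key's fingerprint is made up so that it ends in the post's other ID.
SAMPLE_LISTING='pub:u:2048:1:2D6F813AE3541042:1486684800:::u:::scESC:
fpr:::::::::83676BB491786D45DF58C2C42D6F813AE3541042:
uid:u::::1486684800::::Jimmy McKlosky (Bar and Grill) <jimmy@example.com>:
pub:u:1024:17:00000000F1ADF609:1368576000:::u:::scaSC:
fpr:::::::::00000000000000000000000000000000F1ADF609:
uid:u::::1368576000::::Jimmy McKlosky (Trusted Master) <jimmy@example.com>:'

# Uppercase hex with spaces, tabs and a leading 0x removed, so a value typed
# from a phone call compares byte-for-byte with gpg's output.
normalize_hex() {
  printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Print the fingerprint of every primary key whose long ID ends in $2
# (accepts the 8-hex short ID used in this post or the 16-hex long ID).
fingerprints_for_keyid() {
  id=$(normalize_hex "$2")
  printf '%s\n' "$1" | awk -F: -v id="$id" '
    $1 == "pub" { want = (substr($5, length($5) - length(id) + 1) == id); next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if exactly one key has that ID and its fingerprint equals the
# one you were given; an ID shared by two keys is reported as ambiguous
# instead of silently matching the first.
verify_fingerprint() {
  listing=$1; keyid=$2; expected=$(normalize_hex "$3")
  [ ${#expected} -eq 40 ] || { echo "need a 40-hex fingerprint" >&2; return 3; }
  found=$(fingerprints_for_keyid "$listing" "$keyid")
  [ -n "$found" ] || { echo "no key ending in $keyid" >&2; return 1; }
  n=$(printf '%s\n' "$found" | awk 'END { print NR }')
  [ "$n" -eq 1 ] || { echo "ambiguous: $n keys end in $keyid" >&2; return 2; }
  [ "$found" = "$expected" ]
}

verify_fingerprint "$SAMPLE_LISTING" E3541042 \
  "8367 6bb4 9178 6d45 df58 c2c4 2d6f 813a e354 1042" && echo "fingerprint matches"
```

On a real keyring, replace SAMPLE_LISTING with the output of gpg --with-colons --fingerprint --list-keys and sign only when the check succeeds.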