GNU Privacy Guard

From Leo's Notes
Last edited on 27 July 2023, at 20:34.

GNU Privacy Guard (GPG or GnuPG) is an open-source implementation of the OpenPGP standard and a replacement for the original Pretty Good Privacy (PGP) software suite. It encrypts, decrypts, signs and verifies data, and manages the keys involved.

Key Management

Creating a New Key

To generate a new key, run gpg --gen-key. GnuPG 1.4 (shown below) asks for the key type; on GnuPG 2.1 and later, gpg --gen-key only asks for a name and e-mail address and uses the defaults, while gpg --full-generate-key asks all the questions.

# gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)

GnuPG does not read a GPGKEY environment variable itself (that is a convention of some build tools such as makepkg). To choose the key gpg signs with by default, add default-key followed by the key ID or fingerprint to ~/.gnupg/gpg.conf.

Listing Keys

gpg --list-keys

# gpg --list-keys
/home/leo/.gnupg/pubring.gpg
----------------------------
pub   2048R/28AF4724 2015-11-23
uid                  Leo Leung <leo@example.com>

The 28AF4724 after the key size is the 32-bit short key ID. Short IDs are not a safe way to identify a key (it is cheap to generate a key with a chosen short ID), so refer to keys by their full fingerprint: gpg --fingerprint prints it, and gpg --keyid-format long --list-keys shows the 64-bit ID. Recent GnuPG versions print the fingerprint in the listing by default.

Deleting Keys

Delete the private key first with gpg --delete-secret-keys, then the public key with gpg --delete-keys; gpg refuses to delete a public key while its secret key is still in the keyring. gpg --delete-secret-and-public-key does both in one step.

# gpg --delete-secret-keys 28AF4724
sec  2048R/28AF4724 2015-11-23 Leo Leung <leo@example.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

# gpg --delete-keys 28AF4724
pub  2048R/28AF4724 2015-11-23 Leo Leung <leo@example.com>

Delete this key from the keyring? (y/N) y

Adding another UID

Edit the key with gpg --edit-key, run the adduid command, then exit with the save command.

Sending a key to a key server

gpg --keyserver pgp.mit.edu --send-key ###

The ### is the ID of the key to publish. Anyone can upload to a public keyserver and uploads cannot be removed afterwards, so before publishing make sure a revocation certificate exists (gpg --gen-revoke) and is stored somewhere safe, so that a lost or compromised key can later be marked as revoked.

Changing Private Key Passphrase

$ gpg --edit-key [keyID]
Command> passwd
Enter passphrase: 
Enter the new passphrase for this secret key.
Enter passphrase:
Repeat passphrase:
Command> save

Exporting Public Key

gpg --armor --export leo@example.com --output leo.steamr.pub


Basic Usage

Encrypting Files

Encrypt a file with a passphrase (-c is short for --symmetric and -o for --output, so the two commands below are equivalent):

$ gpg --output test.gpg --symmetric test.out
$ gpg -o test.gpg -c test.out

Decrypt a file:

## Writes the plaintext to test.out
$ gpg --output test.out -d test.gpg 

## Without --output, gpg writes to the input name with the .gpg suffix
## stripped (test here) and leaves test.gpg in place
$ gpg test.gpg
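
Passing the passphrase on the command line (gpg --passphrase ...) exposes it to every other user through ps and to the shell history. The following is an added example, not a command from the page, that does the symmetric round trip with the passphrase read from a file instead, and shows the wrong passphrase being rejected. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback and gpgconf); the passphrases, file names and contents are constructed for the demonstration and everything runs in a throwaway GNUPGHOME.

```sh
#!/bin/sh
# Added example (GnuPG 2.1 or later): symmetric encryption and decryption with the
# passphrase read from a file, so it never appears on the command line where
# "ps" and shell history would expose it. Passphrases, file names and contents
# are constructed for the demonstration; nothing touches ~/.gnupg.
set -eu

require_gpg() { command -v gpg >/dev/null 2>&1 && command -v gpgconf >/dev/null 2>&1; }

# encrypt_symmetric PASSFILE PLAINTEXT CIPHERTEXT
encrypt_symmetric() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$1" \
        --cipher-algo AES256 --symmetric --output "$3" "$2"
}

# gpg-agent remembers a symmetric passphrase that has been used (keyed on the
# salt stored in the .gpg file), so in the same session a later decrypt with a
# different passphrase may still succeed, or a mistyped one may stick. Restarting
# the agent empties that cache.
forget_cached_passphrases() {
    gpgconf --kill gpg-agent || true
}

# decrypt_symmetric PASSFILE CIPHERTEXT PLAINTEXT: always starts from an empty
# cache so the outcome depends only on the passphrase given; non-zero exit on a
# wrong passphrase.
decrypt_symmetric() {
    forget_cached_passphrases
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$1" \
        --output "$3" --decrypt "$2"
}

main() {
    require_gpg || { echo "gpg not installed; nothing to demonstrate" >&2; return 0; }
    WORK=$(mktemp -d)
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT
    GNUPGHOME=$WORK/gnupg; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    cd "$WORK"

    umask 077                                        # passphrase file readable only by us
    printf 'correct horse battery staple\n' > pass.txt   # constructed passphrase
    printf 'not the passphrase\n' > wrong.txt
    printf 'secret contents\n' > test.out            # constructed plaintext

    encrypt_symmetric pass.txt test.out test.gpg     # test.gpg holds the ciphertext

    if decrypt_symmetric wrong.txt test.gpg never.txt 2>/dev/null; then
        echo "decryption with the wrong passphrase succeeded" >&2; return 1
    fi

    decrypt_symmetric pass.txt test.gpg round-trip.txt
    cmp -s test.out round-trip.txt
    echo "symmetric round trip ok"
}
main
```

The passphrase file is created under umask 077 so only the owner can read it; the same idea applies to --passphrase-fd when the passphrase is piped in from a secret store.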

Signing Files

There are a few types of signatures:

Binary Signature

The input file is compressed and signed, and GPG writes the signature together with the compressed contents to a .gpg file. The original text is not readable without gpg.

Signing gpg --sign test.txt
Verifying gpg --verify test.txt.gpg
Retrieving gpg -d -o test.txt test.txt.gpg

Clear Signature

The contents of the input file are signed in clear text: the signature and the original text are placed together in a .asc file, which can be read with any text editor. The signature protects the text but does not hide it.

Signing gpg --clearsign test.txt
Verifying gpg --verify test.txt.asc
Retrieving gpg -d -o test.txt test.txt.asc

Detached Signature

A signature for the input file is created in a separate .sig file, usually distributed next to the input file under the same name plus the .sig extension. The input file itself is not modified, so both files must be passed to --verify, the signature first.

Signing gpg --detach-sign test.txt
Verifying gpg --verify test.txt.sig test.txt

Tasks

Automating Encrypted Backups using Asymmetric Keys

#!/bin/sh
set -eu

HOSTNAME=$(hostname)
DATE=$(date +%Y-%m-%d)

# Full fingerprint of backup_key.pub, recorded out of band from "gpg --fingerprint"
# on the machine that owns the key (placeholder: fill in the real value).
BACKUP_KEY_FPR='<fingerprint of backup_key.pub>'

# Get the public key to encrypt with
wget -O - http://leo.home.steamr.com/public/backup_key.pub | gpg --import

# The download above is not authenticated, so refuse to continue unless the key
# we pinned is now in the keyring. Without this, anyone who can tamper with that
# response substitutes their own key and --trust-model always encrypts to it.
gpg --batch --list-keys "$BACKUP_KEY_FPR" >/dev/null

# Create archive, pipe to gpg to encrypt, then send to freebsd. Encrypting to the
# fingerprint rather than an e-mail address selects exactly the pinned key.
tar -czpf - \
        /usr/share/sickbeard/ \
        /etc/init.d/sickbeard  \
        \
        /usr/share/SABnzbd/ \
        /etc/init.d/SABnzbd  \
        \
        /home/rt \
        /var/www/html/rutorrent \
        /usr/lib64/httpd/modules/mod_scgi.so \
        /etc/httpd/conf.d \
        /etc/httpd/conf/httpd.conf \
        \
        /etc/fstab \
        /etc/passwd \
        /etc/group \
        /etc/shadow \
	| gpg --encrypt --yes --no-tty --batch --trust-model always --recipient "$BACKUP_KEY_FPR" \
	| ssh backup@freebsd "cd /storage/backups/archived/sickbeard; cat - > $HOSTNAME.$DATE.tar.gz.gpg"

# Requires mailx, with smtp=smtp://mail.home.steamr.com set in /etc/mail.rc
# (printf instead of "echo -e": /bin/sh's echo does not portably take -e)
printf 'Backup Completed on %s.\nUptime: %s\n\nProcesses:\n%s\n' "$(date)" "$(uptime)" "$(ps -eaf)" \
	| mail -s "Backup Completed on $HOSTNAME" "leo@home.steamr.com"

# delete the public backup key
gpg --batch --yes --delete-keys "$BACKUP_KEY_FPR"

Verifying file signature

Some downloads ship a checksum list (CHECKSUMS.TXT here) together with an OpenPGP signature over it. When the signature is a separate file (CHECKSUMS.TXT.gpg or CHECKSUMS.TXT.sig next to CHECKSUMS.TXT), verify it by naming the signature first and the data second:

$ gpg --verify CHECKSUMS.TXT.gpg CHECKSUMS.TXT

If instead the signed checksum list is the only file distributed, decrypt it as shown under Signing Files; that recovers CHECKSUMS.TXT and checks the signature in the same step. In both cases a "Good signature" line (and exit status 0) only means the data matches some key in your keyring: gpg prints a WARNING when that key is not trusted, and the fingerprint it reports must be compared with the one the project publishes through an independent channel before the checksums are relied on.

## Verify the files with sha256sum (--ignore-missing, GNU coreutils 8.25 or
## later, skips entries for files you did not download)
$ sha256sum -c --ignore-missing CHECKSUMS.TXT

## Or sum the file in question and compare it with the checksums manually
$ sha256sum [filename]
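
The following is an added example, not from the page, that serves both the Signing Files section and this task: it signs a checksum list in all three forms described above, verifies each signature by the fingerprint gpg reports on --status-fd instead of by its exit status alone, shows a tampered copy failing, and ends with sha256sum -c over the recovered list. It assumes GnuPG 2.1 or later; the signer identity and the files are made up and everything runs in a throwaway GNUPGHOME.

```sh
#!/bin/sh
# Added example (GnuPG 2.1 or later), not from the page: sign a checksum list the
# three ways described under "Signing Files", verify each signature by the
# fingerprint gpg reports on --status-fd rather than by its exit status alone,
# show that a tampered copy fails, and finish with "sha256sum -c" as in the
# task above. The signer identity and the files are made up; everything runs
# in a throwaway GNUPGHOME.
set -eu

require_gpg() { command -v gpg >/dev/null 2>&1 && command -v gpgconf >/dev/null 2>&1; }

# verify_signer SIGNATURE [DATA]: print the fingerprint of the key behind a valid
# signature (the VALIDSIG status line) and fail if there is none. A bare
# "gpg --verify" exits 0 for a good signature from any key in the keyring, trusted
# or not, so a script has to check which key signed.
verify_signer() {
    gpg --batch --status-fd 1 --verify "$@" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; ok = 1 } END { exit !ok }'
}

# check_signed_by EXPECTED_FPR SIGNATURE [DATA]: valid and made by the pinned key
check_signed_by() {
    expected=$1; shift
    actual=$(verify_signer "$@") || return 1
    [ "$actual" = "$expected" ]
}

signer_fingerprint() {  # full fingerprint of the secret key in this keyring
    gpg --batch --with-colons --with-fingerprint --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

main() {
    require_gpg || { echo "gpg not installed; nothing to demonstrate" >&2; return 0; }
    WORK=$(mktemp -d)
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT
    GNUPGHOME=$WORK/gnupg; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    cd "$WORK"

    # Throwaway signing key; an empty passphrase is acceptable only for this demo
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Release Signer <signer@example.com>' ed25519 sign
    SIGNER_FPR=$(signer_fingerprint)

    printf 'release payload\n' > release.tar.gz      # constructed download
    sha256sum release.tar.gz > CHECKSUMS.TXT

    gpg --batch --yes --sign CHECKSUMS.TXT           # binary:   CHECKSUMS.TXT.gpg
    gpg --batch --yes --clearsign CHECKSUMS.TXT      # clear:    CHECKSUMS.TXT.asc
    gpg --batch --yes --detach-sign CHECKSUMS.TXT    # detached: CHECKSUMS.TXT.sig

    check_signed_by "$SIGNER_FPR" CHECKSUMS.TXT.gpg
    check_signed_by "$SIGNER_FPR" CHECKSUMS.TXT.asc
    check_signed_by "$SIGNER_FPR" CHECKSUMS.TXT.sig CHECKSUMS.TXT

    # One edit to the list and the detached signature no longer verifies
    sed 's/release/tampered/' CHECKSUMS.TXT > TAMPERED.TXT
    if verify_signer CHECKSUMS.TXT.sig TAMPERED.TXT >/dev/null; then
        echo "tampered list verified; this must not happen" >&2; return 1
    fi

    # Recover the list from the binary-signed file (verifies it too), then check the files
    gpg --batch --yes --quiet --output RECOVERED.TXT --decrypt CHECKSUMS.TXT.gpg
    sha256sum -c RECOVERED.TXT
    echo "all signatures made by $SIGNER_FPR"
}
main
```

In a real download check, the expected fingerprint handed to check_signed_by is the one the project publishes (on its website, in its documentation, or in a previous release), never the one taken from the keyserver or from the signature itself.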


See Also