GNU Privacy Guard (GPG or GnuPG) is an open source replacement for the original Pretty Good Privacy software suite. It is capable of encrypting and decrypting data.
Key Management
Creating a New Key
To generate a new key, run gpg --gen-key
# gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your default key can be set by setting the GPGKEY environment variable.
Listing Keys
List the keys in your keyring with gpg --list-keys
# gpg --list-keys
/home/leo/.gnupg/pubring.gpg
----------------------------
pub 2048R/28AF4724 2015-11-23
uid Leo Leung <leo@example.com>
Deleting Keys
Delete the private key first using gpg --delete-secret-keys, then the public key using gpg --delete-keys.
# gpg --delete-secret-keys 28AF4724
sec 2048R/28AF4724 2015-11-23 Leo Leung <leo@example.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
# gpg --delete-keys 28AF4724
pub 2048R/28AF4724 2015-11-23 Leo Leung <leo@example.com>
Delete this key from the keyring? (y/N) y
Adding another UID
Edit the key using gpg --edit-key, then run the adduid command. Exit using the save command.
Sending a key to a key server
gpg --keyserver pgp.mit.edu --send-key ###
Changing Private Key Passphrase
$ gpg --edit-key [keyID]
Command> passwd
Enter passphrase:
Enter the new passphrase for this secret key.
Enter passphrase:
Repeat passphrase:
Command> save
Exporting Public Key
gpg --armor --export leo@example.com --output leo.steamr.pub
Basic Usage
Encrypting Files
Encrypt a file with a passphrase:
$ gpg --output test.gpg --symmetric test.out
$ gpg -o test.gpg -c test.out
Decrypt a file:
## Writes to test.out
$ gpg --output test.out -d test.gpg
## while this writes to test and deletes test.gpg
$ gpg test.gpg
Signing Files
There are a few types of signatures:
Binary Signature
The input file is compressed and its binary data is signed. GPG places the signature and the compressed file contents into a .gpg file.

Signing | gpg --sign test.txt
---|---
Verifying | gpg --verify test.txt.gpg
Retrieving | gpg -d -o test.txt test.txt.gpg
Clear Signature
The contents of the input file are signed in clear text. The signature and the contents of the input file are placed in clear text in a .asc file. This file can be viewed with any text editor, and the signature and contents are fully visible.

Signing | gpg --clearsign test.txt
---|---
Verifying | gpg --verify test.txt.asc
Retrieving | gpg -d -o test.txt test.txt.asc
Detached Signature
A signature for the input file is created and stored in a separate .sig file. Typically, the signature file is distributed alongside the input file, with the same name except for the .sig file extension.

Signing | gpg --detach-sign test.txt
---|---
Verifying | gpg --verify test.txt.sig test.txt
Tasks
Automating Encrypted Backups using Asymmetric Keys
#!/bin/sh
HOSTNAME=`hostname`
DATE=`date +%Y-%m-%d`
# Get the public key to encrypt with.
# Caveat: the key is fetched over plain HTTP and --trust-model always (below) skips
# trust checking, so whatever is served at this URL becomes the recipient key.
# Pin the recipient by its full fingerprint, or pre-install and verify the key on this host.
wget -O - http://leo.home.steamr.com/public/backup_key.pub | gpg --import
# Create archive, pipe to gpg to encrypt, then send to freebsd
tar -czpf - \
/usr/share/sickbeard/ \
/etc/init.d/sickbeard \
\
/usr/share/SABnzbd/ \
/etc/init.d/SABnzbd \
\
/home/rt \
/var/www/html/rutorrent \
/usr/lib64/httpd/modules/mod_scgi.so \
/etc/httpd/conf.d \
/etc/httpd/conf/httpd.conf \
\
/etc/fstab \
/etc/passwd \
/etc/group \
/etc/shadow \
| gpg --encrypt --yes --no-tty --trust-model always --recipient leo@steamr.com \
| ssh backup@freebsd "cd /storage/backups/archived/sickbeard; cat - > $HOSTNAME.$DATE.tar.gz.gpg"
# Mail a completion report. Requires mailx, with smtp=smtp://mail.home.steamr.com set in /etc/mail.rc.
# printf is used instead of echo -e, which is not portable across /bin/sh implementations.
printf 'Backup Completed on %s.\nUptime: %s\n\nProcesses:\n%s\n' "`date`" "`uptime`" "`ps -eaf`" \
| mail -s "Backup Completed on `hostname`" "leo@home.steamr.com"
# Delete the public backup key again so it does not linger in this host's keyring.
gpg --batch --yes --delete-keys leo@steamr.com
Verifying file signature
Some downloads include a signature.txt.gpg file. Check the signature first (gpg reports whether it is valid), then verify the downloaded files against the signed checksum list.
$ gpg --verify CHECKSUMS.TXT.gpg CHECKSUMS.TXT
## Verify the files with sha256sum
$ sha256sum -c --ignore-missing CHECKSUMS.TXT
## Or sum the file in question and compare it with the checksums manually
$ sha256sum [filename]
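When this check is scripted, a zero exit status from gpg --verify is not enough: gpg exits 0 for a good signature from any key in the keyring, whether or not it is the publisher's. The following is an added example, not part of the original page, that parses gpg's machine-readable --status-fd output and accepts the signature only when VALIDSIG names a pinned fingerprint; the status keywords are GnuPG's documented ones, the key ID and fingerprints in the sample lines are constructed, and gpg_verify_detached assumes a gpg binary on PATH.

```python
import subprocess
# Status keywords meaning the signature failed or the signing key is unusable.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def verify_status(status_lines, expected_fpr):
    """Return (ok, reason) from gpg --status-fd lines; ok only if VALIDSIG matches the pinned key.

    gpg's exit status alone is not enough: it exits 0 for a good signature from any key in the keyring."""
    expected_fpr = expected_fpr.replace(" ", "").upper()
    failure, matched, unexpected = None, None, []
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable gpg output, not a status line
        keyword = fields[1]
        if keyword in FAILURE_KEYWORDS:
            failure = failure or keyword
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <res> <pkalgo> <hashalgo> <class> <primary-fpr>
            # Pin on the primary key fingerprint; fall back to the signing-key fingerprint if omitted.
            fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
            if fpr == expected_fpr:
                matched = fpr
            else:
                unexpected.append(fpr)
    if failure:
        return False, failure
    if matched:
        return True, "VALIDSIG " + matched
    if unexpected:
        return False, "signed by unexpected key " + ",".join(unexpected)
    return False, "no VALIDSIG"

def gpg_verify_detached(sig_path, data_path, expected_fpr):
    """Run gpg on a detached signature (as in the CHECKSUMS example above) and pin the key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return verify_status(proc.stdout.splitlines(), expected_fpr)

# Constructed sample status lines (fake key ID and fingerprints) for a good signature.
PINNED_FPR = "AAAA000000000000000000000000000000000000"
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Leo Leung <leo@example.com>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2015-11-23 "
    "1448236800 0 4 0 1 8 00 " + PINNED_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
```

Because the decision is made on the pinned fingerprint, the TRUST_ lines (and the web-of-trust state of the keyring) do not affect the outcome, which is what you want for an unattended check.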
See Also
- https://www.gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html
- https://help.ubuntu.com/community/GnuPrivacyGuardHowto