Skip to main content

University Library, University of Illinois at Urbana-Champaign

Data Encryption: GNU Privacy Guard (GPG)

Provides information and instructions for encrypting a variety of data types.

GPG Basics

The GNU Privacy Guard is an encryption tool that allows easy access to certain symmetric and asymmetric functions. It can be used primarily for encryption of documents and email.

GPG implements the Pretty Good Privacy (PGP) protocol. For asymmetric encryption, each individual has a publicly known encryption key and a private key known only to them. One encrypts a message to send to someone else using their public key, who then decrypts it using their private key.  Both the encrypted message and the short key are sent to the receiver who first uses the receiver's private key to decrypt the short key and then uses that key to decrypt the message.

Getting Started with GPG Software

***The following commands will be used in Terminal (Mac, Linux) or PowerShell (Windows)***

 

Step 1) Download and install the GPG software suite.

Windows: http://gpg4win.org/

Macintosh: https://gpgtools.org

Linux: Use your package manager to retrieve the gpg package from your distribution's repositories.

Step 2) Generate your key

Command: gpg --gen-key

Command Explanation: The --gen-key flag tells the gpg program to create a new keypair with information you provide.

Explanation: This command takes the information which you provide to the program and generates your public/private key pair. This set of two related keys allows individuals with your public key to encrypt text and data such that only your private key can decrypt them, and allows you to digitally sign documents with your private key such that your signature can be verified with your public key.

Expected Output:

---------------------------------------

gpg (GnuPG) 2.0.21; Copyright (C) 2013 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:

(1) RSA and RSA (default)

(2) DSA and Elgamal

(3) DSA (sign only)

(4) RSA (sign only)

Your selection? 1

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) 0

Key does not expire at all

Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Example Name

Email address: Example@provider.com

Comment: A short comment about this key

You selected this USER-ID:

"Example Name (A short comment about this key) <Example@provider.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

[NOTE: this message may be printed several times]

gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model

gpg: depth: 0 valid: 2 signed: 7 trust: 0-, 0q, 0n, 0m, 0f, 2u

gpg: depth: 1 valid: 7 signed: 0 trust: 3-, 0q, 0n, 4m, 0f, 0u

pub 4096R/701CA524 2013-08-26

Key fingerprint = 7739 8C52 90D6 D94C F109 68D8 EA68 84E2 701C A524

uid Example Name (A short comment about this key) <Example@provider.com>

sub 4096R/23D1F37D 2013-08-26

--------------------------------------

Step 2.5) Learn how to see our key information

Command: gpg --list-keys

Command: gpg --list-keys [UniqueID]

Command explanation: The --list-keys flag will list all of the keys you currently have in your local keyring. These keys are associated with all of the information contained in them, and so in certain situations it is possible to list a subset of these keys by providing a uniquely identifying peice of information associated with that key. Often this unique identifier is the name of the person the key belongs to.

Expected Output:

-------------------------------------

$ gpg --list-keys example

pub 4096R/701CA524 2013-08-26

uid Example Name (A short comment about this key) <Example@provider.com>

sub 4096R/23D1F37D 2013-08-26

------------------------------

Step 3) Generate your revocation key

Command: gpg --output [outputfile.asc] --gen-revoke [KeyID]

Command Explanation: the --output flag tells the gpg program the file name to output the requested data to. The --gen-revoke flag lets gpg know that you would like to generate a revocation key for the provided keyID.

Explanation: Your revocation key is a small file which can be uploaded to a keyserver to let that key server know that the owner of a key believes it has been compromised, and those who have the public key should be alerted to the fact that communications may no longer be secure.

Expected Output:

---------------------------------

$ gpg --output revoke.asc --gen-revoke 701CA524

sec 4096R/701CA524 2013-08-26 Example Name (A short comment about this key) <Example@provider.com>

Create a revocation certificate for this key? (y/N) y

Please select the reason for the revocation:

0 = No reason specified

1 = Key has been compromised

2 = Key is superseded

3 = Key is no longer used

Q = Cancel

(Probably you want to select 1 here)

Your decision? 1

Enter an optional description; end it with an empty line:

>

Reason for revocation: Key has been compromised

(No description given)

Is this okay? (y/N) y

You need a passphrase to unlock the secret key for

user: "Example Name (A short comment about this key) <Example@provider.com>"

4096-bit RSA key, ID 701CA524, created 2013-08-26

ASCII armored output forced.

Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets

access to this certificate he can use it to make your key unusable.

It is smart to print this certificate and store it away, just in case

your media become unreadable. But have some caution: The print system of

your machine might store the data and make it available to others!

-----------------------------------------------

Step 4) Get your key fingerprint

Command: gpg --fingerprint

Command: gpg --fingerprint [UniqueID]

Command Explanation: The --fingerprint flag specifies that you would like gpg to output all of the fingerprints for the keys in your keyring. When a UniqueID is specified only fingerprints from keys matching that unique ID are displayed.

Explanation: Your public key itself is a rather large series of bits which can be represented as letters, numbers, and symbols. For example my public key, written longhand, looks like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v2.0.19 (GNU/Linux)

mQINBE+IreIBEADofXo+AjMNY4GHvQneCBWaaris8TxpazDdqyhacKQSXDnBizm/

yjHSGpo3wcj+Hn5Ec14pCAgR6CAsf1yibEMRrkB7LG1ZGZGcByMJE4gVo+KsxQ80

OaG42Vl2NJ/DeDeDwXh9YNosIGBTeC2RlPmAvVZcTn99zFX8ScB5pqg5pMjUqlcz

p+4wZKqEuAba02U4yFT1cJBhfqYqIQ1Ac7xBDlHu+rOQT3fNAurMcYswNWU4oYRc

yGX7Joao9+PSbZak+hn0pjtRr+gNseiHYcxN03jQ/xIFTsyZm8WqqdmwGFL+eALF

uIVlmrsvaD99mCXZvMzuj1N/4ZDjk4rjb77ryOl+8+BEehy9IcBHthF7GSsLbiy4

MBHgmQouiNXbA4HixrSUC8h5aPBgzGbv0IWQujw+NM7XJ0XUxgyvXzA1tH+aoSVP

Kbm+Rl8J9hCgers6kY/S4MWe2XEmFDmW+1X95PE5viYu0XJh7XJNAZQ3IKNBHE5Q

rxQaHdjarJB8KL6ekSzmA729kvB/lTqWl+nXyTrWdcfI5p1YN0TxFmp1DBnzPIik

o7kDfFmUEVP1irCXkgKcy13qtNkqI/oK+NisV7qUfm3o1mZNYQ78og7ywUI1shGa

WNRBcazSYZyju90H8XzXvh34IWRVXF1Ch/MH7KtEUSNEAHgb3OFlszTK6wARAQAB

tCJCcmlhbiBCYWxzYW1vIDxGYWx4NDQ0NEBnbWFpbC5jb20+iQI4BBMBAgAiBQJP

iK3iAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBUhx6ZZvJA06JiEACe

EvcINCCAFwbge+e4SUimu45jnsR+AYA/qL2oEQwS6HaHz16EuE3NrOAhSorgBS3L

QZQJSLCi4PZD7Fm1JP55d86b0KW0I/FGx+sQFvdTM0mWvUEeGWdUbi0sO19TMGSG

JqEREi/kyVBK38SJCO4ms3yN98W8yXcOYGjBAPm++R+DW5HBJ+vnWzoOcFFqPzUQ

/b+ZwD0dn7mz0/24W6jrxLz/AcovJiOhwYZRECIUimnm6exOJHrNdEnt7acOX7UQ

2Yj4b+zru9NLRkcsyCXjOqn3TgehIQA/XC1ifeB4MrRchPxgpJLm1s1UXu3sPpop

FdI5WI8Fo3kg6sYuMNKclwH+hh6kDSVE/mfNRGZpgdRvX/mTLwiNAbex6uDBEPhX

IUfUTfNYSEVy+g7nHo7UaXLoIPnt9r8SKfLkVEQ1zciiPJwiVsabedEolZYY7ueB

bvrnyDoJ5yNFOvnllmLG04gxIa25XvvI2aOK1idAE9E70aOIyvB4V9i9SsAEoHrw

J3fNilNW7fWJK5GV93Gk09V1svzOZv/O28l9zDVB6PW4n7SsXGlwZGhgPBCSDG8G

haOz9/M5UPg2pQP7DoKYA3xEhP1VDn6zpbzN5GH1Yo5xvdySEjNLCdtz78u5PiA9

pHsqMNCze+IB/4a6X0PHucxa1Wfj/OxQwAtLprESGrkCDQRPiK3iARAA228XWIwa

39imz3aEoeMHVS4O3e6+6gV1BaNnb6FgYqt5+lqkU5Say0yn92N2s0uFnlSF1bAc

u1tGRuia863P1c5CHnyX5y10LVFYBwmKHBtEqMnGkWZbf1UDwRfB16ikruyEaG2Q

Ic9V7ylCQQL2oo8k0A9xlIJEmKKux6EZj8QK7k77OzuFqasA3ikFtJpK/+moGq3l

Pr8wmm1GufnKoxfu//18YN4CH6NIB3mcOmEdQkQpoF2kM2Lgt0TU5aJzW886zPSM

UTmEDqXumybfuq8UzCbz0InntIY4uNxrdyrBY0meT9Jxq2/ZL2/LW+N1trUxoI3r

OpVdgaHQOeTpA/JaZdrHy/CKiwosa43WPtSKLL6N8THGhFLPFkifMtiPykOlOB1F

9XxGIN51Y0m6aLpi7yG7mPAYRISttuV2RBsybA/zyALfyqVadamXKAqO4xZsHCYM

QfoGdgrOqD3YxWuexDHpnTOYCmA+WmeqqVMy4qWmNf7XKXhRjSv7TdrxzjFrydx7

p+QOOPqrhsvbIf9QeE37E8liyAkprbjvSG/++JSo9raajHv+R0A76O2G0gyuTKu7

4BfKMxaFJKSyxrcDLuldmIbbF4NyfX5qsJ1ze42fOoGiQWNBOeYrBwjnarkYOnas

iXrFgAQqazu1+OrnVl7kqPR7nfL/CBFeN4sAEQEAAYkCHwQYAQIACQUCT4it4gIb

DAAKCRBUhx6ZZvJA05zcEADmbpS52ZD4LOfa6y5sznwbge8JunxsluI7muGTWn4s

Vo8OGqVJC9KhPHGnaPBUS+4yq0Nq6aH/iQx+PLcWlg5HeoOCy286ek2EeldstBGJ

nGW4S6FO/0Y97iuXLgZ860e++KfpHr5rITw6cRmwJhgfuZt86ajbLWR8FbDIxZo/

3iv/cIAg8a7TD6Sv9h2JCyE+Znx7wvit0aWEODLx6IObjnP/tgeolwNMTSP7ZMjG

LbvBlNtSyJnCl8qgzZ/jfAssVVejSrnomxGURf3WDIhFM0otJMpxc0NyUHCMWYWH

Kjs6eScDCS307c3IoGVWkrrvwKyRazqzRXpKB66MY8VpDYG4fn3ue3H3dQKJb99N

bwzb538t3MNwAlPkVm3CnYQWoOrvAaHSWS/ld55N4c+umLuvgbIpBpIfPjhjvpf3

yrHsznWTVhO0qK3T3Ysh5xMQqgXAfFX4f1Beysm+l58nSUGlL48t7n77xv3PYUyX

CRiDJEPUenZENc/HW/x+hxja77lnoFXy/UwuipB773q6p6NbgHPxmsKe3VEBm0W7

H1qyjFzqLd3YyEyFylqPXFcZfrcKpyAVd/XGppqFv6QI6+Ibn30/fChpRIlHzSv3

PAxEovzBE4Gw/pavb+2Isip2233mVJGCHnSeV4r2x9Jt9sVZAMXK7HDr8X9EjPYM

kA==

=qAKm

-----END PGP PUBLIC KEY BLOCK-----

That's quite a mouthful to read to someone else to confirm that they have the correct public key for you. Luckily we have some handy bits of math called hash functions which take files of varying lengths and generate a fixed size string of letters and numbers which can be used to verify their integrity. Key signatures are themselves a hash of public keys, and therefore allow people to verify the integrity of public keys without reading all of the ascii-armored bits.

Expected Output:

------------------------------

$ gpg --fingerprint example

pub 4096R/701CA524 2013-08-26

Key fingerprint = 7739 8C52 90D6 D94C F109 68D8 EA68 84E2 701C A524

uid Example Name (A short comment about this key) <Example@provider.com>

sub 4096R/23D1F37D 2013-08-26

----------------------------------

Step 5) Upload your public key to a keyserver.

Command: gpg --send-keys [keyID]

Command Explanation: The --send-keys flag will, when not provided with a keyID send all of the keys you have locally to the keyserver. When provided with one or multiple keyID's the command will send just those keys to the server.

Explanation: Uploading our public key to a keyserver is one method of distributing your public key to multiple other individuals. This same task could be accomplished by placing our public key file on a USB thumb drive and manually moving the file to other people's computers, but by using a keyserver we can streamline this process so long as we don't mind our public keys being publically accessible.

Expected Command Output:

----------------------------------

$ gpg --send-keys 701CA524

gpg: sending key 701CA524 to hkp server keys.gnupg.net

---------------------------------------

Step 6) Search for and Retrieve another person's key

Command: gpg --search-keys "search term(s)"

Command Explanation: The --search-keys flag followed by quoted search terms will request a list of keys which match that term from the keyserver.

Explanation: This allows us to select keys from an interactive list of keys matching our search term and download them into our local key ring in order to perform further operations with or on them.

Expected Output:

--------------------------

$ gpg --search-keys "search term(s)"

gpg: searching for "search term(s)" from hkp server keys.gnupg.net

(1) [Key Information would appear here]

(2) [More Key Information might appear here]

(3) [And perhaps even more here]

Keys 1-# of # for "search term(s)". Enter number(s), N)ext, or Q)uit > [Number of Key Desired]

----------------------------

Step 6.5) Retrieve a key from the keyserver if we already know the keyID

Command: gpg --recv-key [keyID]

Command Explanation: The --recv-key flag allows us to retrieve a key we have directly specified via its keyID

Expected Output:

---------------------------

]$ gpg --recv-key 701CA524

gpg: requesting key 701CA524 from hkp server keys.gnupg.net

gpg: key 701CA524: "Example Name (A short comment about this key) <Example@provider.com>" changed

gpg: Total number processed: 1

gpg: unchanged: 0

---------------------------

Step 7) Verify the authenticity of a retrieved key

Command: gpg --fingerprint [Retrieved Uniqe ID]

Note: This fingerprint MUST match the fingerprint provided to you securely from the individual whose key you are authenticating

Command Explanation: The --fingerprint flag specifies that you would like gpg to output all of the fingerprints for the keys in your keyring. When a UniqueID is specified only fingerprints from keys matching that unique ID are displayed.

Explanation: Because of the nature of cryptography it is essential to establish that a public key you have recieved from a third party (in this case the keyserver) is properly correlated with the private key it is meant to link to which is held by the individual or group you want to communicate with. Checking fingerprints is the crux of trusting keys, and is arguably the most important step of this entire set of instructions.

Expected Output:

------------------------------

$ gpg --fingerprint example

pub 4096R/701CA524 2013-08-26

Key fingerprint = 7739 8C52 90D6 D94C F109 68D8 EA68 84E2 701C A524

uid Example Name (A short comment about this key) <Example@provider.com>

sub 4096R/23D1F37D 2013-08-26

----------------------------------

Step 8) Sign a key

command: gpg --sign-key [Uniqe Identifier]

Command Explanation: The --sign-key flag signs the key provided via the specified unique identifier with your own private key, such that the signature can be validated with your public key.

Explanation: Signing a key's creates a trust network such that you may communicate securely with the individual whos key you have signed. On a larger scale key signing allows allows individuals who have not signed each other's keys to communicate, provided that a complete path between them can be created via other individuals signatures.

Expected Output:

-----------------------------------

$ gpg --sign-key 701CA524

pub 4096R/701CA524 created: 2013-08-26 expires: never usage: SC

trust: ultimate validity: ultimate

sub 4096R/23D1F37D created: 2013-08-26 expires: never usage: E

[ultimate] (1). Example Name (A short comment about this key) <Example@provider.com>

pub 4096R/701CA524 created: 2013-08-26 expires: never usage: SC

trust: ultimate validity: ultimate

Primary key fingerprint: 7739 8C52 90D6 D94C F109 68D8 EA68 84E2 701C A524

Example Name (A short comment about this key) <Example@provider.com>

Are you sure that you want to sign this key with your

key "Your Name <Your Email>" (Your KeyID)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for

user: "Your Name <Your Email>"

4096-bit RSA key, ID Your KeyID, created creation date

-------------------------------------------

Step 9) Return the signed key to the keyserver

Command: gpg --send-keys [KeyID of newly signed key]

Command Explanation: The --send-keys flag specifies which of our keys we would like to send to the keyserver as specified by their keyID's.

Explanation: When signing a key we are only signing our own local copy. In order for the rest of our trust network to benefit from the fact that we have endorsed this key we must provide them with the updated copy which contains our signature. This is done by reuploading the now signed version of the key to the keyserver so others may view our signature and obtain the most up to date version of the key.

 

Step 10) Keeping your keyring up to date

Command: gpg --refresh-keys

Command Explanation: The --refresh-keys flag retrieves the newest version of all of the keys in our keyring from the keyserver.

Explanation: It is always beneficial to have the most recent version of all of the keys in your keyring. These new version may contain new signatures which connect you to more people in the trust network. Refreshing your keyring is also the primary way in which the keyserver can alert you that a revocation certificate for one of the keys in your keyring has been issued, allowing you to discard that key.

Created by Brian Balsamo. Used with permission.

Scholarly Commons

Scholarly Commons's picture
Scholarly Commons
Contact:
306 Main Library
Drop-ins welcome
Monday-Friday 8:30am-6:00pm
Phone: 217-244-1331
Website