GNU Privacy Guard

tags: gpg

Basic GPG usage: key management, file encryption and decryption, and signatures.

generate new key

ycheng@NUC10:~$ gpg --gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Yu-Jung Cheng
E-mail address: yujungcheng@email.com
You selected this USER-ID:
    "Yu-Jung Cheng <yujungcheng@email.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilise the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilise the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 93BDCBC4FF8E50D9 marked as ultimately trusted
gpg: revocation certificate stored as '/home/ycheng/.gnupg/openpgp-revocs.d/8EF10B87EF490909443E5C9793BDCBC4FF8E50D9.rev'
public and secret key created and signed.

pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
uid                      Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]

You will be asked to enter a passphrase twice; it protects your private key.

List your keys

ycheng@NUC10:~$ gpg --list-keys
/home/ycheng/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
uid           [ultimate] Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]

Generate a revocation certificate.

ycheng@NUC10:~$ gpg --output revoke.asc --gen-revoke 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9

sec  rsa3072/93BDCBC4FF8E50D9 2022-05-12 Yu-Jung Cheng <yujungcheng@email.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> for testing.
> 
Reason for revocation: Key is no longer used
for testing.
Is this okay? (y/N) y
ASCII armoured output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

ycheng@NUC10:~$ ls -l revoke.asc 
-rw------- 1 ycheng ycheng 735 May 12 16:09 revoke.asc

export your public key

export the key as a binary file

ycheng@NUC10:~$ gpg --output yujungcheng-nuc10.gpg --export 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
ycheng@NUC10:~$ ls -l ./yujungcheng-nuc10.gpg 
-rw-rw-r-- 1 ycheng ycheng 1757 May 12 16:36 ./yujungcheng-nuc10.gpg

or output it in ASCII-armored format

ycheng@NUC10:~$ gpg --armor --export 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
-----BEGIN PGP PUBLIC KEY BLOCK-----
... omit
=Aq4r
-----END PGP PUBLIC KEY BLOCK-----

import a public key

[20:43:31] ycheng@nuc8:~ $ gpg --import ./yujungcheng-nuc10.gpg 
gpg: key 93BDCBC4FF8E50D9: public key "Yu-Jung Cheng <yujungcheng@email.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

[20:43:31] ycheng@nuc8:~ $ gpg --list-keys
/home/ycheng/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
uid           [ unknown] Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]

validate the key via its fingerprint. On the receiving machine (nuc8) the imported key shows as [ unknown]; before trusting or using it, compare the fingerprint printed here with the one displayed on the originating machine (NUC10), or obtained through another trusted channel.

[20:43:31] ycheng@nuc8:~ $ gpg --edit-key yujungcheng@email.com
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa3072/93BDCBC4FF8E50D9
     created: 2022-05-12  expires: 2024-05-11  usage: SC  
     trust: unknown       validity: unknown
sub  rsa3072/FBBBFD945FD419F8
     created: 2022-05-12  expires: 2024-05-11  usage: E   
[ unknown] (1). Yu-Jung Cheng <yujungcheng@email.com>

gpg> fpr
pub   rsa3072/93BDCBC4FF8E50D9 2022-05-12 Yu-Jung Cheng <yujungcheng@email.com>
 Primary key fingerprint: 8EF1 0B87 EF49 0909 443E  5C97 93BD CBC4 FF8E 50D9

Or use the command below to get the fingerprint

ycheng@NUC10:~$ gpg --list-keys --fingerprint
/home/ycheng/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF1 0B87 EF49 0909 443E  5C97 93BD CBC4 FF8E 50D9
uid           [ultimate] Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]
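Added example, not from these notes or from the GnuPG project: a Python script that performs the fingerprint comparison above programmatically, so a key file copied from NUC10 is imported on nuc8 only if its primary fingerprint equals the value read off the NUC10 screen. It parses gpg's machine-readable --with-colons listing instead of the human-readable one; the colon record layout and the show-only import option are GnuPG's (doc/DETAILS), the function names are mine, and the sample listing embedded in the script is constructed for the key above with made-up timestamps. Once the fingerprint is confirmed this way, the "There is no assurance this key belongs to the named user" prompt seen later when encrypting on nuc8 can be avoided by certifying the key (sign or lsign inside --edit-key).

```python
"""Fingerprint pinning before import.

Added example, not part of the original notes: the check that belongs
between exporting the key on NUC10 and importing it on nuc8.  It parses
GnuPG's machine-readable listing (--with-colons, documented in doc/DETAILS
of the GnuPG sources).  The sample listing at the bottom is constructed
for the key shown in these notes.
"""
import subprocess
from typing import Optional


def normalize_fpr(fpr: str) -> str:
    """Drop display spacing and upper-case, so the human-readable
    '8EF1 0B87 ...' form compares equal to the colon-record form."""
    return "".join(fpr.split()).upper()


def primary_fingerprint(colons_listing: str) -> Optional[str]:
    """Return the primary key fingerprint from --with-colons output.

    A 'pub' record is followed by an 'fpr' record whose 10th field holds
    the fingerprint.  Later 'fpr' records belong to subkeys ('sub'), so
    only the first 'fpr' after 'pub' is used.
    """
    seen_pub = False
    for line in colons_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            seen_pub = True
        elif fields[0] == "fpr" and seen_pub and len(fields) > 9:
            return fields[9] or None
    return None


def fingerprint_matches(colons_listing: str, expected_fpr: str) -> bool:
    """True only when the listing's primary fingerprint equals the pinned one."""
    actual = primary_fingerprint(colons_listing)
    return actual is not None and actual == normalize_fpr(expected_fpr)


def import_if_fingerprint_matches(key_file: str, expected_fpr: str,
                                  gpg: str = "gpg") -> bool:
    """Inspect the key file without storing it (import option show-only),
    then import only when the primary fingerprint equals the value obtained
    out of band.  Needs a gpg binary; the helpers above do not."""
    listing = subprocess.run(
        [gpg, "--batch", "--with-colons", "--import-options", "show-only",
         "--import", key_file],
        capture_output=True, text=True, check=True,
    ).stdout
    if not fingerprint_matches(listing, expected_fpr):
        return False
    subprocess.run([gpg, "--batch", "--import", key_file], check=True)
    return True


# Constructed sample of the colon listing for the key in these notes.
# Key IDs and fingerprints are the ones shown above; the timestamps and
# the uid hash field are made up.
SAMPLE_LISTING = """\
pub:-:3072:1:93BDCBC4FF8E50D9:1652300000:1715400000::-:::scESC::::::23::0:
fpr:::::::::8EF10B87EF490909443E5C9793BDCBC4FF8E50D9:
uid:-::::1652300000::0000000000000000000000000000000000000000::Yu-Jung Cheng <yujungcheng@email.com>::::::::::0:
sub:-:3072:1:FBBBFD945FD419F8:1652300000:1715400000:::::e::::::23:
fpr:::::::::9CABA90AB92C13D56A272E1EFBBBFD945FD419F8:
"""

if __name__ == "__main__":
    pinned = "8EF1 0B87 EF49 0909 443E  5C97 93BD CBC4 FF8E 50D9"
    print("primary fingerprint:", primary_fingerprint(SAMPLE_LISTING))
    print("matches pinned value:", fingerprint_matches(SAMPLE_LISTING, pinned))
```

Run without arguments to see the sample; on nuc8, import_if_fingerprint_matches('./yujungcheng-nuc10.gpg', '8EF1 0B87 EF49 0909 443E 5C97 93BD CBC4 FF8E 50D9') would replace the bare gpg --import step shown above.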

install the gnupg2 package (gpg2 reads the same keyring)

ycheng@NUC10:~$ sudo apt install gnupg2 -y
ycheng@NUC10:~$ gpg2 --list-keys
/home/ycheng/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
uid           [ultimate] Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]

encrypt file

encrypt the file using the public key (on nuc8 the imported key has not been validated yet, so gpg asks before using it)

[20:43:31] ycheng@nuc8:~ $ gpg --encrypt --recipient 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9 --output myurls.gpg ./URLs 
gpg: FBBBFD945FD419F8: There is no assurance this key belongs to the named user
sub  rsa3072/FBBBFD945FD419F8 2022-05-12 Yu-Jung Cheng <yujungcheng@email.com>
 Primary key fingerprint: 8EF1 0B87 EF49 0909 443E  5C97 93BD CBC4 FF8E 50D9
      Subkey fingerprint: 9CAB A90A B92C 13D5 6A27  2E1E FBBB FD94 5FD4 19F8

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
[20:43:31] ycheng@nuc8:~ $ ls -l ./myurls.gpg 
-rw-rw-r-- 1 ycheng ycheng 938 May 12 21:45 ./myurls.gpg

decrypt file

decrypt the encrypted file using the private key

ycheng@NUC10:~$ gpg --decrypt --output myurls ./myurls.gpg 
gpg: encrypted with 3072-bit RSA key, ID FBBBFD945FD419F8, created 2022-05-12
      "Yu-Jung Cheng <yujungcheng@email.com>"
ycheng@NUC10:~$ ls -l ./myurls
-rw-rw-r-- 1 ycheng ycheng 968 May 12 21:54 ./myurls

use md5sum to compare the original and the decrypted file

[20:43:31] ycheng@nuc8:~ $ md5sum ./URLs 
7f846f32df9fee5b5cd415609c3defb3  ./URLs

ycheng@NUC10:~$ md5sum ./myurls
7f846f32df9fee5b5cd415609c3defb3  ./myurls

use symmetric-key encryption (protected by a passphrase only, no key pair involved)

[20:43:31] ycheng@nuc8:~ $ gpg --output newurls.gpg --symmetric ./URLs 
[20:43:31] ycheng@nuc8:~ $ ls -l ./newurls.gpg 
-rw-rw-r-- 1 ycheng ycheng 548 May 12 22:05 ./newurls.gpg
ycheng@NUC10:~$ gpg --decrypt --output newurls ./newurls.gpg 
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
ycheng@NUC10:~$ ls -l ./newurls
-rw-rw-r-- 1 ycheng ycheng 968 May 12 22:06 ./newurls

making and verifying signatures

make a digital signature of the file (--sign writes a compressed, signed copy in binary format; it does not encrypt it)

ycheng@NUC10:~$ gpg --sign --output myurls.sig ./myurls
ycheng@NUC10:~$ ls -l ./myurls.sig 
-rw-rw-r-- 1 ycheng ycheng 1043 May 12 22:15 ./myurls.sig

to verify the signature. Both WARNING lines matter: the first says the signature is cryptographically good but the key is not certified (trusted) on this machine; the second appears because a file named myurls sits next to myurls.sig, and only the data embedded in myurls.sig was verified, not that separate file.

[20:43:31] ycheng@nuc8:~ $ gpg --verify myurls.sig 
gpg: Signature made Thu 12 May 2022 22:15:49 AEST
gpg:                using RSA key 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
gpg: Good signature from "Yu-Jung Cheng <yujungcheng@email.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8EF1 0B87 EF49 0909 443E  5C97 93BD CBC4 FF8E 50D9
gpg: WARNING: not a detached signature; file 'myurls' was NOT verified!

to decrypt, i.e. extract the original data from the signed file (--decrypt also verifies the signature)

[20:43:31] ycheng@nuc8:~ $ gpg --output myurls --decrypt myurls.sig
gpg: Signature made Thu 12 May 2022 22:15:49 AEST
gpg:                using RSA key 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
gpg: Good signature from "Yu-Jung Cheng <yujungcheng@email.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8EF1 0B87 EF49 0909 443E  5C97 93BD CBC4 FF8E 50D9
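Added example, not from these notes or from the GnuPG project: a Python script that turns the --verify runs above into a yes/no decision. "Good signature" with [unknown] means the signature is valid but the key has no trust on nuc8; scraping that text is fragile, so the script reads GnuPG's status lines (--status-fd, documented in doc/DETAILS) and accepts a signature only when VALIDSIG carries the fingerprint pinned when the key was imported, which makes the web-of-trust warning irrelevant. The status keywords are GnuPG's; the function names are mine; the sample status outputs are constructed from the verify runs above, with made-up timestamp and algorithm fields.

```python
"""Programmatic signature verification against a pinned fingerprint.

Added example, not part of the original notes.  Decisions rest on GnuPG's
machine-readable status lines (--status-fd), never on the human-readable
"Good signature ... [unknown]" text.  Sample status outputs below are
constructed from the verify runs in these notes.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Status keywords that forbid acceptance even if a GOODSIG line is also
# present (bad or unverifiable signature, expired signature or key, revoked key).
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class SigDecision:
    good: bool                  # a GOODSIG line was seen
    primary_fpr: Optional[str]  # primary key fingerprint from VALIDSIG
    trust: Optional[str]        # TRUST_UNDEFINED ... TRUST_ULTIMATE (informational)
    accepted: bool              # good, nothing rejecting, fingerprint matches the pin


def normalize_fpr(fpr: str) -> str:
    return "".join(fpr.split()).upper()


def decide(status_text: str, pinned_primary_fpr: str) -> SigDecision:
    good = False
    rejected = False
    primary_fpr = None
    trust = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword in REJECT_KEYWORDS:
            rejected = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <exp-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-key-fpr>]
            # The last field is the primary key fingerprint; if absent
            # (older output), the signing key fingerprint is used instead.
            primary_fpr = fields[11] if len(fields) >= 12 else fields[2]
        elif keyword.startswith("TRUST_"):
            trust = keyword
    accepted = (good and not rejected and primary_fpr is not None
                and primary_fpr == normalize_fpr(pinned_primary_fpr))
    return SigDecision(good, primary_fpr, trust, accepted)


def verify_detached(sig_file: str, data_file: str, pinned_primary_fpr: str,
                    gpg: str = "gpg") -> SigDecision:
    """Verify a detached signature over data_file.  Naming the data file
    explicitly avoids the 'file ... was NOT verified' situation above, where
    only the data embedded in the .sig was checked.  Needs a gpg binary."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_file, data_file],
        capture_output=True, text=True,  # non-zero exit on a bad signature is expected
    )
    return decide(proc.stdout, pinned_primary_fpr)


PINNED_FPR = "8EF1 0B87 EF49 0909 443E  5C97 93BD CBC4 FF8E 50D9"

# Constructed status output matching the "[unknown]" verify run above.
STATUS_GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9 0
[GNUPG:] GOODSIG 93BDCBC4FF8E50D9 Yu-Jung Cheng <yujungcheng@email.com>
[GNUPG:] VALIDSIG 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9 2022-05-12 1652357749 0 4 0 1 8 00 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed status output for a file altered after signing.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 93BDCBC4FF8E50D9 Yu-Jung Cheng <yujungcheng@email.com>
"""

if __name__ == "__main__":
    print(decide(STATUS_GOOD_UNTRUSTED, PINNED_FPR))
    print(decide(STATUS_BAD, PINNED_FPR))
```

With the detached signature made later in these notes, verify_detached('./mynewurls.sig', './myurls.sig', PINNED_FPR) is the scripted equivalent of gpg --verify mynewurls.sig ./myurls.sig, and its result does not change between the [unknown] machine and the [ultimate] one.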

clearsigned documents

ycheng@NUC10:~$ gpg --clearsign myurls.sig
ycheng@NUC10:~$ ls -l myurls.sig.asc
-rw-rw-r-- 1 ycheng ycheng 1752 May 12 22:27 myurls.sig.asc

detached signatures

ycheng@NUC10:~$ gpg --output ./mynewurls.sig --detach-sig ./myurls.sig
ycheng@NUC10:~$ ls -l ./mynewurls.sig 
-rw-rw-r-- 1 ycheng ycheng 438 May 12 22:30 ./mynewurls.sig
ycheng@NUC10:~$ gpg --verify mynewurls.sig ./myurls.sig
gpg: Signature made Thu 12 May 2022 22:30:18 AEST
gpg:                using RSA key 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
gpg: Good signature from "Yu-Jung Cheng <yujungcheng@email.com>" [ultimate]
ycheng@NUC10:~$ ls -l ./my*
-rw-rw-r-- 1 ycheng ycheng  438 May 12 22:30 ./mynewurls.sig
-rw-rw-r-- 1 ycheng ycheng  968 May 12 21:54 ./myurls
-rw-rw-r-- 1 ycheng ycheng  938 May 12 21:45 ./myurls.gpg
-rw-rw-r-- 1 ycheng ycheng 1043 May 12 22:15 ./myurls.sig
-rw-rw-r-- 1 ycheng ycheng 1752 May 12 22:27 ./myurls.sig.asc

notes

You can specify a key either by its key ID or by its email address. For example:

$ gpg --armor --export <ID or Email>
$ gpg --edit-key <ID or Email>

to delete a key (the secret key first, then the public key)

$ gpg --delete-secret-keys <key ID>
$ gpg --delete-keys <key ID>

Example: adding a repository signing key to /etc/apt/trusted.gpg.d/

https://itsfoss.com/apt-key-deprecated/

Unpack (dearmor) the armored key into a binary keyring; apt reads binary keyrings, and tee's echo of the binary data to the terminal is discarded.

curl -f -s -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/suse-release.gpg > /dev/null

Get the key and armor it. Note that Release.key is already ASCII-armored, so --enarmor only wraps it a second time: the first Base64 line below decodes to "-----BEGIN PGP PUBLIC KEY BLOCK-----", and the output is labelled "PGP ARMORED FILE" with a hint to use --dearmor.

$ curl -s -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | gpg --enarmor
-----BEGIN PGP ARMORED FILE-----
Comment: Use "gpg --dearmor" for unpacking

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tClZlcnNpb246IEdu
dVBHIHYxLjQuNSAoR05VL0xpbnV4KQoKbVFFTkJGdGtWMGNCQ0FEU3RTVENHNXFn
WXR6bVdmeW1IWnF4eGhmd2ZTNmZkSEpjYkdVZVhzSTVkeGplQ1docwpYYXJabTZy
... omit
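Added example, not from these notes or from the GnuPG project: a Python reimplementation of the armor handling that --dearmor and --enarmor perform, so the checks involved can be seen. The "=Aq4r" line that closes the armored public key block earlier on this page is the Base64-encoded CRC-24 of the binary key (RFC 4880 section 6.1); --dearmor strips the armor and verifies that CRC, which is why a truncated or edited key block fails to unpack. The helper to_binary_keyring also covers the case this section hints at: a download that is already armored is dearmored, one that is already binary is passed through. One caveat for the destination used above: a keyring in /etc/apt/trusted.gpg.d/ is trusted for every configured repository, whereas apt's signed-by option scopes a keyring to one source. All function names and sample data here are mine and constructed.

```python
"""ASCII armor: CRC-24 check, enarmor and dearmor.

Added example, not part of the original notes.  Reimplements the armor
layer of RFC 4880 section 6.1 (header line, armor headers, blank line,
Base64 body, "=" + CRC-24, footer line) so the integrity check that
`gpg --dearmor` performs is visible.  Sample data is constructed inline.
"""
import base64
from typing import Optional

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as specified in RFC 4880 section 6.1 (bit-serial form)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def enarmor(data: bytes, kind: str = "PGP ARMORED FILE",
            comment: Optional[str] = None, width: int = 64) -> str:
    """Wrap binary data the way `gpg --enarmor` does (64-column body)."""
    body = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN {kind}-----"]
    if comment:
        lines.append(f"Comment: {comment}")
    lines.append("")
    lines.extend(body[i:i + width] for i in range(0, len(body), width))
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    lines.append("=" + crc_b64)
    lines.append(f"-----END {kind}-----")
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> bytes:
    """Inverse of enarmor.  Raises ValueError on malformed armor or when the
    CRC-24 does not match the decoded data (corruption or tampering)."""
    lines = text.splitlines()
    begin = [i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN ")]
    end = [i for i, ln in enumerate(lines) if ln.startswith("-----END ")]
    if not begin or not end or end[0] <= begin[0]:
        raise ValueError("missing or misordered armor header/footer")
    block = lines[begin[0] + 1:end[0]]
    # Armor headers (Key: Value lines) run up to the first blank line.
    body = block[block.index("") + 1:] if "" in block else block
    body = [ln.strip() for ln in body if ln.strip()]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        stored = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
        if stored != crc24(data):
            raise ValueError("armor CRC-24 mismatch")
    return data


def armor_is_intact(text: str) -> bool:
    """True when the armored text unpacks and its CRC-24 checks out."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def is_armored(raw: bytes) -> bool:
    return raw.lstrip().startswith(b"-----BEGIN ")


def to_binary_keyring(raw: bytes) -> bytes:
    """Return binary key material for apt: dearmor an armored download,
    pass an already-binary one through unchanged."""
    return dearmor(raw.decode("utf-8")) if is_armored(raw) else raw


if __name__ == "__main__":
    # Constructed sample: a byte blob standing in for a binary key.
    sample = bytes(range(256))
    armored = enarmor(sample, comment='Use "gpg --dearmor" for unpacking')
    print(armored.splitlines()[0], "...", armored.splitlines()[-2])
    print("round trip ok:", dearmor(armored) == sample)
    print("crc24 of b'123456789': %06X" % crc24(b"123456789"))
```

The same crc24 function run over the binary public key exported earlier would reproduce the "=Aq4r" line; the key body itself is omitted on this page, so that value cannot be checked here.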

references

https://www.gnupg.org/gph/en/manual/c14.html
https://www.privex.io/articles/what-is-gpg