# Gnu Privacy Guard

###### tags: `gpg`

Basic GPG usage: key generation, export and import, file encryption and decryption, and signatures.

#### generate new key

```
ycheng@NUC10:~$ gpg --gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Yu-Jung Cheng
E-mail address: yujungcheng@email.com
You selected this USER-ID:
    "Yu-Jung Cheng <yujungcheng@email.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilise the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilise the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 93BDCBC4FF8E50D9 marked as ultimately trusted
gpg: revocation certificate stored as '/home/ycheng/.gnupg/openpgp-revocs.d/8EF10B87EF490909443E5C9793BDCBC4FF8E50D9.rev'
public and secret key created and signed.

pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
uid                      Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]
```

> You will be asked to enter a passphrase twice; it protects the private key on disk. This version picked an RSA 3072 primary key (sign and certify, `[SC]`) with an RSA 3072 encryption subkey (`[E]`) and a two-year expiry, and it also wrote a revocation certificate to `~/.gnupg/openpgp-revocs.d/` right away; keep that directory private.
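As an added example that is not part of the original notes, here is the same key generation done unattended (for scripts or CI), together with the listing, public-key export and revocation-certificate handling that the next sections walk through interactively. It works in a throwaway `GNUPGHOME` so it never touches `~/.gnupg`. The user ID, the one-year expiry and the empty passphrase are placeholders for a disposable key; a key you keep should have a passphrase. It assumes GnuPG 2.1 or later (`--quick-gen-key`, `--with-colons`, `openpgp-revocs.d`).

```sh
#!/bin/sh
# Added example: unattended key generation, listing, export and
# revocation-certificate handling in a throwaway GNUPGHOME.
# Placeholders (not from the page): the user ID, the 1-year expiry and the
# empty passphrase, which is acceptable only for a disposable key.
set -eu

# Fresh, private keyring directory; gpg-agent is started on demand inside it.
new_gnupghome() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    echo "$GNUPGHOME"
}

# Same shape as the interactive run above: rsa3072 primary key with sign and
# certify usage plus an rsa3072 encryption subkey. Prints the primary fingerprint.
gen_key() {
    local uid="$1" expire="${2:-1y}"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" rsa3072 default "$expire"
    # --with-colons is the stable, machine-readable listing; the "fpr" record
    # that follows "pub" carries the primary fingerprint in field 10.
    gpg --batch --with-colons --list-keys "$uid" \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# Expiry of a key as a Unix timestamp (field 7 of the "pub" record; empty if
# the key never expires).
key_expiry() {
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1=="pub"{print $7; exit}'
}

# True if the key expires within DAYS from now; a monitoring check so that an
# expiry like the 2024-05-11 one above is noticed before it bites.
expires_within_days() {
    local fpr="$1" days="$2" exp
    exp="$(key_expiry "$fpr")"
    [ -n "$exp" ] && [ "$exp" -le $(( $(date +%s) + days * 86400 )) ]
}

# Export the public key in binary and armored form (never the secret key) and
# return the path of the revocation certificate gpg wrote at generation time.
# That file is deliberately defused: its first armor line starts with ':' and
# the colon has to be removed before the certificate can be imported.
export_public() {
    local fpr="$1" base="$2" rev
    gpg --batch --yes --output "$base.gpg" --export "$fpr"
    gpg --batch --yes --armor --output "$base.asc" --export "$fpr"
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    chmod 600 "$rev"        # as sensitive as the gen-revoke warning says
    echo "$rev"
}

main() {
    new_gnupghome >/dev/null
    fpr="$(gen_key 'Example User <user@example.invalid>' 1y)"
    echo "primary fingerprint: $fpr"
    echo "expires (epoch):     $(key_expiry "$fpr")"
    echo "revocation cert:     $(export_public "$fpr" "$GNUPGHOME/example-pubkey")"
    if expires_within_days "$fpr" 400; then
        echo "key expires within 400 days, as requested (1y)"
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
}

main
```

The functions only touch the directory that `new_gnupghome` created, so the script can be run repeatedly; point `GNUPGHOME` at a real keyring instead and `key_expiry`/`expires_within_days` become a cron check for keys about to expire.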
List your keys

```
ycheng@NUC10:~$ gpg --list-keys
/home/ycheng/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
uid           [ultimate] Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]
```

Generate a revocation certificate. GnuPG already stored one in `openpgp-revocs.d/` when the key was created; this makes another with an explicit reason. Keep it offline: anyone who holds it can revoke your key.

```
ycheng@NUC10:~$ gpg --output revoke.asc --gen-revoke 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9

sec  rsa3072/93BDCBC4FF8E50D9 2022-05-12 Yu-Jung Cheng <yujungcheng@email.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> for testing.
>
Reason for revocation: Key is no longer used
for testing.
Is this okay? (y/N) y
ASCII armoured output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
ycheng@NUC10:~$ ls -l revoke.asc
-rw------- 1 ycheng ycheng 735 May 12 16:09 revoke.asc
```

#### export your public key

Export the public key as a binary file. `--export` writes only the public part; the secret key stays in your keyring.

```
ycheng@NUC10:~$ gpg --output yujungcheng-nuc10.gpg --export 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
ycheng@NUC10:~$ ls -l ./yujungcheng-nuc10.gpg
-rw-rw-r-- 1 ycheng ycheng 1757 May 12 16:36 ./yujungcheng-nuc10.gpg
```

Or output it in ASCII-armored format, which survives being pasted into email or a web page:

```
ycheng@NUC10:~$ gpg --armor --export 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGJ8omYBDAC4R9JOVmWPM6DiPIXdk5cu66vPtb2oIBYHdTaPSYM9vrJ/y6o1
8TCKaAkQAPpt4fGYixRLeQW8YDZFYl0cqrvc8xP1odDn8xL1u3be2RX6k9I8qobw
D5u4hCd2zJfzRjwWsWSAKnjPUhtUk37g8GfkxLlr4kuntdWf6o+dDvOmlNUYG+HO
rHxcABInMqG+Xg4m7DAc2P0ja+V2NB9YmcJrz617pjgmrCLN4F2B8+Pw7cw3j7+w
VgDldxThnaMM3OO+fpigu+jQsavoiZbdZBZoNQl24UZr61Qv0r8ESMGCzTere8c2
ROXa5wTvOS/LJH66SSg/5rPvn59HW4+w7Tek+rBhdu7Fm+8spJv3lABRFQBG4RgC
usnKo5h3cMAElYPrEDOFqIdeTWPtpl/T4Bg7lDlp2N0zhFgoDV/l9zLKRzVGZGKo
DHgj6pCypibXRr6GCQFfNXadVXVwMQbXAJVTvsSqkF6Dp+akvIPIYSDePtKoTIdr
6076Gd37R5lyLx0AEQEAAbQlWXUtSnVuZyBDaGVuZyA8eXVqdW5nY2hlbmdAZW1h
aWwuY29tPokB1AQTAQoAPhYhBI7xC4fvSQkJRD5cl5O9y8T/jlDZBQJifKJmAhsD
BQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJO9y8T/jlDZaaUMAJqW
ICbGqc40MM8/L7seHg43SurHcZPk06TO8eyamumiUedkXV1/0qSRNW+Uo7h2+nBf
PrNTXLpCAuN4jyQ8VvbvGyLR+2xNCYehhf3Zy8pOaL0K+sohRr6KzgRfEFGN8E7M
Pb+HNUkyfNb1VFuLEly5IIx6Ipq9bTlN5yXXYkXn6HtutZaamBAPxByuGVCQsSSE
4jJIiswpEQM9zjFBaQ3i9CfXg+kDKa6PJZclMMriNGu/XSXPQOhK9HhBvfL8B62T
uHBUEIo/lNv7Jyw57+ySD4JI9kGBpQsUle7e2nCR/fBsKeo40JVNfiZR8MA6d9za
/eNWdIyFeKC3jXsiJ78bB2q4dZH6G1nrz8QzHzp6yo9Z+fdXt7e6IaPlPABsKn7G
D0arbR+xSqEHqinMSory4v5RQ43GKbAYU3DNVBPdhexCaiBzlV/JmEP1vfwgS8xq
OD+8XnfUkU6NehIn4iZevRhtWnE3yq86utkUuMCpxo/r1cynnqFYVG6h2fSCs7kB
jQRifKJmAQwA1fcWbb1bY4+ictxzbMjUmjO1hIQPA4CO9+Y5Ehn52MV9g75kkHGl
VeZYhvGVvTEgoZJQfyYka6h/DBAyqk7idXFYsPrs93Frk6h8bVdTNjEmeHqrvSHi
h2MoHIaB/xGmTh4e6Jnk3nrW9drIKzYNaiD50hHJZ0XusBo+Diso6Dm8EdJG97HR
eLsLN+gaJk1hpfhZ/SWXPEI9JosiSTr6A49LdmPGNpFU1iLdlzKTBQu9QabZ3wvd
E7jOU65mRMnuP7cl29z9gDnmutbvISiAvkq1SFcPG/cPRtfrpo3D0Rr4rE2YmCNu
CtNXOuYEa+1XJu7g9UcllDyKIa89waKCyeWvcgXMAMCiur7TA3dfvRGXyFov2kYH
HFXvbiJUel12qwm98T4mPNpgYdLznO3/yYGB//rjRCrfk0PrmnA3SWejiIjawAlK
pgkqPK+gmC5UFRc/BBocxLQllkHoT0fsI51hrfd+xUIMuvvwLH+7WiGV/2tg6JoX
AQDjMNVmdEmbABEBAAGJAbwEGAEKACYWIQSO8QuH70kJCUQ+XJeTvcvE/45Q2QUC
YnyiZgIbDAUJA8JnAAAKCRCTvcvE/45Q2XEZC/0cNhT4l8jjVTzhmeADjMGUhN8d
2Z4MQ6fNIl+zUIMvPMNRMUYsnwua8UWuN0XvnxmjMOiTSkfgtaKpec690yQNRKS8
KurVa1tzIpAnjkXM5ts6IMAqP2cZP596PpKTu10BTntWOvETaziid9OCpVcgjMQ8
SStiKBJG5EOidu7/QwhPjclNWakzAO+R4h38Nm60lvG++bBoiJH49itibkaJgZIg
NKiO5KjOk3QbMCmizN9KoD/bW9mTMQTH3pbIec18Hv6SUe82+e6uCnJgkklRb6ng
6etxB19r2Ub2FWflyBpzDzZDWOsB97eJ4+UlQ2DwSg5jTPoWundnIlwlFz2OqYV0
oRqh9lW6XrJOtNWjyfDuq5Fg0TmIhiWfIDZoTcsw/6ygUzyk1IPHRNHe+vCiaHzK
0V+U4Mkn2Sh9z92H/nXiOjzbMKG7m9y+ovwm9gg5oXCD1sUXJwZT41U5edi+jzjv
DNq2ANCeruBl2YbDUM5CP1nXpGibevSVbntpH4E=
=Aq4r
-----END PGP PUBLIC KEY BLOCK-----
```

#### import a public key

```
[20:43:31] ycheng@nuc8:~ $ gpg --import ./yujungcheng-nuc10.gpg
gpg: key 93BDCBC4FF8E50D9: public key "Yu-Jung Cheng <yujungcheng@email.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[20:43:31] ycheng@nuc8:~ $ gpg --list-keys
/home/ycheng/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
uid           [ unknown] Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]
```

Validate the key via its fingerprint. The imported key shows `[ unknown]` validity: importing proves nothing about who owns it. Compare the full fingerprint with one obtained from the owner over a different channel (in person, a phone call, their HTTPS site) before you trust it.

```
[20:43:31] ycheng@nuc8:~ $ gpg --edit-key yujungcheng@email.com
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa3072/93BDCBC4FF8E50D9
     created: 2022-05-12  expires: 2024-05-11  usage: SC
     trust: unknown       validity: unknown
sub  rsa3072/FBBBFD945FD419F8
     created: 2022-05-12  expires: 2024-05-11  usage: E
[ unknown] (1). Yu-Jung Cheng <yujungcheng@email.com>

gpg> fpr
pub   rsa3072/93BDCBC4FF8E50D9 2022-05-12 Yu-Jung Cheng <yujungcheng@email.com>
 Primary key fingerprint: 8EF1 0B87 EF49 0909 443E 5C97 93BD CBC4 FF8E 50D9
```

Or get the fingerprint directly. On the owner's machine the key shows `[ultimate]` because it is the local key:

```
ycheng@NUC10:~$ gpg --list-keys --fingerprint
/home/ycheng/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF1 0B87 EF49 0909 443E 5C97 93BD CBC4 FF8E 50D9
uid           [ultimate] Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]
```

`gpg2` from the `gnupg2` package reads the same keyring, so the listing is identical:

```
ycheng@NUC10:~$ sudo apt install gnupg2 -y
ycheng@NUC10:~$ gpg2 --list-keys
/home/ycheng/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2022-05-12 [SC] [expires: 2024-05-11]
      8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
uid           [ultimate] Yu-Jung Cheng <yujungcheng@email.com>
sub   rsa3072 2022-05-12 [E] [expires: 2024-05-11]
```

#### encrypt file

Encrypt a file to the recipient's public key. Here nuc8 holds only the imported public key, whose validity is still `unknown`, so gpg warns before using it. Answer `y` only after you have compared the fingerprint it prints with one obtained out of band; to make the warning go away for good, certify the key locally after checking it (`gpg --lsign-key <fingerprint>`). In `--batch` mode gpg does not ask and refuses to encrypt to such a key.

```
[20:43:31] ycheng@nuc8:~ $ gpg --encrypt --recipient 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9 --output myurls.gpg ./URLs
gpg: FBBBFD945FD419F8: There is no assurance this key belongs to the named user
sub  rsa3072/FBBBFD945FD419F8 2022-05-12 Yu-Jung Cheng <yujungcheng@email.com>
 Primary key fingerprint: 8EF1 0B87 EF49 0909 443E 5C97 93BD CBC4 FF8E 50D9
      Subkey fingerprint: 9CAB A90A B92C 13D5 6A27 2E1E FBBB FD94 5FD4 19F8

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
```

```
[20:43:31] ycheng@nuc8:~ $ ls -l ./myurls.gpg
-rw-rw-r-- 1 ycheng ycheng 938 May 12 21:45 ./myurls.gpg
```

#### decrypt file

Decrypt the file with the private key, back on NUC10, the only machine that has it:

```
ycheng@NUC10:~$ gpg --decrypt --output myurls ./myurls.gpg
gpg: encrypted with 3072-bit RSA key, ID FBBBFD945FD419F8, created 2022-05-12
      "Yu-Jung Cheng <yujungcheng@email.com>"
ycheng@NUC10:~$ ls -l ./myurls
-rw-rw-r-- 1 ycheng ycheng 968 May 12 21:54 ./myurls
```

Compare checksums of the original and the decrypted copy to confirm the round trip. md5sum is fine for this, since you are comparing two files you control; where the digest itself is the security control (published checksums), use sha256sum.

```
[20:43:31] ycheng@nuc8:~ $ md5sum ./URLs
7f846f32df9fee5b5cd415609c3defb3  ./URLs
ycheng@NUC10:~$ md5sum ./myurls
7f846f32df9fee5b5cd415609c3defb3  ./myurls
```

#### use symmetric key encryption

`--symmetric` needs no key pair: the file is encrypted with a key derived from a passphrase (AES256 here, as the decrypt output shows), and anyone who knows the passphrase can decrypt it. The passphrase has to reach the recipient over some other channel.

```
[20:43:31] ycheng@nuc8:~ $ gpg --output newurls.gpg --symmetric ./URLs
[20:43:31] ycheng@nuc8:~ $ ls -l ./newurls.gpg
-rw-rw-r-- 1 ycheng ycheng 548 May 12 22:05 ./newurls.gpg
```

```
ycheng@NUC10:~$ gpg --decrypt --output newurls ./newurls.gpg
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
ycheng@NUC10:~$ ls -l ./newurls
-rw-rw-r-- 1 ycheng ycheng 968 May 12 22:06 ./newurls
```

#### making and verifying signatures

Make a digital signature. Note that `--sign` on its own does not encrypt anything: the output is the compressed file plus a signature, and anyone can read the content. Add `--encrypt` if you want both.

```
ycheng@NUC10:~$ gpg --sign --output myurls.sig ./myurls
ycheng@NUC10:~$ ls -l ./myurls.sig
-rw-rw-r-- 1 ycheng ycheng 1043 May 12 22:15 ./myurls.sig
```

To verify the signature (on nuc8, which has the public key but has not certified it, hence the trust warning). The last warning means gpg checked the copy of the data embedded in `myurls.sig`; the separate file `myurls` sitting next to it is not what was verified.

```
[20:43:31] ycheng@nuc8:~ $ gpg --verify myurls.sig
gpg: Signature made Thu 12 May 2022 22:15:49 AEST
gpg:                using RSA key 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
gpg: Good signature from "Yu-Jung Cheng <yujungcheng@email.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8EF1 0B87 EF49 0909 443E 5C97 93BD CBC4 FF8E 50D9
gpg: WARNING: not a detached signature; file 'myurls' was NOT verified!
```

To extract the signed content. `--decrypt` here only unpacks and verifies; no key is needed to read the data, which is why `--sign` alone is not confidentiality:

```
[20:43:31] ycheng@nuc8:~ $ gpg --output myurls --decrypt myurls.sig
gpg: Signature made Thu 12 May 2022 22:15:49 AEST
gpg:                using RSA key 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
gpg: Good signature from "Yu-Jung Cheng <yujungcheng@email.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8EF1 0B87 EF49 0909 443E 5C97 93BD CBC4 FF8E 50D9
```

Clearsigned documents keep the text readable with the signature appended. This form is meant for text (email, release notes); `myurls.sig` used here is a binary file, so it only serves to show the command.

```
ycheng@NUC10:~$ gpg --clearsign myurls.sig
ycheng@NUC10:~$ ls -l myurls.sig.asc
-rw-rw-r-- 1 ycheng ycheng 1752 May 12 22:27 myurls.sig.asc
```

Detached signatures leave the original file untouched and put the signature in a separate file; verification takes both.

```
ycheng@NUC10:~$ gpg --output ./mynewurls.sig --detach-sig ./myurls.sig
ycheng@NUC10:~$ ls -l ./mynewurls.sig
-rw-rw-r-- 1 ycheng ycheng 438 May 12 22:30 ./mynewurls.sig
```

```
ycheng@NUC10:~$ gpg --verify mynewurls.sig ./myurls.sig
gpg: Signature made Thu 12 May 2022 22:30:18 AEST
gpg:                using RSA key 8EF10B87EF490909443E5C9793BDCBC4FF8E50D9
gpg: Good signature from "Yu-Jung Cheng <yujungcheng@email.com>" [ultimate]
```

The `[ultimate]` here versus `[unknown]` above: NUC10 is verifying with its own key, so there is no trust warning.

```
ycheng@NUC10:~$ ls -l ./my*
-rw-rw-r-- 1 ycheng ycheng  438 May 12 22:30 ./mynewurls.sig
-rw-rw-r-- 1 ycheng ycheng  968 May 12 21:54 ./myurls
-rw-rw-r-- 1 ycheng ycheng  938 May 12 21:45 ./myurls.gpg
-rw-rw-r-- 1 ycheng ycheng 1043 May 12 22:15 ./myurls.sig
-rw-rw-r-- 1 ycheng ycheng 1752 May 12 22:27 ./myurls.sig.asc
```

#### notes

You can specify a key by key ID, fingerprint or email address. For example:

```
$ gpg --armor --export <ID or Email>
$ gpg --edit-key <ID or Email>
```

To delete a key. The secret key has to go first; gpg refuses to delete a public key while its secret key is still present.

```
$ gpg --delete-secret-keys <key ID>
$ gpg --delete-keys <key ID>
```

#### Examples

Add a repository's signing key for apt (`apt-key` is deprecated): https://itsfoss.com/apt-key-deprecated/

Unpack the armored key into the binary form apt expects. `$OS` must be set to the distribution directory the repository publishes (see the repository's instructions). Two caveats: a key placed in `/etc/apt/trusted.gpg.d/` is trusted for every configured repository, so the recommended pattern is a dedicated keyring file (for example under `/etc/apt/keyrings/`) referenced with `signed-by=` in that repository's sources entry, after checking the key's fingerprint against the vendor's documentation; and `tee` also echoes the binary key to your terminal, so append `> /dev/null`.

```
curl -s -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/suse-release.gpg
```

Get the key and armor it. `--enarmor` wraps arbitrary bytes as a "PGP ARMORED FILE", which is not the same as a public key block; `Release.key` is already armored, so the result below is armor around armor (the base64 starts with the encoded text `-----BEGIN PGP PUBLIC KEY BLOCK-----`).
```
$ curl -s -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | gpg --enarmor
-----BEGIN PGP ARMORED FILE-----
Comment: Use "gpg --dearmor" for unpacking

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tClZlcnNpb246IEdu
dVBHIHYxLjQuNSAoR05VL0xpbnV4KQoKbVFFTkJGdGtWMGNCQ0FEU3RTVENHNXFn
WXR6bVdmeW1IWnF4eGhmd2ZTNmZkSEpjYkdVZVhzSTVkeGplQ1docwpYYXJabTZy
... omit
```

#### reference

- https://www.gnupg.org/gph/en/manual/c14.html
- https://www.privex.io/articles/what-is-gpg
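As an added example, not from the original notes: the peer side of the workflow above (nuc8 in the transcripts), scripted for unattended use. It imports a public key only when its fingerprint matches one obtained out of band, records that check as a local signature so gpg stops asking `Use this key anyway?` (in `--batch` mode gpg would refuse rather than ask), encrypts to the key, and verifies a detached signature by its `VALIDSIG` status line instead of the human-readable "Good signature" text. Assumptions: GnuPG 2.1 or later; `GNUPGHOME` already points at the peer's keyring; that keyring holds a secret key of the peer's own to certify with; the key file, fingerprint and file names are whatever you pass in.

```sh
#!/bin/sh
# Added example: the peer side (nuc8 above) without interactive prompts.
# Assumes GnuPG 2.1+, GNUPGHOME pointing at the peer's keyring, and a secret
# key of the peer's own in that keyring to certify with.
set -eu

# Import KEYFILE only if the primary fingerprint of the key inside it equals
# EXPECTED (spaces and case ignored), then certify it with a local,
# non-exportable signature. This is the scripted form of comparing the
# fingerprint in --edit-key and answering "Use this key anyway? y" once,
# and it is what lets --batch encryption to the key succeed afterwards.
import_pinned_key() {
    local keyfile="$1" expected actual
    expected="$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')"
    # show-only lists the file's content without touching the keyring
    actual="$(gpg --batch --with-colons --import-options show-only --import "$keyfile" \
        | awk -F: '$1=="fpr"{print $10; exit}')"
    if [ "$actual" != "$expected" ]; then
        echo "refusing $keyfile: fingerprint $actual does not match $expected" >&2
        return 1
    fi
    gpg --batch --quiet --import "$keyfile"
    gpg --batch --quiet --yes --quick-lsign-key "$actual"
}

# Encrypt INFILE to the key FPR, writing OUTFILE. Without the certification
# above, --batch makes gpg fail closed ("Unusable public key") instead of
# asking whether to use the key anyway.
encrypt_to() {
    gpg --batch --yes --quiet --recipient "$1" --output "$3" --encrypt "$2"
}

# Decrypt INFILE to OUTFILE with whichever local secret key it was encrypted to.
decrypt_to() {
    gpg --batch --yes --quiet --output "$2" --decrypt "$1"
}

# Detached signature: FILE stays readable as-is and FILE.sig travels next to it.
sign_detached() {
    gpg --batch --yes --quiet --output "$1.sig" --detach-sign "$1"
}

# Verify FILE against FILE.sig and require a VALIDSIG status line that names
# the pinned primary fingerprint. The exit code alone would also accept a good
# signature from any other key in the keyring, and the "Good signature" text
# is meant for humans, not scripts.
verify_detached() {
    local file="$1" expected status
    expected="$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')"
    status="$(gpg --batch --status-fd 1 --verify "$file.sig" "$file" 2>/dev/null)" || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$expected"
}

# usage: sh peer.sh owner-pubkey.gpg "<expected fingerprint>" ./URLs
# (imports and pins the key, then writes ./URLs.gpg encrypted to it)
if [ "$#" -eq 3 ]; then
    import_pinned_key "$1" "$2"
    encrypt_to "$2" "$3" "$3.gpg"
    echo "encrypted $3 -> $3.gpg for $2"
fi
```

The expected fingerprint can be pasted in the spaced form gpg prints (`8EF1 0B87 ...`); normalisation strips the spaces before comparing. `import_pinned_key` is idempotent apart from the local signature, so it is safe to run from provisioning scripts.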
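As an added example (not from the page or the linked article), here is the keyring-file pattern the `apt-key` deprecation notes recommend, scripted: the downloaded `Release.key` is checked against a fingerprint taken from the vendor's documentation before it is dearmored into its own keyring file, and the sources entry binds that keyring to one repository with `signed-by=`. The destination path (`/etc/apt/keyrings/...`), the expected fingerprint and the repository URL, suite and components are inputs you supply; the `curl` download is left out so the functions can be exercised on a local key file.

```sh
#!/bin/sh
# Added example: install an APT repository key into its own keyring file,
# bound to one repository with signed-by=, after checking its fingerprint.
# Inputs (destination path, expected fingerprint, repository URL/suite) are
# assumptions you supply; the download itself is left to curl as on the page.
set -eu

# Fingerprint of the first key in an armored or binary key file, read without
# importing it anywhere (the show-only import option).
keyfile_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# Write KEYFILE to DEST in the binary form apt expects, but only if its
# fingerprint equals EXPECTED (taken from the vendor's documentation over a
# channel other than the download itself). Refusing here is the whole point:
# anything that lands in an apt keyring can sign packages you will install.
install_apt_keyring() {
    local keyfile="$1" expected dest="$3" actual
    expected="$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')"
    actual="$(keyfile_fingerprint "$keyfile")"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $keyfile: fingerprint $actual != $expected" >&2
        return 1
    fi
    if grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$keyfile"; then
        gpg --batch --yes --output "$dest" --dearmor "$keyfile"
    else
        cp "$keyfile" "$dest"          # already binary, e.g. from gpg --export
    fi
    chmod 644 "$dest"                  # apt reads it as the _apt user; it holds no secret
    echo "$dest"
}

# The matching sources.list(5) entry. signed-by= restricts the keyring to this
# one repository, unlike a file in /etc/apt/trusted.gpg.d/, which apt trusts
# for every configured repository. Extra arguments are the components, if any.
apt_source_line() {
    local dest="$1" url="$2" suite="$3"
    shift 3
    printf 'deb [signed-by=%s] %s %s%s\n' "$dest" "$url" "$suite" "${1:+ $*}"
}

# usage (as root; URL, fingerprint and names are placeholders):
#   install -d -m 755 /etc/apt/keyrings
#   curl -fsSL "$URL/Release.key" -o /tmp/Release.key
#   install_apt_keyring /tmp/Release.key "<fingerprint from vendor docs>" /etc/apt/keyrings/example.gpg
#   apt_source_line /etc/apt/keyrings/example.gpg "$URL" stable main \
#       > /etc/apt/sources.list.d/example.list
```

Repositories published in a flat layout take the suite `/` and no components; pass whatever the vendor's instructions give for the `deb` line, with only the `[signed-by=...]` part added.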