Recently I began learning about PGP, PGP also known as Pretty Good Privacy is a encryption/cryptography tool developed by Phil Zimmermann. It is a tool which allows users to encrypt, sign and decrypt a variety of things such as text, files, emails and much more. This article will provide an overview of using PGP and present some of the key things I learned while researching PGP.
PGP is an old tool developed in 1991, and it has evolved with modern versions available through tools such as GPG (GNU Privacy Guard). GPG implements the OpenPGP standard, to ensure interoperability between PGP implementations. OpenPGP provides a formal specification for encryption, decryption and much more across different software.
GPG supports various features but I will be focusing on some of the key features. These include symmetric cryptography, asymmetric cryptography and digital signatures. If you are unfamiliar with these concepts here is a high-level overview of each:
To begin using PGP, we can install GPG, if it is not already installed on your Linux system you can install it using:
sudo apt install gpg
Now we must start by creating our keys, we can run the following command to allow us to customise our key setup:
gpg --full-gen-key
Running this command will prompt us for the following information:
Keyservers are servers which maintain a collection of public keys, they allow users to upload their public keys as well as allow users to find the public keys of others. With GPG we can upload our public key to a keyserver and from there anyone can find our public key and communicate with us.
To use GPG to upload our key to a keyserver such as https://keyserver.ubuntu.com/ we can use the following command:
gpg --keyserver KEYSERVER_URL --send-keys KEY_FINGERPRINT
Each key-pair you create will have a unique fingerprint, this fingerprint is unique 40 character hexadecimal string and can be viewed using:
gpg --list-keys
A key part of keyservers is that they often communicate and share information with each other. This means you can upload to any keyserver your public key will most likely be propagated to various other keyservers.
Once we have created our keys we may want to move the keys between different machines or even share our public key with someone, to do this we can export the public keys and private keys. GPG exports typically are handled in two main file formats:
To export private and public keys in GPG into the ASCII-armored form, we can use the following commands respectively:
gpg --export --armor > public_keys.asc
gpg --export-secret-keys --armor > private_keys.asc
To use the binary format we can remove the 'armor' flag and instead redirect output to a .gpg file.
If we have someones public key we may want to add it to our keyring, to do this we can import the keys using the following commands respectively:
gpg --import public_keys.asc
gpg --import private_keys.asc
Note: GPG also allows us to import/export specific keys by providing a key-id or key fingerprint, check the GPG man page site for more information.
During GPG key exchanges (for example, when someone gives you their public key), an additional verification step is often taken to ensure that the key you have received is genuinely from the person you intend to communicate with. This is done by verifying the fingerprint of the key. A fingerprint is a unique sequence of characters that serves as a concise representation of a GPG key.
To verify the fingerprint of a key, the owner must provide you with the fingerprint. You can then use the following command to retrieve the actual fingerprint of the key:
gpg --fingerprint KEY_EMAIL_OR_ID
With these two fingerprints, you must compare them to ensure they match exactly. If they do, you can be confident that you have a correct copy of the key.
GPG can be used to encrypt a wide range of data such as emails, files, directories, etc.
Starting off with file encryption we can encrypt a file with the following command:
gpg --output message.gpg --encrypt --recipient recipient-email@example.com message.txt
This command will encrypt the file 'message.txt' using the public key associated with the email 'recipient-email@example.com', creating an encrypted file named 'message.gpg'.
To decrypt the 'message.gpg' file we can use the following command:
gpg --decrypt message.gpg
This command will display the decrypted content to the screen or if you prefer you can use the '--output' option to write the decrypted output to a file.
Although GPG doesn't support directory encryption directly, it is possible to encrypt a directory by first converting it into a tarball or a zip archive, and then encrypting the resulting file. To start off we can create a zip archive using:
zip -r result.zip some_directory
After this, we can encrypt the resulting zip archive 'result.zip' in the same way as we would encrypt any other file, as shown above. Similarly, we can use the same decryption command to decrypt it.
gpg --output result.zip.gpg --encrypt --recipient recipient-email@example.com result.zip
gpg --output result.zip --decrypt result.zip.gpg
So far we have looked at asymmetric cryptography, where there exists a public key and a private key. Now we will take a look at GPG's support for symmetric key cryptography.
GPG supports a wide range of cryptographic algorithms to enable users to encrypt such as IDEA, 3DES, BLOWFISH, AES and much more.
GPG symmetric encryption works by prompting the user for a passphrase, this passphrase is then used to derive a secret key. To encrypt a file using symmetric key encryption we can use the following command:
gpg --output encrypted_secret.gpg --symmetric --cipher-algo AES256 secret_file
This command will encrypt the file 'secret_file' using AES-256 encryption algorithm, writing the output to a file 'encrypted_secret.gpg'. It is very important that a secure passphrase and a secure encryption algorithm is chosen.
The decryption process remains the same, users can decrypt the file by using the '--decrypt' option.
One of GPG's key features is the support for digital signatures, which involves signing data and verifying signatures on that data. Signatures are created using the private key of the signer and verified using the public key of the signer. For example, a developer could sign a software package release, and users could then use the developer's public key to verify the signature and the authenticity of the package.
GPG supports 3 main ways of signing data:
To sign a file using a standard digital signature we can use the following command:
gpg --sign some_file
This command creates a .gpg file with the signature in binary form.
To sign a file using a clearsigned digital signature we can use the following command:
gpg --clearsign some_file
This command creates a .asc file with the signature and a header with the original data that is being signed.
To sign a file using a detached digital signature we can use the following command:
gpg --detach-sign some_file
This command creates a .sig file with the signature.
Another key part of digital signatures is verifying signatures, GPG makes this very easy and it can be done using the following command:
gpg --verify signature_file
Note: when verifying detached signatures the above command will work if the original data is in the same directory as the signature file. If it is not then you need to include the path to the original data at the end of the command.
GPG is a very powerful tool for strengthening data security and privacy. While researching GPG and learning how to use it, I gained a deep understanding of its capabilities and potential applications. Moving forward, I plan to delve further into GPG to enhance my knowledge and usage. If you wish to communicate with me securely using GPG, you can find my public key in the footer of this site. If you spot any inaccuracies or have suggestions regarding this article, please feel free to reach out.