Encryption PGP and GPG
From Ever changing code
- PGP, Pretty Good Privacy, own by Symantec
- Open PGP, open-source for public use
- GnuPGP, known as GNU Privacy Guard or simply GPG. It supports OpenPGP and is interoperable with Symantec's PGP tools.
PGP or Pretty Good Privacy
- public and private key files (.pkr,.skr)
- pubring.pkr (public key ring)
- secring.skr (secret key ring)
Those files are public and private (secret in OpenPGP terminology) keyrings respectively. They contain collections of public and private keys. You usually generate a keypair (a pair of public and private key) or several keypairs for your own use, and other people do the same. Then they can give you their public keys and you create a public keyring from those keys. Public keyring is then used to encrypt data for recipients or to verify other people's daa signatures.
Private keyring is composed from your private keys which you generate. You use private keyring for signing your data, and you can give corresponding public keys to other people so that they could encrypt data for you (which you then decrypt using your private keys).
sudo apt install pgpgpg # create pubring.pkr (public keyring) and secring.skr (private keyring) file in the default keyring location pgp --create-keyrings # create a key pair pgp --gen-key [user ID] --key-type [key type] --bits [bits #] --passphrase [passphrase] pgp --gen-key "Joe User" --key-type RSA --bits 2048 --passphrase "my passphrase" # list keys pgp --list-keys # export public key, for KeyID: 0x12345678 pgp --export 0x12345678 pgp --export "Joe User" # expoert by UserID # import public key pgp --import "JoeUser.asc" # from ASCII Armor file (.asc) pgp --import "JoeUserPGP.txt" # from a text file containing the PGP key block
- PGP Command Line to Create and Manage PGP Keys Symantec docs
There are two main OpenPGP compatible tools:
dpkg -l | grep gnupg # gnupg 1.4.20-1ubuntu3.3 GNU privacy guard - a free PGP replacement # gnupg2 2.1.11-6ubuntu2.1 GNU privacy guard - a free PGP replacement (new v2.x)
sudo apt install gnupg2 # gpa - is GNU Privacy Assistant (GPA), GUI
# Generate a key pair gpg2 --full-gen-key gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 1024 Requested keysize is 1024 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: _acme_dev Email address: email@example.com Comment: Decrypt messages from miniSAP You selected this USER-ID: "_acme_dev (Decrypt messages from miniSAP) <support@firstname.lastname@example.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. # this step can take ~5 min # try this to speed up sudo dd if=/dev/sda of=/dev/zero find / | xargs file gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created gpg: key 6687E4B1 marked as ultimately trusted gpg: directory '/home/vagrant/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/vagrant/.gnupg/openpgp-revocs.d/534A409E81C366A95E17B307DEDD3CD06687E4B1.rev' public and secret key created and signed. gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: PGP gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub rsa1024/6687E4B1 2019-10-08 [S] Key fingerprint = 534A 409E 81C3 66A9 5E17 B307 DEDD 3CD0 6687 E4B1 uid [ultimate] _acme_dev (Decrypt messages from miniSAP) <support@email@example.com> sub rsa1024/38C5D363 2019-10-08  vagrant@ubuntu ~/gpg2 $ tree ~/.gnupg/ /home/vagrant/.gnupg/ ├── dirmngr.conf ├── gpg.conf ├── openpgp-revocs.d │ └── 534A409E81C366A95E17B307DEDD3CD06687E4B1.rev ├── private-keys-v1.d │ ├── 76941E6C9F97E520B64659FA3C8F405BC69383CB.key │ ├── B3C3082EE0D9DD59D4D254F9752ECC207F768C83.key │ └── E52CDC45EE60CCF6C2AD34EE97FA9B7446507C61.key ├── pubring.kbx ├── pubring.kbx~ ├── S.gpg-agent └── trustdb.gpg 2 directories, 10 files # Now keys generated, you can list your own key using gpg -K gpg --list-keys # list secret key gpg --list-secret-keys