Using gpg for encryption, understanding the basic use of GPG for new users.
Recently someone asked me for a GPG or PGP public key so that they could send some
sensitive material to me by email. I understood what they meant, but inwardly I groaned
because I've just never had any reason to use public key encryption, and had no idea how to
create the key or decrypt what would be sent back to me. Looking at "man gpg" on my Linux
box didn't make me feel any better, and a Google search for gpg docs didn't immediately turn
up anything that wasn't techno gobbledy-dee-geek. Eventually (after I had figured out the
basics by trial and error), I did find the GNU Privacy Guard Handbook, which probably would
have gotten me up to speed a little faster, but which still was more than I needed to know at
the moment. This, therefore, is a quick introduction so that you don't have to get a headache
from the man page as I did. After learning what is presented here, you can visit the GNU
page for more in-depth coverage.
An example
You can test this all out on one computer using two (or more) user accounts. I'm going to
assume that user "tom" wants to send an encrypted message to user "marge". The first thing
Marge needs to do is generate her keys:
Because Marge has never created a key before, gpg just creates what it needs and tells her
to run it again:
because all it contains is the public key. That key is only useful for sending documents that
Marge (and only Marge) can decrypt; stealing it does not let you impersonate Marge. What
Tom has to be concerned about is someone forging email that pretends to be from Marge but
that actually contains a forged public key: if Tom used that to encrypt his data, and the forger
could intercept that transmission also, the forger could decrypt the data (and of course Marge
could not!). So what Tom probably should do (if he's really worried about this) is call Marge
on the telephone and ask her to read some of her key.
Here Marge prepares her public key:
(Marge's ASCII-armored public key, from the BEGIN PGP PUBLIC KEY BLOCK line to the END PGP PUBLIC KEY BLOCK line, was printed here; the listing is not reproduced.)
(Tom's directory listing, showing the file "secrets_to_marge" he produced for Marge, appeared here.)
Tom can now send "secrets_to_marge" with safety: only Marge can decrypt the data.
When Marge gets it, she'll decrypt it like this:
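The whole Tom-and-Marge exchange, as an added example that is not part of the original article: it assumes two GNUPGHOME directories in place of two user accounts, example.com addresses, gpg 2.x, and an empty passphrase so the run needs no prompts. Tom also prints Marge's fingerprint, which is what he would read back to her on the telephone.

```shell
#!/bin/sh
# Added example (not from the article): Tom and Marge on one machine, with a
# separate GNUPGHOME directory standing in for each user account.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demo" >&2; exit 0; }
WORK=$(mktemp -d); MARGE_HOME="$WORK/marge"; TOM_HOME="$WORK/tom"
mkdir -m 700 "$MARGE_HOME" "$TOM_HOME"
cleanup() {   # stop the per-directory agents gpg 2.x starts, then remove files
    for h in "$MARGE_HOME" "$TOM_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg against one keyring directory; --batch suppresses all prompts.
gpg_as() { home=$1; shift; GNUPGHOME="$home" gpg --batch --quiet "$@"; }

# Empty passphrase keeps the demo non-interactive; a real key should have one.
gen_key() {
    printf 'allow-loopback-pinentry\n' > "$1/gpg-agent.conf"
    gpg_as "$1" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}

gpg_roundtrip() {
    gen_key "$MARGE_HOME" "Marge <marge@example.com>"
    gen_key "$TOM_HOME"   "Tom <tom@example.com>"
    # Marge exports her public key in ASCII armor (the BEGIN/END block above).
    gpg_as "$MARGE_HOME" --armor --export marge@example.com > "$WORK/marge.asc"
    # Tom imports it and prints the fingerprint to compare with Marge by phone.
    gpg_as "$TOM_HOME" --import "$WORK/marge.asc"
    gpg_as "$TOM_HOME" --fingerprint marge@example.com
    # Tom encrypts for Marge; --trust-model always skips the trust prompt.
    printf 'the secrets\n' > "$WORK/secrets_to_marge"
    gpg_as "$TOM_HOME" --trust-model always --recipient marge@example.com \
        --output "$WORK/secrets_to_marge.gpg" --encrypt "$WORK/secrets_to_marge"
    # Only Marge, who holds the matching private key, can decrypt it.
    gpg_as "$MARGE_HOME" --pinentry-mode loopback --passphrase '' \
        --output "$WORK/decrypted" --decrypt "$WORK/secrets_to_marge.gpg"
}

# Tom has only Marge's public key, so his decryption attempt must fail.
tom_cannot_decrypt() {
    ! gpg_as "$TOM_HOME" --decrypt "$WORK/secrets_to_marge.gpg" >/dev/null 2>&1
}
gpg_roundtrip
cat "$WORK/decrypted"
```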
56 comments
Peace to you also, but I have to disagree. The point of signing is as I explained: to prove that
the message in fact came from you.
I did not suggest that you "swap keys around" - the point of that section is that I'd use YOUR
public key to send you something that I want only you to be able to decrypt, but you'd use
your private key in the "signing" situation.
By the way:
The reason I wrote this page was because I found other web resources confusing. That
doesn't mean that they aren't well written: they probably are for a person at a certain level of
knowledge and understanding.
That's the thing, really: we all come at things from different starting points. For some people
my post here is too basic, for others it is way over their heads. For some, apparently, it's right
on the mark.
That's why I encourage people to leave comments or to even submit a whole new article
explaining things from *your* perspective ( see http://aplawrence.com/publish.html for more
on that). How *you* explain something may be exactly what someone else needs.
Thank you, Jon and I'm glad it helped you. That's what it's all about - getting our heads
pointed in the right direction.
really good
Thank you. Your article fit me to a T. I appreciate you taking the time to help newbies.
Thank you for taking the time to leave a comment. We appreciate it!
Great Article!! I was struggling to get the relevant info on web, but for a person like me who
has very basic knowledge of security , other articles were too heavy.. This is the best one I
have seen so far..
Thank you very much for giving us explanation of gpg
Just wanted to say this is a very good tutorial that saves you from loads of trouble. I found it
pretty easy and on target.
Congrats
Thank you for writing such a nice and easy to read tutorial.
Keep up.
The bit of confusion about what it means to sign a message is the difference between "sign"
(which includes message encryption) and "clearsign" (which does NOT encrypt the message;
it uses your private key to create a hash which can then be decrypted by your public key; the
message text remains in the clear). The confusion happens because a clearsigned email
begins with the line "-----BEGIN PGP SIGNED MESSAGE-----". Just my 2 cents.
hi
I have generated my keys and want to export my public key. I tried this command "gpg
--armor --export sunny@yahoo.com > mypk"
Nothing comes up, but when I try this "gpg --armor --export sunny@yahoo.com" a public key
block starts and ends with some code in it.
What is the command to export it onto the C drive?
Can I do a quick test by using my public key to encrypt a file without exporting?
If someone sends me the public key, what will the file extension be? And in order to import it,
do I have to keep it in a specific directory?
I came across a .asc extension file; what is this? In what format will the exported keys
be?
Please help me.
The "> mypk" put the key in a file called "mypk", in whatever directory you are working in.
You could make that any name you like if your brain dead operating system requires such.
For example, to have that able to be opened by clicking on it, you'd use "mypk.txt"
Just another example of why Windows is dumb. You won't understand why I say that, but
that's reality.
I didn't know GPG. But after reading your article, I know at least 95% of how it works. This is a
very good explanation.
hi
We got my legacy company's public key. My admin imported that and when he runs the
command " gpg --list-keys " he is able to see it. But when I run the same command I am not
able to see it?
Are these keys user specific or role specific?
Thanks
C:
cd "\GNU\GnuPG"
"c:\GNU\GnuPG\gpg.exe" --import "SignedKeyfromBank.asc"
"c:\GNU\GnuPG\gpg.exe" --import "ExportedSignedKeySent2Bank.asc"
This creates another GNUGP folder in the root of C:\
I have tried using that folder as the GNUGPHOME.
The Local Service creates what I would call a Hidden local user represented by
"ComputerName$".
You cannot log in as this user to create and register keys.
I am at my wits end here.
Is there any way to register the keys in such a way that it is independent of the currently
logged in user?
Any other thoughts?
Thanks in advance.
AD
These steps are working for individual ID's. Any idea why it is not working for su ID?
when gpg --gen-key
it is not producing .gnupg directory or its contents.
Thanks in advance,
Swapna.
Hi,
thanks got it resolved, as home path is an alias, it created in different root dir.
But for batch processing.
When this is used.
gpg --encrypt --no-tty --recipient xxxxxx@Prex.com abc.dat.Z
it is failing saying
gpg: Sorry, no terminal at all requested - can't get input
Can you tell me what this does?
gpg --passphrase-file /home/OSUSER/.gnupg/passphrase.txt -c "FILENAME.dat"
gpg --batch --passphrase-file /home/OSUSER/.gnupg/passphrase.txt --output "FILENAME.dat" --decrypt "FILENAME.dat.gpg"
Thanks for your article, Lawrence. It is a very great help to me in understanding how gpg
basically works.
Thank you for posting such a useful information on generating public keys using GPG,
exactly what I was looking for :)
Sir,
Very detailed informative article. Thank you very much ......
i must be a slow-witted person because i STILL don't know how to get started using gpg. how
do i unzip a .tar file to get to do the gpg?
You aren't slow witted - nothing here told you how to unpack a tar file.
You might have tried googling "tar" though..
By the way, "zip" implies compression. A tar file CAN be compressed, but tar by itself is just
an archiver. Modern tars know how to use external compression tools, though, so the point is
usually unimportant.
To unpack (and uncompress if indicated) do
tar xvf whateverthefileis.tar
or
tar xvf whateverthefileis.tgz if it's been zipped.
Hi. I followed the instructions here, including importing the public key. Yet when I try to
decrypt a file I receive the message "gpg: decryption failed: secret key not available". I'm
confused. The recipient of the public key does not have to have both public and private keys,
correct? Any suggestions for correcting this problem?
Thanks.
Well, you've missed something somewhere. Hard to guess what. Read again, read someone
else's instructions, repeat your steps - you went wrong somewhere.
Thanks for your response. I did get your example to work. Thanks. Here is our situation: a
bank has generated the private/public gpg keys. They sent the public key to us. We
successfully imported that key. Are we correct that we should now be able to decrypt a file
that the bank encrypts and sends to us? If we will not send encrypted files, we do not have to
generate keys. Do we understand this correctly? Thank you!
I have been trying to understand how GPG works for the past 4 hours. There has not been a
single website, including the so-called official documentation, which could say in simple
terms how we can implement things using GPG. If these "official" sites want their
product/concepts to reach people they should put things in the simplest way possible.
And your page on GPG is simply the best I have come across on this topic, as far as a
starter is concerned. I really wish this page finds a place in the official documentation.
Nothing more to say. Hats Off ..!