
GPG/PGP Basics

Using gpg for encryption, understanding the basic use of GPG for new users.
Recently someone asked me for a GPG or PGP public key so that they could send some
sensitive material to me by email. I understood what they meant, but inwardly I groaned
because I've just never had any reason to use public key encryption, and had no idea how to
create the key or decrypt what would be sent back to me. Looking at "man gpg" on my Linux
box didn't make me feel any better, and a Google search for gpg docs didn't immediately turn
up anything that wasn't techno gobbledy-dee-geek. Eventually (after I had figured out the
basics by trial and error), I did find GNU Privacy Guard HandBook, which probably would
have gotten me up to speed a little faster, but which still was more than I needed to know at
the moment. This, therefore, is a quick introduction so that you don't have to get a headache
from the man page as I did. After learning what is presented here, you can visit the GNU
page for more in depth coverage.

Public key, private key


The basic concept is this: You generate a pair of matched keys. One of these is referred to
as your "Public" key, and the other as "Private". You give the Public key to anyone who asks
for it; you can even publish it on your web site. You keep your Private key secret, locked up
on your own computer. A document (a text or binary file) can be encrypted using either key,
and is decrypted with the other. The choice of which key to use to encrypt depends upon
your purpose.
For example, if you want to send me something, you'd encrypt it using my public key. No one
else can decrypt it; only my private key will work. On the other hand, I might be concerned
that it really is you sending me a message. In that case, you'd encrypt your message using
your private key (this is called "signing"). If I can decrypt it with your public key (presumably I
somehow obtained that key and trust that it really is yours), I know that the message really
came from you.

An example
You can test this all out on one computer using two (or more) user accounts. I'm going to
assume that user "tom" wants to send an encrypted message to user "marge". The first thing
Marge needs to do is generate her keys:

[marge@apl marge]$ gpg --gen-key

gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: Warning: using insecure memory!
gpg: /home/marge/.gnupg: directory created
gpg: /home/marge/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file

Because Marge has never created a key before, gpg just creates what it needs and tells her
to run it again:

[marge@apl marge]$ gpg --gen-key

gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: Warning: using insecure memory!
gpg: /home/marge/.gnupg/secring.gpg: keyring created
gpg: /home/marge/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Marge
Email address: marge@aplawrence.com
Comment: Marge's GPG key pair
You selected this USER-ID:
    "Marge (Marge's GPG key pair) <marge@aplawrence.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Enter passphrase: Sbr6wh wscartBM, iscaa2d
Repeat passphrase: Sbr6wh wscartBM, iscaa2d

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++++++++++++++++++++++.+++++++++++++++..++++++++++++++++
+++++++++++++++++++....++++++++++.++++++++++++++++++++++++++
++++.+++++.++++++++++>++++++++++>++++++++++
public and secret key created and signed.
(See Random Numbers also)
The passphrase entered should be a tough password. It can contain spaces, there's no limit
on its length, but of course you will need to remember it. I use mnemonic aids to generate
passwords and passphrases. For example, the passphrase above comes from this:
She'll be riding six white horses when she comes around that Big Mountain, if she
comes at all today

Fairly easy for me to remember, but a good, tough passphrase.


If you are working on a single-user machine, you probably will need to switch away and
generate some activity to get the keys created. Once that's done, Marge can list her keys:

[marge@apl marge]$ gpg --list-keys

gpg: Warning: using insecure memory!
/home/marge/.gnupg/pubring.gpg
-----------------------------
pub 1024D/FBE5BA2A 2001-11-17 Marge (Marge's GPG key pair) <marge@aplawrence.com>
sub 1024g/78681206 2001-11-17

Now she's ready to create the public key that she will send to Tom. We assume for the
moment that she has a perfectly secure way of getting it to Tom so that Tom really knows it
came from her; for example, she physically hands him a CD which has the key on it. She
could also publish it on her web page (there's more information about how to do that securely
at the GNU Privacy Guard page referenced above) or (more likely), she just emails it to him
(she could also use a Public Key Server; see the GNU page for more on that). Email is not
completely unreasonable: it doesn't matter if someone else intercepts and reads that email,
because all it contains is the public key. That key is only useful for sending documents that
Marge (and only Marge) can decrypt; stealing it does not let you impersonate Marge. What
Tom has to be concerned about is someone forging email that pretends to be from Marge but
that actually contains a forged public key: if Tom used that to encrypt his data, and the forger
could intercept that transmission also, the forger could decrypt the data (and of course Marge
could not!). So what Tom probably should do (if he's really worried about this) is call Marge
on the telephone and ask her to read some of her key.
Here Marge prepares her public key:

[marge@apl marge]$ gpg --armor --export marge@aplawrence.com > mypk
gpg: Warning: using insecure memory!
[marge@apl marge]$ cat mypk
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP PUBLIC KEY BLOCK-----
[marge@apl marge]$

Using Marge's Public Key


To use Marge's public key, Tom first has to "import" it. Tom already has his own keys created:

[tom@apl tom]$ gpg --list-keys

gpg: Warning: using insecure memory!
/home/tom/.gnupg/pubring.gpg
---------------------------
pub 1024D/16B478D3 2001-11-17 Tommy (Tommy Boy) <tom@aplawrence.com>
sub 1024g/1E5CDE3C 2001-11-17

To add Marge's public key, Tom does this (he's saved the file as "margepk"):

[tom@apl tom]$ gpg --import margepk

gpg: Warning: using insecure memory!
gpg: key FBE5BA2A: public key imported
gpg: /home/tom/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg:               imported: 1

Now when he lists keys, he has Marge's:

[tom@apl tom]$ gpg --list-keys

gpg: Warning: using insecure memory!
/home/tom/.gnupg/pubring.gpg
---------------------------
pub 1024D/16B478D3 2001-11-17 Tommy (Tommy Boy) <tom@aplawrence.com>
sub 1024g/1E5CDE3C 2001-11-17
pub 1024D/FBE5BA2A 2001-11-17 Marge (Marge's GPG key pair) <marge@aplawrence.com>
sub 1024g/78681206 2001-11-17

Tom has done all that he really needs to do. The next step is recommended but not strictly
necessary:

[tom@apl tom]$ gpg --edit-key marge@aplawrence.com

gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
pub 1024D/FBE5BA2A created: 2001-11-17 expires: never trust: -/q
sub 1024g/78681206 created: 2001-11-17 expires: never
(1). Marge (Marge's GPG key pair) <marge@aplawrence.com>

Command> fpr
pub 1024D/FBE5BA2A 2001-11-17 Marge (Marge's GPG key pair) <marge@aplawrence.com>
Fingerprint: C294 A900 C769 2AEF C951 2434 0CA6 3EED FBE5 BA2A

Command> sign
pub 1024D/FBE5BA2A created: 2001-11-17 expires: never trust: -/q
Fingerprint: C294 A900 C769 2AEF C951 2434 0CA6 3EED FBE5 BA2A
Marge (Marge's GPG key pair) <marge@aplawrence.com>
Are you really sure that you want to sign this key
with your key: "Tommy (Tommy Boy) <tom@aplawrence.com>"
Really sign? y
You need a passphrase to unlock the secret key for
user: "Tommy (Tommy Boy) <tom@aplawrence.com>"
1024-bit DSA key, ID 16B478D3, created 2001-11-17
Enter passphrase: (Tom enters his passphrase here)

Command> quit
Save changes? y

What Tom did was add Marge to his "trusted" keys- keys that he is sure came from who they
were supposed to. As I said, it's not absolutely necessary, and you can read more about it at
the GNU Privacy Guard Page.
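
The fingerprint that "fpr" printed above is the value Tom and Marge can compare over the telephone to rule out a forged key. As an added example (not from the original article and not GnuPG's own code), this Python code derives a version 4 fingerprint from an armored key block as RFC 4880 defines it and compares two fingerprints in full; the function names and the tiny sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 behind the '=XXXX' checksum line of ASCII armor (RFC 4880, 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Decode an armored key block to binary packets, verifying the checksum."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an armored public key block")
    body = lines[lines.index("") + 1:-1]  # armor headers end at the first blank line
    data = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    sums = [ln[1:] for ln in body if ln.startswith("=")]
    if sums and int.from_bytes(base64.b64decode(sums[0]), "big") != crc24(data):
        raise ValueError("armor checksum mismatch (key block damaged in transit)")
    return data


def public_key_body(raw: bytes) -> bytes:
    """Return the body of the leading public-key packet (tag 6, version 4)."""
    first = raw[0]
    if first & 0xC0 == 0x80:  # old-format header: tag and length type in one byte
        tag, size = (first >> 2) & 0x0F, 1 << (first & 0x03)
        if size == 8:
            raise ValueError("indeterminate length not supported")
        length, start = int.from_bytes(raw[1:1 + size], "big"), 1 + size
    elif first & 0xC0 == 0xC0:  # new-format header
        tag = first & 0x3F
        if raw[1] < 192:
            length, start = raw[1], 2
        elif raw[1] < 224:
            length, start = ((raw[1] - 192) << 8) + raw[2] + 192, 3
        else:
            raise ValueError("this length encoding is not supported here")
    else:
        raise ValueError("not an OpenPGP packet")
    body = raw[start:start + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return body


def fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-byte body length, then the body (RFC 4880, 12.2)."""
    header = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(header + body).hexdigest().upper()


def normalise(fpr: str) -> str:
    """Drop spacing and case so a fingerprint read aloud can be compared."""
    return "".join(fpr.split()).upper()


def short_key_id(fpr: str) -> str:
    """The 8-digit key ID shown by --list-keys is just the fingerprint's tail."""
    return normalise(fpr)[-8:]


def same_fingerprint(a: str, b: str) -> bool:
    """Accept only a full 40-digit match, never a match on the short key ID."""
    a, b = normalise(a), normalise(b)
    return len(a) == 40 and a == b


def make_constructed_key(y: int) -> str:
    """Constructed sample: a structurally valid but meaningless DSA key block."""
    def mpi(n: int) -> bytes:
        return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = (bytes([4]) + struct.pack(">I", 1006000000) + bytes([17])
            + mpi(23) + mpi(11) + mpi(4) + mpi(y))
    raw = b"\x99" + struct.pack(">H", len(body)) + body
    lines = [ARMOR_BEGIN, "Comment: constructed sample", "", base64.b64encode(raw).decode(),
             "=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode(), ARMOR_END]
    return "\n".join(lines)


if __name__ == "__main__":
    genuine = fingerprint(public_key_body(dearmor(make_constructed_key(9))))
    forged = fingerprint(public_key_body(dearmor(make_constructed_key(10))))
    print("genuine:", genuine)
    print("forged :", forged, "match:", same_fingerprint(genuine, forged))
```

The key ID FBE5BA2A shown by --list-keys is only the last eight hex digits of the fingerprint, so a match on the key ID alone is not a match on the key.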
Now Tom is ready to encrypt his data:

[tom@apl tom]$ gpg --out secrets_to_marge --encrypt secrets

gpg: Warning: using insecure memory!
You did not specify a user ID. (you may use "-r")
Enter the user ID: marge@aplawrence.com
[tom@apl tom]$ ls -l sec*
-rw-r--r--    1 root     root         5940 Nov 17 15:21 secrets
-rw-rw-r--    1 tom      tom          2738 Nov 17 15:22 secrets_to_marge
[tom@apl tom]$

Tom can now send "secrets_to_marge" with safety: only Marge can decrypt the data.
When Marge gets it, she'll decrypt it like this:

[marge@apl marge]$ gpg --output secrets_from_tom --decrypt secrets_to_marge

gpg: Warning: using insecure memory!
You need a passphrase to unlock the secret key for
user: "Marge (Marge's GPG key pair) <marge@aplawrence.com>"
1024-bit ELG-E key, ID 78681206, created 2001-11-17 (main key ID FBE5BA2A)
Enter passphrase: Sbr6wh wscartBM, iscaa2d
gpg: encrypted with 1024-bit ELG-E key, ID 78681206, created 2001-11-17
"Marge (Marge's GPG key pair) <marge@aplawrence.com>"
[marge@apl marge]$ ls -l sec*
-rw-rw-r--    1 marge    marge        5940 Nov 17 16:09 secrets_from_tom
-rw-rw-r--    1 marge    marge        2738 Nov 17 16:09 secrets_to_marge
[marge@apl marge]$

That's it. GPG is actually pretty simple, and nothing to get a headache over. Please do read
the GNU Privacy Guard HandBook for a far more complete treatment of this subject.
See OS X file encryption for gpg on Mac OS X.

Apparently, Alice and Bob are names commonly used for this sort of article. I didn't know that
when I wrote it.
See http://catb.org/~esr/jargon/html/A/Alice-and-Bob.html and
http://www.conceptlabs.co.uk/alicebob.html
--TonyLawrence
______________________________
This page is a nice short howto for using GNUPG. I feel, however,
that some points need clarification, as it is sensitive/personal
data that are being dealt with here:
1. The part about publishing one's public key contains a
rather misleading and potentially dangerous passage, as it
may create a false sense of security:
"Email is not completely unreasonable: it doesn't matter if
someone else intercepts and reads that email, because all it
contains is the public key. That key is only useful for sending
documents that Marge (and only Marge) can decrypt; stealing it
does not let you impersonate Marge."
This is not entirely true; there's always the possibility of a
"Man-in-the-Middle" Attack. Have a look at
http://www.glump.net/content/gpg_intro/html/3_Creating_Your_Personal.html#foot311
to see what I mean. Of course, this might be viewed as paranoia,
but it's still a consideration, for users who want to take no
chances.
[ I guess that's what is meant, in the passage immediately after
the one above:
"What Tom has to be concerned about is someone forging email that
pretends to be from Marge but that actually contains a forged
public key: if Tom used that to encrypt his data, and the forger
could intercept that transmission also, the forger could decrypt
the data (and of course Marge could not!)."
but it's not clear enough, IMHO -- the explanation should be more
detailed, as in the link above. ]

Also, the guide at http://www.glump.net/content/gpg_intro/ (the above URL), which is
entitled "A Practical Introduction to GNU Privacy Guard in Windows",
is an excellent geekspeak-free guide for GPG, not only for MS-Windows.
2. The passage:
"So what Tom probably should do (if he's really worried about this)
is call Marge on the telephone and ask her to read some of her key."
describes a practice that's neither easy nor commonly employed;
it would be much better if the key's *fingerprint* were verified
by both of the parties. This is the easiest and safest way of
verifying keys which were obtained via an insecure means.
3. The part between:
"Tom has done all that he really needs to do. The next step is
recommended but not strictly necessary:" and
"What Tom did was add Marge to his 'trusted' keys- keys that he is
sure came from who they were supposed to."
is not correct. A user signs a public key, to show *others* that s/he
trusts it (add an extra bit of validity to that key); this possibly
also involves the participation in a *web of trust* -- see
http://www.gnupg.org/gph/en/manual.html#AEN533 .
In order to show *him/herself* s/he trusts a key (so s/he will be
able to use it with GPG without any security prompts), one has to set
the trust level on this key. See
http://www.glump.net/content/gpg_intro/html/4_Encrypting_Decrypting_Fil.html#SECTION00530000000000000000
(4.3.1 Importing the key).
--Doryforos (visitor)

Sat Dec 10 01:09:08 2005: 1423 anonymous


Awesome short summary. Just enough for me to remember how to use it. Thank you for
posting it!

Tue Feb 14 20:07:24 2006: 1641 anonymous


Short and precise composition of GPG/PGP files. Wonderful!

Wed Mar 15 20:50:39 2006: 1794 anonymous


Thanks, followed the steps and was immediately productive. Thanks!

Fri Jun 16 21:05:13 2006: 2124 CBZ


Very nice. Thank-you!

Mon Nov 20 08:58:00 2006: 2632 vidyasagarcognizantcom


Nice. I was trying something more and I got stuck.
What I did was I created the public keys and exported them to a file (ex. pkeys.asc). I wanted gpg
to use this keyring and not to use the default keyring. I used gpg --armor --batch --encrypt
--keyring pkeys.asc --no-default-keyring --recipient user5 1.txt and I am getting errors. It
says,
gpg: user5: skipped: public key not found
gpg: 1.txt: encryption failed: public key not found
But when I list the keys it is showing the keys in its default keyring.
If anyone knows how to do this please tell me. I am not getting help for this anywhere.

Wed Jul 4 16:59:30 2007: 3052 anonymous


This tutorial is among the finest there are in the UNIX/Linux world. The combination of
readability and accuracy is perfect. I got my key generated and started encrypting/decrypting
in 10 minutes. Some day all of the useless MAN pages will be tossed in favor of material like
this. Mr. or Ms. Lawrence, we salute you.

Wed Feb 20 02:44:35 2008: 3679 anonymous


In the "Public Key,Private Key" of your article, you say ...
"In that case, you'd encrypt your message using your private key (this is called "signing")."
No. A signature is a computed summary binary string that uniquely identifies the sender's
key, and the content of the email, by creating a validity sum. Usually a sign for a message is
only a few 72-char lines long, and it is usually placed in a block near the end of the email. I'm
sure that you can edit this article, and put a non-technical explanation of "signing" that is just
as correct as what I suggested in my comment.


The only other correction that I would suggest is to explain that you cannot swap your
keypair around, making key one public at will, and making the other key private, and then
encrypt with the private key. The public key is always the one that you make public, and the
private key is always the one that you keep private.
In fact, if you don't get the public key for the person receiving the email, then you cannot
encrypt an email to them. This is also true for the person sending email to you - if they don't
have your public key, then they can't send you encrypted email.
How do you exchange public keys? Either directly, sending them to each other... or by putting
your public key on a "keyserver". You could write another article about keyservers, or you
could quickly describe it as a bulletin board on the internet where lots of people put their
public keys.
While your article is very good, there are a couple of points that you really "glossed over" at a
very high level... so much so that your story of encrypting with your private key and the
receiver decrypting with a public key is in error.
Peace, and good will.

Wed Feb 20 03:14:02 2008: 3680 TonyLawrence

Peace to you also, but I have to disagree. The point of signing is as I explained: to prove that
the message in fact came from you.
I did not suggest that you "swap keys around" - the point of that section is that I'd use YOUR
public key to send you something that I want only you to be able to decrypt, but you'd use
your private key in the "signing" situation.

Wed Feb 20 14:35:08 2008: 3681 TonyLawrence

By the way:
The reason I wrote this page was because I found other web resources confusing. That
doesn't mean that they aren't well written: they probably are for a person at a certain level of
knowledge and understanding.
That's the thing, really: we all come at things from different starting points. For some people
my post here is too basic, for others it is way over their heads. For some, apparently, it's right
on the mark.
That's why I encourage people to leave comments or to even submit a whole new article
explaining things from *your* perspective ( see http://aplawrence.com/publish.html for more
on that). How *you* explain something may be exactly what someone else needs.

Sun Mar 9 03:14:09 2008: 3821 JonR


This is the first time I've understood clearly how GPG basically works. I use it to encrypt my
own files, but I've never had to use it to communicate, and would have been at a loss. Now I
know how to do that. Regardless of whether some points are debatable, the main ideas
behind GPG come through and for average users I think that finding this page will be a
memorable event. Thanks very much.

Sun Mar 9 11:49:28 2008: 3823 TonyLawrence

Thank you, Jon and I'm glad it helped you. That's what it's all about - getting our heads
pointed in the right direction.

Wed Mar 26 20:56:08 2008: 3904 Arjay


Thanks for an easy to understand article! This is all I needed to use gpg.

Mon Jul 7 19:53:22 2008: 4396 anonymous


In addition to the Alice & Bob names, Eve is also used when speaking about "mitm", or man-in-the-middle. You almost got into this topic when you mentioned someone sending Tom a
false public key, pretending to be Marge. Eve, as the eavesdropper, would send Tom a false
public key. Tom would encrypt using this false key, Eve would intercept the message, decrypt it with her private key from the pair that she gave to Tom, and then possibly modify the
message and encrypt it with Marge's real public key, and send it along to Marge, assuming
Eve could trick Marge as she tricked Tom. Eve is the "(wo)man in the middle" of the
conversation.

Mon Jul 7 20:20:40 2008: 4397 JonR


I happen to have been reading a couple of books recently that deal directly or indirectly with
cryptography, and as a result my mind keeps coming back to the one absolutely unbreakable
crypto method: the one-time pad. If only that system could be made practical, there would be
absolute security, subject to the limitation of identity fraud. Even a quantum computer could
not break a message encrypted with a one-time pad. The big difficulty, and what makes it
impractical to use the method on anything but a very small scale, is getting the page(s)
containing the key to the recipient. It sends the users right back to square one.

Tue Sep 22 15:55:33 2009: 6953 Jai


http://gazolinia.blogspot.com
Very cool and simple explanation of GPG .

Tue Nov 10 22:27:07 2009: 7517 Jayakumar

Really simple to understand in a single page!!! Nice one.

Thu Nov 12 11:15:02 2009: 7532 senthil

Really good

Thu Nov 26 15:00:22 2009: 7632 Merovance

Thank you. Your article fit me to a T. I appreciate you taking the time to help newbies.

Thu Nov 26 15:10:03 2009: 7633 TonyLawrence

Thank you for taking the time to leave a comment. We appreciate it!

Thu Jan 7 20:48:29 2010: 7887 MitulThakkar

Great Article!! I was struggling to get the relevant info on web, but for a person like me who
has very basic knowledge of security , other articles were too heavy.. This is the best one I
have seen so far..
Thank you very much for giving us explanation of gpg

Sun Jan 17 20:57:38 2010: 7921 ratb0y

Just wanted to say this is a very good tutorial that saves you from loads of troubles. I found it
pretty easy and on target.
Congrats

Wed Jan 27 23:26:21 2010: 7958 anonymous

Thank you for writing such a nice and easy to read tutorial.
Keep up.

Wed Feb 24 08:56:01 2010: 8129 Mark

The bit of confusion about what it means to sign a message is the difference between "sign"
(which includes message encryption) and "clearsign" (which does NOT encrypt the message;
it uses your private key to create a hash which can then be decrypted by your public key; the
message text remains in the clear). The confusion happens because a clearsigned email
begins with the line "-----BEGIN PGP SIGNED MESSAGE-----". Just my 2 cents.

Wed May 5 19:02:21 2010: 8525 sunny

Hi, I am struggling in generating keys in Windows Server 2008.
The username is sunny, so how can I modify this "[marge@apl marge]$ gpg --gen-key"? What
does ' marge@apl ' mean? Please help me.
Thanks

Wed May 5 19:22:35 2010: 8526 TonyLawrence

Sunny@aol.com or whatever it actually is.

Wed May 5 19:24:44 2010: 8527 TonyLawrence

Oh, I see your confusion.


That stuff is just the command prompt. Nothing you would type.

Tue May 11 14:09:00 2010: 8584 anonymous

Hi
I have generated my keys and want to export my public key. I tried this command "gpg
--armor --export sunny@yahoo.com > mypk"
Nothing comes up, but when I try this "gpg --armor --export sunny@yahoo.com" the public key
block starts and ends with some code in it.
What is the command to export it onto the C drive?
Can I do a quick test by using my public key to encrypt a file without exporting?
If someone sends me the public key, what will be the file extension? And in order to import it
do I have to keep it in a specific directory?
I came across a .asc extension file; what is this? In what format will the exported keys
be?
Please help me.

Tue May 11 14:18:33 2010: 8585 TonyLawrence

The "> mypk" put the key in a file called "mypk", in whatever directory you are working in.
You could make that any name you like if your brain dead operating system requires such.
For example, to have that able to be opened by clicking on it, you'd use "mypk.txt"
Just another example of why Windows is dumb. You won't understand why I say that, but
that's reality.

Fri May 14 01:16:03 2010: 8589 anonymous

I didn't know GPG. But after reading your article, I know at least 95% how it works. this is
very good explanation.

Mon Jul 26 18:34:36 2010: 8858 Sunny

Hi
We got my legacy company public key. My admin imported that and when he runs the
command " gpg --list-keys " he is able to see it. But when I run the same command I am not
able to do it?
Are these keys user specific or role specific?
Thanks

Sat Aug 28 08:40:01 2010: 8938 habbay

It can't be explained simpler than this. A great job done!

Tue Aug 31 18:11:54 2010: 8944 anonymous

thanks tony, exactly what I needed, very helpful, egon

Thu Sep 23 21:21:09 2010: 8995 ADubey

Mr. Lawrence, thanks for the excellent documentation.


This really helped me set up my encryption.
My issue is that I am trying to automate a process to extract data from an Oracle View, write
it to a csv file, encrypt the file and FTP it to our bank.
I am calling these procedures from an ASPX Web Application using VB.Net.
I set up the encryption with a specific User account used for Service Accounts.
When I run the Web Application and call gpg.exe to encrypt the data file, it will work fine as
long as I am logged in as the service account and am in the debug mode of Visual Studio
Web Developer.
When I then try to run the Web app from IE, the encryption fails. I have not been able to trap
the exact results to determine any messages.
When I call gpg.exe I am using a Process that allows me to pass the Service account
credentials. Equivalent to "Run As".
This does not solve the problem.
I have tried calling a batch file to launch the gpg. Same result.
I tried creating a scheduled task to run a VBS script using the Service account credentials.
Again same result.
The only way I can get it to work, is to be logged in to the IIS Server (Windows 2008 64 bit
with IIS 7.) and running the Web Application in debug mode from Visual Studio.
Anytime I run it from IE, it fails.
I have set the credentials in IIS for the site to be the Service Account.
My next step is to change the IIS Services account from Local Service to the Domain Service
account.
(For some reason, I have not been able to get Windows Server to accept the different
credentials. The service account is a local admin.)
I have tried setting the GNUPGHOME to the Service Account's GNUPG folder. Still no luck.
Below is a sample of the Batch file I am using to launch gpg.exe.
(I have also tried to launch gpg.exe directly from the process. This is just a good example of
my syntax.)
GNUPGHOME="c:\Users\ServiceAccount\AppData\Roaming\gnupg\"
export GNUPGHOME
C:
cd "\inetpub\wwwroot\BofA_ftp\FTP\"
"c:\GNU\GnuPG\gpg.exe" -u "UserName" -r "KeyName" --always-trust --sign --passphrase-fd 0 %PPHrase% --encrypt "DataFile.csv" <PPhrase.txt
As I said, the above script works fine if I am logged in correctly.
I have also tried to import the Keys using the Local Service account by launching a batch file
as follows:

C:
cd "\GNU\GnuPG"
"c:\GNU\GnuPG\gpg.exe" --import "SignedKeyfromBank.asc"
"c:\GNU\GnuPG\gpg.exe" --import "ExportedSignedKeySent2Bank.asc"
This creates another GNUPG folder in the root of C:\
I have tried using that folder as the GNUPGHOME.
The Local Service creates what I would call a Hidden local user represented by
"ComputerName$".
You cannot log in as this user to create and register keys.
I am at my wits end here.
Is there any way to register the keys in such a way that it is independent of the currently
logged in user?
Any other thoughts?
Thanks in advance.
AD

Fri Sep 24 01:08:27 2010: 8996 TonyLawrence

I have no ideas in Windows, sorry.

Thu Jul 28 13:50:05 2011: 9657 Alex


http://www.gpgtools.org

And to use GPG/PGP/OpenPGP on Mac OS X: http://www.gpgtools.org

Wed Sep 21 16:19:31 2011: 9870 anonymous

These steps are working for individual ID's. Any idea why it is not working for su ID?
when gpg --gen-key
it is not producing .gnupg directory or its contents.

Thanks in advance,
Swapna.

Wed Sep 21 16:49:32 2011: 9871 TonyLawrence

Did you look in /root ?

Wed Sep 21 18:26:57 2011: 9872 anonymous

Hi,
thanks got it resolved, as home path is an alias, it created in different root dir.
But for batch processing.
When this is used.
gpg --encrypt --no-tty --recipient xxxxxx@Prex.com abc.dat.Z
it is failing saying
gpg: Sorry, no terminal at all requested - can't get input
Can you tell me what this does?
gpg --passphrase-file /home/OSUSER/.gnupg/passphrase.txt -c "FILENAME.dat"
gpg --batch --passphrase-file /home/OSUSER/.gnupg/passphrase.txt --output "FILENAME.dat" --decrypt "FILENAME.dat.gpg"

Wed Sep 21 19:26:21 2011: 9873 TonyLawrence

no-tty is NOT for input. See the man page.

Thu Dec 15 06:32:12 2011: 10355 Horace

Thanks for your article, Lawrence. It is a very great help to me in understanding how gpg
basically works.

Sat May 26 03:50:13 2012: 11017 BalaPolavarapu

Thank you for posting such useful information on generating public keys using GPG,
exactly what I was looking for :)

Fri Jun 22 21:20:43 2012: 11136 anonymous

I get following message:


>> gpg --output test123.fil --decrypt test123.gpg
gpg: encrypted with 1024-bit ELG-E key, ID BE658B3D, created 2006-11-07
"TEST-MM (Test Machine) <test-mm@yahoo.com>"
gpg: Signature made Wed 20 Jun 2012 02:08:00 PM EDT using RSA key ID B734C5E2
gpg: Can't check signature: public key not found
But the public keys are present:
81: gpg --list-public-keys
/.gnupg/pubring.gpg
-----------------------
pub 1024D/6F037C71 2006-11-07
uid "TEST-MM (Test Machine) <test-mm@yahoo.com>"
sub 1024g/BE658B3D 2006-11-07
Any thoughts why I get the error?

Sat Jun 23 09:53:37 2012: 11140 TonyLawrence

No, sorry. Keep Googling.

Tue Jul 10 15:27:36 2012: 11189 nb

Sir,
Very detailed informative article. Thank you very much ......

Sat Oct 6 05:20:59 2012: 11366 anonymous

I must be a slow-witted person because I STILL don't know how to get started using gpg. How
do I unzip a .tar file to get to do the gpg?

Sat Oct 6 11:16:45 2012: 11367 TonyLawrence

You aren't slow witted - nothing here told you how to unpack a tar file.
You might have tried googling "tar" though..
By the way, "zip" implies compression. A tar file CAN be compressed, but tar by itself is just
an archiver. Modern tars know how to use external compression tools, though, so the point is
usually unimportant.
To unpack (and uncompress if indicated) do
tar xvf whateverthefileis.tar
or
tar xvf whateverthefileis.tgz if it's been zipped.

Sat Oct 20 14:02:59 2012: 11392 Michael

Hi. I followed the instructions here, including importing the public key. Yet when I try to
decrypt a file I receive the message "gpg: decryption failed: secret key not available". I'm
confused. The recipient of the public key does not have to have both public and private keys,
correct? Any suggestions for correcting this problem?
Thanks.

Sat Oct 20 14:08:07 2012: 11393 TonyLawrence

Well, you've missed something somewhere. Hard to guess what. Read again, read someone
else's instructions, repeat your steps - you went wrong somewhere.

Sun Oct 21 11:26:05 2012: 11394 Michael

Thanks for your response. I did get your example to work. Thanks. Here is our situation: a
bank has generated the private/public gpg keys. They sent the public key to us. We
successfully imported that key. Are we correct that we should now be able to decrypt a file
that the bank encrypts and sends to us? If we will not send encrypted files, we do not have to
generate keys. Do we understand this correctly? Thank you!

Sun Oct 21 11:36:05 2012: 11395 TonyLawrence

Yes, and vice versa. As I said above:


For example, if you want to send me something, you'd encrypt it using my public key. No one
else can decrypt it; only my private key will work. On the other hand, I might be concerned
that it really is you sending me a message. In that case, you'd encrypt your message using
your private key (this is called "signing"). If I can decrypt it with your public key (presumably I
somehow obtained that key and trust that it really is yours), I know that the message really
came from you.

Tue Jan 1 07:50:38 2013: 11642 RajeshRS

I have been trying to understand GPG working for the past 4 hours. There has not been a
single website, including the so-called official documentation, which could say in simple
terms how we can implement things using GPG. If these "official" sites want their
product/concepts to reach people they should put things in the simplest way possible.
And your page on GPG is simply the best I have come across on this topic, as far as a
starter is concerned. I really wish this page finds a place in the official documentation.
Nothing more to say. Hats Off ..!
"GPG/PGP Basics" Copyright November 2001 Tony Lawrence