GPG
by Juan Manuel González Garzón
SYNOPSIS:
gpg [--homedir dir] [--options file] [options] command [args]
- Only one command is allowed.
RETURN VALUE
The program returns 0 if everything was fine, 1 if at least a signature was bad, and other error codes for fatal errors.
Warnings:
1) Use a *good* password for your user account and a *good* passphrase to protect your secret key.
2) You should protect your "~/.gnupg/" directory very well.
3) If you are going to verify detached signatures, make sure that the program knows about it;
either give both filenames on the command line or use '-' to specify STDIN.
4) Do not use over telnet.
===============================================================================================================================
Help: gpg -h
gpg (GnuPG) 1.4.22
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
OpenPGP message can use: --cipher-algo, --digest-algo, --cert-digest-algo, --compress-algo
Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data
Commands:
-s, --sign [file] make a signature || Action
--clearsign [file] make a clear text signature || Action
-b, --detach-sign make a detached signature || Action
-e, --encrypt encrypt data || Action
-c, --symmetric encryption only with symmetric cipher || Action
-d, --decrypt decrypt data (default) || Action
--verify verify a signature || Action
--list-keys list keys || Admin
--list-sigs list keys and signatures || Admin
--check-sigs list and check key signatures || Admin
--fingerprint list keys and fingerprints || Admin
-K, --list-secret-keys list secret keys || Admin
--gen-key generate a new key pair || Setup
--delete-keys remove keys from the public keyring || Admin
--delete-secret-keys remove keys from the secret keyring || Admin
--sign-key sign a key || Action
--lsign-key sign a key locally || Action
--edit-key sign or edit a key || Admin
--gen-revoke generate a revocation certificate || Action
--export export keys || Action
--send-keys export keys to a key server || Action
--recv-keys import keys from a key server || Action
--search-keys search for keys on a key server || Action
--refresh-keys update all keys from a keyserver || Action
--import import/merge keys || Action
--card-status print the card status || Admin
--card-edit change data on a card || Admin
--change-pin change a card's PIN || Admin
--update-trustdb update the trust database || Admin
--print-md algo [files] print message digests || Action
Options:
-a, --armor create ascii armored output
-r, --recipient NAME encrypt for NAME
-u, --local-user use this user-id to sign or decrypt
-z N set compress level N (0 disables)
--textmode use canonical text mode
-o, --output use as output file
-v, --verbose verbose
-n, --dry-run do not make any changes
-i, --interactive prompt before overwriting
--openpgp use strict OpenPGP behavior
--pgp2 generate PGP 2.x compatible messages
===============================================================================================================================
FROM: info gpg
1.4 Examples
============
gpg -se -r 'Bob' 'file'
sign and encrypt for user Bob
gpg --clearsign 'file'
make a clear text signature
gpg -sb 'file'
gpg --detach-sign 'file'
make a detached signature
gpg -u 0x12345678 -sb 'file'
make a detached signature with the key 0x12345678
gpg --list-keys 'user_ID'
show keys
gpg --fingerprint 'user_ID'
show fingerprint
gpg --verify 'pgpfile'
gpg --verify 'sigfile'
Verify the signature of the file but do not output the data. The
second form is used for detached signatures, where 'sigfile' is the
detached signature (either ASCII armored or binary) and are the
signed data; if this is not given, the name of the file holding the
signed data is constructed by cutting off the extension (".asc" or
".sig") of 'sigfile' or by asking the user for the filename.
===============================================================================================================================
FILES
There are a few configuration files to control certain aspects of gpg's operation.
Unless noted, they are expected in the current home directory (see: [option --homedir]).
gpg.conf
This is the standard configuration file read by gpg on startup.
It may contain any valid long option; the leading two dashes may not be entered and the option may not be abbreviated.
This default name may be changed on the command line (see: [gpg-option --options]). You should backup this file.
Note that on larger installations, it is useful to put predefined files into the directory ‘/etc/skel/.gnupg/’ so that newly created users start up with a working con
For internal purposes gpg creates and maintains a few other files; They all live in in the current home directory (see: [option --homedir]).
Only the gpg may modify these files.
~/.gnupg/pubring.gpg # The public keyring. You should backup this file.
~/.gnupg/pubring.gpg.lock # The lock file for the public keyring.
~/.gnupg/pubring.kbx # A public keyring and its lock file used by GnuPG versions >= 2. It is ignored by GnuPG 1.x
~/.gnupg/pubring.kbx.lock
~/.gnupg/random_seed # A file used to preserve the state of the internal random pool.
~/.gnupg/secring.gpg # The secret keyring. You should backup this file.
~/.gnupg/secring.gpg.lock # The lock file for the secret keyring.
~/.gnupg/trustdb.gpg # The trust database. There is no need to backup this file; it is better to backup the ownertrust values (see: [option --export-ownertr
~/.gnupg/trustdb.gpg.lock # The lock file for the trust database.
~/.gnupg/openpgp-revocs.d/
This is the directory where gpg stores pre-generated revocation certificates.
The file name corresponds to the OpenPGP fingerprint of the respective key.
It is suggested to backup those certificates and if the primary private key is not stored on the disk to move them to an external storage device.
Anyone who can access theses files is able to revoke the corresponding key.
You may want to print them out.
You should backup all files in this directory and take care to keep this backup closed away.
/usr[/local]/share/gnupg/options.skel # The skeleton options file.
/usr[/local]/lib/gnupg/ # Default location for extensions.
The case of study use a directory
.gnupg
|--bck
| |-- gpg.conf
| |-- pubring.gpg
| |-- random_seed
| |-- secring.gpg
| |-- trustdp.gpg # This go against the recomendations
|-- gpg.conf
|-- private.key
|-- public.key
|-- pubring.gpg
|-- random_seed
|-- secring.gpg
|-- trustdb.gpg
===============================================================================================================================
OpenPGP message can use: --cipher-algo, --digest-algo, --cert-digest-algo, --compress-algo
===============================================================================================================================
GRAPHICAL INTERFACES
gpa => Is the GNU Privacy Assistant, a graphic user interface for GnuPG
seahorse => A GNOME front-end for GnuPG
Validate a configuration file
#!/bin/sh
gpg --gpgconf-list # Show the current configuration
gpg --gpgconf-test ~/.gnupg/gpg.conf && echo 'OK' || echo 'ERROR' # Show if the configuration file is valid
Gpg key generation
gpg --gen-key # The program let you put the key information
gpg --full-generate-key # To create a 4096 key
gpg --default-new-key-algo rsa4096 --key-gen # In case the previous command dosen't work
# Generate a pair of public and private keys
# Min size for the keys is 768 bytes, recomended key size is 4096 bytes (also the maximum), For DSA 1024 is a standar size (2004-08-10) ... (github use rsa4096)
# Inputs: ['names', 'comment', 'e-mail address', 'passphrase', 'Ramdom noise from computer (generation takes time)']. This info can be edited later (not the passphrase).
# Output: secret keyring, protect your "~/.gnupg/" directory very well.
# You can easily (and maybe you should - since is used so widely) use DSA/ElGamal.
# Here is an example on how to create a key using a file ('dfltKeyGeneratorFile', 'FooKeyGeneratorFile'):
gpg2 --batch --gen-key FooKeyGeneratorFile
gpg2 --dry-run --batch --gen-key FooKeyGeneratorFile
List keys
#!/bin/sh
gpg2 --no-default-keyring --secret-keyring ./foo.sec --keyring ./foo.pub --list-secret-keys
Exporting keys
#!/bin/sh
gpg --export [-o OutputFile] [-a] [UID]
# -o OutputFile: send the data to a a file instead to the normal stdout.
# -a: Write the key to a 7-bit ASCII file instead of a binary file.
# UID: If no UID has been submitted all present keys will be exported.
#
# You can export the keys using a hrough a key server like http://www.pca.dfn.de/dfnpca/pgpkserv/ or any other method you can think of.
Importing keys
#!/bin/sh
# To import someone's public key (or several public keys)
gpg --import [Filename]
Linux - gpg, move your keys between computers.
On the pc 1.
$ gpg –export-secret-keys -a keyid > my_private_key.asc $ gpg –export -a keyid > my_public_key.asc
On the pc 2.
gpg –import my_private_key.asc gpg –import my_public_key.asc
Revoke a key
#!/bin/sh
# For several reasons you may want to revoke an existing key. For instance: the secret key has been stolen or became available to the wrong people, the UID has been changed, the key is not large enough anymore, etc. In all these cases the command to revoke the key is:
gpg --gen-revoke
# This creates a revocation certificate. To be able to do this, you need a secret key, else anyone could revoke your certificate. This has one disadvantage. If I do not know the passphrase the key has become useless. But I cannot revoke the key! To overcome this problem it is wise to create a revoke license when you create a key pair. And if you do so, keep it safe! This can be on disk, paper, etc. Make sure that this certificate will not fall into wrong hands!!!! If you don't someone else can issue the revoke certificate for your key and make it useless.
Key administration
#!/bin/sh
# A) With the GnuPG system comes a file that acts as some kind of database. In this file all data regarding keys with the information that comes with the keys is stored (everything until the Ownertrust values: for more information on that read Key signing). With
gpg --list-keys
# B) To see the signatures
gpg --list-sigs
# C) You want to see "Fingerprints" to ensure that somebody is really the person they claim (like in a telephone call). This command will result in a list of relatively small numbers.
gpg --list-secret-keys
# Note: Note that listing fingerprints and signatures from private keys has no use whatsoever.
# D) To delete a public key
gpg --delete-key UID
# E) For deleting a secrete key
gpg --delete-secret-key
# F) Edit a key, the expiration date, add a fingerprint and sing your key (among other things).
gpg --edit-key UID
Key signing
#!/bin/sh
# As mentioned before in the introduction there is one major Achilles' heel in the system. This is the authenticity of public keys. If you have a wrong public key you can say bye bye to the value of your encryption. To overcome such risks there is a possibility of signing keys. In that case you place your signature over the key, so that you are absolutely positive that this key is valid. This leads to the situation where the signature acknowledges that the user ID mentioned in the key is actually the owner of that key. With that reassurance you can start encrypting.
# Using the $(gpg --edit-key UID) command for the key that needs to be signed you can sign it with the sign command.
# You should only sign a key as being authentic when you are ABSOLUTELY SURE that the key is really authentic!!!. So if you are positive you got the key yourself (like on a key signing party) or you got the key through other means and checked it (for instance by phone) using the fingerprint-mechanism. You should never sign a key based on any assumption.
# Based on the available signatures and "ownertrusts" GnuPG determines the validity of keys. Ownertrust is a value that the owner of a key uses to determine the level of trust for a certain key. The values are
# 1 = Don't know
# 2 = I do NOT trust
# 3 = I trust marginally
# 4 = I trust fully
DfltKeyGeneratorFile
%echo Generating a default key
Key-Type: default
Subkey-Type: default
Name-Real: Juan Manuel González Garzon
Name-Comment: PGP key for Juan Manuel González Garzón.
Name-Email: jmgonzalezgarzon@gmail.com
Expire-Date: 0
Passphrase: stupidPassphrase
%pubring dflt.pub
%secring dflt.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
FooKeyGeneratorFile
%echo Generating a basic OpenPGP key
Key-Type: DSA
Key-Length: 4096
Subkey-Type: ELG-E
Subkey-Length: 4096
Name-Real: Juan Manuel González Garzon
Name-Comment: PGP key for Juan Manuel González Garzón.
Name-Email: jmgonzalezgarzon@gmail.com
Expire-Date: 0
Passphrase: stupidPassphrase
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
Encrypt file
#!/bin/sh
USER_ID=''
RECIPIENT=''
# -e --encrypt
# -u --local-user; if this is not set, gpg uses the default key.
# -r --recipient
gpg -e -u $USER_ID -r $RECIPIENT original.txt
Decrypt file
#!/bin/sh
# -d --decrypt
# -o gpg uses stdout, -o redirect the output to a file
gpg -d data
Signing
#!/bin/sh
# -s --sign
gpg -s original.txt
gpg --clearsign original.txt # create a legible result
# -b --detach-sign
# TODO read more about detach signature
gpg -b original.txt
USERID=''
RECIPIENT=''
# -u --local-user
# -r --recipient
# -s --sign
#-e --encrypt
gpg -u $USER_ID -r $RECIPIENT --armor -se original.txt
gpg --verify data