Intro to gpg

Mar 27, 2016 • Matt Karmazyn
Edited: Mar 27, 2016


Encrypting and decrypting with gpg

Introduction

gpg (aka GnuPG) is software for encrypting files. Encryption is a hot topic in the media right now (2016), as criminals use encryption to transfer information so nobody else can see it. Want to bank online without someone intercepting your information? Encryption is what makes that possible. It is used to secure sensitive information when sending it over the web.
As a sysadmin, you may need to encrypt files, typically containing passwords, to send to another admin. If someone intercepts your database root password because you emailed it in plain text, that can destroy your business.

Installation

Red Hat/CentOS

$ yum install gnupg

Debian/Ubuntu

$ apt-get install gnupg

OSX

$ brew install gnupg

Basic Usage

Create GPG Key

$ gpg --gen-key
  Please select what kind of key you want:
    RSA and RSA
  What keysize do you want?:
    4096
  Key is valid for?
    0
  Key does not expire at all
  Is this correct? (y/N)
    y
  Real name:
    Bill Jones
  Email address:
    [email protected]
  Comment:
    insert a comment here
  You need a Passphrase to protect your secret key.
    Enter a super secret passphrase here. Don't forget it!

Export your public key. This will create a file called pubkey.asc.

$ gpg --export --armor [email protected] > pubkey.asc

List the public keys in your keyring.

$ gpg --list-keys

List private keys in your keyring.

$ gpg --list-secret-keys

More Usage

Import another person’s public key.

$ gpg --import otherpubkey.asc

Trust a public key. After you import another person’s public key, you have to set the trust level of the key.

$ gpg --edit-key harry

trust (invoke trust subcommand on the key)
5 (ultimate trust)
y (if prompted)
quit

Encrypting Files

Basic file encryption using a passphrase.
This creates a gpg-encrypted file protected by a passphrase that you can share with someone else. This method only really works if you can tell the other person the passphrase out of band (for example by phone); otherwise you will have to send the passphrase in plain text, and anyone who intercepts it can decrypt the file.

# This will create a new encrypted file called: file.txt.gpg
$ gpg -c file.txt
  Enter passphrase: super secret passphrase

Decrypt the file to disk.

# This will decrypt and create a new file of the original filename.
$ gpg file.txt.gpg
  Enter passphrase: super secret passphrase

Decrypt the file to standard output.

# This will print the decrypted contents instead of writing a file.
$ gpg -d file.txt.gpg
  Enter passphrase: super secret passphrase
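The passphrase workflow above, run unattended as an added example (this is not code from the original post). It assumes gpg 2.1 or newer on PATH, uses a throwaway keyring so your own ~/.gnupg is untouched, and the file contents and passphrase are constructed for the demo. It also checks the two things the text implies: the ciphertext does not contain the plaintext, and a wrong passphrase is refused.

```shell
#!/bin/sh
# Added example (not from the original post): the post's "gpg -c" / "gpg -d"
# passphrase round trip run unattended, assuming gpg 2.1+ on PATH. The file
# contents and passphrase are constructed for the demo; a real passphrase
# should never be typed on a command line or stored in a script.

set -u

# symmetric_roundtrip: returns 0 if every check passes, 1 on a failed check,
# 2 if gpg is not installed (so nothing could be verified).
symmetric_roundtrip() {
  command -v gpg >/dev/null 2>&1 || return 2
  work=$(mktemp -d) || return 1
  gh="$work/gnupg"
  mkdir -m 700 "$gh"                       # throwaway keyring; ~/.gnupg is untouched
  pass='constructed-demo-passphrase'
  printf 'db_root_password=constructed-sample\n' > "$work/file.txt"
  (
    set -e
    # The post's "gpg -c file.txt", answered from the script: creates file.txt.gpg
    GNUPGHOME="$gh" gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
      -c "$work/file.txt"
    test -f "$work/file.txt.gpg"
    # The ciphertext must not carry the plaintext
    if grep -q 'constructed-sample' "$work/file.txt.gpg"; then
      echo "unexpected: plaintext visible in file.txt.gpg" >&2; exit 1
    fi
    # "gpg -d file.txt.gpg" writes the plaintext to stdout; compare it with the original
    GNUPGHOME="$gh" gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
      -d "$work/file.txt.gpg" | cmp -s - "$work/file.txt"
    # Whoever has the passphrase can decrypt; a wrong passphrase must be refused
    if GNUPGHOME="$gh" gpg --batch --quiet --pinentry-mode loopback --passphrase 'wrong' \
         -d "$work/file.txt.gpg" >/dev/null 2>&1; then
      echo "unexpected: wrong passphrase decrypted the file" >&2; exit 1
    fi
  )
  rc=$?
  GNUPGHOME="$gh" gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  return $rc
}
```

Call `symmetric_roundtrip` and check its return code: 0 means every step behaved as the post describes, 2 means gpg was not found. The `--batch --pinentry-mode loopback --passphrase` trio is only there so the script can answer the prompt that the interactive `gpg -c` shows; interactively you would let gpg ask for the passphrase.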

User/key based encryption of a file.
Using this method, you encrypt a file to one or more recipients' public keys, so only the matching private keys can decrypt it.

Options

-e, --encrypt
-r, --recipient

Encrypt a file so only your key can decrypt it.

# This will create a new encrypted file named file.txt.gpg
$ gpg -e -r myname file.txt

Encrypt a file so only you and harry can decrypt it.

# This will create a new encrypted file named file.txt.gpg
$ gpg -e -r myname -r harry file.txt

Encrypt a file so only the people in the administrators group in your gpg.conf file can decrypt it.

# This will create a new encrypted file named file.txt.gpg
$ gpg -e -r administrators file.txt

List Keys

List keys in your public key ring:

$ gpg --list-keys

List keys in your secret key ring:

$ gpg --list-secret-keys

Delete Key

Remove public key

$ gpg --delete-key name

Remove private key

$ gpg --delete-secret-key name

Config

Your configuration is located in ~/.gnupg/gpg.conf

Groups look like this:

group administrators = paige joe patti
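The key-based workflow from the More Usage, Encrypting Files and Config sections, replayed end to end as an added example (not code from the original post): two throwaway keyrings stand in for Bill and harry, harry's public key is exported and imported, the post's "trust / 5 / y / quit" sequence is applied, a group is defined in gpg.conf, and files are encrypted to a single recipient and to the group. It assumes gpg 2.1 or newer on PATH; the names, addresses, group and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): two throwaway keyrings, "bill" and
# "harry", replaying the post's key workflow unattended. Assumes gpg 2.1+ on PATH;
# names, addresses, the group and the file contents are constructed for the demo.

set -u

# gen_key <gnupghome> <name> <email>: the post's interactive "gpg --gen-key"
# answers, as a batch parameter file. %no-protection means no passphrase, which
# is acceptable only for this throwaway key; 2048 bits keeps the demo fast
# (the post recommends 4096 for a real key).
gen_key() {
  GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# set_ultimate_trust <gnupghome> <keyid>: the post's "trust / 5 / y / quit"
# sequence fed through --command-fd. Ultimate trust makes the key valid without
# a certification signature, which is why the post sets it right after an import.
set_ultimate_trust() {
  printf 'trust\n5\ny\nquit\n' |
    GNUPGHOME="$1" gpg --batch --quiet --command-fd 0 --edit-key "$2" >/dev/null
}

# recipient_demo: returns 0 if every check passes, 1 on a failed check,
# 2 if gpg is not installed (so nothing could be verified).
recipient_demo() {
  command -v gpg >/dev/null 2>&1 || return 2
  work=$(mktemp -d) || return 1
  bill="$work/bill"; harry="$work/harry"
  mkdir -m 700 "$bill" "$harry"
  printf 'db_root_password=constructed-sample\n' > "$work/creds.txt"
  (
    set -e
    gen_key "$bill" "Bill Jones" "bill@example.test"
    gen_key "$harry" "Harry Smith" "harry@example.test"
    # Harry exports his public key (the post's pubkey.asc step); Bill imports and trusts it
    GNUPGHOME="$harry" gpg --export --armor harry@example.test > "$work/harrypub.asc"
    GNUPGHOME="$bill" gpg --batch --quiet --import "$work/harrypub.asc"
    set_ultimate_trust "$bill" harry@example.test
    # A group in Bill's gpg.conf, as in the post's Config section
    echo 'group administrators = bill@example.test harry@example.test' >> "$bill/gpg.conf"
    # "gpg -e -r administrators file": every member's key can decrypt
    GNUPGHOME="$bill" gpg --batch --quiet -e -r administrators \
      -o "$work/creds.grp.gpg" "$work/creds.txt"
    GNUPGHOME="$bill"  gpg --batch --quiet -d "$work/creds.grp.gpg" | cmp -s - "$work/creds.txt"
    GNUPGHOME="$harry" gpg --batch --quiet -d "$work/creds.grp.gpg" | cmp -s - "$work/creds.txt"
    # "gpg -e -r harry file": Bill holds no matching private key, so his decrypt must fail
    GNUPGHOME="$bill" gpg --batch --quiet -e -r harry@example.test \
      -o "$work/creds.harry.gpg" "$work/creds.txt"
    if GNUPGHOME="$bill" gpg --batch --quiet -d "$work/creds.harry.gpg" >/dev/null 2>&1; then
      echo "unexpected: bill decrypted a file addressed only to harry" >&2; exit 1
    fi
    GNUPGHOME="$harry" gpg --batch --quiet -d "$work/creds.harry.gpg" | cmp -s - "$work/creds.txt"
  )
  rc=$?
  for h in "$bill" "$harry"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null; done
  rm -rf "$work"
  return $rc
}
```

Call `recipient_demo` and check its return code: 0 means the group encryption was readable by both members and the file addressed only to harry was unreadable from Bill's keyring; 2 means gpg was not found. The parameter file and `--command-fd` are just the scripted form of the interactive prompts shown earlier in the post; they add nothing to what `gpg --gen-key` and `gpg --edit-key` do by hand.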