GnuPG Basics Explained with Linux GPG Command Examples

GnuPG stands for GNU Privacy Guard.

GnuPG is an open implementation of the OpenPGP (Pretty Good Privacy) standard as defined in RFC 4880. In this article we will cover the installation and the basics of generating keys using GnuPG.



This article is part of our ongoing series on Cryptography. If you are new to cryptography, refer to our earlier article on Introduction to Cryptography.

On Debian based systems, use the following command to install the GnuPG tool.

# apt-get install gnupg

The first step in using GnuPG is to create a public and private key pair. The following command is used to create the keys.

$ gpg --gen-key

The above command runs in interactive mode. The following explains the various inputs that need to be given to the gpg command.

1. Choose the algorithm to be used for key generation

gpg: directory `/home/lakshmanan/.gnupg' created
gpg: new configuration file `/home/lakshmanan/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/lakshmanan/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/lakshmanan/.gnupg/secring.gpg' created
gpg: keyring `/home/lakshmanan/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Each algorithm has its own advantages and disadvantages. Choose the one you prefer, or use the default RSA algorithm. Press 1 or Enter.

2. Select the key size

Once the algorithm is selected, it will ask for the key size.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

In general, the bigger the key size, the more secure it is. In practice, 2048 should be sufficient. Type your key size or press Enter to accept the default.

3. Key validity

The next input we need to provide is how long the key should be valid.

Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Type 0 if you don’t want the key to expire.

It will again ask for confirmation. Press Y.

Key does not expire at all
Is this correct? (y/N) y

4. Create User ID and Password

Each key is associated with a user ID and protected by a passphrase. Next, gpg asks for your name, e-mail address, comment and passphrase.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: lakshmanan
Email address: admin@thegeekstuff.com
Comment: My test GPG keys
You selected this USER-ID:
    "lakshmanan (My test GPG keys) <admin@thegeekstuff.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Enter Passphrase

5. Final Output Keys

To generate a unique key, the system needs a supply of random bytes (entropy). While the key is being generated, perform some other operations that access the disk, network, etc., so that the system can collect enough random bytes.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 39 more bytes)
+++++
+++++

Once sufficient random bytes are available, the keys will be generated.

gpg: /home/lakshmanan/.gnupg/trustdb.gpg: trustdb created
gpg: key A7344E7D marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/A7344E7D 2012-10-12
      Key fingerprint = 3AE0 7948 C880 E5F7 F0A1 E16A 6EBB 3931 A734 4E7D
uid                  lakshmanan (My test GPG keys) <admin@thegeekstuff.com>
sub   2048R/96F8EF9B 2012-10-12

Now we have generated the key pair to use with GnuPG. The above output provides some important information, such as the Key-ID:

Key-ID A7344E7D

We will be using this Key-Id for doing various operations as we will see later.

6. List the Key Pairs

You can list the keys that were generated using the --list-keys and --list-secret-keys options.

$ gpg --list-keys
/home/lakshmanan/.gnupg/pubring.gpg
-----------------------------------
pub   2048R/A7344E7D 2012-10-12
uid                  lakshmanan (My test GPG keys) <admin@thegeekstuff.com>
sub   2048R/96F8EF9B 2012-10-12

$ gpg --list-secret-keys
/home/lakshmanan/.gnupg/secring.gpg
-----------------------------------
sec   2048R/A7344E7D 2012-10-12
uid                  lakshmanan (My test GPG keys) <admin@thegeekstuff.com>
ssb   2048R/96F8EF9B 2012-10-12

7. Export Your Public Keys

Now we have generated a key pair. The next step is to publish your public key on the Internet (on key servers), so that other people can use that public key to send messages to you.

$ gpg --armor --export --output lakshmanan_pubkey.gpg lakshmanan

Now the file ‘lakshmanan_pubkey.gpg’ contains my public key. You can also use your Key-ID or e-mail address as the argument to this command.

$ gpg --armor --export --output lakshmanan_pubkey.gpg A7344E7D

or

$ gpg --armor --export --output lakshmanan_pubkey.gpg admin@thegeekstuff.com

Now you can send the file to the people you converse with.
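The whole procedure above (steps 1 to 7: generate, list, export) in one script, as an added example that is not part of the original article. It answers the same prompts unattended through a `--batch` parameter file (the format GnuPG documents under "Unattended key generation"), works inside a throwaway GNUPGHOME so your own ~/.gnupg is never touched, and finishes with the check a recipient should perform on a received key file: import it into an empty keyring and compare the fingerprint with one obtained out of band. Assumptions: gpg 2.x is on PATH; the name, comment and e-mail are constructed sample values; `%no-protection` stands in for the passphrase step because there is no terminal to type one into (a real key should keep its passphrase).

```shell
#!/bin/sh
# Unattended replay of the article's key-generation dialog, plus listing,
# armored export and a recipient-side fingerprint check. Sample identity
# values below are constructed for this example.
set -e

# A private, mode-0700 home directory so ~/.gnupg is never touched.
make_gpg_home() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Steps 1-5: RSA and RSA, 2048 bits, no expiry, user ID, answered from a
# parameter file instead of interactive prompts.
generate_key() {
    gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null <<'EOF'
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Example User
Name-Comment: Added example key
Name-Email: user@example.com
Expire-Date: 0
%no-protection
%commit
EOF
}

# Step 6: machine-readable --list-keys. The first "fpr" record is the
# primary key; field 10 holds the 40-hex-digit fingerprint, and its last
# 8 digits are the short Key-ID the article refers to (A7344E7D there).
key_fingerprint() {
    gpg --homedir "$1" --with-colons --fingerprint --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

short_key_id() {
    printf '%s\n' "$1" | sed 's/.*\(........\)$/\1/'
}

# Step 7: armored export of the public key only (never the secret key).
# Prints the first line of the file so the caller can check the header.
export_public_key() {
    gpg --homedir "$1" --armor --export --output "$3" "$2" 2>/dev/null
    head -n 1 "$3"
}

# Recipient side: import the received file into an empty keyring and
# compare its fingerprint with the expected one. Returns 0 only on a match.
verify_exported_key() {
    file=$1
    expected=$2
    scratch=$(make_gpg_home)
    gpg --homedir "$scratch" --quiet --import "$file" 2>/dev/null
    actual=$(key_fingerprint "$scratch" user@example.com)
    rm -rf "$scratch"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Run the whole flow and print what the article's interactive session showed.
demo() {
    home=$(make_gpg_home)
    generate_key "$home"
    fpr=$(key_fingerprint "$home" user@example.com)
    echo "Key-ID: $(short_key_id "$fpr")  fingerprint: $fpr"
    export_public_key "$home" user@example.com "$home/example_pubkey.asc"
    verify_exported_key "$home/example_pubkey.asc" "$fpr" && echo "fingerprint verified"
    rm -rf "$home"
}

if command -v gpg >/dev/null 2>&1; then demo; else echo "gpg not found on PATH" >&2; fi
```

The fingerprint comparison is the part to keep in mind when you later import a key someone sent you: a matching e-mail address in the user ID proves nothing, since anyone can generate a key with that name, while the full 40-digit fingerprint read back over another channel (phone, business card, in person) does.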

8. Submit Keys to a Key-Server

Exporting your public key and sending it to each person individually becomes cumbersome if you correspond with many people. In that case, you can upload your public key to a server called a key server, so that anyone who wants your key can fetch it from there.

$ gpg --send-keys --keyserver keyserver.ubuntu.com A7344E7D

Now you should have a basic understanding of GnuPG. In a future article in this series, we will explain how to encrypt, decrypt and digitally sign your messages using GnuPG.
