DCO's How-To for Securing Documents with GPG

This document is a quick introduction to using GNU Privacy Guard (GnuPG or GPG). GPG is a tool that allows you to secure files for exchange with other users of GPG, as well as to verify the source of a file that has been signed or encrypted using GPG. Those who are concerned about the security and authenticity of documents that they exchange over the web, email, or other electronic means should seriously consider using GPG.

In the next few sections, we'll show you how to encrypt files using GPG so that only the intended recipient may read the contents of the file. We'll also show you how to sign files, so that recipients of the file will be able to verify that you are the actual sender. In addition, you'll learn how the other side of this works: decrypting and verifying files that have been sent to you by other users of GPG.

Note that this guide is intended to get you started using GPG as quickly as possible. It is not intended as an introduction to public key encryption or any of the other concepts that underlie GPG. If you desire more information, please visit the GPG homepage, and look through the GPG manual. This document will follow the general layout of that manual, but the manual contains much additional useful information, such as tips on how to use GPG wisely and securely.

Generating your own key pair

In order to perform any of GPG's functions, you'll need to have your own pair of public and private GPG keys. Before you can create them, you'll first need to run gpg from the command line so that it can create some configuration files:

[ 1 ] homerj -: gpg
gpg: /home/homerj/.gnupg: directory created
gpg: /home/homerj/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file

Next, to generate your keys, run gpg with the --gen-key option. You'll be asked a number of questions, which we'll go through one at a time:

[ 2 ] homerj -: gpg --gen-key
gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: keyring `/home/homerj/.gnupg/secring.gpg' created
gpg: keyring `/home/homerj/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
   (5) RSA (sign only)
Your selection?

Here you'll want to select 1. The DSA key will allow you to sign documents, while the ElGamal key will be used for encryption.

Next, you'll be asked to choose a key size:

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is 768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)

The default keysize of 1024 bits is recommended here.

The next question will be about the key's expiration:

Please specify how long the key should be valid.
         0 = key does not expire
      <n> = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

It is recommended that you choose 0 here. For almost all purposes, there will be no reason to allow your key to expire. You'll be asked to confirm this choice:

Key does not expire at all
Is this correct (y/n)?

This is correct.

Now, you'll have to enter some information about yourself, which will be stored in the key:

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name:

Enter your full name here, e.g. "Homer Simpson." You'll then need to enter your email address, e.g. "homerj@springnuc.com." Finally, you'll be prompted for a comment. This can be your position, e.g. "Nuclear Safety Engineer."

You'll be asked if you want to change any of this information. If it is correct, choose "o" for "Okay."

Finally, you'll be asked to enter a passphrase:

You need a Passphrase to protect your secret key.

Enter passphrase:

You should pick a passphrase that is easy to remember, but not easy to guess. A good passphrase has a mix of upper- and lowercase letters, as well as one or more non-alphanumeric characters. It may contain spaces and multiple words, but a good passphrase is also not a dictionary word or a grammatically correct sentence. Do not forget your passphrase, and do not let anyone else find it out! If your private key is somehow compromised, your passphrase is the only line of security that prevents a malicious user from posing as you or decrypting files meant only for you.

After you enter your passphrase, you'll be told to do some typing to help the random number generator operate. Type whatever you want. In a few seconds, GPG will exit, and your keys will be ready.

Exchanging public keys with other users

To distribute your key to other users, you'll have to export it. For example, run the command:

[ 3 ] homerj -: gpg --armor --output homerj-gpg-public-key --export homerj@springnuc.com

This will output the public key for homerj@springnuc.com to the file homerj-gpg-public-key. You can then give this file to anyone with whom you plan to exchange signed or encrypted files.

To verify files sent to you by other GPG users, as well as to encrypt files for sending to those users, you'll need to import their keys. Once they've sent you the public key, you first need to run gpg with the --import option:

[ 4 ] homerj -: gpg --import wsmithers-public-key
gpg: key D080459A: public key imported
gpg: Total number processed: 1
gpg:               imported: 1

Before using someone else's public key, you should verify that it has indeed come from that person. To do this, you need to find the key's fingerprint. Call gpg with the --edit-key option (note that the key is identified by either the real name or the email address of the key's owner):


[ 5 ] homerj -: gpg --edit-key wsmithers@springnuc.com
pub 1024D/D080459A created: 2002-04-10 expires: never trust: -/q
sub 1024g/6E26A186 created: 2002-04-10 expires: never
(1). Wayland Smithers (Yes Man) <wsmithers@springnuc.com>

Command>

At this prompt, enter "fpr" to see the key's fingerprint:

Command> fpr
pub 1024D/D080459A 2002-04-10 Wayland Smithers (Yes Man) <wsmithers@springnuc.com>
              Fingerprint: 8A86 37E0 BAD5 C656 A786  535A 2088 3381 D030 789A

Once you've got the fingerprint, you'll need to contact the owner of the key. This is done preferably by phone or in person. Check that the fingerprint of his or her key matches that of the one you received. If it does, then you must sign the key in order to use it:

Command> sign

pub  1024D/D080459A  created: 2002-04-10 expires: never      trust: -/q
             Fingerprint: 8A86 37E0 BAD5 C656 A786  535A 2088 3381 D030 789A

     Wayland Smithers (Yes Man) <wsmithers@springnuc.com>

Are you really sure that you want to sign this key
with your key: "Homer Simpson (Nuclear Safety Engineer) <homerj@springnuc.com>"

Really sign?

If you're sure that the fingerprint is correct, answer "y" here. You'll then have to enter your key's passphrase. Finally, type "quit" at the next prompt to exit GPG (answer "y" when asked if you want to save changes).
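
The same fingerprint check can be scripted instead of read off the "fpr" prompt. This is an added example, not part of the original how-to: it takes GnuPG's machine-readable `--with-colons` listing and accepts only a full 40-digit fingerprint, so a short key ID such as D080459A is refused rather than compared. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Normalise a fingerprint: drop whitespace, uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint USER` output on stdin and print the
# primary key's fingerprint: field 10 of the first "fpr" record after "pub".
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# fpr_matches LISTING EXPECTED
#   0 = full fingerprint matches, 1 = mismatch,
#   2 = EXPECTED is not a 40-hex-digit fingerprint (short key IDs are not unique)
fpr_matches() {
    want=$(norm_fpr "$2")
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    got=$(printf '%s\n' "$1" | primary_fpr)
    [ "$got" = "$want" ]
}

# Constructed sample listing (not real gpg output) carrying the fingerprint
# shown in the transcript above; the subkey values are placeholders.
LISTING='pub:-:1024:17:20883381D030789A:2002-04-10:::-:::scESC:
fpr:::::::::8A8637E0BAD5C656A786535A20883381D030789A:
uid:-::::2002-04-10::::Wayland Smithers (Yes Man) <wsmithers@springnuc.com>:
sub:-:1024:16:0000000000000000:2002-04-10::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# Real use: LISTING=$(gpg --with-colons --fingerprint wsmithers@springnuc.com)
# The second argument is what the key owner read out over the phone.
if fpr_matches "$LISTING" "8A86 37E0 BAD5 C656 A786  535A 2088 3381 D030 789A"; then
    echo "fingerprint matches: safe to sign the key"
else
    echo "fingerprint mismatch or not a full fingerprint: do not sign"
fi
```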

Encrypting and decrypting files

There are two ways to encrypt a file: using keys and using a passphrase. The first method is best for encrypting a file meant for one person; the second can be used to encrypt a file meant for a group of people.

To encrypt a file homers-doc so that it can only be read by Wayland Smithers, run the command:

[ 6 ] homerj -: gpg --output homers-doc.gpg --encrypt --recipient wsmithers@springnuc.com homers-doc

This command outputs an encrypted file called homers-doc.gpg that can be decrypted only by using Wayland Smithers's private key. Note that in order to do this, you'll need to have already imported Wayland Smithers's public key.

If you've been sent a document that's encrypted for you, you'll have to decrypt it:

[ 7 ] homerj -: gpg --output smithers-doc --decrypt smithers-doc.gpg

You need a passphrase to unlock the secret key for
user: "Homer Simpson (Nuclear Safety Engineer) <homerj@springnuc.com>"
1024-bit ELG-E key, ID D2AB6E6A, created 2002-06-17 (main key ID 249DB93F)

Enter passphrase:

After entering your passphrase, this will decrypt the encrypted file smithers-doc.gpg and output it to smithers-doc.

To encrypt the file homers-doc using a passphrase, use the --symmetric option:

[ 8 ] homerj -: gpg --output homers-doc.gpg --symmetric homers-doc
Enter passphrase:

Choose a passphrase (not the same as your private key's passphrase!) that you'll securely distribute to anyone who you wish to be able to read the file. To decrypt it, they'll simply call gpg with the --decrypt option, as above, but use the file's passphrase instead of their own.

Signing and verifying files

Signing a file is a method of assuring other users that the file has come from you, but without encrypting the file. It has the advantage that users may read the file without having to decrypt it with their key or a passphrase, so any user who has your public key may read the file, as well as verify its authenticity. This makes it an ideal scheme for distribution from a webpage or other shared file space, but is not adequate for sensitive material that should not be accessed by the public.

To sign the file homers-doc, issue the command:

[ 9 ] homerj -: gpg --clearsign homers-doc

You need a passphrase to unlock the secret key for
user: "Homer Simpson (Nuclear Safety Engineer) <homerj@springnuc.com>"
1024-bit ELG-E key, ID D2AB6E6A, created 2002-06-17 (main key ID 249DB93F)

Enter passphrase:

This outputs the file homers-doc.asc. A clearsigned file has the following format:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Does whiskey count as beer?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9EGru6hbv4TWbZi6RAuPVAKDhiRVaT8NiLEWBGny1FBHOtVgCg2i/+
kEGKh8bE6aZO/Je2Cv/kt+E=
=FlOA
-----END PGP SIGNATURE-----

Note that the contents of the file appear between the "Hash: ..." and "-----BEGIN PGP SIGNATURE-----" lines.
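
To make this layout concrete, here is an added example (not from the original how-to) that pulls the signed text out of a clearsigned file and reports anything sitting outside the markers, which the signature does not cover. The function name and the sample are constructed; gpg's own output remains the authoritative check.

```shell
#!/bin/sh
# clearsign_text: read a clearsigned file on stdin and print the text that the
# signature covers, with dash-escaping ("- " prefix) undone. Exit status:
#   0 = one complete signed block and nothing else in the file
#   1 = extra text before or after the block (the signature does not cover it)
#   2 = markers missing or out of order
clearsign_text() {
    awk '
    BEGIN { state = "before"; stray = 0 }
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    state == "before" {
        if ($0 == "-----BEGIN PGP SIGNED MESSAGE-----") state = "headers"
        else if ($0 != "") stray = 1
        next
    }
    state == "headers" {                    # "Hash: ..." lines end at an empty line
        if ($0 == "") state = "text"
        next
    }
    state == "text" {
        if ($0 == "-----BEGIN PGP SIGNATURE-----") { state = "sig"; next }
        if (substr($0, 1, 2) == "- ") $0 = substr($0, 3)
        print
        next
    }
    state == "sig" {
        if ($0 == "-----END PGP SIGNATURE-----") state = "after"
        next
    }
    state == "after" && $0 != "" { stray = 1 }
    END { if (state != "after") exit 2; exit stray }'
}

# Constructed sample: the message from the how-to plus one dash-escaped line,
# with one line appended after the armor; the signature body is a placeholder.
SAMPLE='-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Does whiskey count as beer?
- -- Homer
-----BEGIN PGP SIGNATURE-----

(signature data omitted)
-----END PGP SIGNATURE-----
P.S. this line is outside the signed block'

printf '%s\n' "$SAMPLE" | clearsign_text || echo "status $?: text outside the signed block"
```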

To verify a file that has been signed and sent to you, use the --verify option with gpg:

[ 10 ] homerj -: gpg --verify smithers-doc.asc
gpg: Signature made Wed Jun 19 11:28:46 2002 UTC using DSA key ID 359B67CF
gpg: Good signature from "Wayland Smithers (Yes Man) <wsmithers@springnuc.com>"

To recover the original document from the signed document file, use GPG to decrypt it, just as in the last section.
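
When verification runs in a script, the "Good signature" line is not enough on its own, since gpg prints it for any key in your keyring. The added example below (not part of the original how-to) reads GnuPG's `--status-fd` output and accepts a file only when the `VALIDSIG` line carries the fingerprint you expect. The function names, the pinned fingerprint and the sample status lines are constructed.

```shell
#!/bin/sh
# verified_signer: read GnuPG status lines on stdin. Prints the signer's primary
# key fingerprint and returns 0 only if there is exactly one VALIDSIG line and
# no BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line.
verified_signer() {
    awk '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    # VALIDSIG: $3 is the signing key, $12 (when present) the primary key
    $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
    END { if (bad || n != 1) exit 1; print fpr }'
}

# signed_by PINNED_FPR: succeed only if stdin shows one valid signature made
# by the key whose full fingerprint is PINNED_FPR.
signed_by() {
    want=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    got=$(verified_signer) || return 1
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# Constructed status output; the fingerprint is a made-up placeholder ending
# in the key ID from the transcript above.
PINNED='0123 4567 89AB CDEF 0123  4567 89AB CDEF 359B 67CF'
STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF359B67CF Wayland Smithers (Yes Man) <wsmithers@springnuc.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF359B67CF 2002-06-19 1024486126 0 3 0 17 2 01 0123456789ABCDEF0123456789ABCDEF359B67CF
[GNUPG:] TRUST_UNDEFINED'

# Real use:
#   gpg --status-fd 1 --verify smithers-doc.asc 2>/dev/null | signed_by "$PINNED"
if printf '%s\n' "$STATUS" | signed_by "$PINNED"; then
    echo "accepted: valid signature from the pinned key"
else
    echo "rejected: missing, bad, or unexpected signature"
fi
```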


That's it! You should now have the basics to use GPG. Remember, for more information, including other methods of encrypting and signing documents, as well as an explanation of the concepts behind GPG, visit the GPG homepage and read the GPG manual.