GPG Quickstart

What is GPG

GNU Privacy Guard (GPG, also GnuPG) is free encryption software that implements the OpenPGP standard (RFC 4880).

OpenPGP is the standard; GPG is one implementation of that standard.

It gives you a secure way to store your data in an open format rather than some proprietary one.

Using GPG you can encrypt (and decrypt) files that contain sensitive data (e.g. protected health information (PHI), notes, …).

Anatomy of GPG key

A GPG key has two components: a public key and a private key.

The public key is used to encrypt files (put the data in a safe and spin the lock). The private key is needed to read the encrypted file (you can’t open the safe without the key).

The private key is used to

  • Decrypt files that were encrypted with the matching public key.
  • Sign files, so that anyone can verify they could only have come from the holder of the private key.

CLI commands cheat sheet

There are tools that make GPG easier to use (e.g. GPGTools), but it’s always good to get the hang of some basic command-line usage first.

Assuming you already have some GPG keys, when all else fails, rely on the CLI.

List public keys

gpg --list-keys

List private keys

gpg --list-secret-keys

Generate a key

gpg --gen-key

Export keys

If you want one key pair for all your computers (work/home/server), you can export a key pair from one machine to another.

Export public key

gpg --export -a "User Name" > public.key

This will create a file called public.key containing the ASCII-armored representation of the public key for User Name. This is a variation on:

gpg --export
# or
gpg --export -a "User Name"

which on their own just dump the exported key material to your terminal (raw binary without -a, ASCII-armored with it).

Export private key

gpg --export-secret-key -a "User Name" > private.key

This will create a file called private.key containing the ASCII-armored representation of the private key for User Name. It’s pretty much like exporting a public key, but because this is the sensitive half of the pair you have to get past some default protections (gpg will ask for the key’s passphrase).

Using GPG

Encrypt data

gpg -e -u "Sender User Name" -r "Receiver User Name" somefile   

There are some useful options here, such as -u to specify the secret key to be used, and -r to specify the public key of the recipient.

As an example:

gpg -e -u "Charles Lockhart" -r "A Friend" mydata.tar   

This should create a file called “mydata.tar.gpg” that contains the encrypted data. I think you specify the sender’s username so that the recipient can verify that the contents are from that person (using the fingerprint?).

NOTE!: mydata.tar is not removed; you end up with two files, so if you want only the encrypted file to exist, you have to delete mydata.tar yourself.

Decrypt Data

gpg -d mydata.tar.gpg   

If you have multiple secret keys, it’ll choose the correct one, or output an error if the correct one doesn’t exist. You’ll be prompted to enter your passphrase.

Afterwards you’ll have the file “mydata.tar” as well as the encrypted “original”, mydata.tar.gpg.

NOTE: when I originally wrote this cheat sheet, that’s how it worked on my system; however, it now looks like “gpg -d mydata.tar.gpg” dumps the file contents to standard output.

The working alternative (it worked on my system, anyway) is to use “gpg -o outputfile -d encryptedfile.gpg”, or, using mydata.tar.gpg as an example, I’d run “gpg -o mydata.tar -d mydata.tar.gpg”.

Alternatively you could run something like “gpg -d mydata.tar.gpg > mydata.tar” and just redirect the output into a file. Seemed to work either way.

Ok, so what if you’re a paranoid bastard and want to encrypt some of your own files, so that nobody who breaks into your computer can read them? Simply encrypt them using yourself as the recipient.
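As an added example (not part of this cheat sheet), the script below runs the whole procedure above end to end without any prompts: generate a key, export the public and private halves, import the pair on a second computer, encrypt a file to a friend, decrypt it, sign and verify it, and encrypt a file to yourself. Two throw-away GNUPGHOME directories stand in for your two computers and a third for the friend. It assumes gpg 2.1 or newer is on PATH; the user names, passphrase and sample file are constructed. --batch, --pinentry-mode loopback and --passphrase replace the interactive passphrase dialog, and --trust-model always stands in for the “Use this key anyway?” question that you would normally answer by checking the recipient’s fingerprint.

```shell
#!/bin/sh
# Added walkthrough, not part of the original cheat sheet. Two throw-away
# GNUPGHOME directories stand in for Alice's two computers ("home" and
# "laptop") and a third for the recipient, Bob. Assumes gpg 2.1 or newer on
# PATH; the names, passphrase and file contents are constructed for the demo.
set -eu

PASSPHRASE='correct horse battery staple'   # constructed demo passphrase

# Fresh, private keyring directory. allow-loopback-pinentry lets the scripted
# --passphrase below stand in for the interactive passphrase dialog.
new_home() {
    mkdir -m 700 "$1"
    echo allow-loopback-pinentry > "$1/gpg-agent.conf"
}

# Run gpg against one keyring directory with every prompt answered up front.
gpg_in() {
    _home=$1; shift
    gpg --homedir "$_home" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase "$PASSPHRASE" "$@"
}

# Unattended "gpg --gen-key": the answers the interactive dialog would ask for
# come from a parameter file on stdin (RSA 2048 primary key plus a subkey).
gen_key() {
    gpg_in "$1" --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
Passphrase: $PASSPHRASE
%commit
EOF
}

# Whole procedure: generate, export, import, encrypt to a friend, decrypt,
# sign/verify, encrypt to yourself. Sets DEMO_STATUS to ok, or to skipped when
# gpg is not installed; any failing step aborts the script because of set -e.
gpg_roundtrip_demo() {
    DEMO_STATUS=skipped
    command -v gpg >/dev/null 2>&1 || return 0

    work=$(mktemp -d)
    home=$work/home; laptop=$work/laptop; bob=$work/bob
    new_home "$home"; new_home "$laptop"; new_home "$bob"

    gen_key "$home" 'Alice Example' 'alice@example.test'
    gen_key "$bob"  'Bob Example'   'bob@example.test'

    # Export (ASCII-armored). The secret export needs the passphrase: that is
    # the "default protection" the cheat sheet mentions.
    gpg_in "$home" --export -a 'Alice Example'            > "$work/alice-public.key"
    gpg_in "$home" --export-secret-key -a 'Alice Example' > "$work/alice-private.key"
    gpg_in "$bob"  --export -a 'Bob Example'              > "$work/bob-public.key"

    # Alice's pair goes to her laptop (the secret export also carries the public
    # half); Bob's public key goes to both of Alice's machines; Alice's public
    # key goes to Bob so he can verify her signatures.
    gpg_in "$laptop" --import "$work/alice-private.key"
    gpg_in "$laptop" --import "$work/bob-public.key"
    gpg_in "$home"   --import "$work/bob-public.key"
    gpg_in "$bob"    --import "$work/alice-public.key"

    printf 'constructed sample: protected health information\n' > "$work/mydata.tar"

    # gpg -e -u "Sender" -r "Receiver" file. -u selects a signing key, so it
    # changes nothing unless you also sign. Interactively gpg would ask "Use
    # this key anyway?" because nobody has verified Bob's key; for the demo
    # --trust-model always answers yes. In real use, check Bob's fingerprint.
    gpg_in "$laptop" --trust-model always \
        -e -u 'Alice Example' -r 'Bob Example' "$work/mydata.tar"
    test -f "$work/mydata.tar.gpg"   # encrypted copy created ...
    test -f "$work/mydata.tar"       # ... and the plaintext is NOT removed

    # Bob decrypts. -o names the output file instead of dumping it to stdout.
    gpg_in "$bob" -o "$work/bob-copy.tar" -d "$work/mydata.tar.gpg"
    cmp -s "$work/mydata.tar" "$work/bob-copy.tar"

    # Signing: only Alice's private key can produce this signature, and Bob
    # checks it with her public key (--verify exits non-zero on a bad signature).
    gpg_in "$home" -o "$work/mydata.tar.sig" --detach-sign "$work/mydata.tar"
    gpg_in "$bob" --verify "$work/mydata.tar.sig" "$work/mydata.tar"

    # Encrypt to yourself: you are the recipient, and your own key is already
    # ultimately trusted, so no confirmation. The imported pair decrypts it on
    # the laptop too.
    gpg_in "$home"   -o "$work/notes.gpg" -e -r 'Alice Example' "$work/mydata.tar"
    gpg_in "$laptop" -o "$work/notes.txt" -d "$work/notes.gpg"
    cmp -s "$work/mydata.tar" "$work/notes.txt"

    # Stop the per-keyring agents gpg started and remove the scratch space.
    for h in "$home" "$laptop" "$bob"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    DEMO_STATUS=ok
}

gpg_roundtrip_demo
echo "demo: $DEMO_STATUS"
```

The passphrase on the command line is only acceptable for a throw-away demo keyring; for your real keys let gpg prompt you, and answer the “Use this key anyway?” question by comparing the recipient’s fingerprint out of band rather than with --trust-model always.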

Integration with emacs

See Emacs with GPG2 notes.