The GNU Privacy Guard (GPG) package—a free alternative to the Pretty Good Privacy (PGP) suite of cryptographic utilities—is used to encrypt and decrypt files. With GPG, you can send an encrypted file to colleagues or friends, who can then decrypt it, provided they have the correct key.
To encrypt and decrypt files, GPG uses a pair of keys: one private key and one public key. You use the public key for encryption. You can freely distribute this key to friends and colleagues with whom you want to exchange encrypted information. The private key is used for decryption, so you need to keep it safe. When you generate a private key, GPG prompts you for a passphrase, thus providing further protection.
For example, suppose I want to exchange encrypted documents with my friend Peter. To do this, we both need to generate a pair of GPG keys and exchange our public keys with each other. I can then use Peter's public key to encrypt a document and send it to him. Peter uses his private key and passphrase to decrypt the document. After Peter amends the document, he encrypts it using my public key and sends it back to me for review. I then use my private key and passphrase to decrypt the document.
Let's take a closer look at this process. For our purposes, let's assume that both Peter and I have already downloaded and installed GPG.
Generating the Keys
The first step is for Peter and me to generate our key pairs using the command:
When you run this command, GPG will prompt you to select the security algorithm you want to use, the key length, and when you want the keys to expire (you can also accept the default options). GPG will then prompt you for your name, email address, and passphrase.
After GPG generates the keys, it places them in the .gnupg folder in your HOME directory. The public key is placed in a file named pubring.gpg, which is the public keyring (i.e., collection of keys). The private key is placed in a file named secring.gpg, which is the secret keyring. The .gnupg folder also holds a basic configuration file for GPG, which I'll discuss later.
Exchanging the Keys
Peter and I now need to exchange our public keys, which happens in two stages. In stage 1, I export the public key in my public keyring, and then Peter imports it into his public keyring. In stage 2, Peter exports his public key, and then I import it. In both stages, the public key is exported in ASCII mode. Let's look at the stages in more detail.
Stage 1. To begin, I list the keys in my public keyring using the command:
As you can see in Figure 1, my public key is in plaintext, so I use the --armor option with the --export option to export the david_tansley key to a file named david_t_pub.key:
Note that the --armor option produces ASCII output, so an exported public key can be sent in the body of an email.
Next, I confirm that the david_t_pub.key file has been created by using the command:
The results show that it's been created, so I notify Peter. He then imports my public key into his own public keyring in the HOME/.gnupg directory:
$ gpg --import david_t_pub.key
Next, Peter confirms that the public key has been imported by listing his keys:
As you can see in Figure 2, Peter now has my public key (david_tansley) in his public keyring.
Stage 2. Now the reverse happens. After Peter lists the keys in his public keyring, he uses the --armor and --export options to export his public key to a file named peter_pub.key:
I then import his public key into my public keyring with the command:
$ gpg --import peter_pub.key
To make sure his key is included in my public keyring, I check it:
As you can see in Figure 3, I now have Peter's public key (peter) in my public keyring.
Changing the Trust Level
Even though Peter and I have exchanged public keys, GPG will ask me whether I trust Peter's key when I decrypt his file, and vice versa. To eliminate this type of prompt, you can change the level of trust for a public key.
Assume Peter wants to give my public key the highest level of trust. To change the level of trust, he can edit the david_tansley public key:
$ gpg --edit-key david_tansley
After Peter runs trust at the Command> prompt, the prompt in Figure 4 appears. When Peter enters 5 (I trust ultimately), he'll be asked
When he types y, the new level of trust will be given to my public key on Peter's keyring. In effect, Peter is stating he completely trusts me.
Encrypting and Decrypting Files
Peter and I have exchanged our public keys, so we can now encrypt files using the other person's public key. For example, suppose that I create the following file:
Do not forget to bring
your GPS system on the next ride out!
The following command encrypts the file with Peter's public key; the output file is named ourfile.x:
$ gpg --output ourfile.x --encrypt --recipient 'peter' ourfile
As you can see, I specified the recipient's name. Note that although I'm encrypting a text file, I didn't use the --armor option. Generally, though, you should use the --armor option when using plaintext files.
The ourfile.x file is now encrypted and unreadable to the human eye. The file is then transferred to Peter, who will run the command:
$ gpg --decrypt ourfile.x
Peter will be prompted to provide his passphrase to decrypt the file. Note that if the file already exists on Peter's system, he'll be asked whether or not he wants to overwrite it.
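The whole exchange described above, scripted so that it runs unattended, as an added example that is not part of the article. It assumes GnuPG 2.1 or later (for %no-protection and gpgconf), uses constructed names and addresses, replaces the interactive trust prompt with an imported ownertrust record, and round-trips the sample file between two throwaway keyrings:

```shell
# Added example (not from the article): the David/Peter exchange run end to end in
# two throwaway keyrings. Assumes GnuPG 2.1+; names and addresses are constructed.

# Generate an unprotected key pair (signing primary, encryption subkey) in keyring $1.
make_key() {
    GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Scripted form of "Command> trust" answered with 5: import an ownertrust record
# (6 = ultimate) for the fingerprint of user id $2 in keyring $1.
trust_ultimately() {
    fpr=$(GNUPGHOME="$1" gpg --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ {print $10; exit}')
    echo "$fpr:6:" | GNUPGHOME="$1" gpg --quiet --import-ownertrust
}

# Returns 0 when Peter decrypts exactly what David encrypted, 2 when gpg is not installed.
gpg_exchange_demo() {
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d); david="$work/david"; peter="$work/peter"
    mkdir -m 700 "$david" "$peter"
    make_key "$david" "David Tansley" "david@example.com"
    make_key "$peter" "Peter" "peter@example.com"
    # Stages 1 and 2: armored export from one keyring, import into the other
    GNUPGHOME="$david" gpg --armor --export david@example.com > "$work/david_t_pub.key"
    GNUPGHOME="$peter" gpg --armor --export peter@example.com > "$work/peter_pub.key"
    GNUPGHOME="$peter" gpg --quiet --import "$work/david_t_pub.key"
    GNUPGHOME="$david" gpg --quiet --import "$work/peter_pub.key"
    # Without this, --batch encryption refuses Peter's unvalidated key instead of prompting
    trust_ultimately "$david" peter@example.com
    printf 'Do not forget to bring\nyour GPS system on the next ride out!\n' > "$work/ourfile"
    GNUPGHOME="$david" gpg --batch --quiet --output "$work/ourfile.x" --encrypt \
        --recipient peter@example.com "$work/ourfile"
    GNUPGHOME="$peter" gpg --batch --quiet --output "$work/ourfile.dec" --decrypt "$work/ourfile.x"
    [ "$(cat "$work/ourfile")" = "$(cat "$work/ourfile.dec")" ]; ok=$?
    for h in "$david" "$peter"; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null; done
    rm -rf "$work"
    return $ok
}
```

Because the keys are generated without a passphrase, no pinentry dialog appears; a real key should keep the passphrase the article recommends.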
Adding a Photo ID
You can personalize a public key by adding a photo ID to it. To view photo IDs, you need to use GPG in a graphical environment (e.g., Linux, Windows, AIXwindows). The image needs to be in a JPEG format and not too large.
To add a photo ID, edit the GPG configuration file, gpg.conf, in the HOME/.gnupg directory. In that file, uncomment these two lines:
Next, insert the full path to the image viewer you're going to use. For this example, I'm using the xv image viewer:
Note that %i will contain the name of the image file at runtime.
The last step is to add your .jpeg file to your keyring. In this example, I'm using a photo of myself, which is in the d_tansley.jpg file. So, to add the file, I use the command:
Command> addphoto /home/dxtans/d_tansley.jpg
That's it. Now when you access or list your public keys in a graphical environment, the image will be shown (see Figure 5). This image will be exported when you send your public key to other users. As long as they're using GPG in a graphical environment, they'll see your photo.
An Easy-to-Use Tool
As you've seen, sharing files that have been encrypted with GPG is pretty straightforward. You can also use GPG to sign files, which proves that a file came from you. Signing is generally applied to non-encrypted files that are distributed or offered for download from a website.