Research and Development
Install GnuPG
sudo apt install gnupg
Optionally, install Nautilus extension:
sudo apt install seahorse-nautilus
Optionally, download The GNU Privacy Handbook.
Encrypt file using passphrase:
gpg -c –o filename.gpg filename
To verify the signature, type:
gpg --verify filename.gpg
Note: GnuPG will prompt for password from the terminal, to avoid logging the password in history.
Encrypting existing archive using the default symmetric cipher (using the same passphrase for encryption and decryption):
gpg -o fileToTar.tgz.gpg --symmetric fileToTar.tgz
Again, GnuPG will prompt for a passphrase.
To decrypt the file:
gpg fileToTar.tgz.gpg
Use the tar command to create an archive and pipe it to the gpg command for encryption and password protection.
Example using the AES-256 encryption algorithm:
tar czvpf - file1.txt file2.pdf file3.jpg | gpg --symmetric --cipher-algo aes256 -o myarchive.tar.gz.gpg
Again, GnuPG will prompt for a passphrase. The archive will be created as an encrypted archive, using a secure algorithm and protected by the given custom passphrase.
Extracting the encrypted archive:
gpg -d myarchive.tar.gz.gpg | tar xzvf -
The --full-generate-key option generates the keys in an interactive session within the terminal window. GnuPG will prompt for a passphrase.
gpg --full-generate-key
Pick an encryption type from a menu. Unless you have a good reason not to, type 1 and press Enter.
Choose a bit-length for the encryption keys (Enter to accept the default).
Specify how long the key should last. If 1y is selected, he key will last 12 months and will need renewing after one year.
Finally, GnuPG will prompt for a passphrase.
GnuPG keeps the public keys in your key ring.
Note: The key ring is simply the public keys stored in a file, but the name sounds nice because everyone has a key ring in the real world, and these keys are keys of a sort.
To list the keys in your key ring, type:
gpg --list-keys
Backup all the files stored in the ~/.gnupg folder.
Note: The private keyring is protected by a passphrase.
If needed, export an ascii armored version of the private key:
gpg --output private.pgp --armor --export-secret-key username@email.com
To revoke the key, run the following command:
gpg --output revoke.asc --gen-revoke uid
The uid will be the key user id, e.g. the email address. This will generate a revocation certificate (the passphrase used to generate the certificate will be required). A revocation reason will be required, selecting from a numbered list ranging from zero to three.
The command will output the certificate to a file (in this example: revoke.asc).
To share files, messages and/or emails with others, share the public key by exporting it.
To export the public key to a file, open a terminal and type:
gpg --armor --export your@emailaccount.com > key.asc
To export the key in a readable format (for example, as ASCII in a text file), run the following:
gpg --armor --output key.txt --export your@emailaccount.com
This file can be viewed using a standard text editor.
Type the following command to get the fingerprint of a key:
gpg --fingerprint some@email.com
If you think that the key fingerprint is good, you can sign the key and validate it. Here's the command you use to sign the key:
gpg --sign-key some@email.com
GPG asks for confirmation and then prompts you for the passphrase. After that, GPG signs the key.
Note: Because key verification and signing are potential weak links in GPG, be careful about what keys you sign. By signing a key, you say that you trust the key to be from that person or organization.
Make the public key easy to share and find by registering it to a keyserver, such as the MIT repository.
First, find the key id by opening a terminal and typing:
gpg --fingerprint
Locate the key and take note of the final eight digits of the key user ID (the user ID fingerprint). For example, B852 085C.
Using the eight-digit user ID, register the key ok keyserver:
gpg --keyserver pgp.mit.edu --send-key B852085C
The public key will be registered with the keyserver, where others can then find and import it. The public key is safe to share. It cannot be used to decrypt files or messages but can be used to encrypt them and sent to you, where only you can decrypt them.
To encrypt a file, open a terminal and run the following:
gpg --encrypt --recipient 'your@emailaccount.com' --output encryptedfile.txt.enc originalfile.txt
Optionally, replace the recipient email with your key fingerprint if you'd prefer. Replace the output and input file names with the files you’re encrypting, as well as your output file.
To decrypt the file, run the following command:
gpg --decrypt --output decrypted.txt encryptedfile.txt.enc
Provide your passphrase to allow access to your private key to be able to decrypt the file. It'll then output the decrypted contents as the file listed under the --output flag.
A PGP public key contains information about one's email address. This is generally acceptable since the public key is used to encrypt email to your address. However, in some cases, this is undesirable.
For most use cases, the secret key need not be exported and should not distributed. If the purpose is to create a backup key, use the backup option:
gpg --output backupkeys.pgp --armor --export --export-options export-backup user@email.com
This will export all necessary information to restore the secrets keys including the trust database information. Make sure you store any backup secret keys off the computing platform and in a secure physical location.
If this key is important to you, you may print out the key on paper using paperkey and place the paper key in a fireproof/waterproof safe.
In general, it's not advisable to post personal public keys to key servers.
There is no method of removing a key once it's posted and there is no method of ensuring that the key on the server was placed there by the supposed owner of the key.
It is much better to place your public key on a website that you own or control. Some recommend keybase.io for distribution. However, that method tracks participation in various social and technical communities which may not be desirable for some use cases.
For the technically adept, the webkey domain level key discovery service could be an option.