Christopher Carter

For King and Country

GPG

April 16, 2024

GPG, short for “GNU Privacy Guard”, is an implementation of the OpenPGP standard (often just called “PGP”). It lets you encrypt and sign data, and is commonly used to verify software downloads and to encrypt email.

It can be difficult to find a single place that enumerates all the essential GPG concepts and terminology. I recommend reading the GPG website, the Email Self-Defense guide, and of course man gpg.

Generating a GPG key

  1. Run gpg --full-generate-key.
  2. Select RSA and RSA (an RSA primary key for signing and certifying, plus an RSA subkey for encryption).
  3. Enter 4096 for the key size.
  4. Enter an expiration date, e.g. 2y for 2 years. An expiry can be extended later, but a key you have lost control of with no expiry stays valid on keyservers indefinitely.
  5. Pick a strong passphrase; it is what protects the secret key on disk.

You can edit a key later (extend the expiry, add user IDs or subkeys) with gpg --edit-key [keyID].

Reading

You can list all public keys in your keyring with gpg --list-keys, and your own secret keys with gpg --list-secret-keys.

Uploading

Keys are uploaded to keyservers so others can fetch your public key and send you encrypted email.

  1. Find the key ID with gpg --list-keys [your@email].
  2. Upload it to a keyserver with gpg --send-keys [keyID]. Only the public key is sent; the secret key never leaves your machine.

Exporting

Exporting your key is necessary for importing it into your email client, and for giving your public key to others. The two commands export different things:

  1. gpg --export -a [keyID] > my_public_key.asc exports the public key (ASCII-armored, because of -a). This is the file you share or attach.
  2. gpg --export-secret-keys -a [keyID] > my_secret_key.asc exports the secret key, after asking for the passphrase. Use it only to move the key into your own email client, and delete the file afterwards.

Revoking a key

If a key becomes compromised (or you lose the passphrase), you revoke it with a revocation certificate, which you can generate for your key with

  1. gpg --gen-revoke --output revoke.asc [keyID]

To revoke your key, you then import the revocation certificate into your keyring. Note: generate the certificate when you create your key and keep it somewhere safe, offline, in case you need it later; generating it requires the secret key and the passphrase, which is exactly what you may no longer have at that point. (GnuPG 2.1 and later also write one automatically to openpgp-revocs.d in your GnuPG home directory when a key is generated.)

  1. gpg --import revoke.asc

If you uploaded your key to a keyserver, say pgp.mit.edu, you can find the key with

  1. gpg --keyserver pgp.mit.edu --search-keys [keyID]

and since you’ve already revoked it in your keyring, you can publish the revocation by sending the key to the server again:

  1. gpg --keyserver pgp.mit.edu --send-keys [keyID]
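
The revocation procedure above, carried out end to end in a throwaway keyring, as an added example that is not code from the original post. It also covers the key generation from the first section in its non-interactive form. It assumes gpg 2.1 or later on PATH (which writes a revocation certificate into openpgp-revocs.d at generation time, the same kind of certificate gpg --gen-revoke produces on demand); the user ID “Carol <carol@example.com>” is made up, and the --batch / --pinentry-mode loopback / --passphrase '' flags stand in for the passphrase prompt you would answer interactively.

```sh
#!/bin/sh
# Added example (not code from the original post): revoke a key in a throwaway
# keyring using the revocation certificate gpg 2.1+ writes at generation time,
# then confirm the key is listed as revoked and refused as a recipient.
# Assumes gpg 2.1+ on PATH; the user id "Carol <carol@example.com>" is made up.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; nothing to run" >&2; exit 0; }

GNUPGHOME=$(mktemp -d); export GNUPGHOME   # isolated home: nothing touches ~/.gnupg
chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

# Non-interactive gpg: the loopback/empty-passphrase flags replace the passphrase
# prompt for this demo only; a real key should have a passphrase.
G() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Validity letter from the "pub" record of the colon listing:
# 'u' ultimate (your own key), 'f' full, '-' unknown, 'e' expired, 'r' revoked.
key_validity() {  # key_validity <email>
  G --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $2; exit }'
}

# Batch form of the key generation in the first section: RSA 4096 primary for
# signing and certifying, RSA encryption subkey, two-year expiry.
G --quick-generate-key "Carol <carol@example.com>" rsa4096 default 2y
FPR=$(G --with-colons --fingerprint carol@example.com | awk -F: '$1 == "fpr" { print $10; exit }')
BEFORE=$(key_validity carol@example.com)

# gpg already wrote a revocation certificate for the new key. It is ASCII-armored,
# but the BEGIN line is prefixed with ':' so it cannot be imported by accident;
# back this file up offline, and strip the colon only when you really need it.
REV="$GNUPGHOME/openpgp-revocs.d/$FPR.rev"
test -f "$REV"
sed 's/^://' "$REV" | G --import
AFTER=$(key_validity carol@example.com)
echo "validity before: $BEFORE, after: $AFTER"   # prints "validity before: u, after: r"

# Once revoked, gpg refuses the key as an encryption recipient ("Unusable public key").
printf 'hello\n' > "$GNUPGHOME/m.txt"
if G --encrypt -r carol@example.com -o "$GNUPGHOME/m.asc" "$GNUPGHOME/m.txt" 2>/dev/null; then
  echo "unexpected: gpg encrypted to a revoked key" >&2; exit 1
fi
# To publish the revocation, send the (now revoked) public key to the keyserver
# you used, exactly as in the text above:  gpg --keyserver pgp.mit.edu --send-keys "$FPR"
```

The script never calls --send-keys, so it runs offline; publishing is the one step you have to do against the real keyserver. The colon in front of the armor header is the only thing standing between you and an accidental revocation, so keep the backup copy of the .rev file out of any directory that gets bulk-imported.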

Refreshing Keys

You can update the keys in your keyring (new signatures, changed expiry dates, revocations) from the keyserver with gpg --refresh-keys.

Add to Client

You can then import the exported key file into your email client and send and receive end-to-end encrypted email.

Managing Other Users

You can import someone else’s public key from a text file (say, called others_public_key) with gpg --import others_public_key. This adds their public key to your keyring. To fetch a key from a keyserver instead, use gpg --keyserver [keyserver] --recv-keys [keyID].

You can show the fingerprint of a public key with gpg --fingerprint their_email@example.com. Compare it with the fingerprint the owner gives you over another channel (in person, on a business card, over the phone) before relying on the key: anyone can upload a key with anyone’s name and email address to a keyserver.

If you have verified that the key belongs to that person, certify it with gpg --sign-key email@example.com. Your signature states that you checked the fingerprint, and it is how gpg decides the key is valid for encrypting to them. You can then export the signed key with gpg --output ~/signed.key --export --armor email@example.com and send it back; they import it with gpg --import ~/signed.key and can show others that you vouch for their key.

Encrypting and Decrypting

You can encrypt a message for someone using gpg --encrypt as follows

  1. gpg --encrypt --sign --armor -r person@email.com name_of_file

The -r flag names a recipient; add more -r flags for more recipients. --sign also signs the message with your own key, and --armor makes the output ASCII rather than binary. This writes a new file called name_of_file.asc (name_of_file.gpg without --armor).

To decrypt a message received from someone else, all you have to do is call gpg on the file you received. It writes the plaintext to name_of_file and reports whether the signature is good (add --decrypt to print to standard output instead).

  1. gpg name_of_file.asc

Encrypting vs Signing

Encrypting is about privacy, signing is about verification. If you want a message to be private, you encrypt it. If you want someone else to be able to verify that you sent a message and that it was not altered in transit, you sign it. If you want both, do both; encryption alone says nothing about who sent the message.

Keyrings

A GPG key contains the public key material needed to encrypt messages to the keyholder and to verify things signed by that keyholder; your own keys also carry the secret half, which decrypts and signs. A “keyring” is the set of keys stored on your computer: your own, and the public keys of other people, which let you encrypt to each of them and verify their signatures.

in hoc signo, vinces

© 2021-2025 Chris Carter. All rights reserved.