With a versatile key management system and access to several public key directories, GPG is a must-have for security-minded Linux users.
GnuPG (aka GNU Privacy Guard) is a free, open source replacement for Symantec’s PGP suite that allows you to encrypt and sign data security. With GnuPG, you can protect files on your local system and even communications with third parties. With a versatile key management system and access to several public key directories, GPG is a must-have for security-minded Linux users.
GnuPG can be used from the command line and is supported by email apps such as Thunderbird. For anyone who needs to encrypt and sign data on Linux, GnuPG is the way to go.
Let’s dive into this tool and see how you can use it to enhance the security and privacy of the data on your Linux systems. GnuPG is also available for other platforms (such as macOS and Windows) but I’ll limit this discussion to Linux only.
Why Do You Need GPG?
Using GPG ensures the secure transmission of information between parties and offers the ability to encrypt/decrypt files stored on local drives. By using this tool, the information contained within files and emails cannot be read by just anyone.
Of course, GPG uses key pairs to function. Those pairs consist of a public and private key. The private key is retained on your desktop or server and should never leave those machines (or be shared with anyone). The public key is intended to be shared with whoever needs to be able to decrypt your messages.
When using GPG with email, the process looks like this:
- The sender sends a public key to the receiver.
- The receiver sends a public key to the sender.
- The sender encrypts a message to the receiver with the receiver’s public key.
- The receiver receives the message and decrypts it with their private key.
Without the private key, the message cannot be decrypted.
The same thing holds true with local files. You can encrypt a file with GPG, using your keypair. When it comes time to decrypt the file, you’ll run the decryption command and, upon successfully typing the password associated with your key, the file will be accessible.
With that introduction out of the way, let’s see how this is implemented on Linux.
Install GPG
The first thing to do is install GPG. Since GNU PG can be found in the standard repositories of most Linux distributions, the installation is quite simple.
For example, on Ubuntu, the installation command is:
sudo apt-get install gnupg -y
If you’re using a Fedora-based distribution, the command would be:
sudo dnf install gnupg -y
You might find that GPG is already installed on your machine. If so, huzzah! One less step to take.
Creating Your First Key Pair
Now that GPG is installed, you have to generate your first key pair. There are two ways to do this, via the command line and one of the available GUIs (such as Seahorse for GNOME and KGpg for Plasma).
First, let’s create a key pair via the command line. This command will be the same, no matter the distribution you use. Generate your first key pair with:
gpg --full-generate-key
You’ll be asked to answer a few questions, such as:
- What kind of key you want
- What size key do you want
- How long the key should be valid
- Real name
- email address
- Comment (optional)
- Password
Whenever possible stick with the defaults (unless you have a reason otherwise). When the creation of the key finishes, you’ll be presented with the details, which you don’t need to save. You can then list your keys with the command:
gpg --list-keys
The list will include all keys you’ve created along with their associated name, email addresses, and creation dates.
If you opt to go the GUI route, the process of creating your first key is very simple. For example, with Seahorse, you only need to click + in the upper left corner, select the GPG key (Figure 1), and then fill out the necessary information.
Figure 1: You can create other types of keys and even straight-up passwords with Seahorse.
Encrypt a File With GPG
Now that you have your key ready, let me show you how to encrypt a file with GPG. If you want to encrypt a folder, you would first have to pack it into a file, such as you would with a command like:
tar cfz filename.tgz folder
How do you encrypt a file with GPG? Easy.
Let’s say the file in question is newstack.txt and you want to encrypt it with your own GPG key. To do that, the command would be something like this:
gpg --output newstack.tgz.gpg --encrypt --recipient RECEIVER newstack.tgz
Where RECIEVER is the email address associated with your personal GPG key pair. If you want to encrypt the file to be sent to another user, you would use the receiver’s email address. That, of course, requires you import the receiver’s public key. Here’s how to do that:
- Request the receiver’s GPG public key.
- Save that key to your local drive.
- Import the receiver’s GPG public key with the command (run within the directory housing the receiver’s public key you saved) gpg –import file.gpg (Where file.gpg is the public key file you saved from the receiver).
Now that you’ve imported the receiver’s public key, you can encrypt files using it and send the files to them, knowing only the holder of the private key that matches the public encryption key you used can open the file.
To decrypt a file encrypted with GPG, the command would be:
gpg --output newstack.tgz --decrypt newstack.tgz.gpg
The receiver of the file will be asked to enter the password for their key pair. Upon successful authentication, the command creates a new file with the name given after the –output option. Once the file has been decrypted, you can unpack it (if it’s a tgz or zip file) and view the contents.
And that’s the basics of using GPG on Linux. To find out more about how this tool works, be sure to read the official documentation, where you can read through the howtos, manuals, man pages, user guides, and more.
- phen0men4 and Adenman
- 2
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.