Gpg
From Attie's Wiki
(Difference between revisions)
m (Created page with 'How to make use of GPG (GNU Privacy Guard) <source lang="bash"> # make a key (it is often necessary to copy a large file in order to generate enough random data - roughly 2GB sh…') |
m |
||
| (9 intermediate revisions by one user not shown) | |||
| Line 2: | Line 2: | ||
<source lang="bash"> | <source lang="bash"> | ||
| − | # make a key (it is often necessary to copy a large file in order to generate enough random data - roughly | + | # make a key (it is often necessary to copy a large file in order to generate enough random data - roughly 3GB should do for a 2048-bit key) |
gpg --gen-key | gpg --gen-key | ||
| Line 10: | Line 10: | ||
# export the public key (for use by others) | # export the public key (for use by others) | ||
| − | gpg --armor --output pubkey.txt --export | + | gpg --armor --output pubkey.txt --export ${key-id} |
# export a secret key (be safe!) | # export a secret key (be safe!) | ||
| − | gpg --armor --output privkey.txt --export-secret-keys | + | gpg --armor --output privkey.txt --export-secret-keys ${key-id} |
# import a key (public or private) | # import a key (public or private) | ||
gpg --import key.asc | gpg --import key.asc | ||
| − | # send your public key to a public server | + | # send your public key to a public server - it may take a minute or two to appear, presumably there is some server-side processing to be done |
| − | gpg --send-keys | + | gpg --send-keys ${key-id} |
# retrieve a public key from a public server | # retrieve a public key from a public server | ||
gpg --search-keys 'myfriend@his.isp.com' | gpg --search-keys 'myfriend@his.isp.com' | ||
# encrypt a file | # encrypt a file | ||
| − | gpg --encrypt --recipient | + | gpg --encrypt --recipient ${key-id} foo.txt |
# decrypt a file | # decrypt a file | ||
gpg --output foo.txt --decrypt foo.txt.gpg | gpg --output foo.txt --decrypt foo.txt.gpg | ||
| Line 30: | Line 30: | ||
# verify a file's signature | # verify a file's signature | ||
gpg --verify crucial.tar.gz.asc crucial.tar.gz | gpg --verify crucial.tar.gz.asc crucial.tar.gz | ||
| + | |||
| + | # edit a key | ||
| + | gpg --edit-key ${key-id} | ||
</source> | </source> | ||
| − | {| | + | {|class="wikitable" |
! Long !! Short !! Description | ! Long !! Short !! Description | ||
|- | |- | ||
| Line 49: | Line 52: | ||
| --decrypt || -d || decrypt a file | | --decrypt || -d || decrypt a file | ||
|- | |- | ||
| − | | --detach- | + | | --detach-sig || -b || make a detached signature |
|} | |} | ||
| + | |||
| + | ==Uncertain Ownership== | ||
| + | <code>It is NOT certain that the key belongs to the person named in the user ID.</code><br> | ||
| + | This message can be caused if you import a key that was generated on another system. | ||
| + | It can be prevented by one of the following methods: | ||
| + | ===Permanently=== | ||
| + | # Run <code>gpg --edit-key ${key-id}</code> | ||
| + | # Enter the command <code>trust</code> | ||
| + | # Select the appropriate trust level | ||
| + | |||
| + | ===Every Execution=== | ||
| + | <source lang="bash"> | ||
| + | gpg --encrypt --yes --no-tty --trust-model always --recipient ${key-id} | ||
| + | </source> | ||
==key-id?== | ==key-id?== | ||
| − | The <code> | + | The <code>${key-id}</code> tags above generally mean the 32-bit identifier, in hex. |
| + | It appears that you can often use the email address to identify a key as well. | ||
<source lang="text"> | <source lang="text"> | ||
$ gpg -k | $ gpg -k | ||
| Line 62: | Line 80: | ||
sub 2048R/E8423A6F 2012-02-23 | sub 2048R/E8423A6F 2012-02-23 | ||
</source> | </source> | ||
| − | The ''fake'' key information from above has a <code> | + | The ''fake'' key information from above has a <code>${key-id}</code> of <code>0x8462FC4A</code><br> |
In some situations like the <code>--recipient</code> argument you may use the name <code>Attie Grande</code>, part of the name <code>Attie</code>, or the identifier <code>0x8462FC4A</code> | In some situations like the <code>--recipient</code> argument you may use the name <code>Attie Grande</code>, part of the name <code>Attie</code>, or the identifier <code>0x8462FC4A</code> | ||
| + | |||
| + | ==Send files via a secure channel== | ||
| + | ''Secure'' in that it is encrypted, not so much in that this example uses netcat. | ||
| + | |||
| + | The recipient is <code>${RECIPIENT}</code>, I have his public key. | ||
| + | |||
| + | ===Sender=== | ||
| + | <source lang="bash"> | ||
| + | tar -caf - -C ${SRC_DIR} ${FILES} | gzip | gpg -e -r ${RECIPIENT} - | nc -l 27015 | ||
| + | </source> | ||
| + | |||
| + | ===Receiver=== | ||
| + | <source lang="bash"> | ||
| + | nc ${SERVER} 27015 | gpg -o - -d | gzip -d | tar -xv | ||
| + | </source> | ||
Latest revision as of 14:14, 2 April 2015
How to make use of GPG (GNU Privacy Guard)
# make a key (it is often necessary to copy a large file in order to generate enough random data - roughly 3GB should do for a 2048-bit key) gpg --gen-key # view the stored keys gpg --list-keys gpg --list-secret-keys # export the public key (for use by others) gpg --armor --output pubkey.txt --export ${key-id} # export a secret key (be safe!) gpg --armor --output privkey.txt --export-secret-keys ${key-id} # import a key (public or private) gpg --import key.asc # send your public key to a public server - it may take a minute or two to appear, presumably there is some server-side processing to be done gpg --send-keys ${key-id} # retrieve a public key from a public server gpg --search-keys 'myfriend@his.isp.com' # encrypt a file gpg --encrypt --recipient ${key-id} foo.txt # decrypt a file gpg --output foo.txt --decrypt foo.txt.gpg # sign a file gpg --armor --detach-sign crucial.tar.gz # verify a file's signature gpg --verify crucial.tar.gz.asc crucial.tar.gz # edit a key gpg --edit-key ${key-id}
| Long | Short | Description |
|---|---|---|
| --list-keys | -k | list the public keys stored |
| --list-secret-keys | -K | list the private keys stored |
| --armor | -a | create ASCII armored output, the default is plain binary |
| --output | -o | write to output file |
| --recipient | -r | encrypt a file for the given recipeint |
| --encrypt | -e | encrypt a file |
| --decrypt | -d | decrypt a file |
| --detach-sig | -b | make a detached signature |
Contents |
[edit] Uncertain Ownership
It is NOT certain that the key belongs to the person named in the user ID.
This message can be caused if you import a key that was generated on another system.
It can be prevented by one of the following methods:
[edit] Permanently
- Run
gpg --edit-key ${key-id} - Enter the command
trust - Select the appropriate trust level
[edit] Every Execution
gpg --encrypt --yes --no-tty --trust-model always --recipient ${key-id}
[edit] key-id?
The ${key-id} tags above generally mean the 32-bit identifier, in hex.
It appears that you can often use the email address to identify a key as well.
$ gpg -k /home/attie/.gnupg/pubring.gpg ------------------------------ pub 2048R/8462FC4A 2012-02-23 uid Attie Grande <attie@attie.co.uk> sub 2048R/E8423A6F 2012-02-23
The fake key information from above has a ${key-id} of 0x8462FC4A
In some situations like the --recipient argument you may use the name Attie Grande, part of the name Attie, or the identifier 0x8462FC4A
[edit] Send files via a secure channel
Secure in that it is encrypted, not so much in that this example uses netcat.
The recipient is ${RECIPIENT}, I have his public key.
[edit] Sender
tar -caf - -C ${SRC_DIR} ${FILES} | gzip | gpg -e -r ${RECIPIENT} - | nc -l 27015
[edit] Receiver
nc ${SERVER} 27015 | gpg -o - -d | gzip -d | tar -xv
