GPG implements the OpenPGP standard (RFC 4880), the most widely used e-mail encryption standard. It can be freely used, modified and distributed under the terms of the GNU General Public License.
To create a GPG key, first make sure that GnuPG is installed and that gpg-agent is running on your machine:
$ gpg-agent -v
gpg-agent[99806]: gpg-agent running and available
Creating a GPG Key
$ gpg --full-generate-key
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: User Name
Email address: username@users.noreply.github.com
Comment: Github GPG
You selected this USER-ID:
"User Name (Github GPG) <username@users.noreply.github.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key C97217D2XXXXXXX marked as ultimately trusted
gpg: revocation certificate stored as
'/Users/klakum/.gnupg/openpgp-revocs.d/41EA5DE93CCDXXXXXXXX75C97217D2XXXXXXX.rev'
public and secret key created and signed.
pub rsa4096 2019-09-09 [SC]
41EA5DE93CCDXXXXXXXX75C97217D2XXXXXXX
uid User Name (Github GPG) <username@users.noreply.github.com>
sub rsa4096 2019-09-09 [E]
GPG relies on public-key cryptography (RSA, in this case). Key generation produces a key pair: the public key can be distributed over a network and handed to anyone, whereas the private key must remain secret.
$ ls -l /Users/klakum/.gnupg/
total 32
srwx------ 1 klakum root 0 Sep 9 19:53 S.gpg-agent
srwx------ 1 klakum root 0 Sep 9 16:30 S.gpg-agent.browser
srwx------ 1 klakum root 0 Sep 9 16:30 S.gpg-agent.extra
srwx------ 1 klakum root 0 Sep 9 16:30 S.gpg-agent.ssh
drwx------ 3 klakum root 96 Sep 9 16:41 openpgp-revocs.d
drwx------ 4 klakum root 128 Sep 9 16:41 private-keys-v1.d
-rw-r--r-- 1 klakum root 1469 Sep 9 16:41 pubring.kbx
-rw------- 1 klakum root 32 Sep 9 16:40 pubring.kbx~
-rw------- 1 klakum root 600 Sep 9 16:46 random_seed
-rw------- 1 klakum root 1280 Sep 9 16:46 trustdb.gpg
Key data is stored in pubring.kbx (public keys; the secret keys live under private-keys-v1.d). To list the public keys, run:
$ gpg --list-keys
/Users/klakum/.gnupg/pubring.kbx
--------------------------------
pub rsa2048 2019-09-09 [SC] [expires: 2021-09-08]
A3244E8AEE9869CCA317C47F5D73XXXXXXXXXXX
uid [ultimate] Userr Name <username@email.com>
sub rsa2048 2019-09-09 [E] [expires: 2021-09-08]
Create a sample file my_file.txt and add some text to it:
$ touch my_file.txt
$ echo "Hello, GPG" > my_file.txt
$ cat my_file.txt
Hello, GPG
Encryption
To encrypt a file on the command line, enter:
$ gpg -e -r username@email.com my_file.txt
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2021-09-08
$ ls | grep my_file
my_file.txt
my_file.txt.gpg
Decryption
To decrypt a .gpg file on the command line, enter:
$ rm my_file.txt
$ gpg my_file.txt.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: encrypted with 2048-bit RSA key, ID 50F923E2FFA6D088, created 2019-09-09
"User Name <username@email.com>"
$ cat my_file.txt
Hello, GPG
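The interactive key-generation answers above (RSA primary for signing, RSA encryption subkey, expiry, user ID) and the encrypt/decrypt steps, as one added example that is not part of the original post: it drives gpg unattended with a batch parameter block inside a throwaway GNUPGHOME and then checks the round trip. The demo identity, key length and temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: the same key choices driven
# unattended, then an encrypt/decrypt round trip in a throwaway GNUPGHOME
# so the real keyring in ~/.gnupg is never touched.

# Emit a GnuPG batch parameter block equivalent to the interactive answers:
# RSA primary used for signing ([SC]) plus an RSA encryption subkey ([E]).
#   $1 real name, $2 e-mail, $3 key length in bits, $4 expiry ("0" or e.g. "2y")
gen_key_params() {
    printf '%%no-protection\n'   # demo key without passphrase, so no pinentry
    printf 'Key-Type: RSA\nKey-Length: %s\nKey-Usage: sign\n' "$3"
    printf 'Subkey-Type: RSA\nSubkey-Length: %s\nSubkey-Usage: encrypt\n' "$3"
    printf 'Name-Real: %s\nName-Email: %s\nExpire-Date: %s\n' "$1" "$2" "$4"
    printf '%%commit\n'
}

# Generate a key, encrypt a file to it, decrypt it and compare the plaintext.
# Uses its own temporary GNUPGHOME and removes it afterwards. Returns 0 on success.
roundtrip_demo() {
    home="$(mktemp -d)" || return 1
    chmod 700 "$home"                         # gpg warns on looser permissions
    GNUPGHOME="$home"; export GNUPGHOME
    email="demo@example.invalid"              # constructed identity for the demo
    gen_key_params "Demo User" "$email" 2048 2y | gpg --batch --quiet --gen-key \
        || { rm -rf "$home"; return 1; }
    printf 'Hello, GPG\n' > "$home/my_file.txt"
    # -e encrypt, -r recipient; -o names the output instead of the default
    # my_file.txt.gpg next to the input; --trust-model always skips the trust
    # check that would abort batch mode for a key that is not ultimately trusted.
    gpg --batch --yes --trust-model always -r "$email" \
        -o "$home/my_file.txt.gpg" -e "$home/my_file.txt" || { rm -rf "$home"; return 1; }
    # Explicit -d rather than letting gpg "guess what you mean" as in the post.
    gpg --batch --yes -o "$home/decrypted.txt" -d "$home/my_file.txt.gpg" \
        || { rm -rf "$home"; return 1; }
    cmp -s "$home/my_file.txt" "$home/decrypted.txt"; rc=$?
    gpgconf --kill gpg-agent 2>/dev/null      # stop the agent bound to this home
    rm -rf "$home"
    return $rc
}

# Runs the demo only when gpg is installed, so the functions can be sourced safely.
if command -v gpg >/dev/null 2>&1; then
    roundtrip_demo && echo "encrypt/decrypt round trip OK"
fi
```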
Use Case: GitHub
Generate an ASCII-armored public key block by running the command below:
$ gpg --armor --export <GPG Key ID>
Copy and paste the generated GPG public key block into your GitHub settings.
Configure your Git client to sign commits:
$ git config --local commit.gpgsign true
Make some changes in your repository, commit the change, and push. The commit should now be shown as GPG signed.
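Added example for the GitHub setup, not from the original post: it reads the machine-readable listing from `gpg --list-secret-keys --with-colons` to pin `user.signingkey` to a fingerprint next to `commit.gpgsign`, and shows how to check a signature locally. SAMPLE_LISTING is a constructed listing with placeholder key ids, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: pin git's signing key by
# fingerprint rather than relying on commit.gpgsign alone, then verify it.

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# The key ids and fingerprints are placeholders, not real keys.
SAMPLE_LISTING='sec:u:4096:1:89ABCDEF01234567:1568016000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1568016000::0000000000000000000000000000000000000000::User Name (Github GPG) <username@users.noreply.github.com>::::::::::0:
ssb:u:4096:1:76543210FEDCBA98:1568016000::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the full fingerprint of the first secret primary key whose capability
# field (field 12 of a "sec" record) contains lower-case "s", i.e. the primary
# key itself can sign. The "fpr" record after it carries the fingerprint in
# field 10. Reads the colon listing on stdin; prints nothing if no key qualifies.
signing_fingerprint() {
    awk -F: '
        $1 == "sec" { want = ($12 ~ /s/); next }
        $1 == "fpr" && want { print $10; exit }
        $1 == "ssb" { want = 0 }
    '
}

# Apply the configuration to the current repository:
#   user.signingkey  tells gpg which key to use; a fingerprint is unambiguous,
#                    whereas an e-mail may match several keys in the keyring
#   commit.gpgsign   sign every commit, as the post does with --local
configure_git_signing() {
    fpr="$(gpg --list-secret-keys --with-colons | signing_fingerprint)"
    [ -n "$fpr" ] || { echo "no secret signing-capable key found" >&2; return 1; }
    git config --local user.signingkey "$fpr"
    git config --local commit.gpgsign true
    echo "commits in this repository will be signed with $fpr"
}

# After committing, check the signature locally instead of only trusting the
# web UI badge (both commands exit non-zero on a bad or missing signature):
#   git verify-commit HEAD
#   git log --show-signature -1
```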
Delete GPG keys
$ gpg --delete-key "username@email.com"
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: there is a secret key for public key "username@email.com"!
gpg: use option "--delete-secret-keys" to delete it first.
$ gpg --delete-secret-keys "username@email.com"
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec rsa2048/XXXXXXXXXXXXXXX 2019-09-09 User Name <user.name@email.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
$ gpg --delete-key "username@email.com"
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa2048/XXXXXXXXXXXXXXX 2019-09-09 User Name <user.name@email.com>
Delete this key from the keyring? (y/N) y