GnuPG
What is Gnu Privacy Guard (GnuPG)?
GnuPG (GPG) is libre cryptography software that’s interoperable with Symantec’s proprietary PGP software; both implement the OpenPGP standard.
GnuPG is used for encrypting files and communications, as well as signing and verifying them.
Asymmetric vs Symmetric encryption
GnuPG can do both asymmetric and symmetric encryption.
- Asymmetric encryption has two mathematically linked keys: a public key (for encrypting) and a private key (for decrypting).
Only the private key can decrypt information encrypted with its public counterpart.
If others want to encrypt data and address it to you, they take a copy of your public key, encrypt the data with it, and send the result to you.
- Symmetric encryption uses a single key for both encryption and decryption.
It relies on a ‘shared secret’ (typically a password), which means anyone who knows that shared secret can decrypt, regardless of who they are.
It’s a lot less secure: instead of exchanging public keys, which can only encrypt (asymmetric), you exchange the encrypted information and the means of decrypting it, which extends the burden of trust and adds more points of failure.
If you understand how things work, best practices come naturally.
Creating a key pair (Private & Public)
The following sections are primarily intended for Linux users.
If you are using Windows, you can use gpg4win or follow along using WSL.
Firstly, install GnuPG with your package manager; for me, it’s:
emerge app-crypt/gnupg
You can then create a GnuPG key pair with:
gpg --full-gen-key
If your version of GPG is up to date (check with gpg --version), the defaults work well for most use cases;
It’s wise though to learn what’s best applicable for what you need.
Setting an expiration date of under two years is typically best practice for keys.
The expiration date can be extended, shortened, or revoked when seen fit.
Backing keys up
It’s preferable when backing up your key pair to store it offline (i.e., removable media).
You can even back up your key physically, on paper, using Paperkey.
Sharing & Adding Keys
List keys using:
gpg --list-keys
Sharing your key with others can be done with:
gpg --output example.key --armor --export example@example.org
You can import keys manually from files using the --import option.
gpg --import example.key
Key servers
One method of sharing one’s public key is a ‘key server.’
You can search for a key using a key server with:
gpg --keyserver pgp.mit.edu --search-keys [keyid]
Some popular key servers are listed below. (WARNING: Some key servers don’t allow you to delete keys; others do.)
Or try hosting your own key server:
Key trust
After you import a foreign key, you might see that its trust is listed as [Unknown].
This means the key is untrusted.
Anyone can make a key claiming to be anyone; it’s important to trust the source, verify the authenticity, and cross-reference key fingerprints.
You can view key fingerprints using:
gpg --fingerprint example@example.org
pub ed25519 2025-02-03 [SC]
20ED B890 8134 D318 0EA7 FE62 24AE 3AE7 39D5 5B60
uid [ultimate] example <example@example.org>
sub cv25519 2025-02-03 [E]
Trust values are used to indicate how much you trust someone and their judgment when signing other keys.
- 1 = I don’t know or won’t say
- 2 = I do NOT trust
- 3 = I trust marginally
- 4 = I trust fully
- 5 = I trust ultimately
You can sign another key, which marks that key as trusted by you, by editing the key and typing the sign command.
gpg --edit-key [keyid]
gpg> sign
gpg> save
The trust level can also be modified using the trust command after doing gpg --edit-key [keyid].
You can send back the signed public key, and the added signature adds your stamp of approval on its legitimacy.
This is a simplified explanation of ‘Web of Trust,’ in which your participation is optional.
Encrypting & Decrypting
Symmetric
You can encrypt files with symmetric encryption using:
gpg --verbose --no-symkey-cache --symmetric example.png
--no-symkey-cache is optional; it just stops gpg from caching the passphrase locally after encrypting.
--symmetric uses the default cipher algorithm (version dependent); if you wish to specify another, you can use --cipher-algo name.
Decrypting is the same in reverse: gpg writes the decrypted data to standard output, which you redirect into a file of the same type as the one you originally encrypted.
gpg --decrypt example.png.gpg > example.png
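As an added example that is not part of the original article, the following script runs the symmetric encrypt/decrypt round trip above non-interactively inside a throwaway GNUPGHOME: the passphrase is fed on stdin instead of through a pinentry dialog, --cipher-algo picks AES256 explicitly, and a wrong passphrase is shown to be rejected. It assumes GnuPG 2.1 or later is on PATH; the file contents and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): symmetric encryption and
# decryption in batch mode. Assumes GnuPG 2.1+ on PATH; the plaintext and
# passphrase below are constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; exit 0; }

WORK=$(mktemp -d)
GNUPGHOME="$WORK/home"; export GNUPGHOME   # throwaway keyring; ~/.gnupg is untouched
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Encrypt $1 to $1.gpg with a passphrase read from stdin. --pinentry-mode
# loopback lets gpg take it from --passphrase-fd 0 rather than a dialog;
# --no-symkey-cache keeps the agent from caching it, so the wrong-passphrase
# attempt further down is really tried instead of being served from cache.
sym_encrypt() {  # $1 = plaintext path; passphrase on stdin
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --no-symkey-cache --cipher-algo AES256 --symmetric \
        --output "$1.gpg" "$1"
}

# Decrypt $1 (a .gpg file) to $2 with a passphrase from stdin; gpg's exit
# status is returned, so a bad passphrase makes this non-zero.
sym_decrypt() {  # $1 = ciphertext path, $2 = output path
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --no-symkey-cache --output "$2" --decrypt "$1"
}

printf 'hello, world\n' > "$WORK/example.txt"
printf 'correct horse battery staple' | sym_encrypt "$WORK/example.txt"

# The ciphertext must not contain the plaintext.
if grep -q 'hello, world' "$WORK/example.txt.gpg"; then echo "plaintext leaked"; exit 1; fi

# Correct passphrase: the round trip restores the file byte for byte.
printf 'correct horse battery staple' | sym_decrypt "$WORK/example.txt.gpg" "$WORK/example.dec"
cmp -s "$WORK/example.txt" "$WORK/example.dec" && echo "round trip ok"

# Wrong passphrase: gpg reports a bad session key and exits non-zero.
if printf 'wrong' | sym_decrypt "$WORK/example.txt.gpg" "$WORK/example.bad" 2>/dev/null; then
    echo "BUG: wrong passphrase accepted"; exit 1
else
    echo "wrong passphrase rejected"
fi
```

Feeding the passphrase through a pipe is what makes this usable in scripts and cron jobs; the same two flags (--pinentry-mode loopback and --passphrase-fd 0) apply to the interactive commands in the article whenever no terminal is available.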
Asymmetric
You can encrypt files with asymmetric encryption using:
gpg --local-user your@gpg.key --recipient example@example.org --encrypt example.flac
The --recipient option can be your own key if you want your own private key to be required to decrypt the files.
Decrypting asymmetrically encrypted files is the same process as decrypting symmetrically encrypted ones.
gpg --decrypt example.flac.gpg > example.flac
Signing
If you’re certain a key belongs to the person it claims to be from, cryptographic signatures made with that key let you verify whether the signed data was tampered with by anyone.
Signing & Verifying
gpg --sign example.txt -u example@example.org
The --sign option outputs a compressed, signed version of the file you signed.
Detached signing
gpg --detach-sign example.txt -u example@example.org
Detached signatures output a .sig file alongside the original, uncompressed file you signed, which can be verified using:
gpg --verify example.txt.sig example.txt
Clearsign
If you’d like to create a clear-text signed message, you can do so using the --clearsign option.
echo "Example Message." | gpg --clearsign -u your@gpg.key > message.txt
This command pipes the text into GPG, signs it, and writes the signed message to a text file.
Verifying signatures can be done with the --verify option.
If you change any of the contents of the data being sent, the signature won’t validate.
Example below:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This is a example message by example@example.org.
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQQg7biQgTTTGA6n/mIkrjrnOdVbYAUCZ6f9pwAKCRAkrjrnOdVb
YC+KAP47cIl6dwzIEyNBTbg8Savp0Zy+Wf4XR7KGlCrK6cXYzgEAgkE0UneZSkzM
MpiHZ7XwaMNKmb6ssvLoWbpDg+9wkwQ=
=ihYn
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
=skiv
-----END PGP PUBLIC KEY BLOCK-----
If you haven’t properly trusted the key that made the signature, you may get this warning even when the signature is valid.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
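The following script is an added example, not code from the original article, that ties the sections above together end to end: it creates two key pairs in batch mode with a one-year expiry, exports one public key and imports it on the other side, checks the imported fingerprint against a value obtained out of band before certifying the key (the batch form of the sign command under "Key trust"), encrypts a file to that key, and finally makes and verifies a detached signature, including a tampered copy that must fail. Everything runs inside temporary keyrings so ~/.gnupg is never touched. It assumes GnuPG 2.1 or later on PATH; the names, e-mail addresses and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: a two-party walkthrough of
# key creation, sharing, fingerprint checking, key signing, asymmetric
# encryption and detached signatures inside throwaway keyrings.
# Assumes GnuPG 2.1+ on PATH; names and file contents are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; exit 0; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"          # one isolated GNUPGHOME per party
mkdir -m 700 "$ALICE" "$BOB"                  # gpg warns on looser permissions
trap 'for h in "$ALICE" "$BOB"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# Unattended key generation: ed25519 signing key plus cv25519 encryption
# subkey, expiring in one year (the article recommends under two).
make_key() {  # $1 = GNUPGHOME, $2 = real name, $3 = e-mail
    GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%commit
EOF
}

# 40-hex-digit fingerprint of the primary key matching a user id.
fingerprint() {  # $1 = GNUPGHOME, $2 = e-mail
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verify the detached signature from Bob's keyring; exit status is gpg's.
verify_sig() {  # $1 = file to check against $WORK/note.txt.sig
    GNUPGHOME="$BOB" gpg --batch --quiet --verify "$WORK/note.txt.sig" "$1" 2>/dev/null
}

make_key "$ALICE" "Alice Example" "alice@example.org"
make_key "$BOB"   "Bob Example"   "bob@example.org"

# Alice shares her public key; Bob imports it. It arrives with unknown validity.
GNUPGHOME="$ALICE" gpg --batch --armor --export alice@example.org > "$WORK/alice.asc"
GNUPGHOME="$BOB" gpg --batch --quiet --import "$WORK/alice.asc"

# Trust step: compare the imported fingerprint with one obtained out of band.
# Reading it from Alice's own keyring stands in for a phone call or key-signing
# party; in real use the two values must come from different channels.
EXPECTED=$(fingerprint "$ALICE" alice@example.org)
IMPORTED=$(fingerprint "$BOB" alice@example.org)
[ "$EXPECTED" = "$IMPORTED" ] || { echo "fingerprint mismatch, refusing to trust"; exit 1; }

# Bob certifies the key with a local (non-exportable) signature, the batch form
# of `gpg --edit-key ... sign`. His own key is ultimately trusted, so Alice's
# key becomes valid in his keyring and gpg stops warning about it.
GNUPGHOME="$BOB" gpg --batch --yes --quick-lsign-key "$IMPORTED"

# Asymmetric round trip: Bob encrypts to Alice's key; only Alice can decrypt.
printf 'meet at noon\n' > "$WORK/note.txt"
GNUPGHOME="$BOB" gpg --batch --yes --recipient alice@example.org \
    --output "$WORK/note.txt.gpg" --encrypt "$WORK/note.txt"
GNUPGHOME="$ALICE" gpg --batch --quiet --output "$WORK/note.dec" --decrypt "$WORK/note.txt.gpg"
cmp -s "$WORK/note.txt" "$WORK/note.dec" && echo "decrypted text matches original"

# Detached signature: Alice signs, Bob verifies, and a modified copy is rejected.
GNUPGHOME="$ALICE" gpg --batch --yes --local-user alice@example.org \
    --output "$WORK/note.txt.sig" --detach-sign "$WORK/note.txt"
verify_sig "$WORK/note.txt" && echo "signature good"
printf 'meet at one\n' > "$WORK/tampered.txt"
if verify_sig "$WORK/tampered.txt"; then
    echo "BUG: tampered file verified"; exit 1
else
    echo "tampered file rejected"
fi
```

The fingerprint comparison is the step that matters: import alone tells gpg nothing about who holds the key, and certifying it with --quick-lsign-key (rather than the exportable --quick-sign-key) records your own verification without publishing it to anyone else. Skip the certification and the "not certified with a trusted signature" warning above appears on every --verify, even though the signature itself checks out.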
Resources
Keysigning - debian.org
OpenPGP Best Practices - riseup.net
Validating other keys on your public keyring - gnupg.org
The GNU Privacy Guard Manual - gnupg.org
Web of trust - Wikipedia.org
(If information is incorrect or you wish to propose a change to the article, contact me.)