Without delving deep into concepts, let’s take a quick approach to encryption using GnuPG (also GPG). Encryption is becoming more and more essential today. We will check how GPG can be used to secure the communication between two parties. The scenario here is to share a file between two users on a public network line.
The basic requirement for encryption is that the user has a pair of public/private key using which the data is encrypted/decrypted. The user generates the key pair and distributes the public key to the general world. The private key is retained by the user and is used to decrypt the data. The public key is used by the rest of the world to encrypt and send data to the user.
In brief, the steps involving encryption are below. Assume user B wants to send a file to user A. The user B should encrypt the file with user A’s public key. User A will receive the file in an encrypted form. The file can be decrypted using only A’s private key. Since the file was exchanged in the encrypted format, there is no way for an eavesdropper to read the contents of the file. It is A’s responsibility to publish the public key for everyone to see and to secure the private key from being misused. The strength of this encryption lies in the keys. Hence the bigger the keys, more secure is the encryption. The steps can be summarized as follows:
- User A publishes the public key
- User B encrypts the file using A’s public key
- The file is shared
- User A decrypts the file using the private key
- User A now has the file (and its contents)
The only weakest link in the entire procedure is the possibility that user B gets the wrong public key. It becomes B’s responsibility to confirm if the public key belongs to user A or not. There are ways to do that too. In this post, we will follow the basic encryption/decryption cycle from a beginner’s perspective. The major steps we will focus on are below:
- Generating key pair
- Listing the keys
- Sharing the public key
- Importing the public key
- Validating the public key
- Encrypting the document
- Decrypting the document
The following commands were executed on Linux.
1. Generating key pair
The public/private key is first generated by the user A for use. The command to generate the keys is below:
$ gpg –-gen-key
This command prompts for information. Our responses are typed in Red.
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
The explanation for each option can be found in the documentation. Mostly the default values suffice.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024)1024
Requested keysize is 1024 bits
The longer keysizes enhance security.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
The above questions prompts for the expiry date of the key. We chose default.
Real name: Vikram
Email address: vsingh@sierraatlantic.com
Comment: Vikram’s GPG key pair
You selected this USER-ID:
“Vikram (Vikram’s GPG key pair) <vsingh@sierraatlantic.com>”
The prompts can again be checked when we list the key generated. We will see how in the next step. Meanwhile we need a passphrase to secure our key. The prompt is shown below
Enter passphrase:
Repeat passphrase:
You need a Passphrase to protect your secret key. Remember the key used.
The keys are now generated in the user’s $HOME/.gnupg directory.
2. Listing the keys
The keys you currently have in your key-ring can be listed using the below command:
$ gpg –list-keys
/u18/app/oracle/.gnupg/pubring.gpg
————————————-
pub 1024D/BA079D00 2010-05-25 Vikram (Vikram’s GPG key pair) <vsingh@sierraatlantic.com>
sub 1024g/2351CA0A 2010-05-25
Notice the above listing shows the Name, Email-ID and the comment we supplied in our previous step where we generated the keys. This information is stored in the user’s $HOME directory under hidden directory .gnupg. Notice there’s a dot (.) at the beginning of the directory name. In Unix, directories can be made hidden by beginning the name of that directory with a dot.
Let’s now share the public key with user B now.
3. Sharing the public key
The key information is stored in the $HOME/.gnupg directory of a user. The following command lets us export the public key into a readable format that we can share with others.
$ gpg –armor –export vsingh@sierraatlantic.com > pubkey.gpg
The above command exports the public key associated with vsingh@sierraatlantic.com into a file pubkey.gpg. This is the public key that will be shared with the world.
4. Importing the public key
Once the public key is received, user B can import the key into his key ring. The following command lets user B import user A’s public key.
$ gpg –import pubkey.gpg
gpg: /home/sadba/.gnupg: directory created
gpg: new configuration file `/home/sadba/.gnupg/gpg.conf’ created
gpg: WARNING: options in `/home/sadba/.gnupg/gpg.conf’ are not yet active during this run
gpg: keyring `/home/sadba/.gnupg/secring.gpg’ created
gpg: keyring `/home/sadba/.gnupg/pubring.gpg’ created
gpg: /home/sadba/.gnupg/trustdb.gpg: trustdb created
gpg: key 814B92F9: public key “Vikram (Vikram’s GPG key pair) <vsingh@sierraatlantic.com>” imported
gpg: Total number processed: 1
gpg: imported: 1
After the A’s public key is imported into user B’s key ring, B can encrypt the files using A’s key. The file can then be decrypted only using A’s private key.
5. Validating the public key
Once a key is imported, it should be validated. Here is how you do that:
$ gpg –edit-key pubkey.gpg
command> fpr
command> sign
Really sign? y
command> check
More on validating can be found in the documentation.
6. Encrypting the document
Let’s get to work now. We will encrypt a sample file as shown below:
$ gpg –output hello.gpg –encrypt –recipient vsingh@sierraatlantic.com hello.txt
The file hello.txt will now be encrypted under hello.gpg. This is the encrypted file that will be sent to user A. No eavesdropper will be able to decrypt this file unless (s)he obtains the private key of the user A. It’s A’s responsibility to keep the private key safe. Let’s mail the file hello.gpg to user A.
7. Decrypting the document
User A now receives the file hello.gpg in an encrypted format. A can read the file only after the file is decrypted. The file can be decrypted only with A’s private key. The command to decrypt is below:
$ gpg –output hello.txt –decrypt hello.gpg
Enter passphrase:
Isn’t it simple? The file hello.gpg is now decrypted into hello.txt. (User A can name the file anything). The command asks for the user’s passphrase. This is the most crucial part of decryption. Only user A should know the passphrase. This is the same passphrase that was given in our step (1) when we generated our keys. We laid emphasis on the word remember in that step.
In this post we saw the basic steps how to encrypt and decrypt the files using GnuPG. Our post only discusses the basics of the matter. For those interested in reading more, the GNU Privacy Handbook documentation is the right place.
Oracle Blog 