{"id":2433,"date":"2023-03-12T18:41:00","date_gmt":"2023-03-12T13:11:00","guid":{"rendered":"https:\/\/smarttech101.com\/?p=2433"},"modified":"2023-03-12T18:41:05","modified_gmt":"2023-03-12T13:11:05","slug":"how-to-encrypt-and-sign-your-files-using-gpg","status":"publish","type":"post","link":"https:\/\/smarttech101.com\/how-to-encrypt-and-sign-your-files-using-gpg\/","title":{"rendered":"How to encrypt and Sign your files using GPG"},"content":{"rendered":"\n
GPG is used to encrypt and sign a file. In gpg, we have a key pair. Each key pair has one public and one secret (also known as private) key. <\/p>\n\n\n\n
Encryption<\/strong>: the public key is used to encrypt a message\/file; the corresponding private key is needed to decrypt it. For example, Bob encrypts a message\/file meant for Alice using Alice’s public key; only Alice can open it, using her private key.<\/p>\n\n\n\n Signature: <\/strong>one uses one’s own private key to sign a message\/file, and anyone holding the corresponding public key can verify it. For example, Alice signs a message with her private key. Using Alice’s public key, Bob can verify that Alice signed the message and that it has not been modified since. Note that a valid signature proves who signed, not who sent: a signed message can be forwarded by anyone.<\/p>\n\n\n\n Many Linux distributions are distributed over torrents or mirrors that the project does not control. They protect their users by digitally signing each release. You might always notice a Many password managers (for example pass) use GPG to store your passwords in encrypted form.<\/p>\n\n\n\n By default, gpg2 is already installed in most Linux distributions. If it is not pre-installed, install it from your distribution’s official repository; practically every distribution packages it. Only if it is not available there, build it manually. First, download the GnuPG (LTS) or GnuPG tarball together with its signature and checksum from the GPG Download Page<\/a>, and check them against the release-signing key before building: a tampered tarball would compromise everything you later encrypt with it.<\/p>\n\n\n\n Download the installer from the GPG Download page<\/a>. Run the installer. Add GPG to the Windows PATH. Now, you can run gpg from the Windows command prompt. <\/p>\n\n\n\n Or use Chocolatey:<\/p>\n\n\n\n In this article, I will mainly talk about Linux (Unix) based systems. For Windows, these commands have not been tested but they should work.<\/p>\n\n\n\n Use Homebrew.<\/p>\n\n\n\n GPG, by default, uses By default, GPG uses permissions 700 ( GPG sets its configuration from To generate a key pair, use the following command. 
It will guide you through the choices interactively. Two of them matter for security: set an expiry date (an expiring key limits the damage if you lose the secret key or forget to revoke it, and the date can be extended later), and protect the key with a strong passphrase. Keep the revocation certificate that gpg stores under openpgp-revocs.d somewhere safe and separate from the key; it is what you publish if the secret key is ever lost or compromised.<\/p>\n\n\n\n To list public keys present on your computer, use Output:<\/p>\n\n\n\n To list secret keys present on your computer, use Output:<\/p>\n\n\n\n Abbreviations used in the above outputs:<\/p>\n\n\n\n Note<\/strong>: <\/p>\n\n\n\n Observe the following output.<\/p>\n\n\n\n Here, the first word The public key has two parts – one master (primary) public key and one subordinate public key (subkey). The first two lines in the above output correspond to the master public key and the bottom two lines to the subordinate public key. Similarly, the secret key has two parts – one master secret key and one subordinate secret key. The capability letters explain the split: the primary key is marked [SC] (signing and certifying, i.e. it also signs other keys and user IDs) and the subkey [E] (encryption), so the two operations use different key material. <\/p>\n\n\n\n In this article, I will mainly talk about the master keys<\/strong>.<\/p>\n\n\n\n You should never share your secret keys with anyone. Public keys, on the other hand, are meant to be shared, which is why they are found all over the internet.<\/p>\n\n\n\n There are two fingerprints in the above output. The first one is for the public master key and the second one is for the public subordinate key. Because anybody can upload a key carrying your name and email address to a keyserver, a key you fetched from the internet must have its fingerprint verified before you trust it. Get the fingerprint from the key owner over a channel you trust (in person, a phone call, a business card, or a web page they control served over HTTPS) and match it with the above command’s result.<\/p>\n\n\n\n The corresponding secret keys have the same fingerprints.<\/p>\n\n\n\n Notice that the key ID is just the last 16 hex digits of the fingerprint (for example, In any command, you need to use the key identifier:<\/p>\n\n\n\n Here, <key-identifier> is the key ID, fingerprint, user-id, or part of it, etc. GPG is quite flexible in this regard. 
ZSH’s autocompletion also works here. Prefer the full fingerprint in scripts: a user-id or a short key ID can match more than one key, and gpg will silently pick one of them.<\/p>\n\n\n\n Only the people with a secret key corresponding to the user It generates Note<\/strong>: a more robust command (these options only affect passphrase-based encryption; a higher --s2k-count means more iterations of the key-derivation hash, which slows down passphrase guessing):<\/p>\n\n\n\n Here,<\/p>\n\n\n\n To decrypt Use To decrypt it, use<\/p>\n\n\n\n To export the public key, use Now, you can email it to your friend… and tell them the fingerprint through a second channel so they can check what arrived.<\/p>\n\n\n\n To import anyone’s public key, you need their public-key file. Ask the person for it or download it from their website. Then use Now, when you list the public keys, you will have one more key in your list. Compare its fingerprint with the one the owner gave you before using it.<\/p>\n\n\n\n Now, you can use Keyservers are servers used to distribute public keys. Anybody can upload and download keys from them, so a key found on a keyserver proves nothing about who owns it until you have verified its fingerprint. Some keyservers require you to verify your email address (keys.openpgp.org only serves a user-id after its owner has confirmed the address). Be aware that publishing your email address may attract spam. Some allow you to delete your keys and some don’t, so assume anything you upload is permanent.<\/p>\n\n\n\n Ex – https:\/\/keys.openpgp.org\/<\/a>; https:\/\/keys.mailvelope.com\/<\/a>; https:\/\/keyserver.ubuntu.com\/<\/a><\/p>\n\n\n\n Most of the distributions\/OSes use a default keyserver (for example, https:\/\/162.213.33.9:443 in Arch Linux). But you can use a desired key server instead of the default one using Or, put this in the file Table of Contents<\/h2>\n\n\n\n
Benefits of GPG<\/h2>\n\n\n\n
*.sig<\/code> file along with your file
*.iso<\/code>. This
*.sig<\/code> file is there to verify that the
*.iso<\/code> file was signed by the distribution’s key and has not been altered on the mirror or in transit. Checking it is only meaningful if you have verified the fingerprint of that signing key independently, because a compromised mirror can serve a matching fake *.sig just as easily as a modified *.iso.<\/p>\n\n\n\n
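The publisher/user exchange described above, as an added example that is not part of the original post: one throw-away GPG home directory plays the distribution's signing machine, another the user's, and the user pins the expected fingerprint instead of trusting a bare `gpg --verify` exit status. It assumes gpg 2.x and gpgconf are on PATH; the signing identity, the "release" payload and all file names are constructed for the demo.

```shell
#!/bin/sh
# Producing and checking a detached signature the way a distribution signs an
# ISO (added example). Assumes gpg 2.x on PATH; identity and payload are made up.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate" >&2; exit 0; }

PUB=$(mktemp -d); USR=$(mktemp -d); WORK=$(mktemp -d)

# Publisher: passphrase-less demo key (a real release key lives offline or on a token).
gpg --homedir "$PUB" --batch --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Demo Release Signing <release@example.invalid>" rsa3072 default never
# --with-colons is the machine-readable listing; the first "fpr" record is the primary key.
PUB_FPR=$(gpg --homedir "$PUB" --with-colons --list-keys release@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')

# Publisher: the artefact, a detached signature next to it, and the public key to publish.
printf 'pretend this is an installer image\n' > "$WORK/demo.iso"
gpg --homedir "$PUB" --batch --yes --detach-sign --output "$WORK/demo.iso.sig" "$WORK/demo.iso"
gpg --homedir "$PUB" --armor --export release@example.invalid > "$WORK/release-key.asc"

# User: import the publisher's key. The fingerprint to compare against must come
# from somewhere other than the mirror (project web site over HTTPS, an earlier install).
gpg --homedir "$USR" --batch --import "$WORK/release-key.asc"

# verify_release HOMEDIR SIGFILE FILE EXPECTED_FPR -> 0 only if the signature is good
# AND was made by the expected key. A bare `gpg --verify` exit status of 0 means
# "good signature by some key in my keyring", which is not the same thing, so read
# the machine-readable status line and pin the fingerprint.
verify_release() {
    status=$(gpg --homedir "$1" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || return 1
    # VALIDSIG <signing-key-fpr> ... <primary-key-fpr>: accept a match in either slot
    printf '%s\n' "$status" | grep -E -q "^\[GNUPG:\] VALIDSIG ($4 |.* $4\$)"
}

cp "$WORK/demo.iso" "$WORK/tampered.iso"
printf 'one extra line\n' >> "$WORK/tampered.iso"

if verify_release "$USR" "$WORK/demo.iso.sig" "$WORK/demo.iso" "$PUB_FPR"; then
    echo "demo.iso: good signature from $PUB_FPR"
fi
if ! verify_release "$USR" "$WORK/demo.iso.sig" "$WORK/tampered.iso" "$PUB_FPR"; then
    echo "tampered.iso: signature does NOT verify"
fi
GNUPGHOME="$PUB" gpgconf --kill gpg-agent   # stop the agents gpg started for the temp homedirs
GNUPGHOME="$USR" gpgconf --kill gpg-agent
```

The fingerprint pin is the important part: if the user's keyring also held an attacker's key (imported from a poisoned keyserver search, say), a `.sig` made with that key would still make `gpg --verify` return 0.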
Installation of GPG<\/h2>\n\n\n\n
Linux<\/h3>\n\n\n\n
$ tar jxf <gnupg_tar.bz2>\n$ cd <gnupg_tar_dir>\n$ .\/configure\n$ make\n$ sudo make install<\/span><\/code><\/pre>\n\n\n\n
Windows<\/h3>\n\n\n\n
choco install gnupg<\/code><\/pre>\n\n\n\n
Mac OS<\/h3>\n\n\n\n
GPG home directory and its configuration<\/h2>\n\n\n\n
~\/.gnupg<\/code> for storing its keys and configuration. Or set the environment variable
$GNUPGHOME<\/code> to overwrite the default behavior. Or use
--homedir<\/code> to\u00a0use your_path instead of
~\/.gnupg<\/code> or
$GNUPGHOME<\/code>.<\/p>\n\n\n\n
gpg --homedir <your_path><\/code><\/pre>\n\n\n\n
rwx------<\/code>) and 600 (
rw-------<\/code>) on directories and files respectively. If the permissions are looser, gpg prints an ‘unsafe permissions’ warning but still runs. Fix them (for example with chmod -R go-rwx ~\/.gnupg) rather than ignoring the warning: a secret keyring readable by other users is protected only by its passphrase.<\/p>\n\n\n\n
GPG configuration files<\/h3>\n\n\n\n
gpg_home_dir\/{gpg.conf,dirmngr.conf,...}<\/code> and
\/etc\/gnupg\/{gpg.conf,dirmngr.conf}<\/code>. For example, If you use the flags
--no-default-keyring --keyring keyring-path<\/code> with gpg commands all the time, you can just put them in
gpg.conf<\/code>. Now no need to supply these flags anymore.<\/p>\n\n\n\n
no-default-keyring\nkeyring keyring-path<\/code><\/pre>\n\n\n\n
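A starting gpg.conf a practitioner would typically use, as an added example (not from the original post): it fixes the listing format that the later sections rely on and raises the defaults for anything encrypted with a passphrase. Every line is a GnuPG 2.2 option; the keyserver line belongs in dirmngr.conf, not gpg.conf, so it is shown separately.

```conf
# ~/.gnupg/gpg.conf  (added example)

# Show long key IDs and fingerprints in every listing; short 32-bit IDs are easy to collide
keyid-format 0xlong
with-fingerprint
with-subkey-fingerprints

# What gpg should prefer when it chooses algorithms on your behalf
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA512

# Passphrase-based (--symmetric) encryption: AES-256, SHA-512, iterated+salted S2K, max count
s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712

# ~/.gnupg/dirmngr.conf  (added example)
keyserver hkps://keys.openpgp.org
```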
How to create a key pair in gpg<\/h2>\n\n\n\n
gpg --full-gen-key<\/pre>\n\n\n\n
gpg (GnuPG) 2.2.41; Copyright (C) 2022 g10 Code GmbH\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\n\nPlease select what kind of key you want:\n (1) RSA and RSA (default)\n (2) DSA and Elgamal\n (3) DSA (sign only)\n (4) RSA (sign only)\n (14) Existing key from card\nYour selection? 1\nRSA keys may be between 1024 and 4096 bits long.\nWhat keysize do you want? (3072) 3072\nRequested keysize is 3072 bits\nPlease specify how long the key should be valid.\n 0 = key does not expire\n <n> = key expires in n days\n <n>w = key expires in n weeks\n <n>m = key expires in n months\n <n>y = key expires in n years\nKey is valid for? (0) 3w\nKey expires at Sat 01 Apr 2023 06:03:44 PM IST\nIs this correct? (y\/N) y\n\nGnuPG needs to construct a user ID to identify your key.\n\nReal name: Test12345\nEmail address: test12345@gmail.com\nComment: just kidding\nYou selected this USER-ID:\n \"Test12345 (just kidding) <test12345@gmail.com>\"\n\nChange (N)ame, (C)omment, (E)mail or (O)kay\/(Q)uit? O\nWe need to generate a lot of random bytes. It is a good idea to perform\nsome other action (type on the keyboard, move the mouse, utilize the\ndisks) during the prime generation; this gives the random number\ngenerator a better chance to gain enough entropy.\nWe need to generate a lot of random bytes. It is a good idea to perform\nsome other action (type on the keyboard, move the mouse, utilize the\ndisks) during the prime generation; this gives the random number\ngenerator a better chance to gain enough entropy.\ngpg: revocation certificate stored as '\/home\/ajay\/.gnupg\/openpgp-revocs.d\/090070A730217F1FAC03E7A5D2571362EB8B21F2.rev'\npublic and secret key created and signed.\n\npub rsa3072 2023-03-11 [SC] [expires: 2023-04-01]\n 090070A730217F1FAC03E7A5D2571362EB8B21F2\nuid Test12345 (just kidding) <test12345@gmail.com>\nsub rsa3072 2023-03-11 [E] [expires: 2023-04-01]<\/code><\/pre>\n\n\n\n
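The same key generation done non-interactively, as an added example that is not part of the original post: this is what you need on a build server or for a test fixture. It uses a throw-away home directory and gpg's batch parameter-file format with the same choices as the interactive walk-through above. It assumes gpg 2.x and gpgconf are on PATH; the name, address and paths are made up, and `%no-protection` (no passphrase) is acceptable only for a disposable key.

```shell
#!/bin/sh
# Unattended key generation in an isolated GPG home directory (added example).
# Assumes gpg (GnuPG 2.x) and gpgconf are on PATH. Identity and paths are made up.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate" >&2; exit 0; }

# gen_key_batch HOMEDIR NAME EMAIL -> prints the fingerprint of the new primary key
gen_key_batch() {
    homedir=$1; name=$2; email=$3
    mkdir -p "$homedir"
    chmod 700 "$homedir"   # anything looser triggers gpg's "unsafe permissions" warning

    # Same choices as the interactive --full-gen-key session: RSA 3072 primary key
    # for signing/certification, RSA 3072 subkey for encryption, 3-week expiry.
    # %no-protection = no passphrase: fine for a throw-away key, never for a real one.
    cat > "$homedir/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: $name
Name-Email: $email
Expire-Date: 3w
%commit
EOF
    gpg --homedir "$homedir" --batch --generate-key "$homedir/params"
    rm -f "$homedir/params"

    # --with-colons gives a stable, machine-readable listing; the first "fpr"
    # record belongs to the primary key and its 10th field is the fingerprint.
    gpg --homedir "$homedir" --with-colons --list-keys "$email" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# has_revocation_cert HOMEDIR FPR -> 0 if gpg stored the auto-generated revocation
# certificate. Copy it somewhere safe: it is how you retire a lost or stolen key.
has_revocation_cert() {
    test -f "$1/openpgp-revocs.d/$2.rev"
}

# Demo run against a temporary home directory.
DEMO_HOME=$(mktemp -d)
DEMO_FPR=$(gen_key_batch "$DEMO_HOME" "Batch Demo" "batch-demo@example.invalid")
echo "new primary key: $DEMO_FPR"
has_revocation_cert "$DEMO_HOME" "$DEMO_FPR" && echo "revocation certificate stored"
gpg --homedir "$DEMO_HOME" --list-keys --keyid-format 0xlong --with-subkey-fingerprints
GNUPGHOME="$DEMO_HOME" gpgconf --kill gpg-agent   # stop the agent gpg started for this homedir
```

For a key that will actually be used, replace `%no-protection` with a `Passphrase:` line fed from a secret store, or drop it and let gpg-agent prompt; and treat the `.rev` file like the secret key itself, since anyone holding it can revoke your key.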
How to list your keys<\/h2>\n\n\n\n
--list-keys<\/code> or
--list-public-keys<\/code><\/p>\n\n\n\n
$ gpg --list-public-keys<\/code><\/pre>\n\n\n\n
gpg: checking the trustdb\ngpg: marginals needed: 3 completes needed: 1 trust model: pgp\ngpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u\n\/home\/ajay\/.gnupg\/pubring.kbx\n-----------------------------\npub rsa3072 2023-02-17 [SC]\n 03894010F347890A123DF87ABA7C45B7108F0083<\/span>\nuid [ultimate] Ajay Yadav <xyx1@gmail.com>\nsub rsa3072 2023-02-17 [E]\n\npub rsa3072 2023-02-17 [SC]\n 91D335983408E555CFDC47D77F192C20064C28D5<\/span>\nuid [ultimate] unblocked8888 <xyx2@gmail.com>\nsub rsa3072 2023-02-17 [E]<\/pre>\n\n\n\n
--list-secret-keys<\/code>.<\/p>\n\n\n\n
$ gpg --list-secret-keys<\/code><\/pre>\n\n\n\n
\/home\/ajay\/.gnupg\/pubring.kbx\n-----------------------------\nsec rsa3072 2023-02-17 [SC]\n 03894010F347890A123DF87ABA7C45B7108F0083<\/span>\nuid [ultimate] Ajay Yadav <xyx1@gmail.com>\nssb rsa3072 2023-02-17 [E]\n\nsec rsa3072 2023-02-17 [SC]\n 91D335983408E555CFDC47D77F192C20064C28D5<\/span>\nuid [ultimate] unblocked8888 <xyx2@gmail.com>\nssb rsa3072 2023-02-17 [E]<\/code><\/pre>\n\n\n\n
\n
\n
gpg --full-gen-key<\/code><\/li>\n\n\n\n
--keyid-format <short|long|0xshort|0xlong><\/code> to print the keyid as well in the desired format.<\/li>\n<\/ol>\n\n\n\n
$ gpg --list-keys --keyid-format short\n\/home\/ajay\/.gnupg\/pubring.kbx\n-----------------------------\npub rsa3072\/108F0083<\/span> 2023-02-17 [SC]\n 03894010F347890A123DF87ABA7C45B7108F0083\nuid [ultimate] Ajay Yadav <xyx1@gmail.com>\nsub rsa3072\/5814BF83<\/span> 2023-02-17 [E]\n\n$ gpg --list-keys --keyid-format long\n\/home\/ajay\/.gnupg\/pubring.kbx\n-----------------------------\npub rsa3072\/BA7C45B7108F0083<\/span> 2023-02-17 [SC]\n 03894010F347890A123DF87ABA7C45B7108F0083\nuid [ultimate] Ajay Yadav <xyx1@gmail.com>\nsub rsa3072\/79BA29CC5814BF83<\/span> 2023-02-17 [E]<\/code><\/pre>\n\n\n\n
What are gpg keyid, secret, public, master and subordinate keys, user id, fingerprint, etc?<\/h2>\n\n\n\n
$ gpg --list-public-keys --fingerprint --with-subkey-fingerprints --keyid-format 0xlong\n\/home\/ajay\/.gnupg\/pubring.kbx\n-----------------------------\npub rsa3072\/0x7F192C20064C28D5 2023-02-17 [SC]\n Key fingerprint = 91D3 3598 3408 E555 CFDC 47D7 7F19 2C20 064C 28D5\nuid [ultimate] unblocked8888 (comment goes into the bracket) <xyx2@gmail.com>\nsub rsa3072\/0x459DA250EC6F3071 2023-02-17 [E]\n Key fingerprint = CC16 7002 5FA5 C884 0385 B4E9 459D A250 EC6F 3071<\/code><\/pre>\n\n\n\n
$ gpg --list-secret-keys --fingerprint --with-subkey-fingerprints --keyid-format 0xlong \nsec rsa3072\/0x7F192C20064C28D5 2023-02-17 [SC]\n Key fingerprint = 91D3 3598 3408 E555 CFDC 47D7 7F19 2C20 064C 28D5\nuid [ultimate] unblocked8888 (comment goes into the bracket) <xyx2@gmail.com>\nssb rsa3072\/0x459DA250EC6F3071 2023-02-17 [E]\n Key fingerprint = CC16 7002 5FA5 C884 0385 B4E9 459D A250 EC6F 3071<\/code><\/pre>\n\n\n\n
rsa<\/code> is the key’s type and 3072 is the key’s bit length. The values shown in the above output were set by you during the generation of the key using
--full-gen-key<\/code>.<\/p>\n\n\n\n
GPG keyid<\/h3>\n\n\n\n
0x...<\/code> is the primary key’s ID and the second word
0x...<\/code> is the subordinate key’s ID.
0x<\/code> is only a prefix telling you that the key ID is written in hexadecimal. Therefore the key IDs are
7F192C20064C28D5<\/code> and
459DA250EC6F3071<\/code> in the above output. A long key ID is the last 16 hex digits of the fingerprint and a short key ID only the last 8. Short IDs are not unique: a key with any chosen 32-bit ID can be generated in seconds, so identify keys by their full fingerprint (or at least the long ID) whenever it matters. <\/p>\n\n\n\n
GPG Public and Secret Keys<\/h3>\n\n\n\n
GPG Fingerprints<\/h3>\n\n\n\n
7F192C20064C28D5<\/code> and
91D3 3598 3408 E555 CFDC 47D7 7F19 2C20 064C 28D5<\/span><\/code>).<\/p>\n\n\n\n
Userid in GPG<\/h3>\n\n\n\n
unblocked8888 (comment goes into the bracket) <xyx2@gmail.com><\/code> is your user-id. During the generation of the key (recall
--full-gen-key<\/code>), you might have used some comment which goes into the bracket.<\/p>\n\n\n\n
gpg <your_options> <key-identifier><\/code><\/pre>\n\n\n\n
How to encrypt a file using gpg<\/h2>\n\n\n\n
gpg -r xyx@gmail.com -e your_file.txt<\/code><\/pre>\n\n\n\n
-r<\/code> or
--recipient<\/code> names the recipient (user-id, key ID or fingerprint) whose public key the file is encrypted to; repeat it to encrypt to several people at once.
-e<\/code> or
--encrypt<\/code> is for encryption. Now, a file called
your_file.txt.gpg<\/code> will be generated. <\/p>\n\n\n\n
xyx@gmail.com<\/code> will be able to open it. But you only need the public key of the user
xyx@gmail.com<\/code> to encrypt the file. Because two different keys are involved (the public key to encrypt, the private key to decrypt), this is called ‘asymmetric cryptography’. Note that encryption alone says nothing about who produced the file; add --sign (gpg -r xyx@gmail.com --sign --encrypt your_file.txt) if the recipient needs to know it came from you.<\/p>\n\n\n\n
How to decrypt a file using gpg<\/h2>\n\n\n\n
gpg -d your_file.txt.gpg<\/code><\/pre>\n\n\n\n
-d<\/code> or
--decrypt<\/code> is used to decrypt the given file. Please note that you don’t need to specify the recipient here: gpg reads the ID of the encryption subkey from the
*.gpg<\/code> file and looks for the matching secret key in your keyring. You are then asked for the passphrase that protects that secret key.<\/p>\n\n\n\n
Symmetric encryption in gpg<\/h2>\n\n\n\n
gpg --symmetric doc<\/code><\/pre>\n\n\n\n
doc.gpg<\/code>. Here, no key pair is needed i.e. even if you have not generated any key using
gpg --full-gen-key<\/code>, you can use this command. It will ask for a passphrase using which this file will be encrypted.<\/p>\n\n\n\n
gpg --symmetric --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65011712 doc<\/code><\/pre>\n\n\n\n
--s2k-cipher-algo selects the cipher, --s2k-digest-algo the hash used to stretch the passphrase into a key, and --s2k-count how many times that hash is iterated (from 1024 up to 65011712; gpg calibrates a default for your machine, and a value below it only makes offline guessing of the passphrase cheaper, so do not lower it in the name of robustness). The algorithms your build supports are listed by gpg
--version<\/code>.<\/li>\n<\/ul>\n\n\n\n
$ gpg --version\ngpg (GnuPG) 2.2.40\nlibgcrypt 1.10.1-unknown\nCopyright (C) 2022 g10 Code GmbH\nLicense GNU GPL-3.0-or-later <https:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\n\nHome: \/home\/ajay\/.gnupg\nSupported algorithms:\nPubkey: RSA<\/span>, ELG, DSA, ECDH, ECDSA, EDDSA\nCipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256<\/span>, TWOFISH,\n CAMELLIA128, CAMELLIA192, CAMELLIA256\nHash: SHA1, RIPEMD160, SHA256, SHA384, SHA512<\/span>, SHA224\nCompression: Uncompressed, ZIP<\/span>, ZLIB, BZIP2<\/code><\/pre>\n\n\n\n
doc.gpg<\/code>, use
--decrypt<\/code> or
-d<\/code>. Input the passphrase you used to encrypt the file. You can decrypt it on another computer: no private or public key is needed there, just the passphrase. That also means the passphrase is the only thing protecting the file, so it must be long and random, and it must reach the other side over a channel separate from the file itself.<\/p>\n\n\n\n
gpg -d doc.gpg<\/code><\/pre>\n\n\n\n
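The symmetric round trip above driven from a script, as an added example that is not part of the original post: it applies the S2K options from the "more robust" command, reads the passphrase from stdin instead of a pinentry window, prints the S2K parameters actually written into the file, and shows that a wrong passphrase is refused. It assumes gpg 2.2 or later (for `--no-symkey-cache`) and gpgconf on PATH; the passphrase and payload are made up.

```shell
#!/bin/sh
# Non-interactive symmetric encryption with explicit S2K settings (added example).
# Assumes gpg >= 2.2 on PATH; passphrase and payload below are made up.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate" >&2; exit 0; }

GH=$(mktemp -d); WORK=$(mktemp -d)

# Shared options: no pinentry pop-ups, passphrase read from stdin (fd 0), and
# --no-symkey-cache so gpg-agent does not remember the passphrase; with the cache
# on, a later decrypt can succeed even though a wrong passphrase was supplied.
gpg_batch() {
    gpg --homedir "$GH" --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
        --no-symkey-cache "$@"
}
# sym_encrypt INFILE OUTFILE (passphrase on stdin): AES-256, SHA-512,
# iterated+salted S2K with the largest iteration count gpg supports.
sym_encrypt() {
    gpg_batch --symmetric --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 \
              --s2k-mode 3 --s2k-count 65011712 --output "$2" "$1"
}
# sym_decrypt FILE -> plaintext on stdout (passphrase on stdin); non-zero on failure
sym_decrypt() {
    gpg_batch --quiet --decrypt "$1"
}
# show_s2k FILE: print the symmetric-key packet header so you can confirm what the
# file really uses (OpenPGP ids: cipher 9 = AES256, hash 10 = SHA512, s2k 3 = iterated+salted)
show_s2k() {
    gpg_batch --list-packets "$1" 2>/dev/null | grep '^:symkey enc packet:' \
        || echo "(no symkey packet found)"
}

PASS='correct horse battery staple'   # demo value; a real one comes from a password manager, not a script
printf 'attack at dawn\n' > "$WORK/doc"
printf '%s\n' "$PASS" | sym_encrypt "$WORK/doc" "$WORK/doc.gpg"
printf '%s\n' "$PASS" | show_s2k "$WORK/doc.gpg"
echo "right passphrase: $(printf '%s\n' "$PASS" | sym_decrypt "$WORK/doc.gpg")"
if ! printf 'wrong passphrase\n' | sym_decrypt "$WORK/doc.gpg" 2>/dev/null; then
    echo "wrong passphrase: decryption refused"
fi
GNUPGHOME="$GH" gpgconf --kill gpg-agent   # stop the agent gpg started for the temp homedir
```

`--list-packets` needs the passphrase because gpg decrypts the file to walk the inner packets; the `:symkey enc packet:` line is the one place you can see whether the cipher and hash you asked for were honoured (a `gpg.conf` setting such as `cipher-algo` would override `--s2k-cipher-algo`).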
Encrypting\/decrypting a directory<\/h3>\n\n\n\n
gpgtar<\/code><\/p>\n\n\n\n
gpgtar --symmetric --output dir.gpg dir<\/code><\/pre>\n\n\n\n
gpgtar -d dir.gpg<\/code><\/pre>\n\n\n\n
How to export a public key in gpg<\/h2>\n\n\n\n
--export<\/code> flag:<\/p>\n\n\n\n
$ gpg --export --armor --output public-key.asc xyx1@gmail.com<\/code><\/pre>\n\n\n\n --armor writes the key as ASCII text (the .asc file imported in the next section) that survives e-mail and copy-paste; without it gpg writes a binary file, which works too but is easy to mangle in transit.<\/p>\n\n\n\n
How to import a public key in gpg<\/h2>\n\n\n\n
--import<\/code><\/p>\n\n\n\n
$ gpg --import public-key.asc<\/code><\/pre>\n\n\n\n
$ gpg --list-public-keys<\/code><\/pre>\n\n\n\n
gpg: checking the trustdb\ngpg: marginals needed: 3 completes needed: 1 trust model: pgp\ngpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u\n\/home\/ajay\/.gnupg\/pubring.kbx\n-----------------------------\npub rsa3072 2023-02-17 [SC]\n 03894010F347890A123DF87ABA7C45B7108F0083<\/span>\nuid [ultimate] Ajay Yadav <xyx1@gmail.com>\nsub rsa3072 2023-02-17 [E]\n\npub rsa3072 2023-02-17 [SC]\n 91D335983408E555CFDC47D77F192C20064C28D5<\/span>\nuid [ultimate] unblocked8888 <xyx2@gmail.com>\nsub rsa3072 2023-02-17 [E]\n\npub rsa3072 2023-02-16 [SC]\n 28C1E1C8A559745FA162B7AE83873602785B519E<\/span>\nuid [ultimate] test123 (test) <test@gmail.com>\nsub rsa3072 2023-02-16 [E]<\/code><\/pre>\n\n\n\n
gpg -r test@gmail.com -e your_file.txt<\/code> to encrypt it. Only the holder of the secret key for test@gmail.com will be able to open the encrypted file, not even the user who encrypted it; if you want to read it later yourself, add your own address as a second recipient with another -r. Also, because a freshly imported key is not yet trusted, gpg asks “Use this key anyway?” before encrypting to it (and refuses outright under --batch). Answer yes only after checking the fingerprint, or sign the key locally (gpg --lsign-key <fingerprint>) so the question goes away.<\/p>\n\n\n\n
What is gpg keyserver<\/h2>\n\n\n\n
--keyserver<\/code><\/p>\n\n\n\n
$ gpg --keyserver hkps:\/\/keys.openpgp.org\/ <further_arguments><\/code><\/pre>\n\n\n\n
~\/.gnupg\/dirmngr.conf<\/code> to use this server as default:<\/p>\n\n\n\n
keyserver hkps:\/\/keys.openpgp.org\/<\/code><\/pre>\n\n\n\n