# quick & dirty gnupg



## graudeejs (Aug 30, 2009)

First of all Install security/gnupg and security/pinentry
Also security/gpa helps a lot managing keys in X

*MAKE PRIVATE/PUBLIC KEY PAIR*

```
$ gpg --gen-key
```
This is pretty straightforward

*LIST KEYS*

```
$ gpg --list-keys
Warning: using insecure memory!
/home/killasmurf86/.gnupg/pubring.gpg
-------------------------------------
pub   1024D/[color="Red"]7ED573D3[/color] 2008-09-12 [expires: 2010-11-07]
uid                  Aldis Berjoza (killasmurf86) <killasmurf86@gmail.com>
uid                  [jpeg image of size 4667]
sub   4096g/8CF6B625 2008-09-12
```
Here I marked my public key ID in red, when you work with keys IDs prefix them with *0x*. For example
*0x7ED573D3*

*GET KEY FINGERPRINT*

```
$ gpg --fingerprint 0x8CF6B625
```

*GENERATE REVOCATION CERTIFICATE*

```
$ gpg --output my_revoke.asc --gen-revoke 0x8CF6B625
```
See below how, why and when to use it.

*SEND/RETRIEVE PUBLIC KEY TO KEY SERVER*
Send:

```
$ gpg --keyserver pgp.mit.edu --send-key 0x7ED573D3
```
Retrieve:

```
$ gpg --keyserver pgp.mit.edu --recv-key 0x7ED573D3
```

*EXPORT/IMPORT PUBLIC KEY*
export (binary form):

```
$ gpg --output killasmurf86.gpg --export 0x7ED573D3
```
export (ASCII form):

```
$ gpg --output killasmurf86.asc --armour --export 0x7ED573D3
```
import:

```
$ gpg --import killasmurf86.gpg
```
or

```
$ gpg --import killasmurf86.asc
```

*EDIT KEY*

```
$ gpg --edit-key 0x7ED573D3
```
This will be interactive...
common commands: save, quit, sign, fpr, trust
see gpg(1) for details

*REFRESH PUBLIC KEYS*
You should do this once in while.

```
$ gpg --keyserver pgp.mit.edu --refresh-keys
```

*SIGN/VERIFY FILE 1*

```
gpg --sign /path/to/file
```
this will create /path/to/file.gpg which will contain signature in binary form.
Now you just send /path/to/file.gpg to a friend. file.gpg is compressed and signed file, to view and verify it use:

```
gpg --output /path/to/file --decrypt /path/to/file.gpg
```
this will create /path/to/test file, that was signed, and verify signature

*SIGN/VERIFY FILE 2*

```
gpg --armour --sign /path/to/file
```
this will create /path/to/file.asc which will contain signature in ASCII form
Now you just send /path/to/file.asc and to a friend. file.asc is compressed and signed file, but in ascii form. To view and verify it use:

```
gpg --output /path/to/file --decrypt /path/to/file.asc
```
this will create /path/to/test file, that was signed, and verify signature

*SIGN/VERIFY FILE 3*

```
gpg --clearsign /path/to/file
```
this will create /path/to/file.asc which will contain content of /path/to/file and signature in ASCII form.
*This is useful for sending signed emails*
You don't need gnupg to read it, but you'll be able to verify it with gnupg if you want to 
If you want to extract content, then use this:

```
gpg --output /path/to/file --decrypt /path/to/file.asc
```


*SIGN/VERIFY FILE 4*

```
gpg --detach-sign /path/to/file
```
This will create /path/to/file.sig which will contain signature for /path/to/file.
*This is recommended method for binary data*
keep file and file.sig together 
To verify data use:

```
gpg --verify /path/to/file.sig /path/to/file
```

*ENCRYPT/DECRYPT FILE 1*

```
gpg --encrypt /path/to/file
```
This will ask for recipient, and then create encrypted file /path/to/file.gpg in binary form
To decrypt it, use:

```
gpg --output /path/to/file --decrypt /path/to/file.gpg
```

*ENCRYPT/DECRYPT FILE 2*

```
gpg --armour --encrypt /path/to/file
```
This will ask for recipient, and then create encrypted file /path/to/file.gpg in ASCII form
To decrypt it, use:

```
gpg --output /path/to/file --decrypt /path/to/file.asc
```

*ENCRYPT/DECRYPT FILE 3*
If you want to encrypt/decrypt and know recipients key ID, you can use -r switch

```
gpg -r 0x7ED573D3 --encrypt /path/to/file
gpg -r 0x7ED573D3 --armour --encrypt /path/to/file
```
Also instead of Key ID, you can use, comment, name, surname, or even email address

```
gpg -r killasmurf86 --encrypt /path/to/file
gpg -r Aldis --armour --encrypt /path/to/file
gpg -r Berjoza --armour --encrypt /path/to/file
gpg -r '<killasmurf86@gmail.com>' --encrypt /path/to/file
```
the word after -r must be key specefic

*SIGN & ENCRYPT*
A common practice is to sign file, and then encrypt it.
for exampel

```
$ gpg --armour --sign -r killasmurf86 --encrypt /path/to/file
```
will create signed and ecnrypted file /path/to/file.asc
and to decrypt it and verify signature, use

```
$ gpg --output /path/to/file --decrypt /path/to/file.asc
```

*USING REVOCATION CERTIFICATE*

```
$ gpg--import my_revoke.asc 
$ gpg --keyserver pgp.mit.edu --send-keys 0x7ED573D3
```
*Do this only, if you have reasons to think, that your private key got compromised, or you forgot password.
This way, nobody who download your public key, from now on won't be able to use it.
You will still be able to decrypt your data.
read more:* http://www.gnupg.org/gph/en/manual.html#REVOCATION

NOTES
If you encrypt, mail, think if you'll like to read it later yourself. For this you should encrypt it for yourself as well, otherwise you don't be able to decrypt it.

I've wrote some basics, and if you're not familiar with gnupg yet, you need to read more information on web of trust and gpg

You can integrate GnuPG in may apps and scripts... http://gnupg.org/related_software/index.en.html

RESOURCES
gpg2(1)

SEE ALSO
http://www.gnupg.org/gph/en/manual.html
http://en.wikipedia.org/wiki/Web_of_trust
http://en.wikipedia.org/wiki/Pretty_Good_Privacy

also interesting:
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
google gnupg, gpg and pgp

P.S.
Key I used (0x7ED573D3) in this howto is my public key 

UPDATE:
Added how to use revocation certificate


----------



## vivek (Aug 30, 2009)

Nice, can you edit and fix from:

```
SERTIFICATE
```
to:

```
CERTIFICATE
```


----------



## graudeejs (Aug 30, 2009)

fixed


----------



## Carpetsmoker (Sep 15, 2009)

A good rule of thumb is that you should not use any security mechanism you do not understand. Human error is by far the biggest security risk and the chance for error is much greater if you do now know what you are doing.

Use this article as a reference at most. And do not blindly follow instructions or follow instructions you do not understand.
Read about PGP and how it works first.


----------

