Security

How to work with PGP keys using GnuPG

To encrypt email and files, you need to know how to work with PGP keys. Get up to speed on generating, exporting, and importing encryption keys with GnuPG.

Encryption should be a priority for every business. In case you need an encryption basics refresher, we're starting from the ground up and showing how to create a PGP key so you can encrypt files and folders. After all, without your PGP key, your contacts cannot send you encrypted email.

I'll walk you through the process of creating a PGP key. Then, I'll show how to export your public key and import the public keys of others.

This process will vary depending on the platform you use and the tools you employ for PGP. For this walkthrough, I'll use Elementary OS Freya and the GnuPG command line. If you wan to use this tool on Windows, install Gpg4win to enjoy the same power as GnuPG.

SEE: Encryption Policy (Tech Pro Research)

Installation

Out of the box, GnuPG should already be installed on your machine. If it's not, you can install it with the command:

sudo apt-get install gnupg

Generating your key pair

You must generate your key pair; this will create a private key and a public key.

  • The private key decrypts emails and files sent to you by those that have your public key. The private key must remain secret.
  • The public key is the key you share with others so they may encrypt messages to you.

To generate your key pair, we'll work from the command line. Open a terminal window and issue the following command:

gpg —gen-key

This fires up the process, and you'll be asked a number of questions. The first bit of interactive output looks like this:

gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?

Stick with the default here and press 1.

Next, you must select the keysize:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Select the default (2048) by hitting Enter.

The next question wants you to define how long the key should be valid. You can select a value in days, weeks, months, or years, or you can configure the key to have no expiration date.

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n yearsKey is valid for? (0)

Key does not expire at allIs this correct? (y/N)

You must enter user information to be associated with the key.

You need a user ID to identify your key; the software constructs the user IDfrom the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name:
Email address:
Comment:

Verify your input and enter a passphrase for the key. Make sure the passphrase is strong and one you can remember. After you do this, you'll need to go back to work so GnuPG can generate keys using entropy. When GnuPG returns you to the command prompt, you're ready to move on.

Exporting your public key

In order for your keypair to be useful, you must make your public key available to others. Export the public key, and then hand it over to those that need to send you encrypted mail or files. Export that key with the following command.

gpg —armor —export EMAIL_ADDRESS > public_key.asc (EMAIL_ADDRESS is the actual email address associated with the key)

You'll have a public key file that you can distribute to those that need to encrypt email/files for your eyes only.

You can also upload your public key to the keys.gnupg.net public key server so others can use it. Follow these steps.

  1. Open a terminal window.
  2. Issue the command gpg —list-keys.
  3. Search for the 8-digit string (the primary ID) associated with the key you want to export.
  4. Issue the command gpg —send-keys PRIMARY_ID (PRIMARY_ID is the actual ID of that key).

The key will be uploaded to the key server and be available to the public.

Once the user has acquired your public key, he or she can import it into their system and then send you encrypted messages. Because the public key they use to encrypt the messages/files is associated with your private key, you'll be able to decrypt those messages. Without your private key, you cannot decrypt (which is why you want to safeguard those private keys).

Importing other users' private keys

You need to import the private keys of other users so you can send encrypted messages. Those users have to send you their public keys. Once you receive the user's public key, save it and import it. The import process can be done from the command line as well. Here's how.

  1. Open a terminal window.
  2. Change into the directory housing the saved user key.
  3. Issue the command gpg —import PUBLIC_KEY (PUBLIC_KEY is the filename of the public key to be imported).

Now you can send encrypted email/files to the user associated with the imported key.

Easier than you thought, right?

Working with GnuPG makes the encryption process simple...even when working from the command line. Of course, there are GUIs available for those that prefer a graphical interface (Gpg4win comes with its own GUI on the Windows side and most modern Linux desktops ship with their own).

My guess is employing PGP keys is easier than you thought when we started this encryption tutorial.

Also see

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox