The day has come where the security of your data—be it on a server, a work desktop, or your personal machine—is one of the single most important issues you can take on. Whether you’re hoping to secure company information or private email to clients, friends, and/or loved ones, you need to understand how to ensure your data cannot easily be read by the wrong people.
That’s where GNU Privacy Guard comes into play. GNU Privacy Guard (also called GPG or GnuPG) is an implementation of the OpenGP standard that allows you to encrypt/decrypt and sign data communications. It is one of the single most important tools you can use for secure communications on the Linux desktop.
Several applications make use of GPG and, once you have a solid understanding of how it works, you can make the most out of it. And, that’s where this article comes in. I will assume a zero sum knowledge on the subject of PGP and walk you through the process of generating the necessary keys to use to encrypt your communications. In the end, you will have a public and private key pair that can then be used from the command line, from GUI tools, and even with various email clients (to encrypt/decrypt) email communications.
NOTE: I will be demonstrating on Elementary OS Freya. The process is the same on all distributions, with the exception of the installation process.
It all begins with a key
Without a key, you cannot unlock all the wonder that is GPG. To begin with, you must ensure that GnuPG is installed on your machine (chances are, it is). To do this, open a terminal window and issue the command which gpg. You should see /usr/bin/gpg reported. If you are returned a blank prompt, GnuPG is not installed. Here are the steps to rectify that issue:
-
Open a terminal window
-
Issue the command sudo apt-get install -y gnupg
-
When prompted, type your sudo password and hit Enter
-
Allow the installation to complete
GnuPG is ready to serve. The first thing you must do is generate a keypair. As I already mentioned, the key pair is the heart and soul of GnuPG. This key pair consists of two very important pieces:
-
Private key
-
Public key
It is with these two keys that you can encrypt/decrypt information. It works in a very specific way. Let me explain. Both keys are associated with your email address. The private key is that which (as the name suggests) you keep to yourself (and do not share with anyone). The public key, on the other hand, is the key that you share with other people that want to send you encrypted messages. They, in turn, will send you their public keys (so that you can send them encrypted information). Once you’ve exchanged keys, it works like this:
Suppose you want to send an encrypted message to Britta. Britta has given you her public key and you have given her yours. You open up Thunderbird (for which you have installed the Enigmail add-on), type up your message to Britta, and click to encrypt the message. Because you have Britta’s public key, the message will encrypt (using that key) and you can send it on. When Britta opens that email, because she has the matching private key, the email will be decrypted.
In other words, only the person holding the matching private key will be able to decrypt the information within that email. That is why it is so important to safeguard your private key. It is also the reason they are called “key pairs.”
Let’s generate your key pair. Open your terminal window and issue the command gpg –gen-key. At this point, you will be asked some questions. The questions are:
-
Please select what kind of key you want (default being RSA and RSA)
-
What keysize do you want (default being 2048)
-
How long the key should be valid (default being key does not expire)
Next, you will be asked to enter information for the keyholder (you). The information required is:
-
Real name
-
Email address
-
Comment
You will then be asked to verify the information you entered. If it is correct, type O (for Okay). Once you’ve okay’d the information, you will be prompted to enter (and validate) a passphrase for the key. Make sure this passphrase is complex (a combination of alphanumeric, numbers, caps, lowercase, and symbols). Upon successful verification of your new passphrase, you will be instructed to perform other actions (web browsing, typing, reading email, etc.) so the gpg random number generator has a better chance to gain enough entropy to create the key pair. When this process completes, gpg will report the success of the key creation with the public key ID, the key fingerprint, and more. With that in hand, you are ready to begin.
Exporting your public key
This is a very important step. Without doing this, others will not be able to encrypt data for your eyes only. To export your public key, go back to your terminal window and issue the command:
gpg --armor --export EMAIL_ADDRESS > public_key.asc
Where EMAIL_ADDRESS is the actual email address associated with your key.
The file public_key.asc will contain your public key. You can now distribute that key to anyone needing to send you encrypted information. You can also upload that public key to a public key server, so anyone can obtain your public key and encrypt messages for you. To do this, go back to your terminal window and do the following:
-
Issue the command gpg –list-keys
-
Take note of the 8-digit string (the primary ID) associated with the key to be exported
-
Issue the command gpg –keyserver pgp.mit.edu –send-keys PRIMARY_ID (where PRIMARY_ID is the actual ID of your public key)
Using that command, your key will be uploaded to the MIT key server and can then be downloaded and used by anyone.
Importing public keys
Suppose Nathan wants to encrypt an email to Olivia. To do so, Nathan must have Olivia’s public key. He has obtained that key by either Olivia sending it to him or by getting it from a public key server. How does he then import that key so GnuPG is aware of it? Simple.
I’ll assume Nathan received the file olivia_public_key.asc from Olivia and has saved it in a folder he created called ~/.PUBKEYS. To import that file, Nathan would open up a terminal window and issue the command:
gpg --import ~/.PUBKEYS/olvia_public_key.asc
That’s it. Nathan can now send encrypted email to Olivia. Because Olivia has the matching private key, she can decrypt that email.
Your system knows
Once you’ve taken care of the above, anytime you use a GPG-aware application (such as the Enigmail plugin for Thunderbird), it will just know about the public and private keys. If you have multiple private keys in use, you might have to specify which one to use for your email account, but you will not have to do anything to associate public keys with email addresses.
You’re ready to go
Now that you understand the basics of GnPG, you’re ready to start using it. This information should serve as a solid guide to help you work in a much more secure environment and to be able to send and receive encrypted data.
Learn more about security and system management in the Essentials of System Administration course from The Linux Foundation.