Using PGP for Encryption and Verification: A Comprehensive Guide
This article will not go deep into the technical details of PGP or the underlying encryption algorithms used. I will be focusing specially on using PGP to encrypt messages to send to someone, as well as verifying the authenticity of PGP messages using someone's public key.
The reason for this focus is because my website uses PGP for signing the articles I write. I want readers to be able to ensure the authenticity of my blog, and potentially utilize my public key to verify my identity on other websites. Secondly, I want to give visitors of my website the ability to message me in a secure manner. By using my public PGP key, you are able to encrypt messages and send them to me without fear that a prying eye might read the message.
Goals
This tutorial will show you how to do the following using GPG in the command line:
- Install and use GPG
- Import a person's Public Key into your keyring
- Verify using the key's fingerprint from multiple sources
- Create Your Own Public/Private Key Pair
- Signing Another Person's Key
- In order to set the Trust and Validity level
- Encrypting a Message using someone's Public Key
- Verifying a PGP Signature
- Best Practices for Using GPG
Content
What is PGP
Pretty Good Privacy (also known as PGP), is an encryption algorithm used for ensuring the security, authenticity, and privacy of data communication. In other words, PGP can be used for secure communication between two parties, as well as cryptographically signing text and/or files to ensure that they originated from a particular person/organization.
Video Guide
Using a GUI
This guide will be using the command line for interacting with the GPG software, but you can also check out software that utilizes GPG but provides a GUI for better ease of use.
Check Out:
- The GNU Privacy Assistant (GPA)
- Kleopatra
- For windows: GPG4win
Instructions
GPG
The instructions for this article will use the program GNU Privacy Guard (also known as GPG). This program often runs in the command line, unless another program is used that has a gui (such as gpa or Kleopatra)
Installation
For most operating systems you can download GPG from the official website. Otherwise follow the steps below for your OS.
Mac
This usually comes preinstalled. Otherwise you can install it using Homebrew with the following command (you will need to install Homebrew before running the command):
brew install gpg
You can also download the program from the official website.
Linux
This usually comes preinstalled. Otherwise you can install it using 'apt' with the following command (for Debian based distros):
sudo apt install gpg
For other Linux distros use your preferred package manager.
Windows
Refer to the official website for downloading the program.
Using GPG
In order to encrypt and verify messages using my (or anyone else's) public key, you'll need to add the key into your keyring. Use the following steps to download my public key and add it to your keyring using GPG.
- Remember that these steps work for any person's/organization's public key
Importing the Public Key
- Download My Public Key
- Go to the directory where the .asc file was downloaded
-
- In order to set the validity level of a person's pubic key to "Full," you'll need to sign the key using your own private key. the file will be placed in your /Downloads directory.
- If you're not sure about how to navigate directories, check out this article
-
- Import the key to your keyring using GPG
gpg --import franco-lopez-public-key.asc
- After importing the key, make sure it appears in your keyring
gpg --list-keys
- Validate that the fingerprint of the key matches the fingerprint on my website, X, and any other location where it is located. Making sure this fingerprint is the same ensures that the key you imported was not tampered with in any way.
- If the fingerprints match, you can raise the trust level of the key:
gpg --edit-key "Franco Lopez"
4
(For changing the trust level to "Full")q
(To quit GPG)
- Check that everything was successful
- Run the command:
gpg --list-keys
- Verify that you see my PGP key:
Franco Lopez
- Verify the fingerprint is:
D0F7 3E1D 9AAA EB2D 3BD0 808F D22B BD5E 104A 9793
- Spacing is irrelevant
- Run the command:
Create Your Own Public/Private Key Pair
- The following steps assume that you don't already have your own public/private key pair. Only follow these instructions if you are new to PGP or haven't created your own key pair yet.
Create a Public/Private Key Pair:
- Generate your own public/private key pair
gpg --gen-key
- For more advanced options, use
gpg --full-generate-key
- With this option, follow this article and skip the following steps for creating a public/private key pair.
- Fill out the options using your real name and email
- If you are worried about privacy, you can provide a fake name and no email address.
- You will then be asked to choose a password for securing your public/private key pair
- Make sure this is a strong password
- You may want to use a password manager to generate and store this password
- You will then be asked to move your move your mouse and/or type randomly on your keyboard to generate random bytes for creating the key pair.
- Your public/private key pair has now been created
Now you can sign my public key that you imported in the previous section. This will set the validity level of my key. It is incredibly important that you verify my public key matches the fingerprint: D0F7 3E1D 9AAA EB2D 3BD0 808F D22B BD5E 104A 9793
, and check that fingerprint on multiple sources (such as on GitHub or X).
Signing Another Person's Key
- In order to set the validity level of a person's pubic key to "Full," you'll need to sign the key using your own private key.
Sign My Public Key:
- Use the following command
gpg --sign-key "Franco Lopez"
- Type
y
to confirm - Type in the password you set for your public/private key pair
- Check if the key was signed
- Use the command:
gpg --list-keys
- For my public key, you should now see 'full', indicating that my key is set at the full trust level.
[ full ] Franco Lopez <[email protected]>
- Use the command:
Encrypting a Message
Encrypting messages using a person's PGP public key will allow you to send them messages securely so only they can read the content of the message. This works because of a private and public key pairing for encrypting and decrypting messages; read about it more here.
- Create a text file containing the text that you would like to encrypt.
- Also, it doesn't necessarily have to be a text file, you can encrypt most file types and send them securely.
- Use the command:
gpg -a --encrypt random.txt
- The
-a
tag allows for the output file to be ascii friendly (basically the output will be text that can be sent through email, a text box, etc. )
- The
- You will get the following output:
You did not specify a user ID. (you may use "-r")
Current recipients:
Enter the user ID. End with an empty line:
- Type name of my key:
Enter the user ID. End with an empty line: Franco Lopez
- You should see that
"Franco Lopez <[email protected]>"
is the current recipient. - Leave the next line blank and press enter.
- This will download a file called
TheNameOfYourTextFile.txt.asc
in your current directory. - You can check the content of this file by using the command:
cat TheNameOfYourTextFile.txt.asc
- You should see a long string of text that begins with and ends with:
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
- You can now copy this text and send it to the recipient (Me) through your preferred medium. The text is fully encrypted and only the recipient will be able to decrypt and read the content of the text.
Verifying a Signature
Using PGP, you can check to make sure the things I write are were not modified, and actually came from me.
Follow the steps above for importing my public key
- This will serve as an example of verifying that a file/text was authentically signed by a person's private key. In other words, by using my public key, you can check to see if the writing on my website (or anywhere else) was actually written by me.
- Download the PGP signature for one of my articles (always at the bottom). Such as on the About Me page.
- Article signatures are named in the format:
ArticleName.md.asc
- Navigate to where the signature (.asc file) was downloaded.
- Oftentimes the file will be placed in your /Downloads directory
- If you're not sure about how to navigate directories, check out this article
- Run the following command:
- gpg --output AnyFileName.txt --verify signature-file
- Such as
gpg --output AboutMe.md --verify AboutMe.md.asc
- Such as
- gpg --output AnyFileName.txt --verify signature-file
- You my get a warning, but this is okay. You only need to check that one of the line states: gpg:
Good signature from "Franco Lopez <[email protected]>"
- In order to remove this warning, follow the Create Your Own Public/Private Key Pair instructions in the "Importing the Public Key" section.
- Having a line that says
Bad signature
means there was either an error, or the signature was not created by me (therefore you cannot verify the text was written by me).
- This will download a file based on the name chosen for the output file. Such as
AboutMe.md
for the About Me page example. You can open this file to see if the writing matches with what it appears online.
Final Thoughts
Best Practices for Using GPG
- Keep Your Private Key Secure: Your private key is your identity. Protect it with a strong passphrase and keep it confidential. You should also keep a backup of your private key stored in a secure location.
- Regularly Update Your Keyring: Regularly update your keyring to get updated keys and revocation certificates from others.
- Verify Identities: Before trusting a key, verify the owner's identity, especially in sensitive communications. This most often occurs by verifying the key fingerprint from multiple sources.
- Key Revocation: Create a revocation certificate in case your private key is compromised or lost. This lets others know that the key should no longer be used.
Conclusion
In this tutorial you learned how to do the following:
- Install and use GPG
- Import a person's Public Key into your keyring
- Verify using the key's fingerprint from multiple sources
- Create Your Own Public/Private Key Pair
- Signing Another Person's Key
- In order to set the Trust and Validity level
- Encrypting a Message using someone's Public Key
- Verifying a PGP Signature
- Best Practices for Using GPG
Comments