This article will not go deep into the technical details of PGP or the underlying encryption algorithms used. I will be focusing specially on using PGP to encrypt messages to send to someone, as well as verifying the authenticity of PGP messages using someone's public key.

The reason for this focus is because my website uses PGP for signing the articles I write. I want readers to be able to ensure the authenticity of my blog, and potentially utilize my public key to verify my identity on other websites. Secondly, I want to give visitors of my website the ability to message me in a secure manner. By using my public PGP key, you are able to encrypt messages and send them to me without fear that a prying eye might read the message.

Goals

This tutorial will show you how to do the following using GPG in the command line:

• Install and use GPG
• Import a person's Public Key into your keyring
  • Verify using the key's fingerprint from multiple sources
• Create Your Own Public/Private Key Pair
• Signing Another Person's Key
  • In order to set the Trust and Validity level
• Encrypting a Message using someone's Public Key
• Verifying a PGP Signature
• Best Practices for Using GPG

Content

• What is PGP
• Video Guide
• Using a GUI
• Instructions
  • GPG
    • Installation
      • Mac
      • Linux
      • Windows
  • Using GPG
    • Importing the Public Key
    • Create Your Own Public/Private Key Pair
    • Signing Another Person's Key
    • Encrypting a Message
    • Verifying a Signature
• Final Thoughts
  • Best Practices for Using GPG
  • Conclusion

What is PGP

Pretty Good Privacy (also known as PGP), is an encryption algorithm used for ensuring the security, authenticity, and privacy of data communication. In other words, PGP can be used for secure communication between two parties, as well as cryptographically signing text and/or files to ensure that they originated from a particular person/organization.

Video Guide

• Great guide made by the YouTube channel HackerSploit

Using a GUI

This guide will be using the command line for interacting with the GPG software, but you can also check out software that utilizes GPG but provides a GUI for better ease of use.

Check Out:

• The GNU Privacy Assistant (GPA)
• Kleopatra
• For windows: GPG4win

Instructions

GPG

The instructions for this article will use the program GNU Privacy Guard (also known as GPG). This program often runs in the command line, unless another program is used that has a gui (such as gpa or Kleopatra)

Installation

For most operating systems you can download GPG from the official website. Otherwise follow the steps below for your OS.

Mac

This usually comes preinstalled. Otherwise you can install it using Homebrew with the following command (you will need to install Homebrew before running the command):

brew install gpg

You can also download the program from the official website.

Linux

This usually comes preinstalled. Otherwise you can install it using 'apt' with the following command (for Debian based distros):

sudo apt install gpg

For other Linux distros use your preferred package manager.

Windows

Refer to the official website for downloading the program.

Using GPG

In order to encrypt and verify messages using my (or anyone else's) public key, you'll need to add the key into your keyring. Use the following steps to download my public key and add it to your keyring using GPG.

• Remember that these steps work for any person's/organization's public key

Importing the Public Key

1. Download My Public Key
2. Go to the directory where the .asc file was downloaded
   1. • In order to set the validity level of a person's pubic key to "Full," you'll need to sign the key using your own private key. the file will be placed in your /Downloads directory.
   2. If you're not sure about how to navigate directories, check out this article
3. Import the key to your keyring using GPG
   • gpg --import franco-lopez-public-key.asc
4. After importing the key, make sure it appears in your keyring
   • gpg --list-keys
5. Validate that the fingerprint of the key matches the fingerprint on my website, X, and any other location where it is located. Making sure this fingerprint is the same ensures that the key you imported was not tampered with in any way.
   1. gpg --fingerprint "Franco Lopez"
   2. Make sure it matches: 6883 044C 78FF 9CC2 6CF4 47E3 915D 45D2 28B5 8354
      • Spacing is irrelevant
   3. You can also verify the fingerprint in my GitHub or X bio.
6. If the fingerprints match, you can raise the trust level of the key:
   1. gpg --edit-key "Franco Lopez"
   2. 4 (For changing the trust level to "Full")
   3. q (To quit GPG)
7. Check that everything was successful
   1. Run the command: gpg --list-keys
   2. Verify that you see my PGP key: Franco Lopez
   3. Verify the fingerprint is: 6883 044C 78FF 9CC2 6CF4 47E3 915D 45D2 28B5 8354
      • Spacing is irrelevant

Create Your Own Public/Private Key Pair

• The following steps assume that you don't already have your own public/private key pair. Only follow these instructions if you are new to PGP or haven't created your own key pair yet.

Create a Public/Private Key Pair:

1. Generate your own public/private key pair
   • gpg --gen-key
   • For more advanced options, use gpg --full-generate-key
     • With this option, follow this article and skip the following steps for creating a public/private key pair.
2. Fill out the options using your real name and email
   • If you are worried about privacy, you can provide a fake name and no email address.
3. You will then be asked to choose a password for securing your public/private key pair
   • Make sure this is a strong password
   • You may want to use a password manager to generate and store this password
4. You will then be asked to move your move your mouse and/or type randomly on your keyboard to generate random bytes for creating the key pair.
5. Your public/private key pair has now been created

Now you can sign my public key that you imported in the previous section. This will set the validity level of my key. It is incredibly important that you verify my public key matches the fingerprint: 6883 044C 78FF 9CC2 6CF4 47E3 915D 45D2 28B5 8354, and check that fingerprint on multiple sources (such as on GitHub or X).

Signing Another Person's Key

• In order to set the validity level of a person's pubic key to "Full," you'll need to sign the key using your own private key.

Sign My Public Key:

1. Use the following command
   • gpg --sign-key "Franco Lopez"
2. Type y to confirm
3. Type in the password you set for your public/private key pair
4. Check if the key was signed
   • Use the command: gpg --list-keys
   • For my public key, you should now see 'full', indicating that my key is set at the full trust level.
     • [ full ] Franco Lopez <[email protected]>

Encrypting a Message

Encrypting messages using a person's PGP public key will allow you to send them messages securely so only they can read the content of the message. This works because of a private and public key pairing for encrypting and decrypting messages; read about it more here.

1. Create a text file containing the text that you would like to encrypt.
   • Also, it doesn't necessarily have to be a text file, you can encrypt most file types and send them securely.
2. Use the command: gpg -a --encrypt random.txt
   • The -a tag allows for the output file to be ascii friendly (basically the output will be text that can be sent through email, a text box, etc. )
3. You will get the following output:

You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line:

4. Type name of my key:
   • Enter the user ID. End with an empty line: Franco Lopez
5. You should see that "Franco Lopez <[email protected]>" is the current recipient.
6. Leave the next line blank and press enter.
7. This will download a file called TheNameOfYourTextFile.txt.asc in your current directory.
8. You can check the content of this file by using the command:
   • cat TheNameOfYourTextFile.txt.asc
   • You should see a long string of text that begins with and ends with: -----BEGIN PGP MESSAGE----- -----END PGP MESSAGE-----
9. You can now copy this text and send it to the recipient (Me) through your preferred medium. The text is fully encrypted and only the recipient will be able to decrypt and read the content of the text.

Verifying a Signature

Using PGP, you can check to make sure the things I write are were not modified, and actually came from me.

Follow the steps above for importing my public key

• This will serve as an example of verifying that a file/text was authentically signed by a person's private key. In other words, by using my public key, you can check to see if the writing on my website (or anywhere else) was actually written by me.

1. Download the PGP signature for one of my articles (always at the bottom). Such as on the About Me page.
2. Article signatures are named in the format: ArticleName.md.asc
3. Navigate to where the signature (.asc file) was downloaded.
   1. Oftentimes the file will be placed in your /Downloads directory
   2. If you're not sure about how to navigate directories, check out this article
4. Run the following command:
   1. gpg --output AnyFileName.txt --verify signature-file
      1. Such as gpg --output AboutMe.md --verify AboutMe.md.asc
5. You my get a warning, but this is okay. You only need to check that one of the line states: gpg: Good signature from "Franco Lopez <[email protected]>"
   1. In order to remove this warning, follow the Create Your Own Public/Private Key Pair instructions in the "Importing the Public Key" section.
   2. Having a line that says Bad signature means there was either an error, or the signature was not created by me (therefore you cannot verify the text was written by me).
6. This will download a file based on the name chosen for the output file. Such as AboutMe.md for the About Me page example. You can open this file to see if the writing matches with what it appears online.

Final Thoughts

Best Practices for Using GPG

1. Keep Your Private Key Secure: Your private key is your identity. Protect it with a strong passphrase and keep it confidential. You should also keep a backup of your private key stored in a secure location.
2. Regularly Update Your Keyring: Regularly update your keyring to get updated keys and revocation certificates from others.
3. Verify Identities: Before trusting a key, verify the owner's identity, especially in sensitive communications. This most often occurs by verifying the key fingerprint from multiple sources.
4. Key Revocation: Create a revocation certificate in case your private key is compromised or lost. This lets others know that the key should no longer be used.

Conclusion

In this tutorial you learned how to do the following:

• Install and use GPG
• Import a person's Public Key into your keyring
  • Verify using the key's fingerprint from multiple sources
• Create Your Own Public/Private Key Pair
• Signing Another Person's Key
  • In order to set the Trust and Validity level
• Encrypting a Message using someone's Public Key
• Verifying a PGP Signature
• Best Practices for Using GPG

Verify Authenticity

This document is signed with PGP to ensure its authenticity. Download the signature here