GnuPG, or Gnu Privacy Guard, is a software that implements the OpenPGP standard – in which PGP stands for Pretty Good Privacy.
It is a tool used for – crash the drums – privacy. By privacy, you should understand sending private messages between users, to store any data safely, being sure that a message has a given origin and others.
For those who think that privacy is a waste of time, stuff for paranoid tech guys, I suggest reading this post in Stack Exchange.
Although we live in a free era, the freedom is sometimes menaced by dictatorships and state surveillance and we do not know when these privacy knowledge will go from “nice to have” to a “must have”.
PGP was created in 1991 by Phil Zimmermann, in order to securely store messages and files, and no license was required for its non-commercial use. In 1997 it was proposed as a standard in the IETF, and thus emerged OpenPGP.
Uses for the GPG
GPG have some nice features, some used more frequently, others not so:
- Signing and verifying a commit: With this, you can always know the owner of a commit, as well as let the others be sure you wrote some piece of code. The Git Horror Story is a tale that tries to instill the sense for sign/verify commits into the greenhorn programmers. Besides it all, there are some people that have its own issues with commit signatures.
- Send and receive cryptographed messages: Remember when as a kid you created encoded messages and thought no one would never understand¹? Well, bad news, everyone could read them. But now you can create messages that no one will understand², for real.
- Checking signatures: It is possible to know (with a great confidence degree) that some file is from someone specific. For instance, consider downloading Tor, it is a secure browser, but if you download a hacked software, it will serve for the exact contrary of its purpose. But calm down, no need to cry, with GPG you can check the integrity of any software.
Come with us to learn cool stuff!
¹ No? Oh… sorry for your childhood. :‘( ² Maybe it is possible to break a 4096 RSA encryption.
Creating your key
First of all, you must download and install the GPG tools. Then you can check the installation with
> gpg --version gpg (GnuPG) 1.4.20 License GPLv3+: GNU GPL version 3 or later [...]
> gpg --gen-key
And some things you must pay attention to the creation of the key:
- I would rather choose RSA kind of key. I suggest you to read this to understand why.
- Be sure to choose the maximum bit length for your key, if you want it to be safer. At the time this article is being written, the maximum is 4096.
- It is nice to set an expiration date. It must happen to you to lose your key or die (as we all some day) and then is a good practice to let others know that key is not being used anymore.
- Avoid comments on your key, as it is redundant at almost every time.
- It is nice to use strong digest algos like SHA512. I suggest you understand and create a nice
gpg.confto assure you are using the best configuration.
Here you can find a lot of other good practices for your GPG day-to-day use.
Assuming you finished the creation of your key, you can check it all with
> gpg --list-keys pub 4096R/746F8A65 2017-05-24 [expires: 2018-05-24] Key fingerprint = 014C F6E9 C2E0 12A2 4187 F108 178A C6CD 746F 8A65 uid Lucas Almeida Aguiar <firstname.lastname@example.org> sub 4096R/AFC85A01 2017-05-24 [expires: 2018-05-24]
As a brief summary, pub stands for “public” key, then you have the key length (4096 bits) with the R from RSA, a slash, and the short fingerprint, then the creation and expiration date. The short fingerprint takes the last 8 digits from your actual fingerprint. The uid is what you wrote a few minutes ago when I told you to do not write a comment. Let’s talk about the subs later.
For now, pay attention: the uid is not enough for you to believe someone is who he/she is telling you he/she is. Anyone can create a key with any name or e-mail. To be sure someone is really who he/she is telling you, you must check its fingerprint. We will cover it deeper when discussing web of trust.
Working with keys
Generally, you have not only your keys but also other people’s public keys, that you use to verify signatures and to send them encoded stuff. You have the power to edit your key and change how you see the other’s keys with
> gpg --edit-keys 746F8A65
This hash in front of the command is just the short fingerprint of the uuid you want to edit.
> gpg --edit-keys 746F8A65 gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 4096R/746F8A65 created: 2017-05-24 expires: 2018-05-24 usage: SC trust: ultimate validity: ultimate sub 4096R/AFC85A01 created: 2017-05-24 expires: 2018-05-24 usage: E sub 4096R/B2CD6DC9 created: 2017-05-24 expires: 2018-05-24 usage: S [ultimate] (1). Lucas Almeida Aguiar <email@example.com>
Pay attencion to the letters in the usage attribute, they mean - S for sign - E for encrypt - C for certify
The certify usage is the most powerful of them because it can create, trust and revoke keys.
gpg --edit-keys allows you to change passwords, trust keys, sign keys, change expire date, and other.
The PGP have a decentralized trust model, called web of trust. It allows you to trust keys even without a central server, as it is on X.509. The kinds of trust you can set to keys are:
- Ultimate: is only used for your own keys.
- Full(I trust fully): is used for keys which you really trust. Anyone who trust you, will also trust all of your fully trusted keys. Take care with it.
- Marginal(I trust marginally): if you set a key as marginal trusted, it is like you only trust 1/3 of its trusted keys. An example took from here: If you set Alice’s, Bob’s and Peter’s key to ‘Marginal’ and they all sign Ed’s key, Ed’s key will be valid.
- Unknown: is the default state.
- Undefined(Don’t know): has the same meaning as ‘Unknown’ but actively set by the user.
- Never(I do NOT trust): same of ‘Unknown / Undefined’, but meaning you know that the key owner is not accurately verifying other keys before signing them.
To trust someone you must first import a key. You can import the raw file with the public key with
> gpg --import john_doe.asc
or download it from a keyserver
> gpg --keyserver hkp://pgp.mit.edu --search-keys "firstname.lastname@example.org"
Then when you
--list-keys, the key you imported should be there.
Trusting keys is a serious issue. If you start to trust everyone, without checking, you will probably end up being yourself trusted as “Never”. I recommend you to only trust keys when you are sure it belongs to its owner, and checked with him the key’s fingerprint.
Check the fingerprint of the key you want to trust
> gpg --fingerprint email@example.com
Edit the key you want to trust
> gpg --list-keys pub 3072D/930F2A9E 2017-06-20 [expires: 2017-06-21] Key fingerprint = ... > gpg --edit-keys 930F2A9E ... pub 4096R/930F2A9E created: 2017-06-20 expires: 2018-06-20 usage: SC ... gpg> trust
Then you must set the trust level, according to the list described above. See here with more details.
The aim of this post was to give an overview about GPG, since the links I put here can serve as a bootstrap to further learnings.