GPG/PGP Basics

Using gpg for encryption, understanding the basic use of GPG for new users.
Recently someone asked me for a GPG or PGP public key so that they could send some sensitive material to me by email. I understood what they meant, but inwardly I groaned because I've just never had any reason to use public key encryption, and had no idea how to create the key or decrypt what would be sent back to me. Looking at "man gpg" on my Linux box didn't make me feel any better, and a Google search for gpg docs didn't immediately turn up anything that wasn't techno gobbledy-dee-geek. Eventually (after I had figured out the basics by trial and error), I did find the GNU Privacy Guard Handbook, which probably would have gotten me up to speed a little faster, but which still was more than I needed to know at the moment. This, therefore, is a quick introduction so that you don't have to get a headache from the man page as I did. After learning what is presented here, you can visit the GNU page for more in depth coverage.

Public key, private key

The basic concept is this: You generate a pair of matched keys. One of these is referred to as your "Public" key, and the other as "Private". You give the Public key to anyone who asks for it; you can even publish it on your web site. You keep your Private key secret, locked up on your own computer and protected by a passphrase. The two keys do different jobs and are not interchangeable: you can't decide later to publish the other one instead.

For example, if you want to send me something, you'd encrypt it using my public key. No one else can decrypt it; only my private key will work. Once it's encrypted you can't read it yourself any more either (unless you also encrypted it to your own key), so hang on to the original.

On the other hand, I might be concerned that it really is you sending me a message. That's what "signing" is for. Your gpg uses your private key to compute a signature over the message (a hash of the message, processed with your private key) and attaches it. My gpg checks that signature against your public key (presumably I somehow obtained that key and trust that it really is yours); if it checks out, I know the message came from whoever holds your private key, and that it wasn't altered on the way. Signing does not hide the message: a signed but unencrypted message can be read by anyone. If you want both secrecy and proof of origin, you sign with your private key and encrypt with my public key, and gpg will do both in one step. (In the examples below, each user's key pair is actually a DSA key for signing plus an ElGamal subkey for encryption; gpg picks the right one for each job, so you don't have to think about it.)

An example

You can test this all out on one computer using two (or more) user accounts. I'm going to assume that user "tom" wants to send an encrypted message to user "marge". (The transcripts below are from GnuPG 1.0.6 in 2001; newer versions ask slightly different questions and offer much longer keys by default, but the steps are the same.) The first thing Marge needs to do is generate her keys:

    [marge@apl marge]$ gpg --gen-key
    gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.
    gpg: Warning: using insecure memory!
    gpg: /home/marge/.gnupg: directory created
    gpg: /home/marge/.gnupg/options: new options file created
    gpg: you have to start GnuPG again, so it can read the new options file

(The "insecure memory" warning means gpg couldn't lock its memory to keep the passphrase and key from being swapped out to disk, because this build isn't installed setuid root. You'll see it on every command below; it's harmless for a tutorial, but on a machine where that matters you'd want it fixed.) Because Marge has never created a key before, gpg just creates what it needs and tells her to run it again:

    [marge@apl marge]$ gpg --gen-key
    gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.
    gpg: Warning: using insecure memory!
    gpg: /home/marge/.gnupg/secring.gpg: keyring created
    gpg: /home/marge/.gnupg/pubring.gpg: keyring created
    Please select what kind of key you want:
       (1) DSA and ElGamal (default)
       (2) DSA (sign only)
       (4) ElGamal (sign and encrypt)
    Your selection? 1
    DSA keypair will have 1024 bits.
    About to generate a new ELG-E keypair.
                  minimum keysize is  768 bits
                  default keysize is 1024 bits
        highest suggested keysize is 2048 bits
    What keysize do you want? (1024)
    Requested keysize is 1024 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correct (y/n)? y

(A note on those two choices: 1024-bit keys were the default in 2001, but 1024-bit DSA and ElGamal are no longer considered strong enough, and current GnuPG defaults to RSA keys of 2048 or 3072 bits depending on the version; take whatever larger default your version offers. An expiration date is also good practice: you can extend it later as long as you still hold the private key, while a lost key with no expiration stays valid-looking forever.)

    You need a User-ID to identify your key; the software constructs the user id
    from Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

    Real name: Marge
    Email address: [email protected]
    Comment: Marge's GPG key pair
    You selected this USER-ID:
        "Marge (Marge's GPG key pair) <[email protected]>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.
    Enter passphrase: Sbr6wh wscartBM, iscaa2d
    Repeat passphrase: Sbr6wh wscartBM, iscaa2d
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ..+++++++++++++++++++++++++.+++++++++++++++..+++++++++++++++++++++++++++++++++++....++++++++++.++++++++++++++++++++++++++++++.+++++.++++++++++>++++++++++>++++++++++
    public and secret key created and signed.

(See Random Numbers also.) A real gpg session doesn't echo the passphrase as you type it; I've written it in above so you can see what one looks like. The passphrase should be a tough one. It can contain spaces, there's no limit on its length, but of course you will need to remember it: the private key is useless without it, and there is no "forgot my passphrase" recovery. I use mnemonic aids to generate passwords and passphrases. For example, the passphrase above comes from this:

    She'll be riding six white horses when she comes around that Big Mountain, if she comes at all today
Fairly easy for me to remember, but a good, tough passphrase. (Now that it's printed here, of course, it isn't one any more; don't reuse it.) If you are working on a single-user machine, you probably will need to switch away and generate some activity to get the keys created. Once that's done, Marge can list her keys:

    [marge@apl marge]$ gpg --list-keys
    gpg: Warning: using insecure memory!
    /home/marge/.gnupg/pubring.gpg
    ------------------------------
    pub  1024D/FBE5BA2A 2001-11-17 Marge (Marge's GPG key pair)
    sub  1024g/78681206 2001-11-17

Two keys are listed: "pub" is the 1024-bit DSA primary key (used for signing) and "sub" is the 1024-bit ElGamal subkey (used for encryption). FBE5BA2A and 78681206 are their key IDs, which are simply the last eight hex digits of each key's fingerprint; you'll see them again below.

Now she's ready to export the public key that she will send to Tom. We assume for the moment that she has a perfectly secure way of getting it to Tom so that Tom really knows it came from her; for example, she physically hands him a CD which has the key on it. She could also publish it on her web page (there's more information about how to do that securely at the GNU Privacy Guard page referenced above) or (more likely) she just emails it to him (she could also use a public key server; see the GNU page for more on that). Email is not completely unreasonable: it doesn't matter if someone else intercepts and reads that email, because all it contains is the public key. That key is only useful for sending documents that Marge (and only Marge) can decrypt, and for checking her signatures; stealing it does not let you impersonate Marge.

What Tom has to be concerned about is substitution, not disclosure: someone forging email that pretends to be from Marge but that actually contains the forger's own public key. If Tom used that to encrypt his data, and the forger could intercept that transmission also, the forger could decrypt the data (and of course Marge could not!). A forger who then re-encrypts it to Marge's real key and passes it along is the classic "man in the middle", and neither Tom nor Marge would notice anything wrong. So what Tom should do before he relies on the key is compare its fingerprint with Marge over a channel the forger doesn't control: he calls Marge on the telephone, she runs "gpg --fingerprint" on her side and reads him the forty hex digits, and he checks them against what he sees after importing (shown below). The fingerprint is a hash of the entire key, so if all forty digits match, the whole key matches. Comparing only the key ID (the eight digits like FBE5BA2A) is not enough: it's short, and an attacker can generate a key whose ID collides with it.

Here Marge prepares her public key:

    [marge@apl marge]$ gpg --armor --export [email protected] > mypk
    gpg: Warning: using insecure memory!
    [marge@apl marge]$ cat mypk
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    mQGiBDv2vMARBACPHwe3BXmJXF5dvXxGEuxYIbYoY2naOmaArFsv1Pgl3GqhhAP7
    GTGvN4A4Xo80S8i8mrSsseHE/RD7F2PS045dzP/LbDcI7EqnfU2BDoIfEmTsTupl
    BKjOJUh7luhFbj2gdpbmmTUD/1BBKd42pIk/GPUcynMS9TG4kUyB6UdtRF7NydYP
    o4T+0fIY8mbh5VRigoVVsukX8xuI+QaS5iB/D4j36+zk/iRy171dY43OuwCgm6rQ
    a8vmmGDyCCUWFX0PVlQn5MMf97GadIAGgh1pdD7bMfB4FI84TyhNHuBDTCn0Ysff
    [remainder of the key block omitted]
    -----END PGP PUBLIC KEY BLOCK-----
    [marge@apl marge]$

Using Marge's Public Key

To use Marge's public key, Tom first has to "import" it. Tom already has his own keys created:

    [tom@apl tom]$ gpg --list-keys
    gpg: Warning: using insecure memory!
    /home/tom/.gnupg/pubring.gpg
    ----------------------------
    pub  1024D/16B478D3 2001-11-17 Tommy (Tommy Boy)
    sub  1024g/1E5CDE3C 2001-11-17

To add Marge's public key, Tom does this (he's saved the file as "margepk"):

    [tom@apl tom]$ gpg --import margepk
    gpg: Warning: using insecure memory!
    gpg: key FBE5BA2A: public key imported
    gpg: /home/tom/.gnupg/trustdb.gpg: trustdb created
    gpg: Total number processed: 1
    gpg:               imported: 1

Now when he lists keys, he has Marge's:

    [tom@apl tom]$ gpg --list-keys
    gpg: Warning: using insecure memory!
    /home/tom/.gnupg/pubring.gpg
    ----------------------------
    pub  1024D/16B478D3 2001-11-17 Tommy (Tommy Boy)
    sub  1024g/1E5CDE3C 2001-11-17

    pub  1024D/FBE5BA2A 2001-11-17 Marge (Marge's GPG key pair)
    sub  1024g/78681206 2001-11-17

Tom has done all that he really needs to do to be able to encrypt to Marge. The next step is where he checks that the key is really hers and records that fact. It's recommended rather than strictly necessary: if he skips it, gpg will warn him every time he uses the key that it isn't certified.
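What exactly Tom and Marge compare on the phone, as an added example (this is not code from the original article): a small Python program that strips the ASCII armor, verifies the armor's CRC-24 checksum, walks the OpenPGP packets and computes the v4 fingerprint exactly as gpg prints it, namely the SHA-1 of the public key packet (RFC 4880, section 12.2). The key block it works on is constructed here for illustration (a dummy modulus, not a real or usable key) and the "Marge <marge@example.com>" user ID is made up; the armor format, checksum and fingerprint computation are the real ones. It handles old-format packet headers, which is what the key block shown above uses (the "mQGi" at its start decodes to the 0x99 public key header), and rejects new-format ones rather than guessing.

```python
"""OpenPGP v4 fingerprint from an ASCII-armored public key block.

Added example, not from the original article. Key material below is CONSTRUCTED
(dummy RSA modulus); the armor, CRC-24 and fingerprint rules follow RFC 4880.
"""
import base64
import hashlib

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data: bytes) -> int:
    """Radix-64 checksum, RFC 4880 section 6.1 (MSB-first, 24-bit polynomial)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap packets in armor: header line, armor headers, blank line, base64, =CRC, footer."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Version: constructed example", ""]
                     + body + [crc_line, f"-----END PGP {kind}-----", ""])


def dearmor(text: str) -> bytes:
    """Strip armor and verify the CRC-24; raise ValueError if the block was altered."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("missing armor header/footer")
    body = lines[1:-1]
    if "" in body:                      # armor headers (Version:, Comment:) end at the blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: block is corrupt or altered")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for old-format packet headers; new-format headers are refused."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80 or ctb & 0x40:
            raise ValueError("not an old-format packet header")
        tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
        if length_type == 3:
            raise ValueError("indeterminate-length packet not supported")
        size = (1, 2, 4)[length_type]
        length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
        start = pos + 1 + size
        yield tag, data[start:start + length]
        pos = start + length


def mpi(value: int) -> bytes:
    """Multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def build_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public key packet: version, creation time, algorithm 1, n, e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(key_body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99, two-octet body length, body), regardless of how the
    packet header was actually encoded in the key block."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()


def fingerprint_from_armor(text: str) -> str:
    for tag, body in iter_packets(dearmor(text)):
        if tag == 6:                    # primary public key packet
            return fingerprint_v4(body)
    raise ValueError("no public key packet found")


def format_fingerprint(fp: str) -> str:
    """gpg's display form: ten groups of four hex digits."""
    return " ".join(fp[i:i + 4] for i in range(0, 40, 4))


def short_key_id(fp: str) -> str:
    """The 8-digit ID gpg lists (like FBE5BA2A) is just the low 32 bits of the fingerprint."""
    return fp[-8:]


def crc_ok(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def tamper(text: str) -> str:
    """Change one base64 character inside the key material (a forged or damaged block)."""
    lines = text.splitlines()
    i = lines.index("") + 2             # second data line, deep in the modulus
    c = lines[i][10]
    lines[i] = lines[i][:10] + ("B" if c != "B" else "C") + lines[i][11:]
    return "\n".join(lines) + "\n"


# Constructed sample: dummy 1017-bit modulus (bytes 1..128), e=65537, created 2001-11-17,
# followed by a user-ID packet (tag 13). Not a usable RSA key.
DUMMY_N = int.from_bytes(bytes(range(1, 129)), "big")
KEY_BODY = build_public_key_packet(DUMMY_N, 65537, created=1005955200)
UID = b"Marge <marge@example.com>"
EXAMPLE_ARMOR = armor(b"\x99" + len(KEY_BODY).to_bytes(2, "big") + KEY_BODY
                      + b"\xb4" + bytes([len(UID)]) + UID)

if __name__ == "__main__":
    fp = fingerprint_from_armor(EXAMPLE_ARMOR)
    print("Fingerprint:", format_fingerprint(fp), "  key ID:", short_key_id(fp))
    print("CRC check passes on altered block:", crc_ok(tamper(EXAMPLE_ARMOR)))
```

Run it and you get the fingerprint in gpg's four-digit groups, with the last eight digits being the short key ID. Two things to take from it: the CRC line only catches accidental damage (an attacker who substitutes a whole key simply recomputes it, which is why the fingerprint, not the checksum, is what you compare on the phone), and the fingerprint covers the key bytes themselves, so a forged key with the same name and e-mail cannot produce the same forty digits.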
    [tom@apl tom]$ gpg --edit-key [email protected]
    gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    gpg: Warning: using insecure memory!

    pub  1024D/FBE5BA2A  created: 2001-11-17 expires: never      trust: -/q
    sub  1024g/78681206  created: 2001-11-17 expires: never
    (1). Marge (Marge's GPG key pair)

    Command> fpr
    pub  1024D/FBE5BA2A 2001-11-17 Marge (Marge's GPG key pair)
         Fingerprint: C294 A900 C769 2AEF C951 2434 0CA6 3EED FBE5 BA2A

This is the moment for the phone call: Marge runs "gpg --fingerprint" on her end and reads those forty digits to Tom. Notice that the last eight, FBE5 BA2A, are the key ID he saw when importing. The "trust: -/q" on the pub line means Tom has assigned no ownertrust to this key (the "-") and gpg doesn't yet consider the key valid (the "q", for unknown); the next command is what changes that. Once the fingerprints match, he signs the key:

    Command> sign
    pub  1024D/FBE5BA2A  created: 2001-11-17 expires: never      trust: -/q
                 Fingerprint: C294 A900 C769 2AEF C951 2434 0CA6 3EED FBE5 BA2A

         Marge (Marge's GPG key pair)

    Are you really sure that you want to sign this key
    with your key: "Tommy (Tommy Boy)"

    Really sign? y

    You need a passphrase to unlock the secret key for
    user: "Tommy (Tommy Boy)"
    1024-bit DSA key, ID 16B478D3, created 2001-11-17

    Enter passphrase: (Tom enters his passphrase here)

    Command> quit
    Save changes? y

What Tom did was certify Marge's key: he used his own private key to sign a statement that this public key really belongs to Marge, having checked the fingerprint with her. From now on gpg considers the key valid for Tom's use and stops warning him about it. Because the signature is part of the key, if he later exports Marge's key his certification travels with it, and people who trust Tom's judgement get some assurance too; that's the "web of trust". Note that signing a key is a different thing from setting its ownertrust (the "trust" command in the same menu), which says how much you trust Marge's own certifications of other people's keys; you don't need that here. As I said, it's not absolutely necessary, and you can read more about it at the GNU Privacy Guard page. Now Tom is ready to encrypt his data:

    [tom@apl tom]$ gpg --out secrets_to_marge --encrypt secrets
    gpg: Warning: using insecure memory!
    You did not specify a user ID. (you may use "-r")
    Enter the user ID: [email protected]
    [tom@apl tom]$ ls -l sec*
    -rw-r--r--    1 root     root         5940 Nov 17 15:21 secrets
    -rw-rw-r--    1 tom      tom          2738 Nov 17 15:22 secrets_to_marge
    [tom@apl tom]$

(In a script you'd name the recipient on the command line instead of answering the prompt: "gpg -r [email protected] --out secrets_to_marge --encrypt secrets". The output is smaller than the input because gpg compresses the data before encrypting it.) Tom can now send "secrets_to_marge" with safety: only Marge can decrypt the data. Tom can't read it himself any more either, so he shouldn't delete "secrets" unless he means to. When Marge gets it, she'll decrypt it like this:

    [marge@apl marge]$ gpg --output secrets_from_tom --decrypt secrets_to_marge
    gpg: Warning: using insecure memory!

    You need a passphrase to unlock the secret key for
    user: "Marge (Marge's GPG key pair)"
    1024-bit ELG-E key, ID 78681206, created 2001-11-17 (main key ID FBE5BA2A)

    Enter passphrase: Sbr6wh wscartBM, iscaa2d
    gpg: encrypted with 1024-bit ELG-E key, ID 78681206, created 2001-11-17
          "Marge (Marge's GPG key pair)"
    [marge@apl marge]$ ls -l sec*
    -rw-rw-r--    1 marge    marge        5940 Nov 17 16:09 secrets_from_tom
    -rw-rw-r--    1 marge    marge        2738 Nov 17 16:09 secrets_to_marge
    [marge@apl marge]$

Notice that gpg asked for the passphrase of the ElGamal subkey (ID 78681206), not the DSA primary key: the subkey is the encryption key, which is what Tom's gpg encrypted to. The decrypted file is 5940 bytes, the same size as Tom's original. That's it. GPG is actually pretty simple, and nothing to get a headache over.

One thing this example did not do is prove to Marge that the file came from Tom: anybody who has her public key could have encrypted something to her. For that, Tom adds "--sign" to his encrypt command (gpg then asks for his passphrase too), and when Marge decrypts, gpg reports "Good signature from" Tommy, provided she has imported Tom's public key; without it she would see "Can't check signature: public key not found". Please do read the GNU Privacy Guard Handbook for a far more complete treatment of this subject.

See OS X file encryption for gpg on Mac OS X.
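Here is the whole Tom-and-Marge procedure as one unattended script, added as an example that is not part of the original article. It drives the GnuPG 2.x command line (2.1.12 or newer, for --quick-generate-key, --quick-sign-key and --pinentry-mode loopback) rather than the 1.0.6 prompts shown above, keeps each user's keyring in its own throwaway homedir, and adds the signing step the prose only describes. Both e-mail addresses, Tom's passphrase and the contents of the secrets file are constructed for the demonstration; Marge's passphrase is the one from the article. The function returns None when no GnuPG 2 is installed, so callers can tell "skipped" from "failed".

```python
"""Tom-and-Marge round trip with GnuPG 2.x: generate, exchange, certify, sign+encrypt, decrypt+verify.

Added example, not from the original article. Assumes `gpg` (GnuPG >= 2.1.12) is on PATH.
The user IDs, Tom's passphrase and the plaintext below are constructed for the demo.
"""
import os
import shutil
import subprocess
import tempfile

MARGE_UID = "Marge (Marge's GPG key pair) <marge@example.com>"   # constructed address
MARGE_PASS = "Sbr6wh wscartBM, iscaa2d"                            # the article's passphrase
TOM_UID = "Tommy (Tommy Boy) <tom@example.com>"                    # constructed address
TOM_PASS = "constructed passphrase for Tom"                        # constructed
SECRETS = b"constructed sample plaintext: account 1234-5678\n"


def find_gpg():
    """Return a GnuPG 2.x binary, or None so callers can skip the demo."""
    for name in ("gpg2", "gpg"):
        path = shutil.which(name)
        if path:
            banner = subprocess.run([path, "--version"], capture_output=True, text=True).stdout
            if banner.startswith("gpg (GnuPG) 2."):
                return path
    return None


def gpg(binary, homedir, *args, passphrase=None, stdin=None):
    """Run gpg unattended against one keyring directory; return (stdout bytes, stderr text)."""
    cmd = [binary, "--homedir", homedir, "--batch", "--yes", "--status-fd", "2"]
    if passphrase is not None:   # loopback pinentry lets --passphrase work without a prompt
        cmd += ["--pinentry-mode", "loopback", "--passphrase", passphrase]
    proc = subprocess.run(cmd + list(args), input=stdin, capture_output=True, check=True)
    return proc.stdout, proc.stderr.decode(errors="replace")


def fingerprint(binary, homedir, uid):
    """Primary key fingerprint from machine-readable --with-colons output (field 10 of 'fpr')."""
    out, _ = gpg(binary, homedir, "--with-colons", "--fingerprint", "--list-keys", uid)
    for line in out.decode().splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            return fields[9]
    raise RuntimeError("no fingerprint found for " + uid)


def kill_agents(dirs):
    """gpg starts one agent per homedir; stop them before the temp directory disappears."""
    for d in dirs:
        try:
            subprocess.run(["gpgconf", "--homedir", d, "--kill", "gpg-agent"], capture_output=True)
        except OSError:
            pass


def gpg_roundtrip():
    binary = find_gpg()
    if binary is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        marge, tom = os.path.join(tmp, "marge"), os.path.join(tmp, "tom")
        for d in (marge, tom):
            os.mkdir(d, 0o700)   # gpg complains about a homedir other users can read
        try:
            # 1. Each side generates its own pair: RSA primary (certify+sign) plus an RSA encryption
            #    subkey, the modern counterpart of the article's DSA+ElGamal pair. Expires in 1 year.
            for home, uid, pw in ((marge, MARGE_UID, MARGE_PASS), (tom, TOM_UID, TOM_PASS)):
                gpg(binary, home, "--quick-generate-key", uid, "rsa3072", "default", "1y", passphrase=pw)
            marge_fpr = fingerprint(binary, marge, MARGE_UID)
            tom_fpr = fingerprint(binary, tom, TOM_UID)

            # 2. Exchange PUBLIC keys only; the secret keys never leave their own homedir.
            marge_pub, _ = gpg(binary, marge, "--armor", "--export", marge_fpr)
            tom_pub, _ = gpg(binary, tom, "--armor", "--export", tom_fpr)
            gpg(binary, tom, "--import", stdin=marge_pub)
            gpg(binary, marge, "--import", stdin=tom_pub)

            # 3. Tom has compared marge_fpr with Marge out of band (the phone call), so he certifies
            #    her key with his own: the article's "sign" step. That is what makes the key valid
            #    for him with no "is this really Marge?" prompt. Ownertrust is a separate setting.
            gpg(binary, tom, "--quick-sign-key", marge_fpr, passphrase=TOM_PASS)
            gpg(binary, tom, "--check-trustdb")

            # 4. Sign with Tom's private key AND encrypt to Marge's public key in one pass.
            ciphertext, _ = gpg(binary, tom, "--local-user", tom_fpr, "--recipient", marge_fpr,
                                "--sign", "--encrypt", "--output", "-", passphrase=TOM_PASS, stdin=SECRETS)

            # 5. Marge decrypts with her private key. Because she imported Tom's public key, gpg can
            #    also verify his signature (GOODSIG/VALIDSIG); without it: "Can't check signature".
            plaintext, status = gpg(binary, marge, "--decrypt", passphrase=MARGE_PASS, stdin=ciphertext)
            return {
                "marge_fingerprint": marge_fpr,
                "plaintext_match": plaintext == SECRETS,
                "signature_good": "[GNUPG:] GOODSIG" in status and tom_fpr in status,
            }
        finally:
            kill_agents((marge, tom))


if __name__ == "__main__":
    print(gpg_roundtrip())
```

Two design points worth noticing. Recipients and signing keys are named by full fingerprint, never by name or short key ID, so a second key with the same user ID in the keyring can't be picked up by accident. And the trust problem is solved the way the article describes rather than by passing --trust-model always: Tom certifies the fingerprint he verified, and gpg does the rest.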
Apparently, Alice and Bob are names commonly used for this sort
of article. I didn't know that when I wrote it. See
http://catb.org/~esr/jargon/html/A/Alice-and-Bob.html and
http://www.conceptlabs.co.uk/alicebob.html
--TonyLawrence
______________________________
This page is a nice short howto for using GNUPG. I feel,
however, that some points need clarification, as it is
sensitive/personal data that are being dealt with here:
1. The part about publishing one's public key contains a rather
misleading and potentially dangerous passage, as it may create a
false sense of security:
"Email is not completely unreasonable: it doesn't matter if
someone else intercepts and reads that email, because all it
contains is the public key. That key is only useful for sending
documents that Marge (and only Marge) can decrypt; stealing it does
not let you impersonate Marge." This is not entirely true; there's
always the possibility of a "Man-in-the-Middle" Attack. Have a look
at
http://www.glump.net/content/gpg_intro/html/3_Creating_Your_Personal.html#foot311
to see what I mean. Of course, this might be viewed as paranoia,
but it's still a consideration, for users who want to take no
chances.
[ I guess that's what is meant, in the passage immediately after
the one above: "What Tom has to be concerned about is someone
forging email that pretends to be from Marge but that actually
contains a forged public key: if Tom used that to encrypt his data,
and the forger could intercept that transmission also, the forger
could decrypt the data (and of course Marge could not!)." but it's
not clear enough, IMHO -- the explanation should be more detailed,
as in the link above. ]
Also, the guide at http://www.glump.net/content/gpg_intro/ (the
above URL), which is entitled "A Practical Introduction to GNU
Privacy Guard in Windows", is an excellent geekspeak-free guide for
GPG, not only for MS-Windows.
2. The passage:
"So what Tom probably should do (if he's really worried about
this) is call Marge on the telephone and ask her to read some of
her key." describes a practice that's neither easy, nor the
commonly employed; it would be much better if the key's
*fingerprint* would be verified by both of the parties. This is the
easiest and safest way of verifying keys which were obtained via an
insecure means.
3. The part between:
"Tom has done all that he really needs to do. The next step is
recommended but not strictly necessary:" and "What Tom did was add
Marge to his 'trusted' keys- keys that he is sure came from who
they were supposed to." is not correct. A user signs a public key,
to show *others* that s/he trusts it (add an extra bit of validity
to that key); this possibly also involves the participation in a
*web of trust* -- see
http://www.gnupg.org/gph/en/manual.html#AEN533 . In order to show
*him/herself* s/he trusts a key (so s/he will be able to use it
with GPG without any security prompts), one has to set the trust
level on this key. See
http://www.glump.net/content/gpg_intro/html/4_Encrypting_Decrypting_Fil.html#SECTION00530000000000000000
(4.3.1 Importing the key).
--Doryforos (visitor)
Sat Dec 10 01:09:08 2005: 1423 anonymous
Awesome short summary. Just enough for me to remember how to use
it. Thank you for posting it!
Tue Feb 14 20:07:24 2006: 1641 anonymous
Short and precise composition of GPG/PGP files. Wonderful!
Wed Mar 15 20:50:39 2006: 1794 anonymous
Thanks, followed the steps and was immediately productive.
Thanks!
Fri Jun 16 21:05:13 2006: 2124 CBZ
Very nice. Thank-you!
Mon Nov 20 08:58:00 2006: 2632 vidyasagarcognizantcom
Nice. I was trying something more and I got stuck. What I did
was I created the public keys and exported them to a file (ex.
pkeys.asc). I wanted gpg to use this keyring and not to use the
default keyring. I used gpg --armor --batch --encrypt --keyring
pkeys.asc --no-default-keyring --recipient user5 1.txt and I am
getting errors. It says, gpg: user5: skipped: public key not found
gpg: 1.txt: encryption failed: public key not found
But when I list the keys it is showing the keys in its default
keyring. If anyone knows how to do this please tell me. I am not
getting help for this anywhere.
Wed Jul 4 16:59:30 2007: 3052 anonymous
This tutorial is among the finest there are in the UNIX/Linux
world. The combination of readability and accuracy is perfect. I
got my key generated and started encrypting/decrypting in 10
minutes. Some day all of the useless MAN pages will be tossed in
favor of material like this. Mr. or Ms. Lawrence, we salute
you.
Wed Feb 20 02:44:35 2008: 3679 anonymous
In the "Public Key,Private Key" of your article, you say ...
"In that case, you'd encrypt your message using your private key
(this is called "signing")."
No. A signature is a computed summary binary string that
uniquely identifies the sender's key, and the content of the email,
by creating a validity sum. Usually a sign for a message is only a
few 72-char lines long, and it is usually placed in a block near
the end of the email. I'm sure that you can edit this article, and
put a non-technical explanation of "signing" that is just as
correct as what I suggested in my comment.
The only other correction that I would suggest is to explain
that you cannot swap your keypair around, making key one public at
will, and making the other key private, and then encrypt with the
private key. The public key is always the one that you make public,
and the private key is always the one that you keep private.
In fact, if you don't get the public key for the person
receiving the email, then you cannot encrypt an email to them. This
is also true for the person sending email to you - if they don't
have your public key, then they can't send you encrypted email.
How do you exchange public keys? Either directly, sending them
to each other... or by putting your public key on a "keyserver".
You could write another article about keyservers, or you could
quickly describe it as a bulletin board on the internet where lots
of people put their public keys.
While your article is very good, there are a couple of points
that you really "glossed over" at a very high level... so much so
that your story of encrypting with your private key and the
receiver decrypting with a public key is in error.
Peace, and good will.
Wed Feb 20 03:14:02 2008: 3680 TonyLawrence
Peace to you also, but I have to disagree. The point of signing
is as I explained: to prove that the message in fact came from
you.
I did not suggest that you "swap keys around" - the point of
that section is that I'd use YOUR public key to send you something
that I want only you to be able to decrypt, but you'd use your
private key in the "signing" situation.
Wed Feb 20 14:35:08 2008: 3681 TonyLawrence
By the way:
The reason I wrote this page was because I found other web
resources confusing. That doesn't mean that they aren't well
written: they probably are for a person at a certain level of
knowledge and understanding.
That's the thing, really: we all come at things from different
starting points. For some people my post here is too basic, for
others it is way over their heads. For some, apparently, it's right
on the mark.
That's why I encourage people to leave comments or to even
submit a whole new article explaining things from *your*
perspective ( see http://aplawrence.com/publish.html for more on
that). How *you* explain something may be exactly what someone else
needs.
Sun Mar 9 03:14:09 2008: 3821 JonR
This is the first time I've understood clearly how GPG basically
works. I use it to encrypt my own files, but I've never had to use
it to communicate, and would have been at a loss. Now I know how to
do that. Regardless of whether some points are debatable, the main
ideas behind GPG come through and for average users I think that
finding this page will be a memorable event. Thanks very much.
Sun Mar 9 11:49:28 2008: 3823 TonyLawrence
Thank you, Jon and I'm glad it helped you. That's what it's all
about - getting our heads pointed in the right direction.
Wed Mar 26 20:56:08 2008: 3904 Arjay
Thanks for an easy to understand article! This is all I needed
to use gpg.
Mon Jul 7 19:53:22 2008: 4396 anonymous
In addition to the Alice & Bob names, Eve is also used when
speaking about "mitm", or man-in-the-middle. You almost got into
this topic when you mentioned someone sending Tom a false public
key, pretending to be Marge. Eve, as the eavesdropper, would send
Tom a false public key. Tom would encrypt using this false key, Eve
would intercept the message, decrypt it with her private key from
the pair that she gave to Tom, and then possibly modify the message
and encrypt it with Marge's real public key, and send it along to
Marge, assuming Eve could trick Marge as she tricked Tom. Eve is
the "(wo)man in the middle" of the conversation.
Mon Jul 7 20:20:40 2008: 4397 JonR
I happen to have been reading a couple of books recently that
deal directly or indirectly with cryptography, and as a result my
mind keeps coming back to the one absolutely unbreakable crypto
method: the one-time pad. If only that system could be made
practical, there would be absolute security, subject to the
limitation of identity fraud. Even a quantum computer could not
break a message encrypted with a one-time pad. The big difficulty,
and what makes it impractical to use the method on anything but a
very small scale, is getting the page(s) containing the key to the
recipient. It sends the users right back to square one.
Tue Sep 22 15:55:33 2009: 6953 Jai
http://gazolinia.blogspot.com
Very cool and simple explanation of GPG .
Tue Nov 10 22:27:07 2009: 7517 Jayakumar
Really simple to understand in a single page!!! Nice one.
Thu Nov 12 11:15:02 2009: 7532 senthil
Really good.
Thu Nov 26 15:00:22 2009: 7632 Merovance
Thank you. Your article fit me to a T. I appreciate you taking
the time to help newbies.
Thu Nov 26 15:10:03 2009: 7633 TonyLawrence
Thank you for taking the time to leave a comment. We appreciate
it!
Thu Jan 7 20:48:29 2010: 7887 MitulThakkar
Great Article!! I was struggling to get the relevant info on
web, but for a person like me who has very basic knowledge of
security , other articles were too heavy.. This is the best one I
have seen so far..
Thank you very much for giving us explanation of gpg
Sun Jan 17 20:57:38 2010: 7921 ratb0y
Just wanted to say this is a very good tutorial that saves you
from loads of trouble. I found it pretty easy and on target.
Congrats
Wed Jan 27 23:26:21 2010: 7958 anonymous
Thank you for writing such a nice and easy to read tutorial.
Keep up.
Wed Feb 24 08:56:01 2010: 8129 Mark
The bit of confusion about what it means to sign a message is
the difference between "sign" (which includes message encryption)
and "clearsign" (which does NOT encrypt the message; it uses your
private key to create a hash which can then be decrypted by your
public key; the message text remains in the clear). The confusion
happens because a clearsigned email begins with the line
"-----BEGIN PGP SIGNED MESSAGE-----". Just my 2 cents.
Wed May 5 19:02:21 2010: 8525 sunny
Hi, I am struggling in generating keys in Windows Server 2008.
The username is sunny, so how can I modify this "[marge@apl marge]$
gpg --gen-key"? What does 'marge@apl' mean? Please help me.
Thanks
Wed May 5 19:22:35 2010: 8526 TonyLawrence
[email protected] or whatever it actually is.
Wed May 5 19:24:44 2010: 8527 TonyLawrence
Oh, I see your confusion.
That stuff is just the command prompt. Nothing you would
type.
Tue May 11 14:09:00 2010: 8584 anonymous
Hi,
I have generated my keys and want to export my public key. I
tried this command "gpg --armor --export [email protected] > mypk" and
nothing comes up, but when I try this "gpg --armor --export
[email protected]" a public key block starts and ends with some code in
it. What is the command to export it onto the C drive?
Can I do a quick test by using my public key to encrypt a file
without exporting?
If someone sends me the public key, what will be the file
extension? And in order to import it do I have to keep it in a specific
directory? I came across a .asc extension file; what is this? In
what format will the exported keys be?
Please help me.
Tue May 11 14:18:33 2010: 8585 TonyLawrence
The "> mypk" put the key in a file called "mypk", in whatever
directory you are working in.
You could make that any name you like if your brain dead
operating system requires such. For example, to have that able to
be opened by clicking on it, you'd use "mypk.txt"
Just another example of why Windows is dumb. You won't
understand why I say that, but that's reality.
Fri May 14 01:16:03 2010: 8589 anonymous
I didn't know GPG. But after reading your article, I know at
least 95% how it works. this is very good explanation.
Mon Jul 26 18:34:36 2010: 8858 Sunny
hi
We got my legacy company public key. My admin imported that and
when he runs the command "gpg --list-keys" he is able to see it.
But when I run the same command I am not able to. Are these
keys user specific or role specific?
Thanks
Sat Aug 28 08:40:01 2010: 8938 habbay
It can't be explained simpler than this. A great job done!
Tue Aug 31 18:11:54 2010: 8944 anonymous
thanks tony, exactly what I needed, very helpful, egon
Thu Sep 23 21:21:09 2010: 8995 ADubey
Mr. Lawrence, thanks for the excellent documentation. This
really helped me set up my encryption.
My issue is that I am trying to automate a process to extract
data from an Oracle View, write it to a csv file, encrypt the file
and FTP it to our bank. I am calling these procedures from an ASPX
Web Application using VB.Net.
I set up the encryption with a specific User account used for
Service Accounts.
When I run the Web Application and call gpg.exe to encrypt the
data file, it will work fine as long as I am logged in as the
service account and am in the debug mode of Visual Studio Web
Developer.
When I then try to run the Web app from IE, the encryption
fails. I have not been able to trap the exact results to determine
any messages.
When I call gpg.exe I am using a Process that allows me to pass
the Service account credentials. Equivalent to "Run As". This does
not solve the problem.
I have tried calling a batch file to launch the gpg. Same
result. I tried creating a scheduled task to run a VBS script using
the Service account credentials. Again same result.
The only way I can get it to work, is to be logged in to the IIS
Server (Windows 2008 64 bit with IIS 7.) and running the Web
Application in debug mode from Visual Studio. Anytime I run it from
IE, it fails.
I have set the credentials in IIS for the site to be the Service
Account.
My next step is to change the IIS Services account from Local
Service to the Domain Service account. (For some reason, I have not
been able to get Windows Server to accept the different
credentials. The service account is a local admin.) I have tried
setting the GNUPGHOME to the Service Account's GNUPG folder. Still
no luck.
Below is a sample of the Batch file I am using to launch
gpg.exe. (I have also tried to launch gpg.exe directly from the
process. This is just a good example of my syntax.)
GNUPGHOME="c:\Users\ServiceAccount\AppData\Roaming\gnupg\"
export GNUPGHOME C: cd "\inetpub\wwwroot\BofA_ftp\FTP\"
"c:\GNU\GnuPG\gpg.exe" -u "UserName" -r "KeyName" --always-trust
--sign --passphrase-fd 0 %PPHrase% --encrypt "DataFile.csv" >

    gpg --output test123.fil --decrypt test123.gpg
    gpg: encrypted with 1024-bit ELG-E key, ID BE658B3D, created 2006-11-07
          "TEST-MM (Test Machine)"
    gpg: Signature made Wed 20 Jun 2012 02:08:00 PM EDT using RSA key ID B734C5E2
    gpg: Can't check signature: public key not found

But the public keys are present:

    81: gpg --list-public-keys
    /.gnupg/pubring.gpg
    ------------------------
    pub   1024D/6F037C71 2006-11-07
    uid   "TEST-MM (Test Machine)"
    sub   1024g/BE658B3D 2006-11-07

Any thoughts why I get the error?
Sat Jun 23 09:53:37 2012: 11140 TonyLawrence
No, sorry. Keep Googling.
Tue Jul 10 15:27:36 2012: 11189 nb
Sir, Very detailed informative article. Thank you very much
......
Sat Oct 6 05:20:59 2012: 11366 anonymous
I must be a slow-witted person because I STILL don't know how to
get started using gpg. How do I unzip a .tar file to get to do the
gpg?
Sat Oct 6 11:16:45 2012: 11367 TonyLawrence
You aren't slow witted - nothing here told you how to unpack a
tar file.
You might have tried googling "tar" though..
By the way, "zip" implies compression. A tar file CAN be
compressed, but tar by itself is just an archiver. Modern tars know
how to use external compression tools, though, so the point is
usually unimportant.
To unpack (and uncompress if indicated) do
tar xvf whateverthefileis.tar
or
tar xvf whateverthefileis.tgz if it's been zipped.
Sat Oct 20 14:02:59 2012: 11392 Michael
Hi. I followed the instructions here, including importing the
public key. Yet when I try to decrypt a file I receive the message
"gpg: decryption failed: secret key not available". I'm confused.
The recipient of the public key does not have to have both public
and private keys, correct? Any suggestions for correcting this
problem? Thanks.
Sat Oct 20 14:08:07 2012: 11393 TonyLawrence
Well, you've missed something somewhere. Hard to guess what.
Read again, read someone else's instructions, repeat your steps -
you went wrong somewhere.
Sun Oct 21 11:26:05 2012: 11394 Michael
Thanks for for your response. I did get your example to work.
Thanks. Here is our situation: a bank has generated the
private/public gpg keys. They sent the public key to us. We
successfully imported that key. Are we correct that we should now
be able to decrypt a file that the bank encrypts and sends to us? If
we will not send encrypted files, we do not have to generate keys.
Do we understand this correctly? Thank you!
Sun Oct 21 11:36:05 2012: 11395 TonyLawrence
Yes, and vice versa. As I said above:
For example, if you want to send me something, you'd encrypt it
using my public key. No one else can decrypt it; only my private
key will work. On the other hand, I might be concerned that it
really is you sending me a message. In that case, you'd encrypt
your message using your private key (this is called "signing"). If
I can decrypt it with your public key (presumably I somehow
obtained that key and trust that it really is yours), I know that
the message really came from you.
Tue Jan 1 07:50:38 2013: 11642 RajeshRS
I have been trying to understand GPG working for the past 4
hours. There has not been a single website, including the
so-called official documentation, which could say in simple terms
about how we can implement things using GPG. If these "official"
sites want their product/concepts reach people they should put
things in a simplest way possible.
And your page on GPG is simply the best I have come across on
this topic, as far as a starter is concerned. I really wish this
page finds a place in the official documentation. Nothing more to
say. Hats Off ..!
"GPG/PGP Basics" Copyright November 2001 Tony Lawrence