Privacy Tools: How to use the GnuPG encryption software

One thing about modern cryptography that many people don't realize is that it is possible to encrypt communications in such a way that it is literally impossible to decrypt without a key. Symmetric and information theoretically secure schemes like large symmetric keys or one-time pads can provide encryption that is quite literally unbreakable. Without the key, the plaintext is uncorrelated with the ciphertext - the information literally does not exist without both the key and the ciphertext together.

There are other more convenient encryption schemes that are also very secure - in these cases, the amount of computational work required to break the encryption, barring supposed mathematical breakthroughs, is outrageously large. While it is supposedly possible, it is unlikely for any earthly amount of computing capacity, to be able to break the encryption without the key. One of these is RSA - a means of sending messages securely using asymmetric key encrpytion.

Asymmetric key encryption works by generating two keys - a public key which is published for others to use, and a private key which is kept securely by the owner. The public key can be used by anyone to encrypt a message which can only be decrypted using the private key. So users, on obtaining your public key, can securely send you communications. If you obtain their public key, you can then send them messages. This can happen in the open, without the need to exchange keys in private via another secure channel or meeting.

Individual average everyday computer owners and users actually have a great deal of power to secure the privacy of their communications if they want to take the time to do so. It is the intent of this how-to to help educate users on how to use some of these freely available tools to secure their communications and data.

In fact, one of the fascinating things about modern computing is that almost all of the supposedly special high-power encryption/communication/anonymizing tools that are imagined to be the province l33t hackers and super spies are actually freely available as a result of the broader open-source community. All it takes to use them is a little time to figure out how they work. The unit cost of software is zero and all computers are Turing complete. There is nothing that a super empowered agency can do with their computers that you in principle cannot with yours.

I. So, on to the software:

GnuPG was originally created for Linux. If you are on a linux system, installing and using GPG will be somewhat more straightforward. For a Windows system, the 1st thing you will need to do is choose one of the two options:

0) If you are on a Linux/Unix system:

Call your package manager to install gpg. For Debian systems, the command would be:
 sudo apt-get install gnupg
(Or something like that. I'll need to check later).

The settings and saved keys for this version of gpg live in (home)/.gnupg;. It should install to your /bin directory and already be in your path, unless you have been doing something funky with your distribution.

1) (simpler) For Windows: Install a native binary of GnuPG called GnuPG4win

(to be filled in later)

2) (I recommend) For Windows: Install Cygwin, then install the GnuPG package for Cygwin

Cygwin: http://cygwin.com/install.html

Cygwin is a unix-like environment for windows that allows native unix and some linux programs to run under windows. It comes with a great many useful command line utilities that come standard/installable with a linux operating system: Utilities like telnet, ftp, or ssh. Ssh is one that I use a lot to remotely log into linux computers and servers elsewhere at school and on the internet. Various scripting languages are also available, as well as the ability to run bash scripts. It is a very handy environment to have.

Anyway, the Gnupg program gpg is contained in the package "security/gnupg". On installing cygwin, the installer will present you with a list of optional packages to install. In order to have the gnupg program installed, select the "gnupg" package (1.4.13-1 in the version I am installing now) from the list under the "security" directory.

Once cygwin is installed (it can take a while to download and compile everything), you will have an icon on your desktop to start the cygwin command line prompt. Cygwin binaries and executables are located in the cygwin/bin directory. They are .exe files like any other windows executable exe file, and can actually run from the dos command prompt if you add the cygwin/bin directory to your path. They depend on the cygwin.dll library file. (I actually like to turn my windows command prompt into a bizarre linux-windows hybrid by including the cygwin/bin directory in the path, among many others.)

The settings and saved keys for this version of gpg will live in the /cygwin/home/Yourname/.gnupg directory.

II. Using GPG:

Once you have your version of gpg installed, of whatever flavor, you should be able to begin using the software by calling the command line program. If you are having difficulty doing this from a command line (say, the windows command line), make sure that the directory containing the gpg .exe or executable file is in the path. You can add a directory to the path by the following command:
path %path%;C:\cygwin\bin
or similar, depending on where you installed cygwin
To see if your command line sees the gpg program, type:
gpg --help
This should print out a list of common command line switches needed to use the software.

0) Creating a public/private key pair

The first step to using gpg is to create a public/private key pair for yourself.
gpg --gen-key
this calls on gpg to generate a public private keypair. It will supply you with the following options:
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
Choose 1. It will then present you with possible key sizes. Choose the maximum key size (4096 bits) (because you can - shorter keys are less secure. 2048 bits is probably fine, but why compromise? Time isn't that big an issue on modern computers.)
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0)
If you are worried that the MIB are diligently trying to crack your keys with supercomputer farms buried under a mountain somewhere, you may want to regenerate your keys every so often. The expiration date on a key reminds people to get the latest version of your public key when they want to contact you. I'm not concerned with expiration dates, so I choose 0.
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
The identifier helps you and your confidants to keep various keys straight (who they go to, how to reach them, etc). I will be generating my keys with the identifying data:
Real name: MadRocketSci
Email address: ams@amssolarempire.com
Comment: Secretagentmaaaan
Now, for extra security, the algorithm will ask for a password. Without the password, you cannot use the private key. If Evil Eve calls her friends at the MIB and conducts a no-knock raid to steal your computer and all your keys, they still need the password to be able to use them.

Give it a password that you'll remember, otherwise you'll have trouble down the road decrypting the messages your friends send.

Next, the algorithm will begin talking a lot about 'entropy'. Computers, being (hopefully) deterministic devices, actually cannot generate random numbers on their own without input from an uncontrolled source. In the generating of the key, entropy from keyboard typing and mouse clicks will be used to seed the random number generator. (Another semi-paranoid security thing: if someone had nigh omniscience about the time that you generated your key, and you were using a bad psuedo-random generator, they could pull out the same random numbers that you were using when generating your key to try to generate their own keys to crack yours.)

Now you have your keys generated. They are stored in the "keyring" files that gpg keeps in the (yourhome)/.gnupg directory. The pubring.gpg and secring.gpg files.

You can list what keys your gpg has with the following commands:
gpg --list-keys
/home/Aaron/.gnupg/pubring.gpg
------------------------------
pub   4096R/2CF7B79B 2013-08-04
uid                  MadRocketSci (Secretagentmaaaan) <ams@amssolarempire.com>
sub   4096R/876A27F2 2013-08-04
This lists the public keys that you have attached to your keyring. You can use these to encrypt messages which can only be decrypted with the corresponding private keys, which you can list using:
gpg --list-secret-keys
/home/Aaron/.gnupg/secring.gpg
------------------------------
sec   4096R/2CF7B79B 2013-08-04
uid                  MadRocketSci (Secretagentmaaaan) <ams@amssolarempire.com>
ssb   4096R/876A27F2 2013-08-04

1) Exporting a public key to a text file

In order to use your public keys to enable others to send you encrypted messages, you first need a way to publish them. You can export a public key to a text file using the following command:
gpg --export --armor "Keyname" > keyname.key
for example, what I will use to eventually post my key at the end of this tutorial:
gpg --export --armor "MadRocketSci" > madrocketsci.pubkey
This dumps the key data into a plain-text file called (in my case) madrocketsci.pubkey. You can open it in notepad if you want (or other less broken text editors of your choice).
cat madrocketsci.pubkey
will spit out the contents. Cat is a linux command line utility that, among other things, displays text file contents on the command line.

The purpose of the --armor switch (or -a for short) is to "text armor" the output. The algorithm, in general, will spit out any binary ascii values for key and encrypted output, most of which are unprintable. Text armoring translates it into something that can be communicated via the common set of printable characters and communicated, say via e-mail or this blog.

2) Exporting a private key to a text file

If you have other computers with gpg on them from which you would like the ability to decrypt your messages, you will need the ability to transport your secret/private keys to these other computers and attach them to the keyring files stored there.

In order to export a private key, use the following
gpg --export-secret-key -a "User Name" > private.key
gpg --export-secret-key -a "MadRocketSci" > madrocketsci.privatekey
Warning: Don't publish your private keys. Transport them via a method which is secure (ie - don't gmail them to yourself. Take them on a thumbdrive or something!)

3) Importing someone's public key into your GPG system

Okay, suppose you have acquired a public key from your friend Alice and want to send her encrypted messages. Now you need to attach the public key to your keyring. In order to do so:
gpg --import public.key
sub in the name of the file where you have the public key stored (a plaintext file with nothing but the key-block, similar to the one you have just exported).

4) Importing one of your private keys into one of your other GPG systems

To import your private key into another gpg system on a computer that you control:
gpg --allow-secret-key-import --import private.key
This should add private.key to your keyring, allowing you to decrypt messages on this machine encrypted with the corresponding public key. private.key is in this case a plaintext file containing a private key block similar to the one you have exported in the exercise above.

5) Encrypting a binary file

Now onto actually sharing stuff. Suppose you have a zip file that you want to send to Alice. Alice and you know that Evil Eve has all your lines tapped (and backdoors in your e-mail clients, and a laser mike pointed at your window. Eve is like that.), so you want to encrypt it first to make sure she doesn't get her hands on your files. You call the encryption functions of the gpg program as follows:
gpg -r Alice -o totallyinnocent.blob -e secretsquirrel.zip
The -r switch encrypts the file according to the public key associated with the name Alice. The -e flag tells gpg to encrypt the file following the flag. The -o flag tells gpg to dump the encrypted data into the named file. There is some sensitivity to the order of the flags. I find that putting -e last tends to work, otherwise the program complains.

You can encrypt a file without the -r flag, which prompts the program to ask you for a recipient name followed by a blank line.

You can encrypt the file without the -o flag, which causes gpg to default on the naming of the encrypted file to

In my example, using the MadRocketSci public key, I would do the following:
gpg -r MadRocketSci -o totallyinnocent.blob -e secretsquirrel.zip
This scrambles the contents of secretsquirrel.zip and puts it into the totallyinnocent.blob file, which is unreadable until decrypted.

6) Decrypting a binary file

Okay, so you get a totallyinnocent.blob file back from Alice. Now you are curious to see what is inside. Alice should have used your public key to encrypt it, so you should be able to use your private key to decrypt it. Here is how you do that:
gpg -u MadRocketSci -o secretsquirrel2.zip -d totallyinnocent.blob
This (-d) decrypts totallyinnocent.blob using (-u) the private key under the name MadRocketSci and outputs (-o) the data to the secretsquirrel2.zip file. You will need to enter your password to complete the decryption key and decrypt the blob.

You should now have a readable zip file. (If it's not a zip file, but rather a shady executable or something, don't run it. Evil Eve is posing as Alice and trying to infect your computer with something.)

7) Encrypting a text file

Suppose you don't have a whole attachment to send - just some text that you want to include in another document such as a post or e-mail. Then you would use the -a flag in conjunction with the other encryption flags to ensure that what is output is in a text displayable format. Suppose you had the following text file:
This message is totally secret: Evil Eve has absolutely no business with what follows.
(whisperwhisperwhisper,blablabla)
you can encrypt it as follows

(when sending to Alice) (-r for recipient)
gpg -a -r Alice -o secretsquirrel.cipher.txt -e secretsquirrel.txt
(in my own example)
gpg -a -r MadRocketSci -o secretsquirrel.cipher.txt -e secretsquirrel.txt
this should generate something looking like this:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.13 (Cygwin)

hQIMA/SSveuHaifyAQ//eezAB/mFe8CTELqFvIjvcB05szK89ZXd0VUslFkTic2I
hMjb0cSJYkDRqBUJBx4FD08KnAnmcTm8PVR+SNp0aiV+6li88auftUg6gq1k1SQ4
ufMBXBWV2jcpyfXqRpvneR7UwZmCBd6yAVoYHDFgxL+AIAMMMhnxtZMToPl2grt0
zYFrtJ7qY4G6pYwe4Q9Cmn3XQVoMqFzdoCJRmxPKoNqiGByWrfrLAwIR+I4LIYqJ
EGy2Wjv6A4rNXPH3143yfyYq1MtMiI6XhvJKxky41g0x54NC7ul8Wzx40vX2r1TL
Yu7zbxs2kj4fOKp4PlWApr4V6SO/EsJcIjH3cSVinNfLXSMQ0hG8npDrP0/AjSzB
FEzJ9lsvXtSfSG0Fj6g0L7Xg6qMf8kBvOmK6MnN/x1aSRLD7EC/Tc+nQeta7TydH
Xw95nBOmWll9ruUXxIdYWjeea2+9IWHIL/gDaHLhBxCTPdoAN3UqGqqJheg8hiLt
l3Y6Yhk3WA6FdXE1Y0mG3OTZEAUUzClmxun/8JFCH5uWuaHVxHdaouvdMx7K9U7S
Njh/s4Jjww2be4e+CxaIV+1TZ6N+kau3CG6I2Dm44CEGiGTWhUbNcAHDOB6XSK70
+fRAOgi1ws0iw+qlPvM08ZSic2YoBO8zk571QXxkbmOFjHymYF7URyzR4aZ485PS
rQF8mTddzuokF5LyILZMWGIi4wz1XJ8Ut3A0JlQubdWpUZ8nGJR6vljqaRcTb2wH
7LwmivYVBT5RDzyRCXmM2Eha4ErKzcS/xw/xUXXPEhtrOwzdVWTbKFhHJz5INKxf
hIODID67VRFo9pAT4SH3E4Uz1SuUPWaNfIxTbzIwolswXDx7lJeh4RoKVd0kyF9F
Oh+HLk957dxM1OCVYnA5T/oD6S79Ym88x44pv72O
=DdwB
-----END PGP MESSAGE-----
which can be copied, pasted into an e-mail.

8) Decrypting a text file

And to decrypt, simply using the decryption routine shown before should work:
gpg -u MadRocketSci -o secretsquirrel2.txt -d secretsquirrel.cipher.txt
Enter your password, and you should get the message back in the file secretsquirrel2.txt. If you just want to copy and paste it from the command line, or forward it to a file, you can also do it like this:
gpg -u MadRocketSci -d secretsquirrel.cipher.txt > secretsquirrel2.txt
This message is totally secret: Evil Eve has absolutely no business with what follows.

(whisperwhisperwhisper,blablabla)
 

III. My public key:

If you ever need to contact me securely for whatever secret-squirrelly business you have in mind (or if you just want our conversation to be private), one of my public keys is listed below:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.13 (Cygwin)

mQINBFH+mKIBEAC0qg5nuYqOYkz+KPgqxCDHVO8f7GFiVxGYRX81davcLpWuDiPW
WZJ5dzKRGjcnotvcLo4qbp9R6gcxghiECMXzyRhuj3N/4GcReWp/hzfAvp8F5Q+G
znz4iTvJM0LYn+7BHGFcAlqJHVIuKrMRoO+Ub5/4K8u/AasxqkO0zSZK1hHMA0zc
WJCzhfkJyhSuHHJRqqiI5wJhhBaIXpFAbBFwmQft+963oRk+ur1xiiLPFHU9C204
qOKZNwg7LdL70a44TGPrEbAIsuOEZmjhtDoJyCKfyXTisG5mF7NMScrlGu9RR/2s
9VrPzzW1wE7dJiqRM5tvu4GdMw6gdswS1qJ0QjyZC1erxNymE2bb4Qv+O54vrdCe
17bGIpp0CyZ/gOuSQYfGpfd8RTRsxH/Byc4R6xVq5azjlvgQgxcREsPdeyGMsvij
0jqA2rpq9nZDblR0XJsmNvzNfyGTw5xirl2fi4k549Xw3OgSm8tYBPRf5P4DhtZ9
3Jik5XKe66AzEfpGgYokpFv/W8fdmHUGGOLPh9RtfNrb/ml2usLFx+YN1IMTQB/w
UoS+gal1pZJZqELr3vUuR5+XevArdYUDGGO7UWD63bepai1H9akZmWVK8H/RSrwh
fLgUU+A6QKlgxcwDfkULgN4ng6yLfs40ZIsJqQ9byUC/141gG8RSkfELhQARAQAB
tDlNYWRSb2NrZXRTY2kgKFNlY3JldGFnZW50bWFhYWFuKSA8YW1zQGFtc3NvbGFy
ZW1waXJlLmNvbT6JAjgEEwECACIFAlH+mKICGwMGCwkIBwMCBhUIAgkKCwQWAgMB
Ah4BAheAAAoJECQV6yMs97eb+VYP/3b8xzUIW6FF1AfIAO0tAP1nqMpY6xdE7SfN
yO7Ys3eb+SDYD5gVqkn3wpDNjcKe6+vQCaGw26EhXd6Qi9zJrD4eqvl/fnVTBcR9
hFcev9eDHcRiaQJJgJ2eT6UW2qUC6tfNacUaR9ByiqneXmp3G3/rVK3wyLqmTBhZ
A44KzcFZ5HUTk2MjCJ6Lv7mZEQFljTaY+VBaqDO61Sa5R71UNe+D64guleIZRUHb
6V/9swv4hoLka2x/IxsYXLlynYQskqyzVqQ4Q1X21UaXN28K0fOJP9KrLo5U5NpB
pLGeZtplCnw0sJlai336pIkCy3aJLjbU6c4ZnPEmwhVJ2N70FPBVMOoEMDK16g5d
I7Oi2j9TBBC21n0yb35SempUqyS8J5zglVfLPDGJQvkB0Y4w7uxetSdETjahBzxd
x6sExTib3BtlZBNAtVPE7WE6OzjxZG3eqYs8UH1TS61Ex8FVPv0iJim869wvqo+i
FeCFKruTIO7oSW2Y/tiextfP/63THw56a/veuF7KxXBIsP8erCOkiknTKMDcvEHD
Ui6Ky2oAEoaD/3/lbDmlVYh3DqWLhcorg6Guqg+SuJkIczYPDRGkGIAPUBj4HRmu
/ZciFtg/BTjqheKjU+Nq5KpUZG38uIc7a2z+S6RK/zwMMJHmOLdb4SMXI1wLD1Js
nZaFrwccuQINBFH+mKIBEADcbibBrWN2uyezHiVv7iYQR4I3T+wS/LLS0dzgw9hp
RVKW3GB2fvV//v0ov2QcA3hxeBEMpyslMPb7/FG2QVdufL6NyaJKzFmF0vLWRykK
lpuaGFfqGl4UufSUDnCzTAq1cxGasaCwSgxxbf57JleX3BoHg1OeW4HLyVg/fR+q
MAZ9AGGUpLijeK1Hk7shahNc9zfsq3sQZvwaC1pRd2asTP6fy3ZdJZlWldic2quk
GUP80gbnHDtY6no+kMEZEnMrG5C/iyJP/rQUVGI8eLd05sx8RphKw6tY35crjazs
ZfaPUQa0KycuA8TKVuleEL5awgdtRuHTYs6kOZCK2lTft9fd4MDb1XLOHRTltB5r
lY/PYq7J0rg7u7/6xi2ePbfrNhhNU4CiImaxW9bBBUk+H86O6lzKVm+0E8StqYKh
xoVlIrSt246+jzy1QlBYl5X8t6nBRsO2TkUP54yNNwL9+cX7qjlAyTK4IzRyaikl
yBd4E03KXenAxvQ4LtY1t1ZPdoCfW7Rmeis43buE9qPpv3ml25y2jZ4VF2bd8pzA
Sc8tsRv/EZY85dAv574docWAPmEnksqsmgsitSE+1O7XUVlNRN7r5Vlg7D7McXeI
epxysimwecv6/ALQNR/sLYYLieXdup7OX1jgGqzYTe9T1ub5UKkGHtu9teIc8YTh
SwARAQABiQIfBBgBAgAJBQJR/piiAhsMAAoJECQV6yMs97ebpq4QAIDXRp8A8mv1
wPpLiyp3scbkfGoDYDn6rkeRo7p/Q2XSRJ6SoKYU+fW/AhRNxCyy+keFMCG40Vv5
pX2oLePNNb/mUvRa7n3VZKsba8W+h5Z062qMfLXNC5+dV50jrtonjjPk6wGy/LD8
PGP1Nd46V1b+6QtY9DuwetfHechK390EFpzSpBTDPbYiiV7FIgAFsCKOBn2AmCla
g0hPD3O3mw2DmNssxOmavHu9nh8sKr23YgXZdaRZQT54KKMaV0km+uWLDbbttRqj
ZzbsSfrZeYAmCtuMJNhX4zkZ86WDlqGXqaRnCOufzziWGw0HDbpuiBbf79DA4JZ5
NawopuwYd+rGRaARcfNLOLXVx3BhZcu4Dlu0wqaoDZWABPd+wljYXiQgpXXOgVGk
+DToGEEf5CTt5hI1mNazQo+XNgZnBOiqno70h5w11ex/34NQn8nL/2SMW0dquchG
tZSA1gFoNJjy/zX8My8k3JwbGbtfm1kbooQP+0cFu82pXs0XvhSpDfXsJePowlCS
XwWrAIifiE6oXKP1uOL1v9gP9EiQzcY81M9XDBABOj6gPD1veIzuYZ/RZI+mvWby
Mr41w3kCeNZruZpMn1V4JOY7BAByc91pyV+cw3ptDQtu7YcnHbcXBINYzM2M1kHt
phxPqV2O6azjIUSwP7PX0wy/fBkWIAwW
=fPzn
-----END PGP PUBLIC KEY BLOCK-----
As an exercise, create a gpg encrypted text message and send it to me. Give me your public key too so I can reply in kind. :-)

Other uses of GPG:

Other uses of the GPG utility involve digitally signing and authenticating files. If you are deep into something secret-squirrely and need to verify that a file is coming from someone you trust without modification or tampering, you can use the GPG utility to digitally sign and verify the files. This will have to wait for another time/tutorial.

See Also:

http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/