Privacy Tools: How to use the GnuPG encryption software

One thing about modern cryptography that many people don't realize is that it is possible to encrypt communications in such a way that it is literally impossible to decrypt without a key. Symmetric and information theoretically secure schemes like large symmetric keys or one-time pads can provide encryption that is quite literally unbreakable. Without the key, the plaintext is uncorrelated with the ciphertext - the information literally does not exist without both the key and the ciphertext together.

There are other more convenient encryption schemes that are also very secure - in these cases, the amount of computational work required to break the encryption, barring supposed mathematical breakthroughs, is outrageously large. While it is supposedly possible, it is unlikely for any earthly amount of computing capacity, to be able to break the encryption without the key. One of these is RSA - a means of sending messages securely using asymmetric key encrpytion.

Asymmetric key encryption works by generating two keys - a public key which is published for others to use, and a private key which is kept securely by the owner. The public key can be used by anyone to encrypt a message which can only be decrypted using the private key. So users, on obtaining your public key, can securely send you communications. If you obtain their public key, you can then send them messages. This can happen in the open, without the need to exchange keys in private via another secure channel or meeting.

Individual average everyday computer owners and users actually have a great deal of power to secure the privacy of their communications if they want to take the time to do so. It is the intent of this how-to to help educate users on how to use some of these freely available tools to secure their communications and data.

In fact, one of the fascinating things about modern computing is that almost all of the supposedly special high-power encryption/communication/anonymizing tools that are imagined to be the province l33t hackers and super spies are actually freely available as a result of the broader open-source community. All it takes to use them is a little time to figure out how they work. The unit cost of software is zero and all computers are Turing complete. There is nothing that a super empowered agency can do with their computers that you in principle cannot with yours.

I. So, on to the software:

GnuPG was originally created for Linux. If you are on a linux system, installing and using GPG will be somewhat more straightforward. For a Windows system, the 1st thing you will need to do is choose one of the two options:

0) If you are on a Linux/Unix system:

Call your package manager to install gpg. For Debian systems, the command would be:
 sudo apt-get install gnupg
(Or something like that. I'll need to check later).

The settings and saved keys for this version of gpg live in (home)/.gnupg;. It should install to your /bin directory and already be in your path, unless you have been doing something funky with your distribution.

1) (simpler) For Windows: Install a native binary of GnuPG called GnuPG4win

(to be filled in later)

2) (I recommend) For Windows: Install Cygwin, then install the GnuPG package for Cygwin


Cygwin is a unix-like environment for windows that allows native unix and some linux programs to run under windows. It comes with a great many useful command line utilities that come standard/installable with a linux operating system: Utilities like telnet, ftp, or ssh. Ssh is one that I use a lot to remotely log into linux computers and servers elsewhere at school and on the internet. Various scripting languages are also available, as well as the ability to run bash scripts. It is a very handy environment to have.

Anyway, the Gnupg program gpg is contained in the package "security/gnupg". On installing cygwin, the installer will present you with a list of optional packages to install. In order to have the gnupg program installed, select the "gnupg" package (1.4.13-1 in the version I am installing now) from the list under the "security" directory.

Once cygwin is installed (it can take a while to download and compile everything), you will have an icon on your desktop to start the cygwin command line prompt. Cygwin binaries and executables are located in the cygwin/bin directory. They are .exe files like any other windows executable exe file, and can actually run from the dos command prompt if you add the cygwin/bin directory to your path. They depend on the cygwin.dll library file. (I actually like to turn my windows command prompt into a bizarre linux-windows hybrid by including the cygwin/bin directory in the path, among many others.)

The settings and saved keys for this version of gpg will live in the /cygwin/home/Yourname/.gnupg directory.

II. Using GPG:

Once you have your version of gpg installed, of whatever flavor, you should be able to begin using the software by calling the command line program. If you are having difficulty doing this from a command line (say, the windows command line), make sure that the directory containing the gpg .exe or executable file is in the path. You can add a directory to the path by the following command:
path %path%;C:\cygwin\bin
or similar, depending on where you installed cygwin
To see if your command line sees the gpg program, type:
gpg --help
This should print out a list of common command line switches needed to use the software.

0) Creating a public/private key pair

The first step to using gpg is to create a public/private key pair for yourself.
gpg --gen-key
this calls on gpg to generate a public private keypair. It will supply you with the following options:
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
Choose 1. It will then present you with possible key sizes. Choose the maximum key size (4096 bits) (because you can - shorter keys are less secure. 2048 bits is probably fine, but why compromise? Time isn't that big an issue on modern computers.)
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0)
If you are worried that the MIB are diligently trying to crack your keys with supercomputer farms buried under a mountain somewhere, you may want to regenerate your keys every so often. The expiration date on a key reminds people to get the latest version of your public key when they want to contact you. I'm not concerned with expiration dates, so I choose 0.
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"
The identifier helps you and your confidants to keep various keys straight (who they go to, how to reach them, etc). I will be generating my keys with the identifying data:
Real name: MadRocketSci
Email address:
Comment: Secretagentmaaaan
Now, for extra security, the algorithm will ask for a password. Without the password, you cannot use the private key. If Evil Eve calls her friends at the MIB and conducts a no-knock raid to steal your computer and all your keys, they still need the password to be able to use them.

Give it a password that you'll remember, otherwise you'll have trouble down the road decrypting the messages your friends send.

Next, the algorithm will begin talking a lot about 'entropy'. Computers, being (hopefully) deterministic devices, actually cannot generate random numbers on their own without input from an uncontrolled source. In the generating of the key, entropy from keyboard typing and mouse clicks will be used to seed the random number generator. (Another semi-paranoid security thing: if someone had nigh omniscience about the time that you generated your key, and you were using a bad psuedo-random generator, they could pull out the same random numbers that you were using when generating your key to try to generate their own keys to crack yours.)

Now you have your keys generated. They are stored in the "keyring" files that gpg keeps in the (yourhome)/.gnupg directory. The pubring.gpg and secring.gpg files.

You can list what keys your gpg has with the following commands:
gpg --list-keys
pub   4096R/2CF7B79B 2013-08-04
uid                  MadRocketSci (Secretagentmaaaan) <>
sub   4096R/876A27F2 2013-08-04
This lists the public keys that you have attached to your keyring. You can use these to encrypt messages which can only be decrypted with the corresponding private keys, which you can list using:
gpg --list-secret-keys
sec   4096R/2CF7B79B 2013-08-04
uid                  MadRocketSci (Secretagentmaaaan) <>
ssb   4096R/876A27F2 2013-08-04

1) Exporting a public key to a text file

In order to use your public keys to enable others to send you encrypted messages, you first need a way to publish them. You can export a public key to a text file using the following command:
gpg --export --armor "Keyname" > keyname.key
for example, what I will use to eventually post my key at the end of this tutorial:
gpg --export --armor "MadRocketSci" > madrocketsci.pubkey
This dumps the key data into a plain-text file called (in my case) madrocketsci.pubkey. You can open it in notepad if you want (or other less broken text editors of your choice).
cat madrocketsci.pubkey
will spit out the contents. Cat is a linux command line utility that, among other things, displays text file contents on the command line.

The purpose of the --armor switch (or -a for short) is to "text armor" the output. The algorithm, in general, will spit out any binary ascii values for key and encrypted output, most of which are unprintable. Text armoring translates it into something that can be communicated via the common set of printable characters and communicated, say via e-mail or this blog.

2) Exporting a private key to a text file

If you have other computers with gpg on them from which you would like the ability to decrypt your messages, you will need the ability to transport your secret/private keys to these other computers and attach them to the keyring files stored there.

In order to export a private key, use the following
gpg --export-secret-key -a "User Name" > private.key
gpg --export-secret-key -a "MadRocketSci" > madrocketsci.privatekey
Warning: Don't publish your private keys. Transport them via a method which is secure (ie - don't gmail them to yourself. Take them on a thumbdrive or something!)

3) Importing someone's public key into your GPG system

Okay, suppose you have acquired a public key from your friend Alice and want to send her encrypted messages. Now you need to attach the public key to your keyring. In order to do so:
gpg --import public.key
sub in the name of the file where you have the public key stored (a plaintext file with nothing but the key-block, similar to the one you have just exported).

4) Importing one of your private keys into one of your other GPG systems

To import your private key into another gpg system on a computer that you control:
gpg --allow-secret-key-import --import private.key
This should add private.key to your keyring, allowing you to decrypt messages on this machine encrypted with the corresponding public key. private.key is in this case a plaintext file containing a private key block similar to the one you have exported in the exercise above.

5) Encrypting a binary file

Now onto actually sharing stuff. Suppose you have a zip file that you want to send to Alice. Alice and you know that Evil Eve has all your lines tapped (and backdoors in your e-mail clients, and a laser mike pointed at your window. Eve is like that.), so you want to encrypt it first to make sure she doesn't get her hands on your files. You call the encryption functions of the gpg program as follows:
gpg -r Alice -o totallyinnocent.blob -e
The -r switch encrypts the file according to the public key associated with the name Alice. The -e flag tells gpg to encrypt the file following the flag. The -o flag tells gpg to dump the encrypted data into the named file. There is some sensitivity to the order of the flags. I find that putting -e last tends to work, otherwise the program complains.

You can encrypt a file without the -r flag, which prompts the program to ask you for a recipient name followed by a blank line.

You can encrypt the file without the -o flag, which causes gpg to default on the naming of the encrypted file to

In my example, using the MadRocketSci public key, I would do the following:
gpg -r MadRocketSci -o totallyinnocent.blob -e
This scrambles the contents of and puts it into the totallyinnocent.blob file, which is unreadable until decrypted.

6) Decrypting a binary file

Okay, so you get a totallyinnocent.blob file back from Alice. Now you are curious to see what is inside. Alice should have used your public key to encrypt it, so you should be able to use your private key to decrypt it. Here is how you do that:
gpg -u MadRocketSci -o -d totallyinnocent.blob
This (-d) decrypts totallyinnocent.blob using (-u) the private key under the name MadRocketSci and outputs (-o) the data to the file. You will need to enter your password to complete the decryption key and decrypt the blob.

You should now have a readable zip file. (If it's not a zip file, but rather a shady executable or something, don't run it. Evil Eve is posing as Alice and trying to infect your computer with something.)

7) Encrypting a text file

Suppose you don't have a whole attachment to send - just some text that you want to include in another document such as a post or e-mail. Then you would use the -a flag in conjunction with the other encryption flags to ensure that what is output is in a text displayable format. Suppose you had the following text file:
This message is totally secret: Evil Eve has absolutely no business with what follows.
you can encrypt it as follows

(when sending to Alice) (-r for recipient)
gpg -a -r Alice -o secretsquirrel.cipher.txt -e secretsquirrel.txt
(in my own example)
gpg -a -r MadRocketSci -o secretsquirrel.cipher.txt -e secretsquirrel.txt
this should generate something looking like this:
Version: GnuPG v1.4.13 (Cygwin)

which can be copied, pasted into an e-mail.

8) Decrypting a text file

And to decrypt, simply using the decryption routine shown before should work:
gpg -u MadRocketSci -o secretsquirrel2.txt -d secretsquirrel.cipher.txt
Enter your password, and you should get the message back in the file secretsquirrel2.txt. If you just want to copy and paste it from the command line, or forward it to a file, you can also do it like this:
gpg -u MadRocketSci -d secretsquirrel.cipher.txt > secretsquirrel2.txt
This message is totally secret: Evil Eve has absolutely no business with what follows.


III. My public key:

If you ever need to contact me securely for whatever secret-squirrelly business you have in mind (or if you just want our conversation to be private), one of my public keys is listed below:
Version: GnuPG v1.4.13 (Cygwin)

As an exercise, create a gpg encrypted text message and send it to me. Give me your public key too so I can reply in kind. :-)

Other uses of GPG:

Other uses of the GPG utility involve digitally signing and authenticating files. If you are deep into something secret-squirrely and need to verify that a file is coming from someone you trust without modification or tampering, you can use the GPG utility to digitally sign and verify the files. This will have to wait for another time/tutorial.

See Also: