Quick and dirty introduction to GnuPG (GPG) on Linux
It’s a few simple steps to create GPG encryption keys and use these for signing and encrypting files and emails.
GPG Key Creation
1. Create a new pair of public/private cryptographic keys:
user@yourhost:~$ gpg --gen-key
…
Follow the prompts, using the defaults if unsure, and enter your name and email address (gpg --full-generate-key asks for the algorithm, key size and expiry as well). Choose a strong passphrase: it is all that protects the private key on disk, and anyone who copies the key file and guesses the passphrase can read your files and sign as you.
2. List Keys
tom@tomsalmon:~$ gpg --list-keys
pub 1024D/C96ACE6A 2025-03-30 [expires: 2030-03-29]
uid Tom Salmon <tom@tomsalmon.com>
sub 4096g/2BEF6E4A 2025-03-30 [expires: 2030-03-29]
This listing comes from an older GnuPG: a 1024-bit DSA primary key with a 4096-bit ElGamal encryption subkey, each labelled with an 8-digit short key ID. A current gpg --gen-key produces a 3072-bit RSA pair (or an ed25519/cv25519 pair in GnuPG 2.3 and later), and --list-keys prints the full 40-digit fingerprint under each pub line instead of a short ID. 1024-bit DSA should not be used for new keys.
3. Upload the Public Key to one of the Key servers:
gpg --keyserver hkp://keys.gnupg.net --send-keys C96ACE6A
The key ID is the one shown by --list-keys above; the full fingerprint is accepted wherever a key ID is and cannot be confused with another key. Note that keys.gnupg.net pointed at the SKS keyserver pool, which was abandoned after the 2019 certificate-flooding attacks; GnuPG 2.2.17 and later default to hkps://keys.openpgp.org, which publishes a user ID only after its email address has been confirmed and does not carry third-party signatures. Uploading is optional: you can also hand your exported public key to correspondents directly.
4. Export the Public Key in ASCII-armored format:
tom@tomsalmon:~$ gpg --export -a C96ACE6A
Redirect the output to a file (e.g. tom.asc) to attach it to an email or publish it on a web page. --export writes only public keys, so there is no risk of leaking the private key this way.
5. Import a Public Key in ASCII format:
gpg --import < key.asc
gpg --edit-key C96ACE6A
… at the gpg> prompt run 'trust', 'sign' and 'save' ('save' writes the changes and leaves the editor; 'quit' leaves without saving). Do not 'sign' until you have checked the key's fingerprint with its owner, as described under Key Signing below.
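Scripts that need a key ID or fingerprint should not scrape the human-readable listing shown above, which changes between GnuPG versions. The following is an added example, not code from the original article: it reads GnuPG's machine-readable --with-colons listing, picks out each primary key's fingerprint, and derives the long and short key IDs from it. The function names and the sample listing (a made-up key, not Tom's) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: read fingerprints and
# key IDs from GnuPG's machine-readable listing (--with-colons) instead of
# scraping the human-readable --list-keys text, which changes between
# versions. Function names and the sample listing are this example's own.

# Print the fingerprint of every primary key in a --with-colons listing read
# from stdin. An "fpr" record carries the fingerprint in field 10 and follows
# the "pub" (or "sub") record it belongs to; subkey fingerprints are skipped.
primary_fingerprints() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "fpr" { if (want) print $10; want = 0; next }
    { want = 0 }'
}

# For a v4 key the key ID is the tail of the fingerprint: the long (64-bit)
# ID is the last 16 hex digits, the short (32-bit) ID the last 8.
long_keyid()  { printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 15) }'; }
short_keyid() { printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 7) }'; }

# Constructed sample of `gpg --with-colons --list-keys` for one key with an
# encryption subkey (not a real key). Field 5 of the pub record is the long ID.
SAMPLE_LISTING='tru::1:1711756800:0:3:1:5
pub:u:3072:1:3A1B2C3D4E5F6071:1711756800:1869091200::u:::scESC::::::23::0:
fpr:::::::::9F8E7D6C5B4A39281706F5E43A1B2C3D4E5F6071:
uid:u::::1711756800::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.com>::::::::::0:
sub:u:3072:1:1122334455667788:1711756800:1869091200:::::e::::::23:
fpr:::::::::0A0B0C0D0E0F1011121314151122334455667788:'

sample_fingerprints() { printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprints; }

FPR=$(sample_fingerprints)
echo "fingerprint: $FPR"
echo "long id:     $(long_keyid "$FPR")"    # 3A1B2C3D4E5F6071, equals pub field 5
echo "short id:    $(short_keyid "$FPR")"   # 4E5F6071: 32 bits, too short to identify a key

# Against your own keyring (skipped when gpg is not installed). Feed the
# fingerprint, not the short ID, to --export, --send-keys and -r.
if command -v gpg >/dev/null 2>&1; then
  gpg --with-colons --list-keys 2>/dev/null | primary_fingerprints | while read -r fpr; do
    echo "local key $fpr (long id $(long_keyid "$fpr"))"
  done
fi
```

The short ID printed by the old listing is just the last eight hex digits of the fingerprint, which is why it should only ever be treated as a label and never as an identifier when importing, exporting or encrypting.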
GPG with Email
Mutt comes with built-in GPG support and integrates with the system's GPG setup, so keys created and imported as above are used for signing and encrypting mail without further configuration.
File Encryption
Encrypting:
gpg -r your@emailaddress.org -e intheclear.txt
Creates a new file intheclear.txt.gpg encrypted to your public key. Only the matching private key can decrypt this file.
Decrypting:
gpg [-d] secret.txt.gpg
Requires your passphrase. Without -d, gpg writes the plaintext to ‘secret.txt’ (the input name minus its .gpg suffix); with -d (--decrypt) the plaintext goes to standard output instead, so redirect it or use -o FILE to name the output.
You may encrypt files for other people if you have imported their public key, by giving their address to -r instead of your own. -r matches the name or address against every imported key, so verify the recipient's fingerprint first (see Key Signing below); otherwise a look-alike key fetched from a keyserver would receive the plaintext. Only their private key will then be able to decrypt the file, and that includes you: a file encrypted solely to someone else cannot be read back by the sender. Add yourself as a second -r recipient, or set encrypt-to (or default-recipient-self) in ~/.gnupg/gpg.conf, whenever you need to keep a readable copy.
Key Signing
1. Search the keyserver:
gpg --keyserver hkp://keys.gnupg.net --search-keys tom@tomsalmon.com
… select the most recent key that matches and note its key ID. Treat the result as a lead, not proof: anyone can upload a key carrying any name and email address, so the search alone says nothing about who holds the private key.
To make life easier, add the following line to your .bashrc file:
alias gpgsearch='gpg --keyserver hkp://keys.gnupg.net --search-keys'
Restart your shell and run ‘gpgsearch user@example.com’.
2. Verify the key fingerprint with its owner (manually, in person or over another channel you already trust):
gpg --fingerprint KEY_ID
Compare all 40 hex digits. The 8-digit key ID is only the last 32 bits of the fingerprint, and a key whose short ID collides with a chosen target is trivial to generate, so matching the ID alone is not verification.
3. Set the trust level and sign the key:
gpg --edit-key KEY_ID
At the gpg> prompt run 'trust', then 'sign', then 'save'.
4. Upload the signed key to the keyserver so that others can see your signature:
gpg --keyserver hkp://keys.gnupg.net --send-keys KEY_ID
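Step 2 is the part people get wrong in practice: a fingerprint read out over the phone arrives in lower case with arbitrary spacing, and the temptation is to compare only the last eight digits. The following is an added example, not code from the original article: it normalises both copies, insists on a full 40-digit match, and only then signs the key. Function names and the sample fingerprints are invented for the example; it uses --quick-sign-key (GnuPG 2.1 and later) in place of the interactive --edit-key session from step 3.

```shell
#!/bin/sh
# Added example, not code from the original article: check the fingerprint
# the key owner read out to you against the copy in your keyring, and sign
# only on an exact match. Function names and sample fingerprints are this
# example's own; --quick-sign-key (GnuPG 2.1+) replaces the interactive
# --edit-key session from step 3.

# Canonical form: no whitespace, no 0x prefix, upper case.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if both arguments are the same full 40-digit v4 fingerprint.
# A bare key ID (8 or 16 digits) is rejected rather than partially matched.
fpr_matches() {
  _a=$(normalize_fpr "$1"); _b=$(normalize_fpr "$2")
  case $_a in '' | *[!0-9A-F]*) return 1 ;; esac
  [ "${#_a}" -eq 40 ] && [ "$_a" = "$_b" ]
}

# Look up KEY_ID in the local keyring and sign it only if its fingerprint is
# the one verified out of band.
verify_then_sign() {
  spoken=$1; keyid=$2
  local_fpr=$(gpg --with-colons --fingerprint "$keyid" | awk -F: '$1 == "fpr" { print $10; exit }')
  if fpr_matches "$spoken" "$local_fpr"; then
    gpg --quick-sign-key "$local_fpr" && echo "signed $local_fpr"
  else
    echo "fingerprint mismatch for $keyid: refusing to sign" >&2
    return 1
  fi
}

# Constructed values (no real key): the keyring copy as `gpg --fingerprint`
# prints it, and the same fingerprint as typed from a phone call.
KEYRING_FPR='9F8E 7D6C 5B4A 3928 1706  F5E4 3A1B 2C3D 4E5F 6071'
SPOKEN_FPR='9f8e7d6c5b4a39281706f5e43a1b2c3d4e5f6071'
# A different key engineered to share the 8-digit short ID 4E5F6071.
LOOKALIKE_FPR='000000000000000000000000000000004E5F6071'

fpr_matches "$SPOKEN_FPR" "$KEYRING_FPR" && echo "match: safe to sign"
fpr_matches "$LOOKALIKE_FPR" "$KEYRING_FPR" || echo "short-ID look-alike rejected"
fpr_matches "4E5F6071" "$KEYRING_FPR" || echo "bare key ID rejected"
# Live use: verify_then_sign "$SPOKEN_FPR" KEY_ID
```

Use --quick-lsign-key instead of --quick-sign-key if you want a local, non-exportable signature that will never be uploaded to a keyserver.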
Checking signatures on new keys
1. Search the keyserver and download the matching key (pick it from the --search-keys results, or fetch it directly by key ID with --recv-keys).
2. Check whether the key has been signed by any keys you already trust:
gpg --check-sigs KEY_ID
3. Based on this result you can judge whether the key belongs to the user. Each signature line carries a status flag right after 'sig': '!' is a good signature, '-' a bad one, '?' means you do not have the signer's public key (fetch it and re-run), and '%' an error. Only a good signature from a key whose fingerprint you verified yourself counts; every key carries a good self-signature, which proves nothing about identity. Bear in mind that some keyservers do not distribute third-party signatures (hkps://keys.openpgp.org, the current GnuPG default, does not), so a key fetched from one will usually show only its self-signatures.
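Reading --check-sigs output by eye works for one key; for a script, or for a keyring of many keys, the machine-readable form is easier to act on. The following is an added example, not code from the original article: it takes `gpg --with-colons --check-sigs KEY_ID` output, drops the key's own self-signatures, and reports whether any good signature comes from a key you have personally verified. The function names and the sample output are invented for the example; the field layout follows GnuPG's --with-colons format as documented in doc/DETAILS.

```shell
#!/bin/sh
# Added example, not code from the original article: summarise the
# machine-readable output of `gpg --with-colons --check-sigs KEY_ID` so a
# script can distinguish "vouched for by a key I trust" from "only a
# self-signature" or "signer unknown". Function names and the sample output
# are this example's own; the field layout is GnuPG's --with-colons format
# (doc/DETAILS): in a "sig" record field 2 is the status (! good, - bad,
# ? signer's key not in keyring, % error), field 5 the signer's long key ID
# and field 10 the signer's user ID.

# Print "STATUS SIGNER_KEYID USERID" for every signature that is not a
# self-signature (signer equal to the key's own long ID, pub field 5).
third_party_sigs() {
  awk -F: '
    $1 == "pub" { self = $5; next }
    $1 == "sig" && $5 != self { print $2, $5, $10 }'
}

# Succeed if some GOOD signature comes from a key in the space-separated list
# of long key IDs whose fingerprints you verified yourself. A '?' signature
# from a trusted ID does not count: fetch the signer's key and re-check.
vouched_by_trusted() {
  trusted=" $1 "
  while read -r status signer _rest; do
    [ "$status" = "!" ] || continue
    case $trusted in *" $signer "*) return 0 ;; esac
  done
  return 1
}

# Constructed sample: the key's own self-signature, a good signature from a
# friend whose key you hold, and one from a signer whose key is missing.
SAMPLE_CHECK='pub:u:3072:1:3A1B2C3D4E5F6071:1711756800:1869091200::u:::scESC::::::23::0:
fpr:::::::::9F8E7D6C5B4A39281706F5E43A1B2C3D4E5F6071:
uid:u::::1711756800::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.com>::::::::::0:
sig:!::1:3A1B2C3D4E5F6071:1711756800::::Example User <user@example.com>:13x:
sig:!::1:AABBCCDDEEFF0011:1711843200::::Verified Friend <friend@example.net>:10x:
sig:?::1:0011223344556677:1711929600:::::10x:'

sample_sigs() { printf '%s\n' "$SAMPLE_CHECK" | third_party_sigs; }

sample_sigs
# Long IDs of keys you verified in person; replace with your own (constructed here).
TRUSTED_IDS='AABBCCDDEEFF0011'
if sample_sigs | vouched_by_trusted "$TRUSTED_IDS"; then
  echo "vouched for by a key you trust"
else
  echo "not vouched for: treat as unverified"
fi
# Live use: gpg --with-colons --check-sigs KEY_ID | third_party_sigs | vouched_by_trusted "$TRUSTED_IDS"
```

The third sample signature is the case worth noticing: its signer may well be someone you trust, but until their key is in your keyring gpg reports it as '?', and the script correctly refuses to count it.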