GPG keys
GPG Keys (OpenPGP/GNU Privacy Guard)
Purpose
Used for encryption, decryption, and digital signing of data and communications.
Mechanism
A GPG key is a more complex structure than a single key pair: it is built around a public/private primary key pair and can include multiple subkeys for different purposes (e.g., signing, encryption, authentication).
Usage
- Encrypting and Decrypting: Securing emails or files so only the intended recipient with the corresponding private key can decrypt them.
- Digital Signatures: Verifying the authenticity and integrity of data, such as signing Git commits and tags to prove authorship and ensure the content has not been tampered with.
- Authentication (Optional): GPG's agent (gpg-agent) can also act as an SSH authentication agent, allowing an authentication subkey of your GPG key to be used for SSH logins. This can be beneficial for managing fewer keys, especially when using hardware security tokens like YubiKeys.
Why Linux computers use and may ask for GPG files
Linux systems, and increasingly other platforms, frequently utilize GPG (GNU Privacy Guard) files for various security and data integrity purposes. GPG is a powerful open-source implementation of the OpenPGP standard, which allows users to encrypt, decrypt, and sign data.
In essence, GPG files and operations are a fundamental aspect of security and trust within the Linux ecosystem, allowing for secure communication, verified software, and protection of sensitive data.
Here’s why you might encounter requests or interactions with GPG files on a Linux machine:
- Encryption and Decryption: GPG employs a system of public and private key pairs for encrypting and decrypting information. If someone sends you a file encrypted with your public key, the GPG software on your Linux system will need your corresponding private key to decrypt and access the content.
- Digital Signatures and Authentication: GPG is crucial for verifying the authenticity and integrity of files and messages. When someone digitally signs a file with their private key, others can use their public key to verify that the file originated from the claimed sender and hasn’t been tampered with. This is particularly important for software packages and updates to prevent malicious modifications.
- Secure Software Distribution: Many software repositories and projects use GPG to sign their packages and releases. When you install or update software on a Linux system, the package manager often checks the GPG signature to ensure the authenticity and integrity of the downloaded files. If the signature cannot be verified due to a missing or untrusted public key, you might encounter an error message.
- Sensitive Data Exchange: GPG enables secure communication and file transfers, especially when dealing with unencrypted protocols like FTP and HTTP. Organizations in regulated industries like finance and healthcare often rely on GPG for protecting sensitive data at rest and in motion.
- Secure Email Communication: GPG can be used for end-to-end email encryption, ensuring that only the intended recipient can read the messages. This is particularly useful as not all email clients or servers offer built-in encryption.
Getting started with GPG keys in Linux distributions
- Install GPG (if not already present):
  Most Linux distributions come with GPG (GNU Privacy Guard) pre-installed. To verify its presence, execute:
  gpg --version
  If GPG is not found, install it using your distribution’s package manager. For example:
  - Debian/Ubuntu: sudo apt install gnupg
  - Fedora/CentOS/RHEL: sudo dnf install gnupg2
  - Arch Linux: sudo pacman -S gnupg
- Generate a GPG Key Pair:
  A GPG key pair consists of a public key (for sharing) and a private key (kept secret). Generate a new key pair by running:
  gpg --full-generate-key
  Follow the prompts, which will guide you through selecting the key type, key size, expiration date, user ID information (name and email), and a strong passphrase to protect your private key.
- List Your Keys:
  After generation, you can view your newly created key and any other keys in your keyring using:
  gpg --list-keys
- Export Your Public Key:
  To share your public key with others so they can encrypt data for you or verify your signatures, export it:
  gpg --export -a "Your Name or Email" > public_key.asc
  Replace “Your Name or Email” with the user ID you provided during key generation. The public key will be saved to public_key.asc.
- Import Public Keys:
  To encrypt data for others or verify their signatures, you need their public keys. Import a public key from a file (e.g., their_public_key.asc) using:
  gpg --import their_public_key.asc
- Encrypting and Decrypting Files:
  Encrypt: Encrypt a file for a recipient using their public key:
  gpg --encrypt --recipient "Recipient's Name or Email" filename.txt
  This creates an encrypted file (e.g., filename.txt.gpg).
  Decrypt: Decrypt an encrypted file using your private key:
  gpg --decrypt filename.txt.gpg
  You will be prompted for your passphrase.
- Signing and Verifying Files:
  Sign: Create a detached signature for a file:
  gpg --detach-sign filename.txt
  This creates filename.txt.sig.
  Verify: Verify a signed file and its signature:
  gpg --verify filename.txt.sig filename.txt
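The whole procedure above run as one non-interactive script (an added example, not part of the original notes), using two throwaway keyrings so ~/.gnupg is never touched. The user ID, passphrase and file contents are constructed. Beyond the steps themselves it checks the two properties a practitioner relies on: a party holding only the public key cannot decrypt, and a detached signature stops verifying the moment the signed file changes.

```shell
# Added example: scripted GPG round trip in isolated keyrings.
# Returns 0 only if every step and every check succeeds (0 with a message if gpg is absent).
gpg_roundtrip_demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 0; }
  work=$(mktemp -d) || return 1
  uid="Alice Example <alice@example.invalid>"   # constructed user ID
  pass="correct horse battery staple"           # constructed passphrase
  # Two isolated keyrings: Alice holds the private key, Bob only ever gets the public key.
  mkdir -p "$work/alice" "$work/bob" && chmod 700 "$work/alice" "$work/bob"
  alice() { GNUPGHOME="$work/alice" gpg --batch --quiet --pinentry-mode loopback \
            --passphrase "$pass" "$@"; }
  bob()   { GNUPGHOME="$work/bob" gpg --batch --quiet "$@"; }

  # 1. Generate: scripted equivalent of gpg --full-generate-key; "default default"
  #    yields a certify+sign primary key plus an encryption subkey, valid one year.
  alice --quick-generate-key "$uid" default default 1y 2>/dev/null || return 1

  # 2. Export the ASCII-armored public key, and 3. import it on Bob's side.
  alice --export -a "$uid" > "$work/public_key.asc" || return 1
  grep -q "BEGIN PGP PUBLIC KEY BLOCK" "$work/public_key.asc" || return 1
  bob --import "$work/public_key.asc" 2>/dev/null || return 1

  # 4. Encrypt/decrypt: Bob encrypts to Alice's public key; only Alice can decrypt.
  #    --trust-model always: Bob has not certified Alice's key, so batch mode would refuse.
  printf 'quarterly numbers\n' > "$work/secret.txt"
  bob --trust-model always --encrypt --recipient "$uid" \
      --output "$work/secret.txt.gpg" "$work/secret.txt" 2>/dev/null || return 1
  ! grep -q 'quarterly' "$work/secret.txt.gpg" || return 1          # ciphertext is opaque
  bob --decrypt "$work/secret.txt.gpg" >/dev/null 2>&1 && return 1  # no private key: must fail
  alice --decrypt --output "$work/secret.dec" "$work/secret.txt.gpg" 2>/dev/null || return 1
  cmp -s "$work/secret.txt" "$work/secret.dec" || return 1

  # 5. Sign/verify: Alice makes a detached signature; Bob verifies with the public key alone.
  printf 'release-1.0.tar.gz contents\n' > "$work/release.txt"
  alice --detach-sign --output "$work/release.txt.sig" "$work/release.txt" 2>/dev/null || return 1
  bob --verify "$work/release.txt.sig" "$work/release.txt" 2>/dev/null || return 1
  # Change one byte of the signed file: the same signature must now be rejected.
  printf 'release-1.0.tar.gz contentz\n' > "$work/release.txt"
  bob --verify "$work/release.txt.sig" "$work/release.txt" 2>/dev/null && return 1

  GNUPGHOME="$work/alice" gpgconf --kill gpg-agent 2>/dev/null
  GNUPGHOME="$work/bob" gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  return 0
}
```

Run it with `gpg_roundtrip_demo && echo "all checks passed"`; the interactive steps in the notes above do the same work, with gpg prompting for the passphrase instead of reading it from the script.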
Read
TODO
- Getting started with GPG (GnuPG): https://www.redhat.com/en/blog/getting-started-gpg
- GnuPG: https://www.gnupg.org/
- Whats the point of GnuPG aka GPG? https://www.reddit.com/r/linux/comments/3xm5dw/whats_the_point_of_gnupg_aka_gpg/
- [Tutorial for beginners] How to install and use GnuPG on GNU/Linux https://www.reddit.com/r/linux/comments/creb29/tutorial_for_beginners_how_to_install_and_use/
- GPG Passphrase and Security https://forums.linuxmint.com/viewtopic.php?t=170540