The GNU Privacy Guard [ A Quick Reference Guide ]

GNUPG is a powerful tool that provides cryptographic privacy and authentication for your data communication. It allows you to sign, encrypt, and decrypt programs, disks, and even emails.

Generating and Managing Keys

• Generate a key pair: Use gpg --full-generate-key to create a unique pair of keys for encryption and signing.

• List key pairs: View all your available keys with gpg --list-keys --keyid-format=long.

• Display your public key: Share your public key with others using gpg -a --export <Your Key ID>. Never share your private key!

• Add a subkey: Subkeys enhance security. Use gpg --edit-key [Your Key ID] followed by addkey and save to add one.

• Display subkeys: After listing keys with gpg --list-keys, edit a key using gpg --edit-key <Your Key ID>. Copy the subkey ID and use gpg -a --export <KEY ID> to display it.

Sharing and Revoking Keys

• Send your public key to a public server: Public keys are meant to be shared. Use gpg --send-keys <Your KEY ID> to upload it.

• Generate a revocation certificate: If your key is compromised, create a revocation certificate with gpg --output revoke.asc --gen-revoke <Your Key ID>. Import it and upload it again to revoke the key.

Searching for and Importing Public Keys

• Search for a public key: Find a key using its ID with gpg --search-keys <KEY ID>.

• Import a public key: Once found, import the key with gpg --recv-keys <Key ID>.

Understanding Trust

• Beware of key impersonation: Anyone can create a key with your email address. To verify a key's authenticity, compare fingerprints.

• Verify fingerprints: Use gpg --fingerprint <Person's KEY ID> to see a key's fingerprint. Contact the person and confirm it matches.

The Web of Trust

The web of trust allows you to trust others based on established trust relationships.

• Trust a key: Use gpg --edit-key <Person's Key ID>, then trust and save to trust someone's key.

• Sign a key: Signing a key verifies its ownership. Edit the key with gpg --ask-cert-level --edit-key <Person's Key ID>. Look for "Full" trust on the left side of the user ID. Use check to see who signed the key and sign to add your signature. Upload the signed key again to the public server.

• Revoke your signature: If a signed key becomes invalid, use gpg --edit-key <Person's Key ID>, then revsig and save to revoke your signature. Upload the updated key information.

Encryption vs. Signing

• Encryption uses the receiver's public key to scramble the message. Only their private key can decrypt it. Share your public key beforehand for them to receive encrypted messages.

• Signing uses your private key to create a digital signature that verifies the message's origin and integrity. The receiver uses your public key to confirm the signature.

Using GPG with Git

• Signed commits: Add your GPG public key to your GitHub account.

  Go to: https://github.com/settings/keys

  Scroll to the bottom. You'll find Add GPG Key button in the GPG keys section.

  Export your public key using this command:

  gpg --export --armor <KEY ID>

  Replace <KEY ID> with your actual KEY ID which you can find by listing your keys using this command: gpg --list-keys.

  If you have not created a gpg key yet, check this out: Generating and Managing Keys

  Copy the exported public key content and paste it in the Github and save.

  Note: The email associated to your key should match the primary email in your github and email in your local git.

• Sign a single commit: Use git commit -S <Your Key ID> -m "message" to create signed commits.

• Global configuration: Set global Git settings with:

  • git config --global user.signingkey "<Your KEY ID>"

  • git config --global commit.gpgsign true

  • git config --global tag.gpgsign true

• Commit email: Ensure the primary email in your key matches your Git commit email. Set it with:

  • git config --global user.email "<Email associated to your Key>"

• Verify signed commits: Use git log --show-signature to see which commits are signed.

Using GPG to Encrypt Emails

GPG keys can encrypt emails. Upload your private key to a trusted email client like Thunderbird. You can then choose to digitally sign or encrypt emails based on the recipient's public key availability.