Security

GPG - Getting Started 1/2

The world is full of signing and encryption methods. There is one, that is especially useful in Open Source software. GPG can be used to sign mails, Git commits, container image encryption and much more. Let's set it up!

Daniel Schier

Daniel Schier

6 min read
GPG - Getting Started 1/2
Photo by Lucas van Oort / Unsplash

The world is full of signing and encryption methods. There is one, that is especially useful in Open Source software. GPG can be used to sign mails, Git commits, container image encryption and much more. Let's set it up!

GPG

GPG or GNUPG (GNU Privacy Guard) is an Open Source implementation of the OpenPGP standard is refined in RFC4880. PGP itself is an implantation of software systems, that enables a user to sign and encrypt data via private-public-key cryptography. It was initially designed by Phil Zimmermann.

GPG can be used for E-mail communication, chat programs, signing packages, Git commits, and much more. GNUPG itself also supports a set of applications and libraries, that can be used to interact with PGP.

Manage GPG Keys

One of the highest barriers to get GPG use cases going is the creation and management of keys. There are hundreds of articles out there. Most of them just tackle a simple "create" and go on. This article should give you some more insights.

Dependencies

Most Linux distributions will have GPG already installed. But, to ensure that everything is there, I recommend checking this beforehand.

⚠️
This guide was tested on Fedora 37 with GnuPG 2.3.8.
# check GPG command
$ gpg --version

gpg (GnuPG) 2.3.8
libgcrypt 1.10.1-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /var/home/dschier/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

In case you get something like command not found, you need to install the desired packages. In Fedora, this can be done via:

# Install GNUPG (dnf)
$ dnf install gnupg2

In case you want to have a graphical frontend, you might like Seahorse (Passwords and Keys), a GTK implementation to manage GPG, SSH keys and other credentials in GNOME. It is available via Flathub, for example.

# Install seahorse via flatpak
flatpak install flathub org.gnome.seahorse.Application

That's already it. Let's create some keys.

Create

Before creating a new key, let's check if there is already one.

# List all keys
$ gpg --list-keys

If this output is empty, you don't have a key. If there is already one, I would recommend remembering it, so you don't get confused later on. Generating a new key is nondestructive, so we can continue.

# Create a new key
$ gpg --gen-key
Real Name: Daniel Schier
Email address: dschier@while-true-do.io
You selected this USER-ID:
    "Daniel Schier <dschier@while-true-do.io>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O

[...]

public and secret key created and signed.

pub   ed25519 2023-02-12 [SC] [expires: 2025-02-11]
      84AFA996AE578D69A7E1E299351CDEEBC00CF944
uid                      Daniel Schier <dschier@while-true-do.io>
sub   cv25519 2023-02-12 [E] [expires: 2025-02-11]

Tadaaa, we got our GPG key. A key pair, to be precise. Let's inspect these a bit before continuing.

Inspect

OK, let's see what we just created. There are some commands that may help you find out more about the freshly created stuff.

As I stated, we created a key pair, but that was not entirely true. First, fire the below commands, to get a better impression.

# List keys
$ gpg --list-keys

/var/home/dschier/.gnupg/pubring.kbx
------------------------------------
pub   ed25519 2023-02-12 [SC] [expires: 2025-02-11]
      84AFA996AE578D69A7E1E299351CDEEBC00CF944
uid           [ultimate] Daniel Schier <dschier@while-true-do.io>
sub   cv25519 2023-02-12 [E] [expires: 2025-02-11]


# List keys with more details
$ gpg --list-keys --keyid-format=long

/var/home/dschier/.gnupg/pubring.kbx
------------------------------------
pub   ed25519/351CDEEBC00CF944 2023-02-12 [SC] [expires: 2025-02-11]
      84AFA996AE578D69A7E1E299351CDEEBC00CF944
uid                 [ultimate] Daniel Schier <dschier@while-true-do.io>
sub   cv25519/E44CEC6FBDBFA040 2023-02-12 [E] [expires: 2025-02-11]

The output can be read like this:

type  key_method/keyname create-date [usage] [expiry date]

We can see three types here, one type named pub, one named uid and one named sub. Another, more important part is written in brackets, namely [SC], [E] and [ultimate], this is the usage of our keys. So what happened here?

The gpg --gen-key command generated a user ID (uid) for us. This user ID is attached to your new key pair and indicates your identity. The user ID is always attached to the key pair itself, but you can add more or edit it, if you want.

The other two entries are more interesting, though. The [SC] key is meant for signing, the [E] key is meant for encryption. Therefore, it should be clear what is needed to sign a commit or encrypt a file.

But wait, wasn't there something about private and public keys? Well, yes. Let's inspect these.

# Get public keys
$ gpg --list-public-keys --keyid-format=long

/var/home/dschier/.gnupg/pubring.kbx
------------------------------------
pub   ed25519/351CDEEBC00CF944 2023-02-12 [SC] [expires: 2025-02-11]
      84AFA996AE578D69A7E1E299351CDEEBC00CF944
uid                 [ultimate] Daniel Schier <dschier@while-true-do.io>
sub   cv25519/E44CEC6FBDBFA040 2023-02-12 [E] [expires: 2025-02-11]


# Get secret keys
$ gpg --list-secret-keys --keyid-format=long

/var/home/dschier/.gnupg/pubring.kbx
------------------------------------
sec   ed25519/351CDEEBC00CF944 2023-02-12 [SC] [expires: 2025-02-11]
      84AFA996AE578D69A7E1E299351CDEEBC00CF944
uid                 [ultimate] Daniel Schier <dschier@while-true-do.io>
ssb   cv25519/E44CEC6FBDBFA040 2023-02-12 [E] [expires: 2025-02-11]

As you can see, there are two identical entries for the signing key and the encryption key. The content of both is massively different, though. Let's check it.

⚠️
You should never share your secret keys with somebody! These are meant to kept secret, as the name suggests.

First, let's remember the names.

# List the keys
$ gpg --list-keys --keyid-format=long

/var/home/dschier/.gnupg/pubring.kbx
------------------------------------
pub   ed25519/351CDEEBC00CF944 2023-02-12 [SC] [expires: 2025-02-11]
      84AFA996AE578D69A7E1E299351CDEEBC00CF944
uid                 [ultimate] Daniel Schier <dschier@while-true-do.io>
sub   cv25519/E44CEC6FBDBFA040 2023-02-12 [E] [expires: 2025-02-11]

As stated above, the name is written right behind the key method. in our case, it is 351CDEEBC00CF944. Let's inspect this even further.

# Show public signing key
$ gpg --export -a E44CEC6FBDBFA040

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEY+kbsRYJKwYBBAHaRw8BAQdAIHjfcIRu7ycN2AMfBG06k3JCChexpae6D7au
CDlirQa0KERhbmllbCBTY2hpZXIgPGRzY2hpZXJAd2hpbGUtdHJ1ZS1kby5pbz6I
mQQTFgoAQRYhBISvqZauV41pp+HimTUc3uvADPlEBQJj6RuxAhsDBQkDwmcABQsJ
CAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEDUc3uvADPlEu/8BAKu9Ul+LN7Pb
pnzCBL3dkM4P4ZUGqRIb5TMH1iqj6f+wAP4kmP1vtfjtRnegc7EVDjkA8PWZEQvf
GGna002xXzuHALg4BGPpG7ESCisGAQQBl1UBBQEBB0BcqYxd475MjI6nBhFgGUdP
J16qKbM3PW1Ku1QNJFZGLwMBCAeIfgQYFgoAJhYhBISvqZauV41pp+HimTUc3uvA
DPlEBQJj6RuxAhsMBQkDwmcAAAoJEDUc3uvADPlEU5kA/REPTMoaKmJCGSF/j8HO
gc5Ty0MreyBa0MPEIn14Yen+AQCI5DJKLyYO8H2cDy/PnJFbLhLlucjpJiuiJlkU
qNVuBg==
=H0KS
-----END PGP PUBLIC KEY BLOCK-----

# Show secret signing key (you will be prompted for your passphrase)
$ gpg --export-secret-keys -a E44CEC6FBDBFA040

-----BEGIN PGP PRIVATE KEY BLOCK-----

lIYEY+kbsRYJKwYBBAHaRw8BAQdAIHjfcIRu7ycN2AMfBG06k3JCChexpae6D7au
CDlirQb+BwMCAeRX2lSGnI/2AkoYmGKIw7uMMiS5fdwJJ8uXs/VxAEuWVQ2sLMWT
yP1GOyYzh4HvUPkPn9Y1VUxM2RhjQ6K7JQ0Tj7Dz2GOA3fdWXb09vLQoRGFuaWVs
IFNjaGllciA8ZHNjaGllckB3aGlsZS10cnVlLWRvLmlvPoiZBBMWCgBBFiEEhK+p
lq5XjWmn4eKZNRze68AM+UQFAmPpG7ECGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsC
BBYCAwECHgcCF4AACgkQNRze68AM+US7/wEAq71SX4s3s9umfMIEvd2Qzg/hlQap
EhvlMwfWKqPp/7AA/iSY/W+1+O1Gd6BzsRUOOQDw9ZkRC98YadrTTbFfO4cAnIsE
Y+kbsRIKKwYBBAGXVQEFAQEHQFypjF3jvkyMjqcGEWAZR08nXqopszc9bUq7VA0k
VkYvAwEIB/4HAwKsy41VISEDpvYJWR1bbYIHCGyXs/GKG1WOzNmoIQWprnE62FtS
0SUAZjMSSDGSU38AQc6za3dzlpFUhC1LQtY9kehCTPduoDKM7pfFp5aqiH4EGBYK
ACYWIQSEr6mWrleNaafh4pk1HN7rwAz5RAUCY+kbsQIbDAUJA8JnAAAKCRA1HN7r
wAz5RFOZAP0RD0zKGipiQhkhf4/BzoHOU8tDK3sgWtDDxCJ9eGHp/gEAiOQySi8m
DvB9nA8vz5yRWy4S5bnI6SYroiZZFKjVbgY=
=23Ll
-----END PGP PRIVATE KEY BLOCK-----

Now that we know this, I hope we can agree, that gen-key has created:

  • a key pair (secret + private) for signing
  • a key pair (secret + private) for encryption
  • a user ID, meant to identify the keys

Give all of them a closer look, inspect them in different tools and you will get the idea pretty fast.

End of Part 1

For now, this should be it. The article is already over a thousand words long. So, I decided to split it. In the next article, we will have a closer look at exporting, importing and other operations that might be interesting for you.

GPG is one of the best documented software systems out there. But, this also makes it hard to find the right information at the right time. Let me link some beginner stuff here.

The GNU Privacy Handbook
Top (Using the GNU Privacy Guard)
Top (Using the GNU Privacy Guard)
Getting started with GPG (GnuPG)
A brief introduction to encrypting files with the GNU Privacy Guard (GPG, or GnuPG).
Enable Sysadminslauber

Conclusion

Now that we have GPG/PGP keys created, we can have a look of importing, exporting, sharing, renewing and more.

But before doing this, I am curious about your experience. Did you know GPG already? What are you using it for or planning to use it for? Let me know, I really want to know about your use cases.

Read more