gpg2 – using the OpenPGP encryption and signing tool to encrypt and decrypt

most standard versions of linux distro’s come with the newer gpg2 command comes by default. the previous version of gpg is linked to the newer gpg2 packages. this means you may use the gpg and gpg2 command and it will always run the gpg2 command. an excerpt from a centos 7 below explains that

[root@terminaltwister ~]# ls -l /usr/bin/gpg*
 lrwxrwxrwx. 1 root root      4 Aug  2 19:05 /usr/bin/gpg -> gpg2
 -rwxr-xr-x. 1 root root 749976 Jul 13  2018 /usr/bin/gpg2
 -rwxr-xr-x. 1 root root 296696 Jul 13  2018 /usr/bin/gpg-agent
 -rwxr-xr-x. 1 root root 143680 Jul 13  2018 /usr/bin/gpgconf
 -rwxr-xr-x. 1 root root 156352 Jul 13  2018 /usr/bin/gpg-connect-agent
 -rwxr-xr-x. 1 root root  23736 Jun 10  2014 /usr/bin/gpg-error
 -rwxr-xr-x. 1 root root  24272 Jul 13  2018 /usr/bin/gpgparsemail
 -rwxr-xr-x. 1 root root  50056 Jul 13  2018 /usr/bin/gpgsplit
 lrwxrwxrwx. 1 root root      5 Aug  2 19:05 /usr/bin/gpgv -> gpgv2
 -rwxr-xr-x. 1 root root 353672 Jul 13  2018 /usr/bin/gpgv2
 -rwxr-xr-x. 1 root root   3307 Jul 13  2018 /usr/bin/gpg-zip
 [root@terminaltwister ~]# 

disclaimer: this document covers the encryption and decryption part of gpg2 only. but this incredible tool can also be used to sign documents/emails. i will note the details for signing the documents in another post later.

let’s begin by setting up the gpg2 first

generating a key!

all begins by generating a key! this key would be identified by your email address, also known as the recipient for the command. begin by typing the following in your terminal

gpg2 --gen-key

when invoked from the command line, this command will ask a couple of questions, like
– what kind of key you want? (i use the default here)
– what should be the bit size for the new key? (i choose 4098 bits, just to get the max level)
– how long these GPG keys are going to be valid for? (i select 1 year, select 365 or 1y)
– now the command is going to ask you for your personal information, enter that
– gpg2 will now demand you enter a passphrase. enter a strong passphrase and save it in your password manager (good)/memorise it (bad)

it is suggested that you use the defaults unless you want something very specific.
once you choose these options the command will then generate a key for you and add it to your gpg keyring .
once they key has been generated, you can then use this key to encrypt the documents and do whatever. below is the excerpt from a centos 7 terminal demonstrating the above points

[root@terminaltwister ~]# gpg2 --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri 21 Aug 2020 08:02:37 UTC
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: terminaltwister
Email address: email@address.com
Comment: test user for demo
You selected this USER-ID:
    "terminaltwister (test user for demo) <email@address.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key D37A732F marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-08-21
pub   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
      Key fingerprint = F291 ACC3 DE95 D407 EC18  D7DB 6934 32D7 D37A 732F
uid                  terminaltwister (test user for demo) <email@address.com>
sub   4096R/7C7D2187 2019-08-22 [expires: 2020-08-21]

[root@terminaltwister ~]# 

viewing the keys!

to view all the public keys, type in

[root@terminaltwister ~]# gpg2 --list-keys
 /root/.gnupg/pubring.gpg
 ------------------------
 pub   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
 uid                  terminaltwister (test user for demo) <email@address.com>
 sub   4096R/7C7D2187 2019-08-22 [expires: 2020-08-21]

to view all the secret keys, type in

[root@terminaltwister ~]# gpg2 --list-secret-keys
 /root/.gnupg/secring.gpg
 ------------------------
 sec   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
 uid                  terminaltwister (test user for demo) <email@address.com>
 ssb   4096R/7C7D2187 2019-08-22

using the gpg2

you should know that you’ve got 2 different options to encrypt here
– binary, and
– ascii.
the binary files will have a .gpg extension and will print strange characters on the terminal if you cat this file. also it is not the choice if you want to read the keys programatically. you must use the ascii option for that.
the ascii option will make an encrypted file with .asc extension. this file can be used as an input in any program since it is just a text file, encrypted of course.

to encrypt a document – in binary

say you have a text file, with your password or an api key with the name hello.txt. you would not want to keep this file on your disk in plain text. huge security risk here! idea here is to encrypt the plaintext to ciphertext and then delete the plaintext.
lets begin the encryption!

gpg2 --recipient "your_email@email.com" --encrypt "plaintext_filename"

for our example here, i am going to use a dummy email address – email@address.com to encrypt the hello.txt file.

[root@terminaltwister ~]# ls -lh
total 4.0K
-rw-r--r-- 1 root root 13 Aug 22 08:14 hello.txt
[root@terminaltwister ~]# cat hello.txt 
hello world!
[root@terminaltwister ~]# gpg2 --recipient "email@address.com" --encrypt hello.txt 
[root@terminaltwister ~]# ls -lh
total 8.0K
-rw-r--r-- 1 root root  13 Aug 22 08:14 hello.txt
-rw-r--r-- 1 root root 607 Aug 22 08:16 hello.txt.gpg
[root@terminaltwister ~]# file hello.txt.gpg
hello.txt.gpg: GPG encrypted data
[root@terminaltwister ~]#

to encrypt a document – in ascii

this is the most commonly used option everywhere because you can read the encrypted text programatically. so this is the one you should be using to create encrypted files if you want to automate stuff! you just need to add an additional parameter to the above command.

gpg2 --recipient "your_email@email.com" --encrypt --armor "plaintext_filename"

an example using the above text file – hello.txt with the dummy email email@address.com would be:

[root@terminaltwister ~]# gpg2 --recipient "email@address.com" --encrypt --armor hello.txt 
[root@terminaltwister ~]# ls -lh
total 12K
-rw-r--r-- 1 root root  13 Aug 22 08:14 hello.txt
-rw-r--r-- 1 root root 921 Aug 22 08:17 hello.txt.asc
-rw-r--r-- 1 root root 607 Aug 22 08:16 hello.txt.gpg

yay! now you’ve got your text file encrypted! at this time, you can proceed to delete the plain text file from your disk forever! now we would be dealing with the encrypted file only. you can decrypt this cipher text file anytime with your gpg2 key and retrieve the text anytime. we got rid of the plain text file. we may also remove the .gpg file because we would be dealing with ascii files in our programs, but i’ve kept it in my directory just for demonstration purpose for now

[root@terminaltwister ~]# rm hello.txt
rm: remove regular file ‘hello.txt’? y
[root@terminaltwister ~]# ls -lh
total 8.0K
-rw-r--r-- 1 root root 921 Aug 22 08:17 hello.txt.asc
-rw-r--r-- 1 root root 607 Aug 22 08:16 hello.txt.gpg
[root@terminaltwister ~]#

now to the next part – decrypting!

decrypt a file

decrypting doesn’t require you to know what method the file is encrypted with – ascii or binary. just enter this command and you will get the plain text back!

gpg2 --recipient "your_email@email.com" --output example.txt --decrypt filename.txt.gpg

i will use the filename from the above example, just for consistency!
– encrypted ascii filename – hello.txt.asc
– email address – email@address.com

[root@terminaltwister ~]# gpg2 --recipient "email@address.com" --decrypt hello.txt.asc 
 
 You need a passphrase to unlock the secret key for
 user: "terminaltwister (test user for demo) <email@address.com>"
 4096-bit RSA key, ID 7C7D2187, created 2019-08-22 (main key ID D37A732F)
 
 gpg: encrypted with 4096-bit RSA key, ID 7C7D2187, created 2019-08-22
       "terminaltwister (test user for demo) <email@address.com>"
 hello world!
 [root@terminaltwister ~]#

faq’s

q. can I add multiple public keys to my gpg2 keyring?

of course! gpg2 was created with having multiple public keys in its keyring in mind. you can have as many public key files in your personal gpg2 keyring as you want. you use the recipient switch to tell gpg2 whose public key you wish to use to encrypt the document. this way only the recipient with their private key can decrypt the document intended just for them! check my other document to know more about importing and exporting the keys here

q. can i share my public keys with the world?

yes. this is how the intended audience will verify that the encrypted text is coming from the real you and not an imposter!

q. what are the other options supported by gpg2?

check the man page or type in gpg2 --help at the command line
#rtfm

q. how do i sign my emails/documents with my gpg2 key?

i’ll explain it in my another post coming soon! \m/

Join the Conversation

1 Comment

Leave a comment

Your email address will not be published. Required fields are marked *