GPG (GNU Privacy Guard)

Definition

GPG (also known as GnuPG) stands for GNU Privacy Guard. It is a free, open-source alternative to the PGP (Pretty Good Privacy) encryption software and implements the same OpenPGP standard.

Create your own keys and encrypt file with it

1) Install it

On Unix

You can install gpg with one of the following commands (as root or with sudo):

$ apt-get install gnupg       // Debian / Ubuntu
$ yum install gnupg           // CentOS

On Windows

Install the TODO

2) Create your GPG key

This single command generates both a private and a public key. Enter your name and email address at the prompts, and accept the default options otherwise.

$ gpg --gen-key

You can also run it with the --full-generate-key option if you want full control over the algorithm, key size, expiry, etc. before entering the same information as with the previous command.

Publishing the public key you generated allows other people to encrypt files / messages that only your private key can decrypt.

3) Encrypt a file

You can encrypt a file in several different ways, which serve different needs.

$ gpg --recipient "[name/group]" --encrypt filename.txt
$ gpg -r "[name/group]" -e filename.txt

This creates a new encrypted file named filename.txt.gpg. The [name/group] parameter depends on who you want to share the file with: to share it with a colleague, put their name (or email address) here; to keep it for yourself, put your own name; to share it with both, pass two --recipient options, one per person. Only the listed recipients can decrypt the result, so if you leave yourself out you will not be able to open the file you just encrypted.

Note: key generation might take a couple of minutes, so don't lose hope.

Known issue: if you execute this command remotely and key generation stalls, you can log in to another shell and run the following command in order to generate the entropy needed for the generation:

dd if=/dev/sda of=/dev/zero

It reads the whole disk (so it needs root); interrupt it with Ctrl-C once the key has been generated.

Source : Stack Exchange

4) Export your public key

You can export your public key in different ways. You can either use your email address, which is more convenient, or the GPG key ID, which identifies one specific key. You can find your GPG key ID by running the gpg --list-secret-keys --keyid-format LONG command and looking for this field (newer GnuPG versions print rsa4096/ instead of 4096R/):

sec   4096R/<GPG_key_ID> 2016-03-10 [expires: 2017-03-10]

Then you're ready to run either one:

$ gpg --export --armor youremail@example.com > mypubkey.asc
$ gpg --export --armor <GPG_key_ID> > mypubkey.asc

This generates an .asc file containing your public key. Share this file so that other users can add the key to their keyring (with gpg --import).
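As an added example that is not part of the original page, here is a small Python helper that pulls the primary key IDs out of the listing shown above, in both the old (4096R/KEYID) and current (rsa4096/KEYID) layouts, and tells you which keys have not expired, so the right ID can be fed to --export or to git config. The listing text is constructed, not real keys.

```python
import re
from datetime import date

# Matches the "sec" line of `gpg --list-secret-keys --keyid-format LONG` in both
# the older layout (4096R/KEYID) and the current one (rsa4096/KEYID [SC]).
# Expired keys are printed with "[expired: DATE]" instead of "[expires: DATE]".
SEC_LINE = re.compile(
    r"^sec\s+(?P<algo>[^/\s]+)/(?P<keyid>[0-9A-F]{8,16})\s+(?P<created>\d{4}-\d{2}-\d{2})"
    r"(?:.*\[expire[sd]: (?P<expires>\d{4}-\d{2}-\d{2})\])?"
)

# Constructed sample listing (not real keys): one expired key in the old layout,
# one valid key in the current layout.
SAMPLE_LISTING = """\
/home/alice/.gnupg/pubring.kbx
------------------------------
sec   4096R/0123456789ABCDEF 2016-03-10 [expired: 2017-03-10]
uid                          Alice Example <alice@example.com>
ssb   4096R/FEDCBA9876543210 2016-03-10

sec   rsa4096/89ABCDEF01234567 2023-05-01 [SC] [expires: 2025-05-01]
      1111222233334444555566667777888899990000
uid                 [ultimate] Alice Example <alice@example.com>
ssb   rsa4096/0011223344556677 2023-05-01 [E] [expires: 2025-05-01]
"""

def parse_secret_keys(listing, today=None):
    """Return one dict per primary secret key ("sec" line) in the listing."""
    # `today` is an ISO date string used to decide expiry; defaults to now.
    ref = date.fromisoformat(today) if today else date.today()
    keys = []
    for line in listing.splitlines():
        m = SEC_LINE.match(line)
        if not m:
            continue  # uid/ssb/fingerprint lines carry no primary key ID
        expires = m.group("expires")
        keys.append({
            "keyid": m.group("keyid"),
            "algo": m.group("algo"),
            "created": m.group("created"),
            "expires": expires,
            "expired": expires is not None and date.fromisoformat(expires) < ref,
        })
    return keys

def usable_key_ids(listing, today=None):
    """Key IDs still valid, i.e. safe to pass to --export or user.signingkey."""
    return [k["keyid"] for k in parse_secret_keys(listing, today) if not k["expired"]]
```

Feed it the real output of gpg --list-secret-keys --keyid-format LONG (for example via subprocess) to pick a key without copying the ID by hand.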

Decrypt a file that someone else encrypted with your public key

You can decrypt a .gpg file by running the following command. It prints the decrypted ASCII text directly in the console:

$ gpg --decrypt filename.txt.gpg

So if you know the file doesn't contain ASCII text, you are better off omitting the --decrypt option and running this command instead, which saves filename.txt to your disk (adding --output filename.txt to the --decrypt form does the same):

$ gpg filename.txt.gpg

Setup with GitHub

To set your GPG signing key in Git, paste the command below, substituting in the GPG key ID you'd like to use.

$ git config --global user.signingkey <GPG_key_ID>

You can then add the -S option when committing in order to sign the commit:

$ git commit -S -m "<commit_message>"

Keep in mind that you will need to provide your passphrase in that case. You can also sign tags:

$ git tag -s mytag      // Creates a signed tag
$ git tag -v mytag      // Verifies the signed tag

Bonus : Setup gpg-agent to avoid

If you're tired of entering your passphrase every time you do something with gpg, consider using gpg-agent. It lets you enter the passphrase once and reuses it until the cache entry expires; the expiration time is up to you.

You simply have to create the file ~/.gnupg/gpg-agent.conf and put the following in it:

default-cache-ttl 34560000
max-cache-ttl 34560000      // use maximum-cache-ttl on GnuPG 2 or older

This tells the cache to keep the passphrase for around a year (34560000 seconds = 400 days). Like I said, it's up to you and your needs; anyone who can use your running session during that window can use the key without being prompted, so pick a TTL that matches your risk tolerance. After editing the file, reload the agent with gpg-connect-agent reloadagent /bye.

Useful commands

  • To check whether gpg-agent is running, invoke it with no arguments; it reports whether an agent is available in this session:

    $ gpg-agent
  • List all the known public keys in your keyring, as well as the name and email address associated with each key:

    $ gpg --list-keys
  • List all the known private keys in your keyring:

    $ gpg --list-secret-keys
  • List all GPG keys for which you have both a public and a private key, with long key IDs:

    $ gpg --list-secret-keys --keyid-format LONG        // This will print more info
  • Create a group of people to share with easily. Add a group line to your ~/.gnupg/gpg.conf file, then use the group name as the --recipient:

    group  journalists  =  glenn  laura  ewan  barton

Known issues

Acknowledgements