gpg_keys - dwilson2547/wiki_demo GitHub Wiki

GPG (GNU Privacy Guard) is a free and open-source implementation of the OpenPGP standard, which is used for encrypting, decrypting, signing, and verifying data. GPG keys are a fundamental part of this system, enabling secure communication and data integrity. Here’s a detailed explanation of GPG keys:

1. What Are GPG Keys?

  • GPG keys are cryptographic key pairs used for public-key encryption and digital signatures.
  • Each key pair consists of:
    • A private key: Kept secret and used to decrypt messages and sign data.
    • A public key: Shared openly and used to encrypt messages and verify signatures.

2. Types of GPG Keys

A. RSA Keys

  • RSA is the most common type of GPG key.
  • Key sizes typically range from 2048 to 4096 bits (larger keys are more secure but slower).
  • Used for both encryption and signing.

B. DSA/ElGamal Keys

  • DSA (Digital Signature Algorithm): Used only for signing.
  • ElGamal: Used only for encryption.
  • Often used together (DSA for signing, ElGamal for encryption).

C. ECC (Elliptic Curve Cryptography) Keys

  • ECC keys are smaller and faster than RSA keys while providing equivalent security.
  • Common ECC curves: NIST P-256, Curve25519.
  • Used for both encryption and signing.

3. Structure of a GPG Key Pair

A GPG key pair consists of the following components:

Component Description
Private Key A secret key used to decrypt messages and sign data.
Public Key A key shared openly to encrypt messages and verify signatures.
Key ID A unique identifier for the key (e.g., 0xABCDEF1234567890).
Fingerprint A longer, unique identifier for the key (e.g., A3C3 5B1D 6E2F 7C8D 9E0F 1A2B 3C4D 5E6F).
User ID (UID) Information associated with the key (e.g., name and email address).
Subkeys Additional keys linked to the primary key (e.g., separate keys for signing and encryption).

4. How GPG Keys Work

A. Key Generation

  • GPG keys are generated using the gpg --gen-key command.
  • The user selects the key type (e.g., RSA, ECC), key size, and expiration date.
  • The user provides a User ID (name and email) and a passphrase to protect the private key.

B. Encryption

  1. Sender Encrypts a Message:

    • The sender uses the recipient’s public key to encrypt the message.
    • The encrypted message can only be decrypted using the recipient’s private key.

  2. Recipient Decrypts the Message:

    • The recipient uses their private key (protected by a passphrase) to decrypt the message.

C. Signing and Verification

  1. Sender Signs a Message:

    • The sender uses their private key to create a digital signature for the message.
    • The signature ensures the message’s authenticity and integrity.

  2. Recipient Verifies the Signature:

    • The recipient uses the sender’s public key to verify the signature.
    • If the signature is valid, the message is confirmed to be from the sender and unaltered.

5. Generating GPG Keys

A. Install GPG

  • Install GPG on your system:
    • Linux: sudo apt install gnupg (Debian/Ubuntu) or sudo yum install gnupg (RHEL/CentOS).
    • macOS: brew install gnupg.
    • Windows: Download from Gpg4win.

B. Generate a Key Pair

Run the following command to generate a key pair:

gpg --full-generate-key
  • Follow the prompts to select the key type, size, and expiration date.
  • Provide your name and email address for the User ID.
  • Set a passphrase to protect your private key.

C. Example Key Generation

gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) default
   (10) ECC (sign only)
   (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key doesn't expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sat Oct 29 12:34:56 2025 EDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Alice Smith
Email address: [email protected]
Comment:
You selected this USER-ID:
    "Alice Smith <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a Passphrase to protect your secret key.

6. Managing GPG Keys

A. List Your Keys

gpg --list-keys

Example output:

pub   rsa4096 2023-10-29 [SC] [expires: 2025-10-29]
      ABCDEF1234567890ABCDEF1234567890ABCDEF12
uid           [ultimate] Alice Smith <[email protected]>
sub   rsa4096 2023-10-29 [E] [expires: 2025-10-29]

B. Export Your Public Key

gpg --export --armor [email protected] > alice_public_key.asc
  • --armor: Outputs the key in ASCII format (easier to share).

C. Export Your Private Key

gpg --export-secret-keys --armor [email protected] > alice_private_key.asc
  • Warning: Private keys should be kept secure and never shared.

D. Import a Public Key

gpg --import bob_public_key.asc

E. Delete a Key

gpg --delete-key [email protected]

7. Encrypting and Decrypting Messages

A. Encrypt a Message

gpg --encrypt --sign --armor -r [email protected] message.txt
  • --encrypt: Encrypts the message.
  • --sign: Signs the message with your private key.
  • -r [email protected]: Specifies the recipient’s public key.
  • message.txt: The file to encrypt.

B. Decrypt a Message

gpg --decrypt message.txt.asc
  • The recipient uses their private key to decrypt the message.

8. Signing and Verifying Messages

A. Sign a Message

gpg --sign --armor message.txt
  • Creates a detached signature file (message.txt.asc).

B. Verify a Signature

gpg --verify message.txt.asc
  • Verifies the signature using the sender’s public key.

9. Revoking a GPG Key

  • If a private key is compromised, it should be revoked to prevent misuse.
  • Generate a revocation certificate when creating the key: 
    gpg --gen-revoke [email protected] > revoke.asc
  • Import the revocation certificate to revoke the key: 
    gpg --import revoke.asc

10. Best Practices for GPG Keys

Practice Description
Use Strong Key Sizes Use 4096-bit RSA or 256-bit ECC keys for better security.
Protect Your Private Key Use a strong passphrase and store the private key securely.
Backup Your Keys Export and store your private key and revocation certificate in a secure location.
Regularly Update Keys Set an expiration date for your keys and update them periodically.
Use Subkeys Create subkeys for signing and encryption to limit the exposure of your primary key.
Share Public Keys Securely Share your public key via secure channels (e.g., encrypted email or key servers).

11. GPG Key Servers

  • Key servers are public repositories where users can upload and share their public keys.
  • Example key servers: keys.openpgp.org, pgp.mit.edu.
  • Upload your public key to a key server: 
    gpg --keyserver keys.openpgp.org --send-keys ABCDEF1234567890
  • Search for a public key: 
    gpg --keyserver keys.openpgp.org --search-keys [email protected]

12. Example: Encrypting and Signing an Email

  1. Generate a Key Pair:

    gpg --full-generate-key

  2. Export Your Public Key:

    gpg --export --armor [email protected] > alice_public_key.asc

  3. Share Your Public Key:

    • Send alice_public_key.asc to your contacts or upload it to a key server.

  4. Encrypt and Sign an Email:

    gpg --encrypt --sign --armor -r [email protected] email.txt

  5. Send the Encrypted Email:

    • Attach the encrypted file (email.txt.asc) to your email.

  6. Recipient Decrypts the Email:

    gpg --decrypt email.txt.asc

13. Summary Table: GPG Keys

Aspect Description
Purpose Encrypt, decrypt, sign, and verify data.
Key Types RSA, DSA/ElGamal, ECC.
Key Components Private key, public key, key ID, fingerprint, User ID, subkeys.
Key Generation gpg --full-generate-key.
Encryption gpg --encrypt -r [email protected] file.txt.
Decryption gpg --decrypt file.txt.gpg.
Signing gpg --sign file.txt.
Verification gpg --verify file.txt.asc.
Key Management List, export, import, delete, and revoke keys.
Best Practices Use strong key sizes, protect private keys, backup keys, and use subkeys.

Why Are GPG Keys Important?

GPG keys are essential for secure communication, data integrity, and authentication. They enable users to encrypt sensitive data, verify the authenticity of messages, and protect their digital identity from unauthorized access.

Would you like to explore how to use GPG with email clients, how to set up a GPG key server, or how to integrate GPG with other tools?

⚠️ **GitHub.com Fallback** ⚠️