PGP? GPG? Say what?
gpg isn’t the easiest CLI to use. It doesn’t really behave as you expect, at least not for me.
I won’t go into the concepts of PGP or GPG. Read about them on Wikipedia if you don’t know them.
This is more of a reminder of the different commands you can use with gpg. I’m using version
in those examples.
If lazy: check out the cheatsheet for option explanations 👇.
Find key fingerprint to be able to target key
You can list private keys with:
but that won’t give you a fingerprint. It doesn’t mention that at all. The easiest choice I think is to use the key’s fingerprint as it’s widely used.
Get the fingerprint by listing the public keys with a lowercase k instead of an uppercase one.
The fingerprint is next to the pub, after the algorithm used and the expiry date of the key.
gpg -k
# ...
# pub   rsa4096 2018-01-13 [SC] [går ut: 2019-01-13]
#       2E3B489DC7BEBCD185F598E9CD01DE5C59082A78
# uid   [förbehållslös] Joel Larsson (Key for 2018) <[email protected]>
# sub   rsa4096 2018-01-13 [E] [går ut: 2019-01-13]
# ...
2E3B489DC7BEBCD185F598E9CD01DE5C59082A78 is the complete fingerprint. Usually shorter ones are used, such as the 64-bit form, which looks like this: CD01DE5C59082A78. It’s taken from the end of the fingerprint, the lower bits, so this is called the lower 64 bits. Even though this is
Easy rule to remember: one hex pair equals one byte. So divide the number of characters by two and then multiply it by eight (one byte = eight bits) and there you go. You have the number of bits.
You can use an even shorter one, 32-bit. Just take half of them:
# Complete fingerprint
gpg -e -r 2E3B489DC7BEBCD185F598E9CD01DE5C59082A78 file.txt
# 64 bit fingerprint
gpg -e -r CD01DE5C59082A78 file.txt
# 32 bit fingerprint
gpg -e -r 59082A78 file.txt
gpg creates a file with the same name as the original, suffixed with .gpg. So the above
command created the file
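An added example (not from the original post) that derives the 64-bit and 32-bit IDs from a fingerprint and checks a key listing for IDs shared by more than one key, which is why the full fingerprint is the unambiguous value to pass to -r. The listing is constructed in the layout of gpg --list-keys --with-colons; the second fingerprint and the function names id_bits, key_id and ambiguous_ids are assumptions made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): key IDs derived from fingerprints.

# Constructed sample in the layout of `gpg --list-keys --with-colons`, trimmed to
# the fields used here. The first fingerprint is the one from the post; the
# second is made up so that it shares the same lower 32 bits.
SAMPLE='pub:-:4096:1:CD01DE5C59082A78:
fpr:::::::::2E3B489DC7BEBCD185F598E9CD01DE5C59082A78:
pub:-:4096:1:AAAAAAAA59082A78:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA59082A78:'

# id_bits HEX -> size in bits (one hex pair = one byte = eight bits)
id_bits() {
  echo $(( ${#1} / 2 * 8 ))
}

# key_id FINGERPRINT BITS -> the lower BITS bits, i.e. the last BITS/4 hex digits
key_id() {
  printf '%s\n' "$1" | tr 'a-f' 'A-F' |
    awk -v bits="$2" '{ print substr($0, length($0) - bits / 4 + 1) }'
}

# ambiguous_ids BITS -> reads a colon listing on stdin and prints every key ID of
# that width that is shared by more than one primary-key fingerprint
ambiguous_ids() {
  awk -F: -v bits="$1" '
    $1 == "pub" { primary = 1; next }   # the next fpr record is the primary key
    $1 == "sub" { primary = 0; next }   # skip subkey fingerprints
    $1 == "fpr" && primary {
      id = substr($10, length($10) - bits / 4 + 1)
      seen[id]++
      primary = 0
    }
    END { for (id in seen) if (seen[id] > 1) print id }
  ' | sort
}

fpr=2E3B489DC7BEBCD185F598E9CD01DE5C59082A78
echo "full: $(id_bits "$fpr") bits"
echo "long: $(key_id "$fpr" 64)  short: $(key_id "$fpr" 32)"
echo "ambiguous 32-bit IDs: $(printf '%s\n' "$SAMPLE" | ambiguous_ids 32)"
echo "ambiguous 64-bit IDs: $(printf '%s\n' "$SAMPLE" | ambiguous_ids 64)"
```

On a real keyring, the same check can be fed from gpg --list-keys --with-colons instead of the constructed sample.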
Encrypt and sign
Add the option -s as well to sign the encrypted message:
gpg -se -r 59082A78 file.txt
Encrypt, sign and make it portable
Without adding the option --armor, the encrypted result is binary. That’s not very portable between different systems. When you apply -a you wrap the binary data in a text format. It’s encoded and begins with -----BEGIN and ends with -----END. Often it looks like this. It contains line breaks, yes.
-----BEGIN PGP MESSAGE-----

jA0EBwMC+msxmoPOCyDl0oMBcXr/EVXQo8X2475MPptiFR7HwOPLDfG4J779KSj4
xBkHYZQzX4kKbinNdTZ1elwIvRub7EFRcLQnAJNJFsU+uw7MocZlBbDDADHDy4N4
Y0CVHhu/I+K2mimSzqX17Y45wvp4vHEiD08icdttKY47/9FjH/1qMh3lokJ3Rn1k
o2Tifg==
=HjoL
-----END PGP MESSAGE-----
This particular message is protected with symmetric encryption. Guess the password! Clue: It’s six characters long and rated the most common by several sources. Learn how to decrypt it here.
To encrypt data as text, do it like this. It will create a file with a .asc suffix instead of a
gpg -sea -r 59082A78 file.txt
Change output with -o. The value - makes it output to
gpg -sea -o - -r 59082A78 file.txt
I don’t think of symmetric encryption when I think of PGP/GPG. But it is valid. You do it by adding
gpg -ca file.txt
echo "Hello 👋" | gpg -ca
Enter password. Then enter content to encrypt. When done, use Ctrl + D.
To decrypt a file you use -d. This works the same with symmetrically encrypted content as with asymmetrically encrypted content.
gpg -d file.txt.gpg
You don’t have to specify the key since it will find it automatically, if you have it. Otherwise it will print an error. If it’s symmetrically encrypted, you will be prompted for a passphrase.
Paste encrypted content. It will automatically decrypt it and display it. To exit, use Ctrl + D.
Options / commands cheatsheet
List public keys
--list-public-keys, --list-keys, -k
Lists secret keys, same as private keys
Encrypt, used together with
Encrypt with a symmetric cipher. Change it with
Sign, sign message
Recipient, encrypt for this user name (or fingerprint)
Export (defaults to binary)
Export in ascii (usually base64)