GnuPG Small Guide

GnuPG, or Gnu Privacy Guard, is a software that implements the OpenPGP standard -- in which PGP stands for Pretty Good Privacy.

It is a tool used for -- crash the drums -- privacy. By privacy, you should understand sending private messages between users, to store any data safely, being sure that a message has a given origin and others.

For those who think that privacy is a waste of time, stuff for paranoid tech guys, I suggest reading this post in Stack Exchange.

Although we live in a free era, the freedom is sometimes menaced by dictatorships and state surveillance and we do not know when these privacy knowledge will go from "nice to have" to a "must have".

PGP was created in 1991 by Phil Zimmermann, in order to securely store messages and files, and no license was required for its non-commercial use. In 1997 it was proposed as a standard in the IETF, and thus emerged OpenPGP.

Uses for the GPG

GPG have some nice features, some used more frequently, others not so:

• Signing and verifying a commit: With this, you can always know the owner of a commit, as well as let the others be sure you wrote some piece of code. The Git Horror Story is a tale that tries to instill the sense for sign/verify commits into the greenhorn programmers. Besides it all, there are some people that have its own issues with commit signatures.

• Send and receive cryptographed messages: Remember when as a kid you created encoded messages and thought no one would ever understand? Well, bad news, everyone could read them. But now you can create messages that no one will understand, for real.

• Checking signatures: It is possible to know (with a great confidence degree) that some file is from someone specific. For instance, consider downloading Tor, it is a secure browser, but if you download a hacked software, it will serve for the exact contrary of its purpose. But calm down, no need to cry, with GPG you can check the integrity of any software.

Come with us to learn cool stuff!

Creating Your Key

First of all, you must download and install the GPG tools. Then you can check the installation with

gpg --version
# gpg (GnuPG) 1.4.20
# License GPLv3+: GNU GPL version 3 or later [...]

The next step is to create a key for your use, which is very easy! Briefly, it is

gpg --gen-key

And some things you must pay attention to the creation of the key:

• I would rather choose RSA kind of key. I suggest you to read more to understand why.
• Be sure to choose the maximum bit length for your key, if you want it to be safer. At the time this article is being written, the maximum is 4096.
• It is nice to set an expiration date. It must happen to you to lose your key or die (as we all some day) and then is a good practice to let others know that key is not being used anymore.
• Avoid comments on your key, as it is redundant at almost every time.
• It is nice to use strong digest algos like SHA512. I suggest you understand and create a nice gpg.conf to assure you are using the best configuration.

Assuming you finished the creation of your key, you can check it all with

gpg --list-keys
# pub   4096R/746F8A65 2017-05-24 [expires: 2018-05-24]
#       Key fingerprint = 014C F6E9 C2E0 12A2 4187  F108 178A C6CD 746F 8A65
#       uid                  Lucas Almeida Aguiar <lucas.tamoios@gmail.com>
#       sub   4096R/AFC85A01 2017-05-24 [expires: 2018-05-24]

As a brief summary, pub stands for "public" key, then you have the key length (4096 bits) with the R from RSA, a slash, and the short fingerprint, then the creation and expiration date. The short fingerprint takes the last 8 digits from your actual fingerprint. The uid is what you wrote a few minutes ago when I told you to do not write a comment. Let's talk about the subs later.

For now, pay attention: the uid is not enough for you to believe someone is who he/she is telling you he/she is. Anyone can create a key with any name or e-mail. To be sure someone is really who he/she is telling you, you must check its fingerprint. We will cover it deeper when discussing web of trust.

Working with Keys

Generally, you have not only your keys but also other people's public keys, that you use to verify signatures and to send them encoded stuff. You have the power to edit your key and change how you see the other's keys with

gpg --edit-keys 746F8A65

This hash in front of the command is just the short fingerprint of the uuid you want to edit.

gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/746F8A65  created: 2017-05-24  expires: 2018-05-24  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/AFC85A01  created: 2017-05-24  expires: 2018-05-24  usage: E
sub  4096R/B2CD6DC9  created: 2017-05-24  expires: 2018-05-24  usage: S
[ultimate] (1). Lucas Almeida Aguiar <lucas.tamoios@gmail.com>

Pay attention to the letters in the usage attribute, they mean:

• S for sign
• E for encrypt
• C for certify

The certify usage is the most powerful of them because it can create, trust and revoke keys.

The gpg --edit-keys allows you to change passwords, trust keys, sign keys, change expire date, and other.

Trusting Keys

The PGP have a decentralized trust model, called web of trust. It allows you to trust keys even without a central server, as it is on X.509. The kinds of trust you can set to keys are:

• Ultimate: is only used for your own keys.
• Full (I trust fully): is used for keys which you really trust. Anyone who trusts you, will also trust all of your fully trusted keys. Take care with it.
• Marginal (I trust marginally): if you set a key as marginal trusted, it is like you only trust 1/3 of its trusted keys. An example: If you set Alice's, Bob's and Peter's key to 'Marginal' and they all sign Ed's key, Ed's key will be valid.
• Unknown: is the default state.
• Undefined (Don't know): has the same meaning as 'Unknown' but actively set by the user.
• Never (I do NOT trust): same of 'Unknown / Undefined', but meaning you know that the key owner is not accurately verifying other keys before signing them.

To trust someone you must first import a key. You can import the raw file with the public key with

gpg --import john_doe.asc

or download it from a keyserver

gpg --keyserver hkp://pgp.mit.edu --search-keys "john_doe@example.com"

Then when you --list-keys, the key you imported should be there.

Trusting keys is a serious issue. If you start to trust everyone, without checking, you will probably end up being yourself trusted as "Never". I recommend you to only trust keys when you are sure it belongs to its owner, and checked with him the key's fingerprint.

Check the fingerprint of the key you want to trust

gpg --fingerprint john_doe@example.com

Edit the key you want to trust

gpg --edit-keys 930F2A9E
# Then use the `trust` command to set the trust level.

Conclusion

The aim of this post was to give an overview about GPG, since the links I put here can serve as a bootstrap to further learnings.