Introduction to GPG keys
|image courtesy techmagy.com|
It's Tutorial Tuesday! And today, we're going to be learning all about what an electronic key is, what GPG keys are. and how to sign them.
What exactly is an electronic key
As used in common day to day language, a key is basically something that is used to unlock something. Now, that 'something' can be a lock in real life, or in terms of software it can be like a document, an email, or an account for that matter.
Types of electronic keys
Electronic keys can be of two types
Software keys : These are basically used in computer programms to maybe encrypt or decryptsomething . We are going to talk more about these in just a second .
Hardware keys : These are physical keys which are meant to be connected to a usb port, popularly known as a usb dongle. They have several purposes ranging from licensing software, to using as a means of two factor authentication to add an extra layer of security.
As described above, software keys are mainly used for stuff like encryption and decryption. Today, more specifically, we are going to talk about gpg keys and ssh keys.
Gpg here stands for GNU Privacy Gaurd which is basically an open and free implementation of the openpgp standard defined by RFC4880 .
Gpg basically uses symmetric and asymetric cryptography to encrypt messages and send them out. Which basically means that it is a hybrid encryption software. For people that aren't into cryptography, symmetric encryption basically means that the same key is shared within a small group of two to three people who are supposed to communicate among each other .
Asymmetric encryption means that two seperate keys are generated, one of them is private and the other one is public. Gpg combines both of these to give you a super secure environment wherein you have a public key, a private key and a session key. Now, the session key is temporary in nature, which means that it is only used once per sesion. So, it is a form of symmetric encryption having a public. And private key is a form of asymmetric encryption.
As the name tells you, you are supposed to give out the public key and secure your private key.
GnuPG encrypts messages using assymetric key pairs which are generated at an individual level by each person. Now, this public key can be shared in a lot of ways, some of which include stuff like internet key servers. You should always carefully share them to prevent identity spoofing.
The concept of web of trust and signing GPG keys
Now wanting to use gpg yourself isn't enough. You need to have a bunch of people who have your public key and you have theirs so that you can use gpg encryption with them as well. This is called a web of trust. So in the beginnning, you should start out with two or three close people. Exchange keys with them and sign their keys and get yours signed. This will teach you about being cautious when expanding your web of trust and eventually as you become comfortable while using gpg, you start increasing your web of trust to others as well
Now Lets get our hands dirty
- Start by Installing gpg on your machine , if you are on linux or on mac chances are that it is already installed and if you are on windows, install gpg4win .
- Now get to the command line and type in
$ gpg --gen-key
The program will ask you a bunch of questions, if you don't know what a question means, just press enter and the program will select the default option for you automatically. Now, at the end you are going to have a gpg key generated.
Now go ahead and type in
$ gpg --list-keys
This will list all the keys that you currently have on your system. You should see an output similar to this
pub rsa2048 2020-05-16 [SC] [expires: 2022-05-16] B27561095B6B3DC15182CD75453432554F506A4B uid [ultimate] Manav Sethi <email@example.com> sub rsa2048 2020-05-16 [E] [expires: 2022-05-16]
This means that your key has been successfully generated and now you can start using it encrypt or decrypt any documents that you like .
Now lets say you have a friend called Ramlal, who is openly using gpg and either has his public key on a server or has given it to you then you can encrypt a document for Ramlal using this
$ gpg --output doc.gpg --encrypt --recipient firstname.lastname@example.org
Now if ramlal has this document called doc.gpg he can go ahead and decrypt this by typing in
$ gpg --output doc.txt --decrypt doc.gpg
Next, you can also export a public key from a public key server. For example lets say you have to encrypt a document for Ramlal but you dont have his public key. However, he has his public key exported to a key server then you can search for his key using
$ gpg --search-keys email@example.com
Now you can export Ramlal's key using
$ gpg --armor --export firstname.lastname@example.org
That's all folks. This should be enough to get started and up and running with GPG.
Next week on Tutorial Tuesday
How to sign your git commits using gpg keys
Also stay tuned because this thursday we will be talking about The android wallpaper that can brick your phone.