Introduction to GPG keys



Arguing that you don't care about the right to privacy because you have nothing to hide is no different from saying you don't care about free speech because you have nothing to say. – Edward Snowden


It's Tutorial Tuesday! And today, we're going to be learning all about what an electronic key is, what GPG keys are, how to exchange them safely, and how to use them to encrypt and decrypt documents.


What exactly is an electronic key?

In everyday language, a key is something you use to unlock something else. That 'something' can be a physical lock, or, in software, a document, an email, or an account.

Types of electronic keys

Electronic keys come in two types:

  • Software keys: these are used by computer programs to encrypt or decrypt something (or to sign it). We are going to talk more about these in just a second.

  • Hardware keys: these are physical devices that plug into a USB port, popularly known as USB dongles. They serve several purposes, from software licensing to acting as a second factor for authentication to add an extra layer of security.

Software Keys

As described above, software keys are mainly used for encryption and decryption. Today, more specifically, we are going to talk about GPG keys.

GPG keys

GPG stands for GNU Privacy Guard, a free and open implementation of the OpenPGP standard defined in RFC 4880.
</gre_replace>
<gr_replace lines="32-34" cat="clarify" orig="Gpg basically uses">
GPG uses both symmetric and asymmetric cryptography to encrypt messages, which makes it a hybrid encryption system. For people who aren't into cryptography: symmetric encryption means the same key both encrypts and decrypts, so everyone who needs to read the message must hold that one key, and that shared secret somehow has to be delivered to them first.

Asymmetric encryption means two related keys are generated, one private and one public: what the public key encrypts, only the matching private key can decrypt. GPG combines the two. For every message it generates a fresh random session key, encrypts the message symmetrically with that session key, and then encrypts the session key itself with the recipient's public key. The session key is temporary: it is used once, for that one message, and then discarded. So the session key is the symmetric part, and the public/private pair is the asymmetric part. The slow public-key operation only ever touches a few bytes of session key, while the bulk of the data goes through the fast symmetric cipher.

Gpg basically uses symmetric and asymetric cryptography to encrypt messages and send them out. Which basically means that it is a hybrid encryption software. For people that aren't into cryptography, symmetric encryption basically means that the same key is shared within a small group of two to three people who are supposed to communicate among each other .

Asymmetric encryption means that two seperate keys are generated, one of them is private and the other one is public. Gpg combines both of these to give you a super secure environment wherein you have a public key, a private key and a session key. Now, the session key is temporary in nature, which means that it is only used once per sesion. So, it is a form of symmetric encryption having a public. And private key is a form of asymmetric encryption.

As the names tell you, you give out the public key and keep the private key secret.

GnuPG encrypts a message to the recipient's public key, and each person generates their own key pair. A public key can be shared in many ways, including public key servers. Share and accept keys carefully: anyone can upload a key carrying your name and email address to a key server, so before relying on a key, confirm its fingerprint with the owner through a separate channel (in person, over the phone, or on a page you already trust). Otherwise you may end up encrypting to an impostor.

The concept of web of trust and signing GPG keys

Wanting to use GPG yourself isn't enough. You need people who hold your public key while you hold theirs, so that you can exchange encrypted messages with them. Signing someone's key with your own key is a statement that you have verified it really belongs to the person named in it, and the network of such signatures is called the web of trust. So in the beginning, start with two or three close people: exchange keys, compare fingerprints, sign their keys, and get yours signed. This teaches you to be cautious when expanding your web of trust, and as you become comfortable with GPG you can extend it to others as well.

Now let's get our hands dirty

  1. Start by installing GPG on your machine. If you are on Linux or on Mac, chances are it is already installed; if you are on Windows, install Gpg4win.
  2. Now get to the command line and type in
$ gpg --gen-key

The program will ask you a bunch of questions (your name, your email address, and how to protect the key). If you don't know what a question means, just press Enter and the program will select the default option for you. Choose a strong passphrase when asked, because it protects the private key on disk. At the end you will have a GPG key pair generated.

Now go ahead and type in

$ gpg --list-keys

This will list all the public keys currently in your keyring. You should see output similar to this

pub   rsa2048 2020-05-16 [SC] [expires: 2022-05-16]
      B27561095B6B3DC15182CD75453432554F506A4B
uid           [ultimate] Manav Sethi <manav.sethi@outlook.in>
sub   rsa2048 2020-05-16 [E] [expires: 2022-05-16]

This means that your key has been generated successfully, and you can now start using it to encrypt or decrypt any documents you like. The 40-hex-digit line under pub is the key's fingerprint; that is the value you read out to other people so they can confirm they have the right key.

Now let's say you have a friend called Ramlal who is openly using GPG and has either put his public key on a key server or given it to you directly. Once his public key is imported into your keyring, you can encrypt a document (here doc.txt) for Ramlal using this

$ gpg --output doc.gpg --encrypt --recipient ramlal@domain.org doc.txt

Now when Ramlal receives this document called doc.gpg, he can decrypt it with his private key by typing in

$ gpg --output doc.txt --decrypt doc.gpg

Next, you can also fetch a public key from a public key server. Let's say you have to encrypt a document for Ramlal but you don't have his public key. If he has uploaded it to a key server, you can search for it (and have it imported into your keyring) using

$ gpg --search-keys ramlal@domain.org

Now you can export a key that is already in your keyring (Ramlal's, or your own, to hand to him) as ASCII-armored text, ready to paste into an email or keep as a backup, using

$ gpg --armor --export ramlal@domain.org

That's all folks. This should be enough to get started and up and running with GPG.

Next week on Tutorial Tuesday

How to sign your git commits using gpg keys

Also stay tuned, because this Thursday we will be talking about the Android wallpaper that can brick your phone.
