
Linux gnupg command (message encryption)

GnuPG (the gpg command) on Linux is the GNU project's implementation of OpenPGP as defined in RFC 4880. It lets you encrypt and sign your data and messages using public and private keys.

The idea is for you to make your public key available to the world and keep your private key confidential.

Anyone with a copy of your public key can encrypt information and send it to you, and only you, holding the matching private key, can decrypt it. You can also sign files, so that anyone with your public key can verify that a particular file or message came from you and was not altered afterwards.

The latest version of GnuPG can be installed through your distribution’s gnupg package.

Once the installation is complete, generate your key pair with the “--gen-key” option of the gpg command (it asks for your name, your email address and a passphrase that protects the private key):

$ gpg --gen-key
Figure 22 - gpg --gen-key
![](https://learnlinux.com.br/editor/files/gnupg_pt.jpg)

Once the key pair is created, you must export the public key to give it to other people, so that they can send you encrypted messages or verify the signature of the messages you send. To export the public key, use the “--export” option:

$ gpg --export [email protected] > uira.pub

If you want to check the created file:

$ file uira.pub
uira.pub: PGP/GPG public ring key (v4) created Wed Oct 23 11:28:11 2019 RSA (Encrypt or Sign) 3072 bits MPI=0xbfa4300b374fd596...

To import someone else’s key, use the “--import” option:

$ gpg --import key.pub

You can list the keys in your keyring with the “--list-keys” argument:

$ gpg --list-keys
/home/uiraribeiro/.gnupg/pubring.kbx
------------------------------------
pub rsa3072 2019-10-23 [SC] [expires: 2021-10-22]
E725EE3678AB3C99D51C625646BFCC17E483A6E0
uid [ultimate] Uira Ribeiro
sub rsa3072 2019-10-23 [E] [expires: 2021-10-22]

You can publish your public key on your website or send it to your friends; add “--armor” to the export command to get an ASCII text version that survives being pasted into a web page or an email.

Once another person’s public key has been imported, you must check that it really belongs to that person by verifying its fingerprint:

$ gpg --edit-key [email protected]
pub 1024D/9E98BC16 created: 1999-06-04 expires: never trust: -/q
sub 1024g/5c8cbd41 created: 1999-06-04 expires: never
(1) Carla Cruz
Command> fpr
pub 1024D/9E98BC16 1999-06-04 Carla Cruz
Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16

The fingerprint must then be compared with the owner of the public key over a channel you trust (in person or by phone, not the same email that delivered the key), to make sure that the public key really belongs to its claimed owner. This prevents someone from creating a public key that pretends to be someone else: anyone can generate a key carrying any name and email address.

Sometimes you may simply accept that the key belongs to the person who sent it, even without checking the fingerprint. Be aware that you are then trusting whatever channel the key arrived over: an email attachment or a web download can be replaced in transit.

Either way, you then certify the imported public key by signing it with your own key (use the lsign command instead of sign if the certification should stay local to your keyring and never be exported):

$ gpg --edit-key [email protected]
pub 1024D/9E98BC16 created: 1999-06-04 expires: never trust: -/q
sub 1024g/5c8cbd41 created: 1999-06-04 expires: never
(1) Carla Cruz
Command> sign
pub 1024D/9E98BC16 created: 1999-06-04 expires: never trust: -/q
Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16

#### File Encryption with GPG

To encrypt a file to send to a certain person, you must have the person’s public key imported and verified.

The “--encrypt” option is used to encrypt the data:

$ gpg --output documento.gpg --encrypt --recipient [email protected] documento.pdf

In this way, documento.pdf is encrypted and saved as documento.gpg, which can only be read by Carla Cruz, who holds the matching private key.

Carla, and only Carla, can recover the contents of documento.gpg with the “--decrypt” option:

Carla: ~ # gpg --output arquivo.pdf --decrypt documento.gpg

#### Document Signing

You can also digitally sign documents, so that people can verify that a file actually came from you and hasn’t been changed by anyone.

To digitally sign a file, use the “--sign” option:

$ gpg --output documento.sig --sign documento.pdf

This produces a binary OpenPGP message containing the compressed file together with your signature.

With “--sign” the file is not encrypted: anyone can read its content, and anyone with your public key can verify your signature.

To verify the signature and recover the signed document, use the “--decrypt” option (despite its name, it also unpacks unencrypted signed messages; “--verify” checks the signature without writing the document out):

$ gpg --output documento.pdf --decrypt documento.sig

You can also sign plain-text messages such as emails with a cleartext signature using the “--clearsign” option, which writes the result to email.txt.asc:

$ gpg --clearsign email.txt

The text stays readable and is followed by an ASCII-armored signature; the Hash header names the digest algorithm that was signed:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is a test email.

Hugs,
Prof. Uira Ribeiro
-----BEGIN PGP SIGNATURE-----

IQGZBAEBCGADFIEE5yxunnirPjnVHGJWRR/MF+Sdpuafal2wadeacgkqrr/MF+sd
PUAU9awakmq/ffkjv0k2t1yq0vxuug6ezxoulapr0dsfHCVWcXinyMjil/Onmamw
Tzw4cdaKbdjmmp+3dg8a234dsfyn43aoiwznx8qpejemtwqnawo9cg5thnzikr5w
thspmuc+3mcv0aqlgy3y5u9m4uh6k97x+Bjgc2xykg6o3 BocoosRTS3+RVdBGIOR
3A84WTGY+YLGusklghn4EUDFJ1+lxungusSut45cddujb2vqxw3kk34/CgaxDCTH
Lbsi+dnrc/w/1ltjnnpygcdwjtQxat8/dpxui1gFjczjmxd3eu0gc7r7r7xtibcju cVu
MP5ovontcgrnwkyxbsvwm/fzykrcamang5vQyqepd7x6fvysxvppBgph/ikN51
RlFQEUF0+PjVQo5R3ShzXWVawnVH1KKEE2I0MyGW2AQWudN7HC+ZQZAHX6GJ3GIZ MD1ojVcAuHW3YHbQo6gIz Md1ojVcaUHW3YHQoN7Hc+ZQZahX6Gj3giz
MD1ojVcaUHW3YHbQQ V0 Emojotahqc8nofvrekssqd0yzs40km+LWsnLjlnfldMH3t
Jicajgem
=TPYZ
-----END PGP SIGNATURE-----

The same “--decrypt” option can be used to verify that the message is authentic and has not changed:

$ gpg --decrypt email.txt.asc
This is a test email.

Hugs,
Prof. Uira Ribeiro
gpg: Signature made Wed 23 Oct 2019 11:55:13 AM -03
gpg: using RSA key E725EE3678AB3C99D51C625646BFCC17E483A6E0
gpg: Good signature from “Uira Ribeiro” [ultimate]

#### Revoking Keys

If you have lost your private key, if someone else has gained access to it, or if you have forgotten your passphrase, you need to revoke the key. Generating the revocation certificate requires the private key and its passphrase, so create it right after generating the key, while you still can.

A revocation certificate, once distributed (imported by your correspondents or uploaded to a key server), tells everyone that the key and the signatures made with it should no longer be trusted.

$ gpg --output revoke.asc --gen-revoke mykey

The mykey argument can be the key ID or the user ID that identifies your key.

The revocation certificate is small. It is recommended to print it out, store the printout in a safe place and delete the file from the computer: anyone who obtains it can revoke your key. Note that GnuPG 2.1 and later already write such a certificate to ~/.gnupg/openpgp-revocs.d/ when a key is created.

GnuPG keeps its files in the user’s home directory, under ~/.gnupg/.
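File encryption, signing, cleartext signing and revocation from the sections above as one script. This is an added example, not code from the original article: names, addresses under the reserved .invalid domain and file contents are constructed, the keys have no passphrase (demo only), and GnuPG 2.1 or later is assumed. It goes beyond the text in two places a practitioner should see: a ciphertext with one altered byte must fail to decrypt rather than yield altered plaintext, and a one-word edit to a clear-signed message must produce BADSIG. Because --gen-revoke is interactive, the revocation step imports the certificate that GnuPG 2.1+ writes automatically to openpgp-revocs.d/ when the key is created; the effect on the keyring is the same. The --trust-model always flag is used only to skip the key-validity check a fingerprint-verified, signed key would normally satisfy.

```shell
#!/bin/sh
# Added example (not from the original article): encrypt, decrypt, sign, verify,
# clear-sign and revoke using two throwaway keyrings. Names, addresses and file
# contents are constructed; keys have no passphrase (demo only). GnuPG >= 2.1.
set -eu

# Run gpg against a private keyring directory: $1 = directory, rest = gpg arguments.
g() { d=$1; shift; GNUPGHOME="$d" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# True if the --status-fd log in file $1 contains status token $2 (GOODSIG, BADSIG, ...).
has_status() { grep -q "^\[GNUPG:\] $2" "$1"; }

# Prints "ok" when every check passes; any failing step returns non-zero.
gpg_crypto_roundtrip() {
    work=$(mktemp -d); alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob"
    g "$alice" --quick-gen-key "Alice Demo <alice@example.invalid>" default default never
    g "$bob"   --quick-gen-key "Bob Demo <bob@example.invalid>"     default default never
    # Each side needs the other's public key: Alice to encrypt to Bob, Bob to check Alice's signature.
    g "$bob"   --export bob@example.invalid   | g "$alice" --import
    g "$alice" --export alice@example.invalid | g "$bob"   --import
    printf 'Q3 payroll figures: do not forward\n' > "$work/documento.txt"

    # 1. --encrypt plus --sign in one pass. --trust-model always bypasses the validity check that a
    #    fingerprint-verified and signed key would satisfy; it is here only to keep the demo short.
    g "$alice" --trust-model always --output "$work/documento.gpg" --sign --encrypt \
        --recipient bob@example.invalid "$work/documento.txt"
    g "$bob" --status-fd 3 --output "$work/recovered.txt" --decrypt "$work/documento.gpg" 3>"$work/st1"
    has_status "$work/st1" GOODSIG || return 1
    cmp -s "$work/documento.txt" "$work/recovered.txt" || return 1

    # 2. Integrity: change one byte of the ciphertext. Decryption must fail outright
    #    (bad session key or "message has been manipulated"), never yield altered plaintext.
    cp "$work/documento.gpg" "$work/tampered.gpg"
    orig=$(dd if="$work/tampered.gpg" bs=1 skip=60 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    if [ "$orig" = 255 ]; then printf '\001'; else printf '\377'; fi \
        | dd of="$work/tampered.gpg" bs=1 seek=60 conv=notrunc 2>/dev/null
    if g "$bob" --output "$work/evil.txt" --decrypt "$work/tampered.gpg" 2>/dev/null; then return 1; fi

    # 3. --sign alone: compressed plaintext plus signature, readable by anyone, checked with --verify.
    g "$alice" --output "$work/documento.sig" --sign "$work/documento.txt"
    g "$bob" --status-fd 3 --verify "$work/documento.sig" 3>"$work/st3"
    has_status "$work/st3" GOODSIG || return 1

    # 4. --clearsign leaves the text readable in email.txt.asc; editing one word breaks the signature.
    printf 'This is a test email.\n' > "$work/email.txt"
    g "$alice" --clearsign "$work/email.txt"
    g "$bob" --status-fd 3 --verify "$work/email.txt.asc" 3>"$work/st4"
    has_status "$work/st4" GOODSIG || return 1
    sed 's/^This is a test/This is a fake/' "$work/email.txt.asc" > "$work/forged.asc"
    g "$bob" --status-fd 3 --verify "$work/forged.asc" 3>"$work/st5" 2>/dev/null || true
    has_status "$work/st5" BADSIG || return 1

    # 5. Revocation. GnuPG >= 2.1 stores a revocation certificate at key creation in
    #    openpgp-revocs.d/<fingerprint>.rev, with ':' prefixed to the armor header so it cannot be
    #    imported by accident. Remove the colon, import it, and the key lists as revoked ("r").
    fpr=$(g "$alice" --with-colons --fingerprint alice@example.invalid | awk -F: '$1 == "fpr" { print $10; exit }')
    sed 's/^://' "$alice/openpgp-revocs.d/$fpr.rev" | g "$bob" --import
    revoked=$(g "$bob" --with-colons --list-keys "$fpr" | awk -F: '$1 == "pub" { print $2; exit }')

    for h in "$alice" "$bob"; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true; done
    rm -rf "$work"
    [ "$revoked" = "r" ] || return 1
    echo ok
}

if command -v gpg >/dev/null 2>&1; then
    gpg_crypto_roundtrip
else
    echo "gpg not installed; nothing to run" >&2
fi
```

Two habits from this script carry over to real automation: read verdicts from --status-fd tokens (GOODSIG, BADSIG, DECRYPTION_FAILED) rather than parsing human-readable stderr, and treat the .rev file exactly like the printed certificate the article recommends, since anyone holding it can revoke your key.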
