First steps in GnuPG
9 years ago
General
Once you understand the basics of public-key cryptography you can start using the GnuPG (gpg) command-line client. If you use gpg on a Windows® system, your first steps may look like this:
First of all:
(I) I tried to foolproof this thing for inexperienced Windows® users... so readability is somewhat sub-optimal for geeks.
(II) You don't have to use the command line stuff explained in this tutorial if you resort to graphical user interfaces like Gpg4win or gpg-based tools like the Enigmail add-on for Thunderbird. (The OTR plug-in for Pidgin is another way to encrypt chat, but it uses its own protocol and does not rely on gpg.)
(III) However, it may be nice to understand how things actually work, and if you're not the fastest typist, you can always paste pre-written command lines into command windows (see below) by right-clicking at the end of the current line and selecting »Paste« from the context menu.
Let's get this party started!
The basics
While installing GnuPG make sure you remember its installation directory. Restarting your laptop or PC after the installation avoids errors caused by command windows that were opened before the installer changed the environment.
In order to pass commands to gpg you will have to open a command window and tell it where gpg.exe can be found. There are two ways to do this:
(1st way) Open the GnuPG installation directory in the Windows Explorer and go to the »bin« subfolder. Then hold down the shift key, right-click on a blank space in that folder and choose »Open command window here« from the appearing context menu.
(2nd way) Hold down the Windows key and press R. This will open the run window. Type in »cmd.exe« and press enter. A new window will open and display a directory. Change that directory to the folder in which gpg.exe can be found by typing in »cd« and a blank space followed by the directory, something like »cd C:\program files\GnuPG\bin«
You can pass commands to gpg now.
Creating your first key pair
To create your first key pair, type in
»gpg --full-gen-key«
then press enter.
(Older gpg versions, before 2.1, only understand »gpg --gen-key«.)
Gpg will initiate the key generation dialogue in the command window and ask you what kind of key you want (»RSA and RSA« is the option used in this tutorial -> type in »1« and press enter; newer versions mark an ECC key type as the default, which is fine as well). As key size select 4096 bits, the largest size gpg offers by default (type in »4096« and press enter). Next you will be asked how long the key should be valid, i.e. the key's expiration date. I'll leave that one to you (for example to create a key that lasts for one year type in »1y« and press enter). Confirm the expiration date (type in »y« and press enter). Next you will be asked for your name. In case you're still practicing a pseudonym will do (type in »Testing Tiger« and press enter). Your email address is next (to practice this, type in »testing@tiger.com« and press enter). You can then add an optional comment describing what the key pair is for (type in »Practicing key generation« and press enter). You will then be asked to confirm your input (type in »o« for »Okay« and press enter).
Gpg will then start to create a key by generating lots of random numbers. You can help gpg do this by moving around your mouse. Next a dialogue window will open and ask you to type in a passphrase. The passphrase is all that protects your private key if someone copies the keyring file from your disk, so make it long: a sentence of several random words beats a short word with a few capitals and digits, and nothing that can be found in a dictionary on its own. For testing purposes something simpler will do (type in »testphrase123« and press enter). You will be asked to confirm the passphrase by typing it in again (type in »testphrase123« and press enter). Key generation may take a few minutes.
The key pair is now stored in the GnuPG home directory (on Windows usually »%APPDATA%\gnupg«); only the private key is encrypted with your passphrase, the public key is meant to be shared. To share it with others you have to export it. Make a simple enough directory on your hard disk for key export (for example »C:\Workbench«). In our example you can then export your public key by typing in
»gpg --armor --output "C:\Workbench\TestingTigerPubKey.asc" --export "Testing Tiger"«
and pressing enter. Gpg picks the key by matching »Testing Tiger« against the user IDs in your keyring; as soon as you hold several keys with similar names it is safer to address a key by its fingerprint instead.
There are some more things you can do with keys, like generating a certificate which allows you to revoke them and backing up your private key. Both resulting files have to be kept in a safe place, ideally offline: whoever gets hold of the revocation certificate can declare your key invalid, and whoever gets hold of the private key backup only needs your passphrase to read your mail and sign in your name.
Bearing that in mind, a revocation certificate can be created by typing in
»gpg --armor --output "C:\Workbench\TestingTigerRevoke.asc" --gen-revoke "Testing Tiger"«
then pressing enter, confirming it again (type in »y« and press enter) and selecting a revocation reason from a list (to choose »Key has been compromised« type in »1« and press enter). You then have the opportunity to add a personal message to the revocation certificate (type in »Uncle Kage tweeted my passphrase« and press enter twice; the empty line ends the message). Confirm your input (type »y« and press enter). A dialogue window will open and ask you to type in the passphrase (type »testphrase123« and press enter). Since version 2.1 gpg also writes a revocation certificate automatically at key generation time into the »openpgp-revocs.d« subfolder of its home directory; it deserves the same care.
Private keys can be exported by typing in
»gpg --armor --output "C:\Workbench\TestingTigerPrivateKey.asc" --export-secret-keys "Testing Tiger"«
and pressing enter. A dialogue window will open and ask you to type in the passphrase (type »testphrase123« and press enter). The exported file is still protected by your passphrase, but treat it as the secret it is.
Keys you generate and export in gpg can also be imported into Enigmail, an elegant add-on for Thunderbird to encrypt emails. Enigmail itself can also generate keys, but with more limited options. (Since Thunderbird 78 OpenPGP support is built into Thunderbird itself and Enigmail is no longer needed for it.)
Encrypting messages
If you have received the public key from another lifeform and made sure it has not been tampered with on the way, you can encrypt a message to them. The check that matters is the key's fingerprint: compare the fingerprint gpg shows for the imported key with the one its owner tells you over a channel an attacker cannot tamper with (in person, on the phone, printed on a business card), or rely on the web of trust, i.e. on signatures of people whose keys you have already verified.
We haven't received any public keys yet. But let's say we did exchange keys with Prancing Puma, got his public key file, saved it to »C:\Workbench\« as »PrancingPuma.asc« and now want to send him a message. What would we have to do? Import the key into gpg by typing in
»gpg --import "C:\Workbench\PrancingPuma.asc"«
and pressing enter, then verify the fingerprint as described above. Until you have done so and signed (certified) the key, gpg will warn on every encryption that there is no assurance the key belongs to the named user.
As we can't do that yet, we will encrypt a message to ourselves for practicing purposes. To do so you can either send your message to gpg directly via the command line by typing in
»gpg --armor --output "C:\Workbench\practicecypher.asc" --recipient "Testing Tiger" --encrypt«
then pressing enter. After that, you can type in your message and let gpg know when you are finished by holding down CTRL and pressing Z, then releasing CTRL and pressing enter (CTRL+D for Linux users ;). Don't press CTRL+C: on Windows that aborts gpg instead of ending the input.
A more comfortable way to have gpg encrypt a message is to put it in a text file. To do so via Notepad, hold down the Windows key and press R. Type »notepad« in the appearing window and press enter. Enter your message and save it as »practiceclear.txt« in a directory of your choosing, for example »C:\Workbench«. To encrypt this message type in
»gpg --armor --output "C:\Workbench\practicecypher.asc" --recipient "Testing Tiger" --encrypt "C:\Workbench\practiceclear.txt"«
and press enter.
Decrypting messages
Say someone has encrypted a message to you with your public key and you want to read it. For practicing purposes we will decrypt »practicecypher.asc« to »practicedecrypted.txt«. In the previous section we put »practicecypher.asc« in the »C:\Workbench\« directory. So we can now type
»gpg --armor --output "C:\Workbench\practicedecrypted.txt" --decrypt "C:\Workbench\practicecypher.asc"«
and press enter. Gpg finds the private key matching the recipient »Testing Tiger« and asks for the passphrase to unlock it (type in »testphrase123« and press enter).
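The whole procedure of this tutorial, run unattended in throwaway keyrings, as an added example that is not part of the original post. It assumes GnuPG 2.1 or newer and a POSIX shell (Git Bash or WSL on Windows, any Linux); the answers of the interactive dialogue go into a parameter file instead, which is the documented way to script key generation. A second keyring stands in for Prancing Puma's computer, and his address »puma@example.org« and passphrase are made up here. The script also shows the two checks the text only describes: the imported key is addressed by fingerprint and compared against the fingerprint "received over a trusted channel" before it is certified and used.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Requires gpg >= 2.1.
set -eu

# gen_key HOME NAME EMAIL PASSPHRASE [BITS]
# Creates an isolated GNUPGHOME under HOME (nothing touches your real
# %APPDATA%\gnupg or ~/.gnupg), generates an RSA key pair and prints the
# fingerprint of the primary key. The tutorial uses 4096 bits; the test below
# passes 2048 only to keep it quick, never do that for a real key.
gen_key() {
  home="$1"; name="$2"; email="$3"; pass="$4"; bits="${5:-4096}"
  mkdir -p "$home" && chmod 700 "$home"
  # Let the passphrase come from the command line / parameter file instead of
  # a pinentry window (needed for --pinentry-mode loopback on old 2.1.x).
  echo "allow-loopback-pinentry" > "$home/gpg-agent.conf"
  # The answers of the interactive --full-gen-key dialogue as a parameter file.
  cat > "$home/keyparams" <<EOF
Key-Type: RSA
Key-Length: $bits
Subkey-Type: RSA
Subkey-Length: $bits
Name-Real: $name
Name-Comment: Practicing key generation
Name-Email: $email
Expire-Date: 1y
Passphrase: $pass
%commit
EOF
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback \
    --gen-key "$home/keyparams"
  rm -f "$home/keyparams"   # it contains the passphrase
  # From now on address the key by fingerprint: a name is only a substring
  # match and becomes ambiguous as soon as the keyring holds a second key.
  GNUPGHOME="$home" gpg --batch --with-colons --fingerprint "$email" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# roundtrip WORKDIR [BITS]
# Tiger exports his keys, imports and verifies Puma's key, encrypts a file to
# Puma, and Puma decrypts it. Returns 0 if the decrypted file matches.
roundtrip() {
  work="$1"; bits="${2:-4096}"
  tiger="$work/tiger"; puma="$work/puma"; pass="testphrase123"; ppass="puma-pass"
  command -v gpg >/dev/null || { echo "gpg not installed" >&2; return 2; }
  tfpr=$(gen_key "$tiger" "Testing Tiger" "testing@tiger.com" "$pass" "$bits")
  pfpr=$(gen_key "$puma" "Prancing Puma" "puma@example.org" "$ppass" "$bits")

  # Public key export, private key backup, and the revocation certificate that
  # gpg >= 2.1 writes automatically at key generation time.
  GNUPGHOME="$tiger" gpg --batch --yes --armor \
    --output "$work/TestingTigerPubKey.asc" --export "$tfpr"
  GNUPGHOME="$tiger" gpg --batch --yes --pinentry-mode loopback --passphrase "$pass" \
    --armor --output "$work/TestingTigerPrivateKey.asc" --export-secret-keys "$tfpr"
  test -s "$tiger/openpgp-revocs.d/$tfpr.rev"

  # Puma hands Tiger his public key file ...
  GNUPGHOME="$puma" gpg --batch --yes --armor \
    --output "$work/PrancingPuma.asc" --export "$pfpr"
  GNUPGHOME="$tiger" gpg --batch --quiet --import "$work/PrancingPuma.asc"
  # ... and Tiger compares the fingerprint of what he imported with the one
  # Puma told him over a trusted channel ($pfpr stands in for that channel).
  got=$(GNUPGHOME="$tiger" gpg --batch --with-colons --fingerprint "puma@example.org" \
    | awk -F: '$1 == "fpr" { print $10; exit }')
  [ "$got" = "$pfpr" ] || { echo "fingerprint mismatch, key not trusted" >&2; return 1; }
  # Only after that check: certify the key with a local (non-exportable)
  # signature. Without it gpg refuses to encrypt to the key in batch mode,
  # because nothing says the key belongs to the named user.
  GNUPGHOME="$tiger" gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
    --quick-lsign-key "$pfpr"

  printf 'Hello Puma, this is Tiger.\n' > "$work/practiceclear.txt"
  GNUPGHOME="$tiger" gpg --batch --yes --armor --output "$work/practicecypher.asc" \
    --recipient "$pfpr" --encrypt "$work/practiceclear.txt"
  GNUPGHOME="$puma" gpg --batch --yes --pinentry-mode loopback --passphrase "$ppass" \
    --output "$work/practicedecrypted.txt" --decrypt "$work/practicecypher.asc"

  # Stop the agents that gpg started for the throwaway homes.
  GNUPGHOME="$tiger" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$puma" gpgconf --kill gpg-agent 2>/dev/null || true
  cmp -s "$work/practiceclear.txt" "$work/practicedecrypted.txt"
}

# Usage: sh thisfile.sh run   (writes everything into a fresh temp directory)
if [ "${1:-}" = "run" ]; then
  dir=$(mktemp -d)
  roundtrip "$dir" && echo "round trip OK, files are in $dir"
fi
```

The keyrings and all files end up under the temporary directory, so you can inspect »practicecypher.asc« or the exported keys afterwards and delete the whole directory when done. The fingerprint comparison is the step that actually protects you from a swapped key; everything else in the script is the same sequence of commands as in the text, only with the prompts answered in advance.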
Cheers.
