Thoughts/Tips/Tricks/Tutorial on Pgp

Table of Contents


I will write stuff here soon c:

What is Pgp?

Pgp or Pretty Good Privacy is an encryption program, It is most commonly used for signing, encrypting, decrypting Emails but it can be used to encrypt/decrypt files and sign text also.

The Public Key

The Public key is the key you share with others so that they can encrypt stuff to you and verify the things you signed, you can even share the public key in an insecure way because it is a public key

Public Key Fingerprint

The Public key fingerprint is a shorter version of the actual public key, it is used to verify if the public key has not been tampered with.

The Private Key

The Private key is the key that you use to decrypt/sign things. This key should not be shared with others under any circumstances. You should set a strong password for this key because if someone gets access to your private key they still can’t use it without your password

Revocation Certificate

Getting Started

Installing GnuPG

GnuPG is the most popular implementation of the OpenPGP standard which is why we will be using it. Here is how to install it
Arch: # pacman -S gnupg
Debian: # apt-get install gnupg
Void: # xbps-install gnupg
Fedora: # dnf install gnupg
FreeBsd: # pkg install gnupg

These commands require to be run with root permission eg. sudo/doas or running the command as root

Generating a key pair

To use PGP you must generate a key pair which contains a public key and a private key. To do that run this command:
$ gpg --full-gen-key

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
  RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
 Requested keysize is 4096 bits
Please specify how long the key should be valid.
	 0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Your-online-username-or-alias
Email address: yourealemail@random.tld
Comment: Random comment
You selected this USER-ID:
    "Your-online-user (Random comment) <yourealemail@random.tld>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy. 

After this enter a strong and secure password to protect your private key. You will prompted to enter this password, when you try to do things such as signing and decrypting stuff.

Sharing/Exporting your public key

To export your public key run this command:
$ gpg --armor --export youremail@random.tld > my_email_public_key.asc
You can now share this file with your friends and they can encrypt things to you c:

Importing other people’s public key

To import your friends public key just run this command:
$ gpg --import bob_public_key.asc

Verifying public key fingerprint

To make sure the public key that your friend(Bob) sent you, has not been tampered with run the following command.
$ gpg --fingerprint bob@random.tld
The output will look something like this:

pub   rsa3072 2022-06-04 [SC]
      53C8 E08C 0D90 2A15 6F70  E60F 3B3A 149C 22E3 F797 # this line is the fingerprint
uid           [ultimate] Bob (comment) <bob@random.tld>
sub   rsa3072 2022-06-05 [E]

Now note down the fingerprint and then ask your friend to run the same command and tell you the fingerprint. If the fingerprints match the public key has not been tampered with and you may trust it.

Editing public key trust level

Coming soon™

Encrypting Stuff

Now that you have verified that your friend’s key has not been tampered with, you can encrypt files to them :D

To encrypt files run this command:
$ gpg --encrypt --armor -r bob@random.tld top_secret_message.txt
This will turn your file into an .asc file which you will send to Bob. This file can only be decrypted by Bob (or the person with Bob’s private key). Therfore not even you cannot decrypt the file after encrypting it

Decrypting Stuff

Bob has recieved the encrypted file you sent them, to decrypt it they will just run:
$ gpg --decrypt top_secret_message.txt.asc

Signing Files

Signing Plaintext

Signing Keys/Web Of Trust (Advanced)

Software using PGP

Claws Mail



Gui clients