Getting Started with PGP and GPG
PGP is the best way of getting started with digital security, as it is the most well used and espablished form of encryption. It is often used by journalists and whistleblowers to communicate securely. It is based around a network of trust where Bob creates a key, and becasue Alice knows him in person, and so does Robby, and because Sarah trusts Alice, she trusts that the key signed by her does really belong to Bob.
We are going to be using GPG2 in this guide, which is an open source implementation of the PGP standard.
Getting started with PGP is easy. First things first though, we need to get everything installed.
First, install GPG:
On Windows, you should install GPG4Win which installs everything you need and more. It also includes Kleopatra, however I won’t be going into how to use that (primarily because I don’t really like it). You will want to use GPG through the Powershell for this guide.
If things don’t work well for you on Windows (I have had so many issues getting all of this working on Windows) try contacting me on Twitter @benjaminboxler or google it.
On MacOS, your best option is to install GPGTools which includes lots of useful things, including a Mail plugin, a solid Pinentry tool and a nice keychain tool. However for the purposes of this tutorial, we are just going to use the terminal for everything.
On Debian and Ubuntu, it is availale in the universe repository by default:
sudo apt install gpg2
It’s important to install the GPG2 package, as just install the gpg package will install GPG 1.4 which is no longer secure and is missing some important features we will be using later.
You might need to restart or open your terminal or shell session before continuing.
Next you need to generate your first set of encryption keys using
gpg --generate-key, where you will be prompted for your real name, then your email address you want associated with your key. You’ll be able to add another email address later. It will ask you to confirm your details - if they are all OK type
O. You’ll want to move your mouse around and use your computer whilst the key generates. You should see output like this when it is complete:
$ gpg --generate-key gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Note: Use "gpg --full-generate-key" for a full featured key generation dialog. GnuPG needs to construct a user ID to identify your key. Real name: John Doe Email address: firstname.lastname@example.org You selected this USER-ID: "John Doe <email@example.com>" Change (N)ame, (E)mail, or (O)kay/(Q)uit? o We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key 831F8A116F2624AF marked as ultimately trusted gpg: revocation certificate stored as '/Users/benboxler/.gnupg/openpgp-revocs.d/912212B2842647CD6966A0C3831F8A116F2624AF.rev' public and secret key created and signed. pub rsa2048 2019-01-28 [SC] [expires: 2021-01-27] 912212B2842647CD6966A0C3831F8A116F2624AF uid John Doe <firstname.lastname@example.org> sub rsa2048 2019-01-28 [E] [expires: 2021-01-27]
Now you have your first set of keys!
Adding a subkey
To edit the key, you will need to run
gpg --edit-key <KeyID> where
<KeyId> is the ID of the key you just generated. In the above example the ID is
831F8A116F2624AF. You can bring the ID back up by calling
gpg -K. In this example I would call
gpg --edit-key 831F8A116F2624AF. This should display your key details and provide you a list of options. The ones we care about are
addkey. If you have a second email address, use
adduid and then follow the prompts to add another email address. What we now need to do is add another signing subkey so we can move the primary key off the computer and somewhere more secure.
addkey will ask you to choose what the subkey is for, and here we will want to type
4 for RSA: Sign Only. This will generate a subkey. Type
save to save all the changes and exit the editor.
Uploading to a keyserver
What we need to do now is upload your public key to a keyserver. Most of the public servers all mirror the data between themselves, so if you upload to a keyserver, within 24 hours it will be available on all the other servers. This means that no matter what server you use, people will be able to find and contact you on it.
gpg --send-key <KeyID>
You should receive some output like this:
gpg: sending key 43BF0FED54D604EB to hkps://hkps.pool.sks-keyservers.net
and you will know your key is being distributed online correctly.
For added security, I keep a txt document on my website from a signed commit on my website easily accessible here: https://boxler.me/54D604EB.txt
Generating a revocation certificate
YOu need to generate a revocation certificate and keep it somewhere safe, you will need it if your master secret key gets compromised and you can upload your revocaition certificate to a keyserver and it will instruct users that it is no longer secure.
gpg --generate-revocation -a <KeyId> > <KeyId>.revocation.asc
Now you have to keep this one very safe - anyone who gets hold of this certificate can use it to revoke your certificate, making your certificates invalid. I reccomend putting it on an encrypted thumb drive somewhere safe.
To use it all you have to do is import it to your keychain and uplaod it to the keyserver.
gpg --import <KeyId>.revocation.asc gpg --send-key <KeyId>
Creating your everyday keychain
Now that you have created your subkeys, you will need to export them. Once we have done this you can move these subkeys onto any other devices that you want to be able to use to encrypt or sign documents with.
You can export it by using
gpg --export-secret-subkeys <KeyID> > <KeyID>.subkeys.asc
and then using something like
scp or a memory stick to move it onto another computer or device. You probably shouldn’t email that file, either.
You will then be able to import it on another device with GPG installed using
gpg --import <KeyID>.subkeys.asc, replacing keyID with your KeyID and ensuring your shell is in the same directory as the file.
Moving your master key somewhere safer.
It’s not very safe to be leaving your master key on your computer, especially if you are using a laptop. Your master key is required to sign other people’s keys, or to create new subkeys for yourself. If your master key is compromised, you will need to revoke that entire identity key, burning it down and starting from scratch (which is really inconvenient).
The first thing to do is export your secret key. Once your export it you will need to move it somewhere safe. I’ll leave that up to you. I have one copy of my master key I keep at home on a memory stick, and another I have on an encrypted memory stick with someone that I trust.
To export it all we have to do is run
gpg -a --export-secret-key <KeyID> > <KeyID>.master.asc
<KeyID> is the ID of your key that we found earlier. You can open this file in any text editor and you should see a file that looks somwhat like this:
-----BEGIN PGP PRIVATE KEY BLOCK----- // lots of random characters... -----END PGP PRIVATE KEY BLOCK-----
Now we can remove the master key from your system BUT ONLY IF YOU ARE CERTAIN THAT YOU HAVE BACKED IT UP. If you lose your master key you will be unable to revoke your subkeys, generate new subkeys, sign other people’s keys.
Deleting the master key can be achieved with
gpg --delete-secret-key <KeyID>. Once this is deleted, you can reimport the subkeys that you exported earlier, again with
gpg --import <KeyID>.subkey.asc. Ensure your keys are there by typing
gpg -K and seeing the key printed. Ensure the first line begins
sec# (the # tells us the master key is not on the system), and if it doesn’t ensure you are importing the subkeys and not the master key.
Testing your keys
You can test your key works for encryption and signing by trying to encrypt and decrypt something for yourself:
echo "Hello world!!" | gpg -e -a -r <email> | gpg -d where <email is the email address you used to create your encryption keys. If your output looks something like this your encryption subkey is working!
~$ echo "Hello world" | gpg -a -e -r email@example.com | gpg -d gpg: automatically retrieved 'firstname.lastname@example.org' via Local gpg: encrypted with 2048-bit RSA key, ID B470770583B4730F, created 2019-01-25 "Ben Boxler <email@example.com>" Hello world
To test the signing subkey, we can do something very similar:
~$ echo "Hello world" | gpg -a --clearsign | gpg --verify gpg: using "C2C3E54703912E3642F0ADED43BF0FED54D604EB" as default secret key for signing gpg: Signature made Thu 31 Jan 00:31:29 2019 GMT gpg: using RSA key 3A1A690F27296E2CA4F81F4B79FB2769D32052E7 gpg: Good signature from "Ben Boxler <firstname.lastname@example.org>" [ultimate] gpg: aka "Benjamin Boxler <email@example.com>" [ultimate] gpg: aka "Ben Boxler (protonmail.com) <firstname.lastname@example.org>" [ultimate]
If both of those worked, you can now use your keys as you wish!
Adding Other People’s Keys
The best way to add someone elses key is to get it directly from them, sneakernet or other means. Following that is to get their private key from a trusted source - for example I host my private key on this website which is verifyable as mine by a signed git commit here. Failing that, you can use their full fingerprint (preferred), short fingerprint (can be exploited), or email address (you probably just shouldn’t) along with gpg’s
$ gpg --search-keys 54d604eb gpg: data source: http://pgpkeys.uk:11371 (1) Ben Boxler <email@example.com> Benjamin Boxler <firstname.lastname@example.org> Ben Boxler (protonmail.com) <email@example.com> 2048 bit RSA key 43BF0FED54D604EB, created: 2017-10-30, expires: 2019-10-30 Keys 1-1 of 1 for "54d604eb". Enter number(s), N)ext, or Q)uit >
You now have my keys, and can verify my signature or encrypt things for me! Give it a go and send me an encrypted email at firstname.lastname@example.org and let me know how it goes!
In a part two of this, I’m going to go through using Yubikey and SSH with your new GPG credentials.