All shell commands will be in code tags. Output from GPG to the terminal will be in quote tags. My comments are simply text.
To use GPG you need to generate a key pair. This consists of a public key and a private key. It is safe to give the public key to anyone you correspond with; the private key should not be shared with anyone else. You can think of the public key as an open lock, which you give to the people you want to be able to communicate securely with you. You can imagine the people you have shared your open lock (public key) with putting their messages to you in a secure box and locking it shut by closing your open lock on it. Now even they cannot open the lock. You keep the private key yourself, in a combination safe. The combination to the safe is your passphrase. After providing your passphrase, the combination safe is opened and the private key is used to unlock your closed lock and take the message out. GPG doesn't actually require that you understand much of this, simply that you know the basics of public and private keys.
Let's generate a key pair from the command line:
gpg --gen-key
You will be presented with a series of questions regarding the key you are generating.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
This is simply asking which algorithms you would like to use for encryption (of the session key) and for signatures. The selection you make doesn't particularly matter, as all of the options are secure; however, you will want to select either option one or two, as three and four are used for signatures only. I will go with the default of RSA and RSA, so I enter 1 and press enter.
1
Now you will be asked how strong you would like to make the keys.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Generally you will want to go with the strongest possible choice. 1,024-bit keys are currently considered to be somewhat secure, but they are probably crackable by agencies such as the NSA and will not be secure against less powerful attackers for very long. I will select 4,096, which should remain secure for quite a long time.
4096
Now you will be asked how long the key should remain valid for.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Chances are that you want your key to always be recognized as valid by the people you communicate with. I always put 0 here, as I have thus far never desired a key that expires.
0
Key does not expire at all
Is this correct? (y/N)
y
Now you will be asked for the name and email address you would like associated with the key.
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name:
For real name you should absolutely put the same thing as the pseudonym you use the key for. Failure to do this will result in pissed off vendors and may very well end up with you being ignored, as nobody wants to spend the time required to figure out which key belongs to you.
kmfkewm
Email address:
For email address you can either put a legitimate (anonymous) email address that you can be reached at, or something made up. I generally make something up, although using a real email address is a good way to keep in touch in case your regular channel of communication is ever compromised.
kmfkewm@silkroad.onion
You will be asked for any additional comment that you would like to be associated with your key
comment:
the email address is fake
Now you will be presented with the choices you have selected and given a chance to change them if you desire to do so.
Real name: kmfkewm
Email address: kmfkewm@silkroad.onion
Comment: the email address is fake
You selected this USER-ID:
"kmfkewm (the email address is fake) <kmfkewm@silkroad.onion>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
I am happy with all of this so I will select O.
O
You need a passphrase to protect your secret key.
Additionally, a GUI input box may pop up. You will need to enter your passphrase twice. Your passphrase should, at a bare minimum, be longer than eight characters. Ideally, it will be an entire random sentence consisting of multiple words, without care being taken for grammatical correctness or making sense.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
At this point it is wise to randomly type on your keyboard into the terminal to help speed up the entropy gathering process. This is especially important if you are in a virtual machine, as there is no mechanical hard drive to be used as a source of randomness. During the process of gathering entropy, mathematical symbols (dots and plus signs) are printed to the screen, seemingly for your amusement.
........+++++
Eventually your key will be generated, as signaled by something like this.
note: this doesn't match the key I actually generated because my terminal fucked up. This doesn't usually happen.
gpg: ~/.gnupg/trustdb.gpg: trustdb created
gpg: key 396C7744 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 4096R/396C7744 2012-09-11
Key fingerprint = 8D9E AFFC C6C9 2BEA 514E 265E 3CF3 2A29 396C 7744
uid kmfkewm (the email address is fake) <kmfkewm@silkroad.onion>
sub 4096R/66BDC3F7 2012-09-11
Now that you have generated your keys, you need to be able to get your public key to the people who you would like to be able to securely communicate with you. Remember, you use people's public keys to encrypt messages to them, and they use your public key to encrypt messages to you. Private keys are used in the message decryption process.
Let's export the public key.
gpg -a --export kmfkewm@silkroad.onion
-a signals that the output is ASCII armored and --export is the flag to export a public key. You need to make sure to specify the e-mail address of the public key you would like to export, or else it will export all of your public keys as one huge ASCII armor block. I believe it is also possible to do it by username; however, it seems to be easily confused, as when I specified kmfkewm it exported my real key, which has the username KmfkeWm, but when I specify by email address it works as expected.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

...
=IZ3p
-----END PGP PUBLIC KEY BLOCK-----
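The `=IZ3p` line just before the END marker (and the `=XBGa` line on the encrypted messages later in the post) is not part of the key: it is a CRC-24 checksum of the decoded bytes that GnuPG appends to every armor block, so a block that lost a line when it was pasted into a forum is rejected instead of being imported as garbage. The following Python script is an added example, not part of the original post; it implements the CRC-24 from RFC 4880 section 6.1 and a minimal armor writer/reader. The sample block it builds is constructed (it armors the plain bytes `test\n`, not a real OpenPGP packet) and only serves to show the layout GnuPG 1.4 prints.

```python
import base64
from typing import Optional, Sequence, Tuple

# CRC-24 parameters from the OpenPGP ASCII armor specification (RFC 4880, 6.1).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 over the raw (decoded) bytes of an armored block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The '=XXXX' trailer: the CRC-24 as three big-endian bytes, radix-64 encoded."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def armor(data: bytes, block_type: str = "PGP MESSAGE",
          headers: Sequence[str] = ()) -> str:
    """Wrap raw bytes in an armor block: BEGIN line, optional headers, a blank
    line, the radix-64 body in 64-character lines (as GnuPG emits it), the
    checksum line and the END line."""
    body = base64.b64encode(data).decode("ascii")
    body_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    lines = [f"-----BEGIN {block_type}-----", *headers, "",
             *body_lines, armor_checksum(data), f"-----END {block_type}-----"]
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> Tuple[str, bytes, bool]:
    """Parse an armor block. Returns (block type, raw bytes, checksum ok).
    The checksum only guards against corruption in transit: anyone can
    recompute it, so it says nothing about who produced the block."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("not an ASCII armored block")
    block_type = lines[0][len("-----BEGIN "):-len("-----")]
    # Armor headers such as "Version: GnuPG v1.4.11 (GNU/Linux)" run up to the
    # first blank line; the radix-64 body starts right after it.
    if "" not in lines[1:]:
        raise ValueError("missing blank line after armor headers")
    start = lines.index("", 1) + 1
    body_lines = lines[start:-1]
    crc_line: Optional[str] = None
    if body_lines and body_lines[-1].startswith("="):
        crc_line = body_lines.pop()
    data = base64.b64decode("".join(body_lines), validate=True)
    # A missing checksum line is treated as a failed check, not as "unknown".
    checksum_ok = crc_line is not None and crc_line == armor_checksum(data)
    return block_type, data, checksum_ok


# Constructed sample in the layout GnuPG 1.4 prints; the body is just the
# bytes b"test\n" armored as if they were a message, not a real OpenPGP packet.
SAMPLE_ARMOR = armor(b"test\n", headers=["Version: GnuPG v1.4.11 (GNU/Linux)"])

if __name__ == "__main__":
    print(SAMPLE_ARMOR)
    print(dearmor(SAMPLE_ARMOR))
    # Drop the checksum line, as a sloppy copy-and-paste might, and watch it fail.
    damaged = "\n".join(l for l in SAMPLE_ARMOR.splitlines() if not l.startswith("="))
    print(dearmor(damaged))
```

Running the script prints the constructed block, its decoded contents with `True`, and then `False` for the copy without its checksum line. The checksum is an integrity aid, not an authenticity check: a tampered block can carry a freshly computed `=XXXX` line, so whether a key really belongs to someone is still decided by comparing its fingerprint over another channel.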
When people want you to be able to send them encrypted messages they will send you a copy of their public keys and you will need to import them. This is an easy process, feel free to test it with the key I have listed above. First, copy the key so that it is in your clipboard.
gpg --import
Now paste the key into the terminal.
ctrl d
Note: ctrl represents the ctrl key; you do not type it in.
Now that people have your public key, they are able to encrypt messages to you. Also, now that you have their public key, you can encrypt messages to them. Let's encrypt a message, in this case I will simply encrypt the message to myself.
gpg -e -a
You did not specify a user ID. (you may use "-r")
Current recipients:
Enter the user ID. End with an empty line:
Allegedly you can specify users by username; however, the same issue with kMfkeWm vs kmfkewm seems to be present, so it is best to select users by their e-mail address. Alternatively, you can select them by their full user ID. Let's take a moment to sidetrack the current train of thought and show how to get a list of the full user IDs of people whose public keys you have:
gpg --list-keys
-------------------------------------
pub 4096R/00E5A93C 2012-08-25
uid KmfKeWm (lol) <kmFkEwM@kewekeke.onion>
sub 4096R/E075FB13 2012-08-25
pub 4096R/A4A22D7B 2012-09-11
uid kmfkewm (the email address is fake) <kmfkewm@silkroad.onion>
sub 4096R/930F85D3 2012-09-11
The UID consists of everything after uid up to and including the closing >.
So, let's get back to encrypting messages. Since it asked me for the UID of the recipient I wish to encrypt the message to...
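Both the key generation summary (the pub/uid/sub/fingerprint lines above) and the --list-keys output share one layout, and the username mix-up described in the post comes from user-ID matching that is not exact. The following Python script is an added example, not part of the original post: it parses that layout into records, models the case-insensitive substring match the author ran into (an assumption about why gpg picked the KmfkeWm key; gpg also accepts key IDs and fingerprints, which this script does not model), and refuses to pick a recipient unless the e-mail address identifies exactly one key. The two listings are constructed from the keys shown in the post; the keyring path line is made up.

```python
import re
from typing import Dict, List, Optional

# "pub" and "sub" lines: <bits><algo letter>/<key id> <creation date>
KEY_RE = re.compile(r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})")
# "uid" lines: Real Name [(Comment)] <email>
UID_RE = re.compile(r"^uid\s+(.*?)(?:\s+\(([^)]*)\))?\s+<([^>]+)>\s*$")
FPR_RE = re.compile(r"^\s*Key fingerprint = ([0-9A-Fa-f ]+?)\s*$")

# Constructed sample: the two keys listed in the post, under a made-up keyring
# path line, the way GnuPG 1.4 prints --list-keys output.
LISTING = """\
/home/user/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/00E5A93C 2012-08-25
uid                  KmfKeWm (lol) <kmFkEwM@kewekeke.onion>
sub   4096R/E075FB13 2012-08-25

pub   4096R/A4A22D7B 2012-09-11
uid                  kmfkewm (the email address is fake) <kmfkewm@silkroad.onion>
sub   4096R/930F85D3 2012-09-11
"""

# Constructed sample in the layout of the key generation summary from the post.
GEN_OUTPUT = """\
pub   4096R/396C7744 2012-09-11
      Key fingerprint = 8D9E AFFC C6C9 2BEA 514E 265E 3CF3 2A29 396C 7744
uid                  kmfkewm (the email address is fake) <kmfkewm@silkroad.onion>
sub   4096R/66BDC3F7 2012-09-11
"""


def parse_listing(text: str) -> List[Dict]:
    """Turn pub/uid/sub/fingerprint lines into one record per primary key."""
    keys: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            kind, bits, algo, keyid, created = m.groups()
            entry = {"keyid": keyid.upper(), "bits": int(bits),
                     "algo": algo, "created": created}
            if kind == "pub":
                current = dict(entry, uids=[], subkeys=[], fingerprint=None)
                keys.append(current)
            elif current is not None:
                current["subkeys"].append(entry)
            continue
        if current is None:
            continue
        m = UID_RE.match(line)
        if m:
            name, comment, email = m.groups()
            # "raw" is the full user ID: everything after "uid" up to the closing ">"
            current["uids"].append({"name": name, "comment": comment, "email": email,
                                    "raw": line.split(None, 1)[1].strip()})
            continue
        m = FPR_RE.match(line)
        if m:
            current["fingerprint"] = m.group(1).replace(" ", "").upper()
    return keys


def keyid_matches_fingerprint(key: Dict) -> bool:
    """The 8-hex-digit key ID is only the last 32 bits of the fingerprint, so
    compare the full fingerprint out of band, never the short ID alone."""
    fpr = key["fingerprint"]
    return fpr is not None and fpr.endswith(key["keyid"])


def find_by_name(keys: List[Dict], name: str) -> List[Dict]:
    """Case-insensitive substring match over the whole user ID, which is why
    'kmfkewm' hits both keys in the sample (modelled, not gpg's own code)."""
    needle = name.lower()
    return [k for k in keys if any(needle in u["raw"].lower() for u in k["uids"])]


def find_by_email(keys: List[Dict], email: str) -> List[Dict]:
    """Exact (case-insensitive) e-mail comparison; this script's own policy."""
    wanted = email.lower()
    return [k for k in keys if any(u["email"].lower() == wanted for u in k["uids"])]


def select_recipient(keys: List[Dict], email: str) -> Dict:
    """Refuse to pick a recipient unless the e-mail identifies exactly one key."""
    hits = find_by_email(keys, email)
    if len(hits) != 1:
        raise LookupError(f"{email!r} matches {len(hits)} keys, expected exactly 1")
    return hits[0]


if __name__ == "__main__":
    keys = parse_listing(LISTING)
    print("by name 'kmfkewm':", [k["keyid"] for k in find_by_name(keys, "kmfkewm")])
    print("by e-mail:", select_recipient(keys, "kmfkewm@silkroad.onion")["keyid"])
    gen = parse_listing(GEN_OUTPUT)[0]
    print(gen["fingerprint"], keyid_matches_fingerprint(gen))
```

Run as a script it shows the name lookup returning both keys (00E5A93C and A4A22D7B) while the e-mail lookup returns only A4A22D7B, and confirms that the 396C7744 key ID from the generation summary is the tail of its fingerprint.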
kmfkewm (the email address is fake) <kmfkewm@silkroad.onion>
Current recipients:
4096R/930F85D3 2012-09-11 "kmfkewm (the email address is fake) <kmfkewm@silkroad.onion>"
Enter the user ID. End with an empty line:
At this point I could choose to encrypt the message for multiple recipients; however, I do not desire to do this, so I simply hit the enter key on a blank line to signal that I have selected all desired recipients. Now type your message in:
test
ctrl d
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (GNU/Linux)

...
=XBGa
-----END PGP MESSAGE-----
This is the ciphertext, and it has been encrypted to my key. Of course, it will be encrypted for whoever you selected when you entered a UID.
Sometimes you will get encrypted messages and need to decrypt them. Since I just encrypted a message to myself I will now go through the process of decrypting it.
gpg -d
You are presented with a blank line. Simply paste the ciphertext that you wish to decrypt:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (GNU/Linux)

...
=XBGa
-----END PGP MESSAGE-----
You will likely be automatically prompted for your passphrase at this point, possibly in the terminal or possibly in a pop-up GUI input box. Enter your passphrase. To view the decrypted message you may have to hit ctrl d.
ctrl d
You need a passphrase to unlock the secret key for
user: "kmfkewm (the email address is fake) <kmfkewm@silkroad.onion>"
4096-bit RSA key, ID 930F85D3, created 2012-09-11 (main key ID A4A22D7B)
gpg: encrypted with 4096-bit RSA key, ID 930F85D3, created 2012-09-11
"kmfkewm (the email address is fake) <kmfkewm@silkroad.onion>"
test
That sums up the basic commands required to use GPG from the command line. Of course you can do a lot more with GPG (symmetric encryption, hashing, file encryption, signatures and validation, etc.), but I am not going to cover all of those unless people specifically request that I do. I hope that this shows that using GPG from the command line is trivial, and that using GPG in general is trivial. I believe that this tutorial is fully cross platform. You do not need any fancy GUI or OS-specific bullshit to make full use of GPG, and in fact I find that controlling it entirely from the command line is far less of a hassle. It is also far more secure, as now an attacker sending you malicious ciphertexts can only hope to exploit a vulnerability in the core GPG engine, instead of the GUI package or wrapper you are using for GPG.