Silk Road forums

Discussion => Security => Topic started by: LouisCyphre on August 10, 2012, 12:29 am

Title: GPG HOWTO: Introduction to the GPG command line
Post by: LouisCyphre on August 10, 2012, 12:29 am
This document provides an introduction to basic command line use of GPG in a UNIX shell like Bash or Tcsh (for BSD, Linux, OS X, etc. users) and the Windows DOS prompt.  The command line options used here work with both GPG 1.4.x and GPG 2.0.x.

As with my previous guides, my instructions use GPG 1.4.12 on a POSIX compliant system.  Some UNIX commands (e.g. grep, less, more, etc.) will not be available to Windows users.

The guide assumes you know how to open a shell/Terminal/DOS prompt on your system(s) and know the most basic commands for moving between directories, moving files and deleting files (although it is often better to use a secure deletion program).


*** REQUIREMENTS ***

Before using this guide you need to make sure that you have correctly configured your copy of GPG using my previous guide on that topic:

GPG HOWTO: GPG Configuration - The gpg.conf file
http://dkn255hz262ypmii.onion/index.php?topic=34204.0

I will be assuming that this type of configuration is in use throughout this guide.

You will need a text editor like Notepad (Windows), TextEdit (OS X), Nano (OS X, Linux, BSD, etc.), Vim (OS X, Linux, BSD, etc.) or Emacs (Windows, OS X, Linux, BSD, etc.).  More advanced text editors, like Vim and Emacs, provide greater options and are valuable to command line users.  This guide, as with all my guides, has been written with Emacs.

Files saved and used in this guide are all assumed to be in the same directory that you are running the commands in.

You will also need a GPG key and I strongly encourage using 4096-bit RSA/RSA or 4096-bit RSA/Elgamal keys.  To make an RSA/Elgamal key you can see my guide on that here:

GPG HOWTO: Creating large keys and mixing algorithms (expert mode)
http://dkn255hz262ypmii.onion/index.php?topic=28474.0

If you do not feel comfortable making an RSA/Elgamal key, that's fine, you can always do it later if you change your mind.  If you make a 4096-bit RSA/RSA key you can change it into an RSA/Elgamal key later anyway.


*** Online Resources (clearnet) ***

The following guides are essential resources for command line users of GPG:

The GNU Privacy Handbook
http://www.gnupg.org/gph/en/manual.html

The GNU Privacy Guard Manual
http://www.gnupg.org/documentation/manuals/gnupg/

GnuPG - Command Reference
http://www.spywarewarrior.com/uiuc/gpg/gpg-com-0.htm


*** GPG Command ***

GPG 1.4.x is invoked on the command line as: gpg
GPG 2.0.x is invoked on the command line as: gpg2

Note:  Systems can have both GPG 1.4.x and 2.0.x installed.  Systems with just GPG 2.0.x installed often have the gpg command linked to the gpg2 command.

GPG includes help on the command line which can be accessed at any time with the following command:

Code:
gpg --help

For the most part commands which work in GPG 1.4.x work in the same way in 2.0.x.  All commands in this guide will work with both versions.

Most options or flags that can be invoked on the command line can also be included in a gpg.conf.  There are some exceptions to this, but the details of those exceptions are included in the GPG manual and are beyond the scope of this introductory guide.


*** The Public Keyring ***

The entire public keyring can be viewed with this command:

Code:
gpg --list-keys

There is also a shortcut for it:

Code:
gpg -k

If, like me, you have a lot of keys on your keyring you can do this:

Code:
gpg -k | less

You can also check for a specific key by using the user ID (i.e. the name or email address) or using the key ID (i.e. the hexadecimal code identifying the key):

Code:
gpg -k lcyphre
gpg -k "Louis Cyphre"
gpg -k 0x7E8BE6B1DD7B4576
gpg -k DD7B4576

All those commands will display the details for my key if it is in your public keyring.

The --fingerprint flag can be added to display the fingerprint of any key or keys:

Code:
gpg -k --fingerprint 0x7E8BE6B1DD7B4576

If the string used to select keys by user ID matches multiple keys, then all keys containing that string will be displayed:

Code:
gpg -k tormail

UNIX users can count the number of keys in their keyring with this command:

Code:
gpg -k | grep "^pub" | wc -l

Or the number of Tor Mail users:

Code:
gpg -k tormail | grep "^pub" | wc -l

*** The Secret Keyring ***

The entire secret or private keyring can be viewed with this command:

Code:
gpg --list-secret-keys

There is also a shortcut for it:

Code:
gpg -K

Note the uppercase K in the shortcut this time.

The other variations included for the public keyring also operate with the secret keyring.


*** ASCII Armoured Files ***

GPG uses two main file types (there are more, but these two are the ones that concern us here):

1)  GPG encrypted messages or GPG signatures using the .gpg extension.

2)  GPG encrypted messages or GPG signatures with ASCII armouring using the .asc extension.

Public keys and encrypted messages posted to the forum, sent in email and posted on Silk Road all need to use ASCII armouring in order to be displayed correctly and used by others here.  ASCII armouring increases the file size when converting the encrypted data to base64 encoding, but it works and is somewhat offset by the compression used by GPG before a file is encrypted.

The armour flag is included with other commands at the time they are invoked and cannot be used after encryption to convert an encrypted message to an ASCII armoured one.  There are three flags available and they all perform the same function:

Code:
--armor
--armour
-a


*** GPG Output ***

GPG can display output to the screen, but a lot of commands need the output redirected to files.  Some commands, like encrypting, do this automatically by appending the .asc or .gpg extension.  Other commands, like exporting a key, do not.  When using these other commands we need to specify the output file by using:

Code:
--output $FILENAME
-o $FILENAME

The output flag can be used to override the default filename GPG might otherwise use.


*** Importing Keys ***

To import a key first select the ASCII armoured key block and copy it.  Open your text editor, paste it in and save the file to a suitable filename (e.g. pubkey.asc).  To import the key just run this command:

Code:
gpg --import pubkey.asc

When the key has been imported you can safely delete the pubkey.asc file.

The import command will work on both public and secret keys.  GPG recognises the difference and saves them in the appropriate keyring file.  Secret keys include the public key so importing a secret key automatically imports the public key at the same time.


*** Exporting Public Keys ***

Exporting keys is essential to provide a copy of your public key to those people who need it.  You can also export any key in your public keyring, multiple keys or all the keys into a single public key block.

When I need to export my key I run this command:

Code:
gpg -a --export -o lc.asc 0x7E8BE6B1DD7B4576

The export command will never export a secret key; there is a separate command for that which is used to back up a secret key.


*** Exporting Secret Keys ***

The command to export a secret key for backup purposes is:

Code:
gpg -a --export-secret-keys -o mysecret.asc $KEY_ID

Where $KEY_ID is the key ID for your secret key.  You can leave that blank if you only have one secret key or want to export all the secret keys.

More detail on securely exporting and backing up secret keys can be found here:

GPG HOWTO: Backing up secret keys securely
http://dkn255hz262ypmii.onion/index.php?topic=28859.0


*** Encrypting Files and Messages ***

To encrypt a message or file we need to specify that we are encrypting, using ASCII armouring, the recipient or recipients and optionally an output file.

The encryption flag is:

Code:
--encrypt

The shortcut for this flag is:

Code:
-e

The flag to specify a recipient is:

Code:
--recipient

The shortcut for this flag is:

Code:
-r

By default messages are encrypted to the keys specified at the time of encryption plus any keys included in the "encrypt-to" line of the gpg.conf file.  It is HIGHLY recommended that you include your key in the "encrypt-to" line of your gpg.conf file.

If I wanted to encrypt a message (e.g. message.txt) to Guru I could use any of the following commands to do it:

Code:
gpg --armor --encrypt -o message.txt.asc --recipient 0x523FCBEE886855CA message.txt
gpg --armor --encrypt --recipient 0x523FCBEE886855CA message.txt
gpg --armour --encrypt --recipient 0x523FCBEE886855CA message.txt

What I actually do is much shorter and uses the shortcuts mentioned so far:

Code:
gpg -ea -r guru message.txt

All of these commands will produce an ASCII armoured file encrypted with both Guru's key and my key (which is included using the gpg.conf settings) called message.txt.asc.

Encrypting to multiple users can be done by specifying additional recipient flags.  If I wanted to encrypt my message to Guru and Pine I could do this:

Code:
gpg -ea -r guru -r 0xE9094AF9 message.txt

Note:  When using user IDs to specify a key to encrypt to, make sure that the user ID is unique and does not match any other keys.  Otherwise GPG will use the first key in the public keyring that matches for the recipient.


*** Decrypting Files and Messages ***

Once Guru has my message he needs to decrypt it.  The decryption process is just as straightforward.

The decryption flag is:

Code:
--decrypt

The shortcut for this flag is:

Code:
-d

By default GPG will attempt to decrypt any file when no flags are used, so both of the above flags are effectively optional.

Some of the possible commands for decrypting the encrypted message (message.txt.asc) are:

Code:
gpg --output message.txt --decrypt message.txt.asc
gpg --decrypt message.txt.asc
gpg -o message.txt -d message.txt.asc
gpg -d message.txt.asc
gpg message.txt.asc

When the command is run you will be prompted to enter the passphrase for your secret key.

All of those commands will save the decrypted file in a new file called message.txt.


*** Signing Messages ***

There are numerous ways to sign messages and files, in addition to signing or certifying keys.  For this basic guide the only options which concern us are clearsigning messages (e.g. like DPR does when making an official announcement) and signing a message when we encrypt it.

The flag to sign a message or file is:

Code:
--sign

The shortcut for that flag is:

Code:
-s

The flag to clearsign a message is:

Code:
--clearsign

There is no shortcut for clearsigning.

To return to our previous example message (message.txt) if I wanted to sign it when I encrypted the message to Guru I would include either of the --sign or -s flags in my encryption command:

Code:
gpg -sea -r guru message.txt

GPG would know to use the "default-key" specified in my gpg.conf and prompt me for the passphrase.  If I did not have a default-key specified or wanted to override the default key I could use the local-user flag:

Code:
--local-user

The shortcut for this flag is:

Code:
-u

For example:

Code:
gpg -u $OTHER_KEY_ID -sea -r guru message.txt

Clearsigning a message produces a plaintext file which contains a GPG signature.  By default GPG will name the output file the same way as it would an encrypted file, with the .asc extension.  You need to look at the file contents to see whether it is a clearsigned message or not.

If I had wanted to clearsign the message to Guru the command would be:

Code:
gpg --clearsign message.txt

Note:  The ASCII armouring flag is NOT required when clearsigning a message as it is not possible to clearsign without armouring.

To clearsign and then encrypt a message to Guru the commands would be:

Code:
gpg -o message-c.txt --clearsign message.txt
gpg -o message.txt.asc -ea -r guru message-c.txt

I would be prompted for my passphrase following the first command.

Other types of signatures not covered here include detached signatures, which are mainly used for verifying files, and signing and armouring text without encrypting it.


*** Verifying a Signature ***

To see if a signature is a GOOD signature or a BAD signature the command is:

Code:
--verify

There is no shortcut for this command, but messages that are signed and encrypted are automatically verified during the decryption process.

A GOOD signature means that the message or file has not been modified since the signature was made.

A BAD signature means that either the message or file has been modified or that an error occurred during the signing process.  It does NOT mean that there is definitely a problem, but it is advisable to contact the sender and confirm the details or what happened.

Note:  Some GUIs are known to modify clearsigned messages after signing in select circumstances, as are some mail systems.  A common offender is a conflict between different character encoding settings.

To verify a message that has been clearsigned, save the message to a file (e.g. announcement.asc) and run this command:

Code:
gpg --verify announcement.asc

*****

I hope you have found this of some benefit.

In future posts I will provide more advanced commands, but this covers the basics for general usage on Silk Road and elsewhere.
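The commands in the guide, exercised end to end. This is an added example and not part of LouisCyphre's post: a POSIX shell script that runs the key listing, encryption, decryption, clearsigning and verification steps against a throwaway key in a temporary --homedir, so your real keyring and gpg.conf are never touched, and then checks the GOOD/BAD signature outcome described under Verifying a Signature by changing one word of the clearsigned file. The armour_kind helper addresses the point made under Signing Messages that an encrypted message and a clearsigned message both come out as .asc files and can only be told apart by their contents. It assumes GnuPG 2.1 or later (for %no-protection in unattended key generation) and gpgconf on the PATH; the name and e-mail address of the demo key, and the message text, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): runs the guide's encrypt, decrypt,
# clearsign and verify commands against a throwaway key in a temporary homedir,
# so the real ~/.gnupg and gpg.conf are never touched.
# Assumes GnuPG 2.1+ (%no-protection in unattended key generation) and gpgconf.
# "Demo Sender <demo@example.invalid>" and the message text are constructed.

# Tell armoured files apart by their first line: an encrypted message and a
# clearsigned message both end up as .asc files, so only the contents say which.
armour_kind() {
    case $(head -n 1 "$1" | tr -d '\r') in
        '-----BEGIN PGP MESSAGE-----')           echo "encrypted message" ;;
        '-----BEGIN PGP SIGNED MESSAGE-----')    echo "clearsigned message" ;;
        '-----BEGIN PGP PUBLIC KEY BLOCK-----')  echo "public key block" ;;
        '-----BEGIN PGP PRIVATE KEY BLOCK-----') echo "secret key block" ;;
        '-----BEGIN PGP SIGNATURE-----')         echo "detached signature" ;;
        *)                                       echo "not ASCII armoured" ;;
    esac
}

# Returns 0 when every step passes, 2 when gpg is not installed, 1 on failure.
gpg_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demo" >&2; return 2; }
    home=$(mktemp -d) || return 1          # temporary keyring; mktemp creates it mode 700
    work=$(mktemp -d) || { rm -rf "$home"; return 1; }

    g() { gpg --batch --homedir "$home" "$@"; }   # every command below uses the temp keyring
    cleanup() {
        gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
        rm -rf "$home" "$work"
    }
    fail() { echo "FAILED at: $1" >&2; cleanup; }

    # Unattended key generation; the interactive --gen-key dialogue cannot be
    # scripted. No passphrase is acceptable only because the key is deleted below.
    g --quiet --gen-key 2>/dev/null <<'EOF' || { fail "key generation"; return 1; }
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo Sender
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF

    # The guide's key count: gpg -k prints one line starting with "pub" per key.
    [ "$(g -k 2>/dev/null | grep -c '^pub')" -eq 1 ] || { fail "key count"; return 1; }

    printf '%s\n' 'hello from the command line' > "$work/message.txt"

    # Encrypt (-e) with armour (-a) to a recipient (-r), then decrypt (-d) and compare.
    g --quiet -ea -r demo@example.invalid -o "$work/message.txt.asc" "$work/message.txt" 2>/dev/null \
        || { fail "encrypt"; return 1; }
    [ "$(armour_kind "$work/message.txt.asc")" = "encrypted message" ] || { fail "armour header"; return 1; }
    g --quiet -o "$work/message.out" -d "$work/message.txt.asc" 2>/dev/null || { fail "decrypt"; return 1; }
    cmp -s "$work/message.txt" "$work/message.out" || { fail "round trip"; return 1; }

    # Clearsign, then verify. Scripts should read the machine-readable --status-fd
    # lines (GOODSIG / BADSIG), not the human-readable text gpg prints on stderr.
    g --quiet --clearsign -o "$work/announcement.asc" "$work/message.txt" 2>/dev/null \
        || { fail "clearsign"; return 1; }
    [ "$(armour_kind "$work/announcement.asc")" = "clearsigned message" ] || { fail "clearsign header"; return 1; }
    g --status-fd 1 --verify "$work/announcement.asc" 2>/dev/null | grep -q '^\[GNUPG:\] GOODSIG' \
        || { fail "GOODSIG expected"; return 1; }

    # Change one word inside the signed text: the same signature is now BAD.
    sed 's/^hello from/hullo from/' "$work/announcement.asc" > "$work/tampered.asc"
    g --status-fd 1 --verify "$work/tampered.asc" 2>/dev/null | grep -q '^\[GNUPG:\] BADSIG' \
        || { fail "BADSIG expected"; return 1; }

    cleanup
    echo "encrypt/decrypt round trip, GOODSIG and BADSIG checks all passed"
}

gpg_demo
```

Save it as gpg-demo.sh and run sh gpg-demo.sh; it prints a one-line result and removes both temporary directories. The --status-fd lines are what a script should test: the GOODSIG and BADSIG tokens and the exit status of --verify are stable across versions, while the human-readable text on stderr is not.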
Title: Re: GPG HOWTO: Introduction to the GPG command line
Post by: Crooked on August 15, 2012, 04:01 am
Thanks for this! Been making it a point to improve my security, and I must say, you, Guru, Pine, Shannon, and km have been a huge help to me this week! Thanks fellas  ;D
Title: Re: GPG HOWTO: Introduction to the GPG command line
Post by: nomodeset on August 18, 2012, 09:20 am
Thanks for the great guides. To list all the topics in the right order:

1 GPG HOWTO: GPG Configuration - The gpg.conf file
http://dkn255hz262ypmii.onion/index.php?topic=34204.0

2 GPG HOWTO: Introduction to the GPG command line
http://dkn255hz262ypmii.onion/index.php?topic=35022.0

3 GPG HOWTO: Creating large keys and mixing algorithms (expert mode)
http://dkn255hz262ypmii.onion/index.php?topic=28474.0

4 GPG HOWTO: Backing up secret keys securely
http://dkn255hz262ypmii.onion/index.php?topic=28859.0

5 GPG HOWTO: Encrypting to yourself and a vendor, but concealing all recipients
http://dkn255hz262ypmii.onion/index.php?topic=29235.0
Title: Re: GPG HOWTO: Introduction to the GPG command line
Post by: LouisCyphre on August 21, 2012, 08:14 am
> Thanks for this! Been making it a point to improve my security, and I must say, you, Guru, Pine, Shannon, and km have been a huge help to me this week! Thanks fellas  ;D

You're welcome.  :)
Title: Re: GPG HOWTO: Introduction to the GPG command line
Post by: LouisCyphre on August 21, 2012, 09:08 am
> Thanks for the great guides.

You're welcome.

> Just to list all the topics in the right order:

Yeah, they definitely weren't written in the order they should be read.

> I recommend newbies to view and save all of them.

I hope more than just newbies.  Especially the more advanced stuff with alternate key types.
Title: Re: GPG HOWTO: Introduction to the GPG command line
Post by: eJ3k1 on August 21, 2012, 09:15 am
If you are new to Linux:

www.linuxcommand.org

Very good website to help you get familiar with the terminal (command line) in general.
Title: Re: GPG HOWTO: Introduction to the GPG command line
Post by: nomodeset on August 21, 2012, 07:14 pm
Encryption and decryption in the command line:

Encryption:

Code:
gpg -r recipient -ea
message


Then press Ctrl+D to end input.

Decryption:

Code:
gpg
gpg: Go ahead and type your message ...
-----BEGIN PGP MESSAGE-----
...
-----END PGP MESSAGE-----

Then press ^D to end input and decrypt the message.