GnuPG (GPG) is a powerful tool that provides cryptographic privacy and authentication for your data and communication. It allows you to sign, encrypt, and decrypt programs, disks, and even emails.
Generating and Managing Keys

Generate a key pair: Use
    gpg --full-generate-key
to create a unique pair of keys for encryption and signing.

List key pairs: View all your available keys with
    gpg --list-keys --keyid-format=long

Display your public key: Share your public key with others using
    gpg -a --export <Your Key ID>
Never share your private key!

Add a subkey: Subkeys enhance security. Use
    gpg --edit-key <Your Key ID>
followed by the commands addkey and save to add one.

Display subkeys: After listing keys with
    gpg --list-keys
edit a key using
    gpg --edit-key <Your Key ID>
Copy the subkey ID and use
    gpg -a --export <Key ID>
to display it.
Sharing and Revoking Keys

Send your public key to a public server: Public keys are meant to be shared. Use
    gpg --send-keys <Your Key ID>
to upload it.

Generate a revocation certificate: If your key is compromised, create a revocation certificate with
    gpg --output revoke.asc --gen-revoke <Your Key ID>
Import the certificate into your keyring and upload the key again so the revocation is published.
Searching for and Importing Public Keys

Search for a public key: Find a key using its ID with
    gpg --search-keys <Key ID>

Import a public key: Once found, import the key with
    gpg --recv-keys <Key ID>
Understanding Trust

Beware of key impersonation: Anyone can create a key with your email address. To verify a key's authenticity, compare fingerprints.

Verify fingerprints: Use
    gpg --fingerprint <Person's Key ID>
to see a key's fingerprint. Contact the person and confirm it matches.
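The fingerprint comparison above is easy to get wrong by eye: fingerprints are 40 hex digits, gpg prints them in spaced groups, and two keys can carry the same name and email address. The following POSIX shell snippet is an added example (not from the original page) that reads gpg's machine-readable output, which is what you get from gpg --with-colons --fingerprint, picks out the primary-key fingerprint of every key whose user ID contains a given email address, and checks it against the fingerprint the key owner confirmed out of band. The listing embedded in SAMPLE_LISTING is constructed sample data in that format; the fingerprints, key IDs and names in it are made up and deliberately include two different keys for the same address.

```shell
#!/bin/sh
# Added example: verify a key fingerprint against one confirmed out of band.
# Input is the colon-separated record format of 'gpg --with-colons --fingerprint'.
set -eu

# Constructed sample listing: two keys claim <alice@example.com> (one is an
# impostor), plus an unrelated key for Bob. Field 10 of a 'fpr' record is the
# fingerprint; field 10 of a 'uid' record is the user ID string.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::1111111111111111111111111111111111111111::Alice Example <alice@example.com>::::::::::0:
sub:u:4096:1:89ABCDEF01234567:1700000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:-:4096:1:FEDCBA9876543210:1700000500:::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1700000500::2222222222222222222222222222222222222222::Alice Example <alice@example.com>::::::::::0:
pub:-:4096:1:0000000000000001:1700000600:::-:::scESC::::::23::0:
fpr:::::::::0000000000000001000000000000000100000000:
uid:-::::1700000600::3333333333333333333333333333333333333333::Bob Example <bob@example.com>::::::::::0:'

# Strip the spaces gpg prints between groups and fold to upper case, so a
# fingerprint read over the phone or copied from a web page compares equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Print the primary-key fingerprint of every key whose user ID carries <email>.
# A 'pub' record starts a new key; the first 'fpr' after it belongs to the
# primary key (later 'fpr' records belong to subkeys and are ignored).
fingerprints_for_email() {
  printf '%s\n' "$1" | awk -F: -v email="$2" '
    $1 == "pub" { cur = "" }
    $1 == "fpr" && cur == "" { cur = $10 }
    $1 == "uid" && index($10, "<" email ">") { print cur }'
}

# Usage: verify_fingerprint "$listing" email "expected fingerprint"
# Prints "verified:<FPR>" when one of the keys for that address has the
# expected fingerprint, "mismatch" otherwise. Warns when the address is
# ambiguous, because that is exactly the impersonation situation.
verify_fingerprint() {
  listing=$1
  email=$2
  want=$(normalize_fpr "$3")
  found=0
  n=0
  for f in $(fingerprints_for_email "$listing" "$email"); do
    n=$((n + 1))
    [ "$f" = "$want" ] && found=1
  done
  [ "$n" -gt 1 ] && echo "warning: $n keys carry <$email>; trust only the verified fingerprint" >&2
  if [ "$found" -eq 1 ]; then
    echo "verified:$want"
  else
    echo "mismatch"
  fi
}

# Demo: the fingerprint Alice read to us, in gpg's spaced lower-case style.
verify_fingerprint "$SAMPLE_LISTING" alice@example.com \
  '0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567'
```

To use it against a real keyring, replace SAMPLE_LISTING with the output of gpg --with-colons --fingerprint; the parsing does not change. The point of the warning is that a matching name and email address proves nothing; only the fingerprint you confirmed with the person identifies the right key.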
The Web of Trust

The web of trust lets you rely on keys you have not verified yourself, based on signatures from people whose keys you already trust.

Trust a key: Use
    gpg --edit-key <Person's Key ID>
then the commands trust and save to set your trust in someone's key.

Sign a key: Signing a key records that you have verified its ownership. Edit the key with
    gpg --ask-cert-level --edit-key <Person's Key ID>
Look for "Full" trust on the left side of the user ID. Use check to see who signed the key and sign to add your signature. Upload the signed key again to the public server.

Revoke your signature: If a signed key becomes invalid, use
    gpg --edit-key <Person's Key ID>
then the commands revsig and save to revoke your signature. Upload the updated key information.
Encryption vs. Signing

Encryption uses the receiver's public key to scramble the message. Only their private key can decrypt it. Share your own public key beforehand so that others can send you encrypted messages.

Signing uses your private key to create a digital signature that verifies the message's origin and integrity. The receiver uses your public key to confirm the signature.
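The following shell script is an added example (not from the original page) that runs the commands from Generating and Managing Keys and from this section end to end without touching your real keyring: it creates a throwaway GNUPGHOME, generates a signing key with an encryption subkey non-interactively (the unattended equivalent of gpg --full-generate-key followed by addkey), exports the public key, makes and verifies a detached signature, shows that verification fails once the signed file is edited, and finally encrypts a file to the key and decrypts it again. The identity "Sandbox Tester <sandbox@example.com>" and the file contents are constructed; the gpg options used are standard GnuPG 2.1+ flags.

```shell
#!/bin/sh
# Added example: exercise key generation, export, signing and encryption in a
# temporary GNUPGHOME. Requires gpg and gpgconf (GnuPG 2.1 or later).
set -eu

gpg_sandbox_demo() {
  home=$(mktemp -d)            # mktemp creates the directory mode 0700, as gpg requires
  work=$(mktemp -d)
  export GNUPGHOME="$home"     # every gpg call below uses the throwaway keyring

  # Unattended key generation: a signing primary key plus an encryption subkey,
  # unprotected by a passphrase so the demo needs no pinentry. Constructed identity.
  cat >"$work/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Sandbox Tester
Name-Email: sandbox@example.com
Expire-Date: 1d
%commit
EOF
  gpg --batch --quiet --gen-key "$work/params" 2>/dev/null

  # Machine-readable listing: the first 'fpr' record is the primary key fingerprint
  fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')

  # Export the public key in ASCII armor; this is what you hand out (never the private key)
  gpg --batch --armor --export "$fpr" >"$work/pub.asc"
  head -n 1 "$work/pub.asc" | grep -q 'BEGIN PGP PUBLIC KEY BLOCK' || return 1

  # Signing: detached signature over a file, then verification with the public key
  printf 'release notes v1\n' >"$work/msg.txt"
  gpg --batch --yes --local-user "$fpr" --output "$work/msg.sig" \
      --detach-sign "$work/msg.txt" 2>/dev/null
  gpg --batch --verify "$work/msg.sig" "$work/msg.txt" 2>/dev/null \
      && sig_status=signature-ok || sig_status=signature-bad

  # Integrity check: editing the signed file must make the same signature fail
  printf 'release notes v1 (edited)\n' >"$work/msg.txt"
  if gpg --batch --verify "$work/msg.sig" "$work/msg.txt" 2>/dev/null; then
    tamper_status=tamper-missed
  else
    tamper_status=tamper-detected
  fi

  # Encryption to the key's encryption subkey, then decryption with the private key
  printf 'secret\n' >"$work/plain.txt"
  gpg --batch --yes --recipient "$fpr" --output "$work/plain.gpg" \
      --encrypt "$work/plain.txt" 2>/dev/null
  plain=$(gpg --batch --quiet --decrypt "$work/plain.gpg" 2>/dev/null)
  [ "$plain" = "secret" ] && dec_status=decrypt-ok || dec_status=decrypt-bad

  # Stop the agent that gpg started for this keyring and remove all traces
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$home" "$work"
  echo "$sig_status $tamper_status $dec_status"
}

# Run the demo when gpg is installed; it prints three status words.
if command -v gpg >/dev/null 2>&1; then
  gpg_sandbox_demo
fi
```

Expected output is "signature-ok tamper-detected decrypt-ok". The batch parameter file is the non-interactive counterpart of the prompts gpg --full-generate-key shows; for a real key you would drop %no-protection so the private key is protected by a passphrase, and you would generate it in your normal GNUPGHOME rather than a temporary one.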
Using GPG with Git

Signed commits: Add your GPG public key to your GitHub account.

Go to: https://github.com/settings/keys
Scroll to the bottom. You'll find the Add GPG Key button in the GPG keys section.

Export your public key using this command:
    gpg --export --armor <Key ID>
Replace <Key ID> with your actual key ID, which you can find by listing your keys with:
    gpg --list-keys
If you have not created a GPG key yet, see Generating and Managing Keys above.

Copy the exported public key content, paste it into GitHub, and save.

Note: The email associated with your key should match the primary email of your GitHub account and the email configured in your local Git.

Sign a single commit: Use
    git commit -S<Your Key ID> -m "message"
to create a signed commit. Note that the key ID is attached directly to -S with no space in between (the long form --gpg-sign=<Your Key ID> is equivalent).

Global configuration: Set global Git settings with:
    git config --global user.signingkey "<Your Key ID>"
    git config --global commit.gpgsign true
    git config --global tag.gpgsign true

Commit email: Ensure the primary email in your key matches your Git commit email. Set it with:
    git config --global user.email "<Email associated with your key>"

Verify signed commits: Use
    git log --show-signature
to see which commits are signed.
Using GPG to Encrypt Emails

GPG keys can encrypt emails. Import your private key into a trusted email client such as Thunderbird. You can then choose to digitally sign each email, or to encrypt it when the recipient's public key is available.