Skip to main content

Basic run down of how to use GnuPG to encrypt files, sign messages, read encrypted messages, and useful commands and applications helpful in aiding along the way.

title: Beginners Guide to GnuPG
author: Dr. Small
date: January 28th, 2008

## Introduction

I am going to give a basic run down of how to use [GnuPG] to encrypt files, sign
your messages, read encrypted messages from your friends and whatnot, along with
some of useful commands and applications you can use in aiding you along the

First off, incase you don't understand completely (which is absolutely fine, as
we are not expected to know everything), GPG is a key-based encryption method.
You will be given a public key and a private key. The private key, as indicated,
should remain private as to keep the entire idea of encryption secure.

A person who holds your public key and wishes to send you an encrypted message,
would encrypt the message with your public key. They can not decrypt their own
message after they encrypt it. Only you, who holds the private key can decrypt
the message.

## Applications

There are two different GUI based applications which can assist you in setting
up a GPG key. These two are GPA, which is a very simple application that does
everything you need, as far as key managing, deleteing, adding, signing and
adding a level of trust to another person's public key.

The second one is seahorse. It is built for Gnome, and uses the gnome-keyring
(if I am not mistaken) so it is a little bit more heavy than GPA, which is my
favorite. (Note to the reader, I am not a KDE user, but I am sure there is a KDE
GnuPG application suited for them. I am in no way discriminating them from this
guide for any reason).

Let's begin by installing GPA and seahorse (or you can choose one of the two if
you wish). From the Terminal (**Applications** > **Accessories** >
**Terminal**), run the following command:

    $ sudo apt-get install gpa seahorse

To launch GPA, from run dialog (**ALT + F2**) or the terminal:

    $ gpa

To launch seahorse, from the run dialog (**ALT + F2**) or the terminal:

    $ seahorse

Both of this GUI applications give you the opportunity to create a GPG key from
their menus, and if you wish to do it that way, you may do so. It should be very
simple and informational, so I will not explain how to do it from those
applications (as it could also be subject to change over time).

Another application worth mentioning would be FireGPG for Firefox. It can
encrypt / decrypt / sign / verify / import and export with GPG. To install it
for Firefox, please visit their [website][1].

## Generating A Key

As an alternative, you could create a GPG key from the command line of the
terminal. To do so, launch your terminal (**Applications** > **Accessories** >
**Terminal**) and run the following command, to get started:

    $ gpg --gen-key

You will then be prompted back with the following:

    Please select what kind of key you want:
       (1) DSA and Elgamal (default)
       (2) DSA (sign only)
       (5) RSA (sign only)
    Your selection?

You will want to select number **1**, as it can be used for encryption and
decryption, whereas the second and third choices are only allowed to sign
messages. To do so, press the number **1**, and then press **enter**.

You then will be prompted with the following:

    DSA keypair will have 1024 bits.
    ELG-E keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)

You will want to enter **2048** here, as recommended by gnupg.

> If you don't want your key to expire (for the next prompt, select **0**).

Answer **yes** if the information is correct, when prompted, and then enter your
**Real Name**, **Email address**, and a **comment** (*which is optional*). If
everything is correct, press **o** (for Ok) and then **enter**.

You will then be asked to **enter a passphrase**. This process will be repeated.
As always, make a strong password which would be difficult to crack. **Do not
enter a name / address / birthdate or word from a dictionary as your password.**
Take the usual precautions, and make it random and difficult to crack.

After entering your passphrase, follow the instructions in the terminal:

    We need to generate a lot of random bytes. It is a good idea to perform some
    other action (type on the keyboard, move the mouse, utilize the disks)
    during the prime generation; this gives the random number generator a better
    chance to gain enough entropy.

When you have successfully finished generating your key, you will see a message
similar to the following:

    gpg: key <strong>069C39A4</strong> marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 2 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u
    pub 1024D/<strong>069C39A4</strong> 2008-01-28
    Key fingerprint = 516E E759 94BA 0DC1 37BE 1074 E46C B27D 069C 39A4
    uid samplekey <>
    sub 2048g/BC9EC4CB 2008-01-28
    Your KEY-ID would be the two keys (both identical) above which are in bold.
    The Key fingerprint is also listed there.

Your **KEY-ID** would be the two keys (both identical) above which are in bold.
The Key fingerprint is also listed there.

## Key Servers

Key servers are used to distribute your public key to other key servers and so
other users can easily look your name (or email up) in the database and find
your public key to send encrypted messages to you. This eliminates the process
of physically or unsecurely giving your friend your public key, and allows
others to be able to find you on an online database.

To upload your public key to the Ubuntu keyserver, there are 2 ways to do this.
By pasting your ASCII Armored Public Key into the submission box at the Ubuntu
Keyserver By using the terminal and gnupg to send your public key to the Ubuntu

To accomplish method 1, you will need to open seahorse, select your key under
"My Personal Keys" and click the "Export Public Key" in the toolbar. You can
optionally choose the name and location of which it will be saved to. Proceed to
open up: <> while opening your newly exported
public key with a text editor (gedit).

Select and copy the entire contents of your public key file, and paste it into
the "Submit a Key" text area on the Ubuntu Keyserver (link provided above).
Submit it, and it should then proceed to submit the key to the keyserver.

You should then be able to search for your email or name in the search string
box on the Ubuntu Keyserver page, to find your public key on the internet. This
is undoubtedly the Graphical way of doing it, but it can be somewhat longer.

To do it by the means of method 2, you would first need to open up a terminal
(**Applications** > **Accessories** > **Terminal**) and paste the following into

    $ gpg --send-keys --keyserver <KEY-ID>

Naturally, you would replace `<KEY-ID>` with your public key id, as stated
before. It also helps to memorize it, like I have done. If you forget what your
keyid is, just run:

    $ gpg --list-keys <EMAIL>

That will list the keys registered with your email (and since there should only
be one, it will only list your key.) Then you can obtain your **KEY-ID** and run
the command above, to submit it to the keyservers.

## Importing Keys

There are four different methods to importing a key, as stated below:

1. [FireGPG](#firegpg)
2. [GPA](#gpa)
3. [Seahorse](#seahorse)
4. [Terminal](#terminal)

All are quite simple to do, but FireGPG is the easiest of all if you are
importing a public key from a keyserver with Firefox. I will briefly explain all

### FireGPG

If you have somebody's public key on a webpage while in Firefox and have
installed [FireGPG] \(as mentioned above under [Applications](#applications)\),
then simply highlight the Public key from beginning PGP comment to ending PGP
comment, right click on it, select FireGPG and click the Import button. It's
that simple!

For your information, to solve confusion, the beginning and ending PGP comment
tags look like the following:


### GPA

If someone has given you their public key as a file, simply launch GPA and
select **Import** from the toolbar.

### Seahorse

If someone has given you their public key as a file, you can do one of two
things. First, you can open up **Nautilus** and double click **this file**, and
it should automatically import the public key into your **GnuPG**, or open
**Seahorse** and select ***Key*** from the menu and click ***Import***.

### Terminal

Open up the terminal (**Applications** > **Accessories** > **Terminal**) and

    $ gpg --import KEYFILE

`KEYFILE` would be the filename of the **public key** in your **home folder**.
(If it is not in your home folder, please cd to the proper directory first, and
then run the above command.)

## Tips and Tricks

Here is some more valuable information that can be useful when encrypting /
decrypting files with GPG from the terminal.

### List Keys

If you wish to see all of the keys you have imported into GnuPG, you can issue
the following command:

    $ gpg --list-keys

### Encrypt a File

If you wish to encrypt a file for your friend with his Public Key, run the
command in the following format:

    $ gpg -o encrypted_file.gpg --encrypt -r <KEY-ID> original.file


`-o encrypted_file.gpg`
    Output to the following filename.

    that's the encrypting part

`-r <KEY-ID>`
    Recipient. KEY-ID would be your friends KEY-ID here.

    The original file that you will be encrypting.

### Decrypt a File

If someone has sent you a file that has been encrypted with your public key, you
can decrypt it by the following:

    $ gpg --decrypt filename.gpg

### Clearsign a Document

Clearsigning is very similar to adding your signature to the bottom of a letter
or important paper. It signifies that it actually came from you. By
clearsigning, it generates a SHA1 hash of the entire file's contents and add's
the SHA1 sum to the bottom of the signature. If the file has been tampered with,
the signature verification will fail, which can be used to spot forgery.

If the user has edited the file after it has been signed, the verification of
the signature will also fail, because the SHA1 sum will not match that of the
actual content.

To clearsign a document / file, run the following:

    $ gpg --clearsign filename.txt

### Exporting your Public Key

To export your public key in ASCII Armored fashion, run the following command:

gpg --export -a <KEY-ID> > publickey.asc

Replace `<KEY-ID>` with your Public Key ID, and it will create a file called
**publickey.asc**, which you can distribute to your friends and they can import.

### Symmetric Encryption

GPG can also do a symmetric encrytion where you can encrypt a file with a
passphrase (this is not keybased encryption). To encrypt a file with a
passphrase, use this:

    $ gpg -c filename.txt

To decrypt this type of file, just use:

    $ gpg filename.txt

And you will be prompted for the passphrase and it will decrypt the file.

## Additional Links

- [](
- [GnuPrivacyGuardHowto](
- [The GNU Privacy Handbook](
- [Wikipedia: GNU Privacy Guard](

## Related Guides

- [How To: Use GnuPG along with WHIRLPOOL Hash to Encrypt an Individual File](
- [Advanced GnuPG Concepts - Advanced Key Generation](
- [How To: Install a Port Knocker - FWKNOP](