GNU Privacy Guard Tutorial

Last Modified: Tue, 01/15/2013 - 17:13

Introduction

GnuPG, the GNU Privacy Guard, is a suite of data encryption utilities based on the OpenPGP standard.  This document discusses installation and basic usage of GnuPG in a Linux/UNIX command line environment, as well as provides simple scripts to automate routine encryption and decryption tasks.

Installation

Since GnuPG is distributed as source code, it must be compiled before installation.  The following steps will guide you through the installation:

$ tar zxf gnupg-1.0.7.tar.gz
$ cd gnupg-1.0.7
$ ./configure && make && make install

Return to top

Key Management

Key Generation

Execute gpg --gen-key, then follow the prompts.  The default options should be fine, but be sure to properly identify yourself.  gpg --list-keys will display the keypair, if you'd like to verify it.

Exporting Public Keys

Execute gpg --armor --export --output filename.asc <userID> to export your public key.  This will allow you to exchange keys with others, which is necessary for them to send you encrypted documents.  Note that <userID> must be a unique key identifier string, is case sensitive, and must be enclosed in quotes.  Note also that the --armor parameter is optional - it is used to generate ASCII-armored output that can be inserted into e-mail, a web page, etc., for easier distribution.  Otherwise, an encrypted binary file is generated, which can only be read directly by GnuPG.

Importing and Signing Public Keys

Execute gpg --import <filename> to add someone else's public key to your keyring.  This is necessary to send encrypted documents to that person.  Before you're able to encrypt data using another person's public key, you'll need to sign it.  You can do this by executing gpg --sign-key <userID>.

Key Information

As mentioned above, gpg --list-keys will display a list of all keys on your keyring.  If you'd like more information about a particular key, use gpg --list-sigs <userID>.

Editing Keys

Execute gpg --edit <userID> to perform edit on a key.  This command will invoke a Command> where you can enter the command to perform specific operations.  Entering <? >will display all options.  There are several useful options here, including verifying signatures, deleting keys, signatures, and userIDs, and setting the trust level of a key.

Return to top

Data Encryption

Encrypting Files

Execute gpg --encrypt --recipient <userID> <filename>.  This will create a new, encrypted copy of the file with the .gpg extension appended to the filename.  If you'd like to change the filename or extension, you can do so by adding --output <filename> after --encrypt. Remember that only the recipient specified will be able to decrypt the file.

Encrypting and Signing

If you'd like to sign and encrypt a document, to additionally ensure that your file is delivered without tampering, you can execute gpg --encrypt --sign --recipient <userID> <filename>.

Decrypting Files

Execute gpg --decrypt <filename> to decrypt a document.  In order to decrypt a file, it must have been encrypted to you, and you'll have to enter your secret passphrase to verify that you are the intended recipient.

Return to top

Automation

Many routine tasks for GnuPG can be automated through scripting.  Presented here are a sample scripts for a couple common tasks.  Note, these scripts require including your private key passphrase in the script itself, so be sure appropriate security precautions are taken to protect them.

This first script will decrypt all files in a directory, assuming all are encrypted with the same public key.  It will also ask you after decryption whether or not you would like to delete the encrypted archives.

#!/bin/sh
echo <passphrase> | gpg --decrypt-file --passphrase <passphrase> *.gpg
echo "Would you like to delete the encrypted files (y/n)? "
read temp
case "$temp" in
[yY]) rm *.gpg
   echo ""
   echo "Encrypted files deleted."
   echo ""
;;
*) echo ""
   echo "Encrypted files not deleted."
   echo ""
;;
esac

The next script will encrypt all files in a directory (except for those that are already encrypted), assuming all are intended for the same recipient, and securely wipe the original documents.  As before, it will ask for confirmation before deleting any files.

#!/bin/sh
echo "Would you like to delete the unencrypted files after encryption"
echo "(y/n)?"
read temp
case "$temp" in
[yY]) gpg --encrypt-files --batch -q \
      --recipient <UserID> `ls | grep -v gpg$`
   rm -f `ls | grep -v gpg$`
   echo ""
   echo "Unencrypted files deleted."
   echo ""
;;
*) gpg --encrypt-files --batch -q \
   --recipient <UserID> `ls | grep -v gpg$`
   echo ""
   echo "Unencrypted files not deleted."
   echo ""
;;
esac

Return to top