
GnuPG Basics Explained with Linux GPG Command Examples

GnuPG stands for GNU Privacy Guard.

GnuPG is an open implementation of the OpenPGP (Pretty Good Privacy) standard as defined in RFC 4880. In this article, we cover the installation of GnuPG and the basics of generating keys with it.

This article is part of our ongoing series on Cryptography. If you are new to cryptography, refer to our earlier article on Introduction to Cryptography.

On Debian-based systems, use the following command to install the GnuPG tool.

# apt-get install gnupg

The first step in using GnuPG is to create a public and private key pair. The following command creates the keys.

$ gpg --gen-key

The above command runs in interactive mode. The following steps explain the input that the gpg command asks for.

1. Choose the algorithm to be used for key generation

gpg: directory `/home/lakshmanan/.gnupg' created
gpg: new configuration file `/home/lakshmanan/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/lakshmanan/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/lakshmanan/.gnupg/secring.gpg' created
gpg: keyring `/home/lakshmanan/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)

Your selection?

Each algorithm has its own advantages and disadvantages. Choose the one you prefer, or use the default RSA algorithm. Press 1 or Enter.

2. Select the key size

Once the algorithm is selected, it will ask for the key size.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

In general, the bigger the key size, the more secure the key. In practice, 2048 should be sufficient. Type your key size or press Enter to accept the default.

3. Key validity

The next input is how long the key should be valid.

Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Type 0 if you don’t want the key to expire.

It will again ask for a confirmation. Press Y

Key does not expire at all
Is this correct? (y/N) y

4. Create User ID and Password

Each key is associated with a user ID and a passphrase. gpg now asks for your name, email address and passphrase.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: lakshmanan
Email address: admin@thegeekstuff.com
Comment: My test GPG keys
You selected this USER-ID:
    "lakshmanan (My test GPG keys) <admin@thegeekstuff.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter Passphrase

5. Final Output Keys

In order to generate a unique key, the system needs more random bytes. Perform some operations that access the disk, the network, etc., so that the system can collect enough random bytes.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 39 more bytes)
+++++
+++++

Once sufficient random bytes are available, the keys will be generated.

gpg: /home/lakshmanan/.gnupg/trustdb.gpg: trustdb created
gpg: key A7344E7D marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/A7344E7D 2012-10-12
      Key fingerprint = 3AE0 7948 C880 E5F7 F0A1  E16A 6EBB 3931 A734 4E7D
uid                  lakshmanan (My test GPG keys) <admin@thegeekstuff.com>
sub   2048R/96F8EF9B 2012-10-12

Now we have generated the key pair to use with GnuPG. The above output provides some important information, such as the key ID:

Key-ID A7344E7D

We will use this key ID for various operations, as we will see later.

6. List the Key Pairs

You can list the keys that were generated using the --list-keys and --list-secret-keys options.

$ gpg --list-keys
/home/lakshmanan/.gnupg/pubring.gpg
-----------------------------------
pub   2048R/A7344E7D 2012-10-12
uid                  lakshmanan (My test GPG keys) <admin@thegeekstuff.com>
sub   2048R/96F8EF9B 2012-10-12

$ gpg --list-secret-keys
/home/lakshmanan/.gnupg/secring.gpg
-----------------------------------
sec   2048R/A7344E7D 2012-10-12
uid                  lakshmanan (My test GPG keys) <admin@thegeekstuff.com>
ssb   2048R/96F8EF9B 2012-10-12
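
A scripted form of the listing above, as an added example that is not part of the original article: it reads gpg's machine-readable --with-colons output and reports each primary key by its full fingerprint (the 8-digit key ID is only the tail of the fingerprint) together with its expiry status. The helper name audit_keys, the sample records and the second key are constructed for illustration; the first fingerprint is the one printed in step 5.

```shell
#!/bin/sh
# Added example: audit primary keys from the colon-delimited gpg listing.
# Real input would come from:
#   gpg --batch --fixed-list-mode --with-colons --fingerprint --list-keys
# (--fixed-list-mode makes gpg 1.4/2.0 print dates as epoch seconds.)

# audit_keys NOW WARN_DAYS   (hypothetical helper; reads the listing on stdin)
# Prints "<fingerprint> <bits> <status>" for each primary key.
audit_keys() {
    awk -F: -v now="$1" -v warn="$2" '
        # pub record: field 3 = key length, field 7 = expiry (empty = never)
        $1 == "pub" { bits = $3; expiry = $7; want_fpr = 1; next }
        # fpr records also follow subkeys; only the one after pub is wanted
        $1 == "sub" { want_fpr = 0; next }
        $1 == "fpr" && want_fpr {
            want_fpr = 0
            if (expiry == "") {
                status = "no-expiry"
            } else if (expiry + 0 <= now + 0) {
                status = "expired"
            } else {
                days = int((expiry - now) / 86400)
                status = (days <= warn + 0 ? "expires-soon" : "ok") ":" days "d"
            }
            # field 10 of an fpr record is the full fingerprint
            printf "%s %s %s\n", $10, bits, status
        }'
}

# Constructed sample listing. The first key mirrors the article (created
# 2012-10-12, never expires); the second is made up and expires 30 days later.
SAMPLE='pub:u:2048:1:6EBB3931A7344E7D:1350000000:::u:::scESC:
fpr:::::::::3AE07948C880E5F7F0A1E16A6EBB3931A7344E7D:
uid:u::::1350000000::::lakshmanan (My test GPG keys) <admin@thegeekstuff.com>:
sub:u:2048:1:0000000096F8EF9B:1350000000::::::e:
fpr:::::::::0000000000000000000000000000000096F8EF9B:
pub:u:4096:1:1111111111111111:1350000000:1352592000::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1350000000::::Constructed Example <example@example.invalid>:'

# 1351728000 is 2012-11-01 00:00:00 UTC, 20 days after the keys were created;
# keys expiring within 14 days are flagged.
printf '%s\n' "$SAMPLE" | audit_keys 1351728000 14
```

A key generated with validity 0, as in step 3, shows up as no-expiry, which is worth reviewing before the key is published.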

7. Export Your Public Keys

Now that we have generated a key pair, the next step is to publish your public key on the internet (key servers), so that other people can use that public key to send messages to you.

$ gpg --armor --export --output lakshmanan_pubkey.gpg lakshmanan

Now the file ‘lakshmanan_pubkey.gpg’ contains my public key. You can also use your key ID or email address as the argument to this command.

$ gpg --armor --export --output lakshmanan_pubkey.gpg A7344E7D

or

$ gpg --armor --export --output lakshmanan_pubkey.gpg admin@thegeekstuff.com

Now you can send the file to the people you converse with.

8. Submit Keys to a Key-Server

Exporting your public key and sending it to individuals is cumbersome if you converse with many people. In that case, you can upload your public key to a server called a “key server”, so that people who want your key can get it from there.

$ gpg --send-keys --keyserver keyserver.ubuntu.com A7344E7D

Now you should have a basic understanding of GnuPG. In a future article of this series, we will explain how to encrypt, decrypt and digitally sign your messages using GnuPG.


  • hdaz October 23, 2012, 10:36 am

    As you are generating an RSA key, I believe you have missed a step in the above instructions. I had to create a sub key for encryption (although your output already shows a sub key sub 2048R/96F8EF9B 2012-10-12).

    gpg --edit-key KEYID
    addkey
    follow questions etc..

    cheers
    hdaz

  • Jalal Hajigholamali October 23, 2012, 12:13 pm

    Hi,

    Thanks for very nice and useful article…

  • Galia June 25, 2013, 6:41 am

    1. Write a command line in a batch file called “1_GenerateKey.bat” to generate the PGP public key pair for yourself. Specify the following information for the key:
    a. RSA key
    b. Used for both signing and encrypting.
    c. Key size: 2048 bits,
    d. Validity until 1 September, 2013.
    e. Real name is the real name of one student of the group.
    f. Email address is the real email address of the same student of the group.

  • Awez Shaikh December 19, 2013, 1:46 am

    Can you please give me a practical example of how I can use gpg in the real world?

    Waiting for your reply..

    Thank you

  • me December 14, 2014, 10:03 pm

    Hi,

    I use Kubuntu and have gpg installed as a default program.

    First point. What is the difference between pgp and gpg?

    I have downloaded a programme from a website and the page talks of using keys to validate the program.

    Second point. Am I correct in assuming that the key must be imported into gpg before a validation can take place? Can validations be done ‘on the fly’?

    I am wondering how validations can help.

    Is it not possible to put a programme on a website, and place a key there that will fit, and the user (downloader) will note consistency on analysis. As for downloading keys, could someone not upload a key to a server that will show consistence on using gpg when the program itself may be problematic?

    Point three. Should keys be used that are published on a website, or only those available via servers?

    No doubt, I will be back

    Thanks

    Ps. Is there a good forum for gpg discussions?

  • Puneet Keswani April 11, 2016, 7:39 am

    Hi,
    Thanks for the info. It is really very helpful.
    I have a question here: in GPG, is there a way to send an alert just before the public key is about to expire?