|
|
<!DOCTYPE html>
|
|
|
<html lang="en">
|
|
|
<head>
|
|
|
<meta charset="UTF-8">
|
|
|
<title>How To Encrypt Your Own Documents Using gpg | tait.tech</title>
|
|
|
<link rel="stylesheet" href="/assets/css/style.css">
|
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
|
</head>
|
|
|
<body>
|
|
|
<div id="wrapper">
|
|
|
<nav>
|
|
|
<input type="checkbox" id="menu">
|
|
|
<label for="menu">☰</label>
|
|
|
<div class="menu-content">
|
|
|
|
|
|
<a href="/" class="nav-link" >Home</a>
|
|
|
|
|
|
<a href="/tutoring/" class="nav-link" >Tutoring</a>
|
|
|
|
|
|
<a href="/blog/" class="nav-link" >Blog</a>
|
|
|
|
|
|
<a href="/links/" class="nav-link" >Links</a>
|
|
|
|
|
|
<a href="https://github.com/TTWNO/" class="nav-link" target="_blank" rel="noopener noreferrer" >Code</a>
|
|
|
|
|
|
</div>
|
|
|
</nav>
|
|
|
|
|
|
<h1>How To Encrypt Your Own Documents Using gpg</h1>
|
|
|
<h4 class="post-date line-under">Monday, April 06 2020</h4>
|
|
|
|
|
|
<div class="article">
|
|
|
<p>If you have ever wanted to garuntee the utmost security of your emails and documents, then this is the guide for you!
|
|
|
It should be noted that in some circles the tools used are more common than in others.
|
|
|
These are the everyday tools of many privacy advocates and computer nerds.</p>
|
|
|
|
|
|
<p>If you have never used Linux however, then the method of doing this will be rather unfamiliar.
|
|
|
This tutorial will be done on an <a href="https://archlinux.org/">Arch Linux</a> machine,
|
|
|
but it should be the same on Ubuntu, Fedora, CentOS, Debian,
|
|
|
OpenBSD, FreeBSD, MacOSX, etc.
|
|
|
The only operating system that does not include these tools by default (or easily accessible) is Windows.</p>
|
|
|
|
|
|
<p>This tutorial makes heavy use of the terminal.
|
|
|
You have been warned.</p>
|
|
|
|
|
|
<p><em>Let us…begin!</em></p>
|
|
|
|
|
|
<h2 id="glossary">Glossary</h2>
|
|
|
|
|
|
<ul>
|
|
|
<li><a href="https://en.wikipedia.org/wiki/Binary-to-text_encoding#ASCII_armor"><strong>ASCII armour</strong></a> — A way to encode <strong>OpenPGP</strong> documents so they are readable by humans. These files end in .asc</li>
|
|
|
<li><strong>(Open)PGP</strong> — An open standard for encoding pulbic keys and encrypted documents.</li>
|
|
|
<li><strong>GPG</strong> — GNUPrivacyGaurd is an implementation of <strong>OpenPGP</strong>. It is installed by default on most Linux distrobutions.</li>
|
|
|
</ul>
|
|
|
|
|
|
<h2 id="step-0-setup">Step 0: Setup</h2>
|
|
|
|
|
|
<p>We will be using the utility <code class="highlighter-rouge">gpg</code> for this tutorial.</p>
|
|
|
|
|
|
<p>The other thing to note: The character ‘$’ (dollar sign) is usually not typed when shown in a command.
|
|
|
It simply indicates that you do not need administrative privilages to run these commands.</p>
|
|
|
|
|
|
<p>Test to see if you get this output in your terminal.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
$ gpg --version
|
|
|
|
|
|
gpg (GnuPG) 2.2.20
|
|
|
libgcrypt 1.8.5
|
|
|
Copyright (C) 2020 Free Software Foundation, Inc.
|
|
|
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
|
|
|
|
|
|
...
|
|
|
</pre>
|
|
|
|
|
|
<p>If this is not successful look into how to install these tools on your system.</p>
|
|
|
|
|
|
<h2 id="step-1-getcreate-a-public-key">Step 1: Get/Create A Public Key!</h2>
|
|
|
|
|
|
<h3 id="get-somebody-elses">Get Somebody Else’s</h3>
|
|
|
<p>Step one is having somebody to send your encrypted message to. Maybe this is a friend, a journalist, or a whistleblower.</p>
|
|
|
|
|
|
<p>To encrypt a document with somebody’s public key, you need to first obtain it.
|
|
|
My public key is available <a href="/public-key.asc">at this link</a>, and you can use it to send me encrypted stuff.</p>
|
|
|
|
|
|
<p>If you are on a linux terminal, you can use the <code class="highlighter-rouge">curl</code> or <code class="highlighter-rouge">wget</code> command to download it.</p>
|
|
|
|
|
|
<p>wget:</p>
|
|
|
<pre class="terminal">
|
|
|
$ wget https://tait.tech/public-key.asc
|
|
|
</pre>
|
|
|
|
|
|
<p>Curl:</p>
|
|
|
<pre class="terminal">
|
|
|
$ curl https://tait.tech/public-key.asc -o public-key.asc
|
|
|
</pre>
|
|
|
|
|
|
<h3 id="make-your-own-optional">Make Your Own (optional)</h3>
|
|
|
|
|
|
<p>The following section is quite long,
|
|
|
so if you don’t want to create your own keypair,
|
|
|
then feel free to skip to <a href="#step-2-import-public-key">Step #2</a>.</p>
|
|
|
|
|
|
<p>If you want to encrypt your own documents,
|
|
|
or you want others to be able to send you encrypted messages,
|
|
|
then you can create your own public/private key pair.
|
|
|
You can use these to encrypt your documents,
|
|
|
and you can send our public key to others so that they can securely communicate with yourself.</p>
|
|
|
|
|
|
<p>Run the following command in your terminal, and follow the steps I outline to get you started.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
$ gpg --full-gen-key
|
|
|
</pre>
|
|
|
|
|
|
<p>This will produce the following dialog:</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
|
|
|
This is free software: you are free to change and redistribute it.
|
|
|
There is NO WARRANTY, to the extent permitted by law.
|
|
|
|
|
|
Please select what kind of key you want:
|
|
|
(1) RSA and RSA (default)
|
|
|
(2) DSA and Elgamal
|
|
|
(3) DSA (sign only)
|
|
|
(4) RSA (sign only)
|
|
|
(14) Existing key from card
|
|
|
Your selection?
|
|
|
</pre>
|
|
|
|
|
|
<p>Select the option <code class="highlighter-rouge">1</code>. You want two keys, both RSA.</p>
|
|
|
|
|
|
<p>Next we will select the key size:</p>
|
|
|
<pre class="terminal">
|
|
|
RSA keys may be between 1024 and 4096 bits long.
|
|
|
What keysize do you want? (2048)
|
|
|
</pre>
|
|
|
|
|
|
<p>Type the number 2048.</p>
|
|
|
|
|
|
<p>Next it will ask you how long you want the key to be valid.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
Requested keysize is 2048 bits
|
|
|
Please specify how long the key should be valid.
|
|
|
0 = key does not expire
|
|
|
<n> = key expires in n days
|
|
|
<n>w = key expires in n weeks
|
|
|
<n>m = key expires in n months
|
|
|
<n>y = key expires in n years
|
|
|
Key is valid for? (0)
|
|
|
</pre>
|
|
|
|
|
|
<p>Type the number 1. This will enable you time to test it,
|
|
|
but it will make the key expire within 24 hours so that if you accidentally
|
|
|
share your private key, or delete your VM and no longer have access to it, you will be fine.</p>
|
|
|
|
|
|
<p>It will ask your if you are sure about the expiry date.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
Key expires at Tue Apr 7 02:24:23 2020 UTC
|
|
|
Is this correct? (y/N)
|
|
|
</pre>
|
|
|
|
|
|
<p>Type <code class="highlighter-rouge">y</code> to confirm your choice.</p>
|
|
|
|
|
|
<p>Now <code class="highlighter-rouge">gpg</code> is going to ask you to create a user id to indetify this key.
|
|
|
Use some test data for now.
|
|
|
User input is in bold, feel free to follow along or to put your own test data in.</p>
|
|
|
|
|
|
<p>Once you are more comfortable with the tools,
|
|
|
then you can create a public/private keypair that you will keep for some time.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
GnuPG needs to construct a user ID to identify your key.
|
|
|
|
|
|
Real name: <b>Mr. Tester</b>
|
|
|
Email address: <b>test@test.org</b>
|
|
|
Comment: <b>for testing only</b>
|
|
|
You selected this USER-ID:
|
|
|
"Mr. Tester (for testing only) <test@test.org>"
|
|
|
|
|
|
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? <b>O</b>
|
|
|
</pre>
|
|
|
|
|
|
<p>It will then ask you for a password.
|
|
|
If you are simply using this for test purposes,
|
|
|
then you can feel free to set it to something like “test”.
|
|
|
When create a long-term use pulbic key make sure to make the password <em>very</em> secure.</p>
|
|
|
|
|
|
<p>During the process of creating your key, <code class="highlighter-rouge">gpg</code> may warn you with this message:</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
We need to generate a lot of random bytes. It is a good idea to perform
|
|
|
some other action (type on the keyboard, move the mouse, utilize the
|
|
|
disks) during the prime generation; this gives the random number
|
|
|
generator a better chance to gain enough entropy.
|
|
|
</pre>
|
|
|
|
|
|
<p>If this happens, feel free to smash your keyboard (lightly),
|
|
|
watch a YouTube video on the machine,
|
|
|
browse the web with <a href="http://w3m.sourceforge.net/">w3m</a>,
|
|
|
etc. until the key is generated.</p>
|
|
|
|
|
|
<p>You will know it is done when you see this message (or something similar):</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
gpg: key EACCC490291EA7CE marked as ultimately trusted
|
|
|
gpg: revocation certificate stored as '/home/tait/.config/gnupg/openpgp-revocs.d/FFA7D7525C6546983F1152D8EACCC490291EA7CE.rev'
|
|
|
public and secret key created and signed.
|
|
|
|
|
|
pub rsa2048 2020-04-06 [SC] [expires: 2020-04-07]
|
|
|
FFA7D7525C6546983F1152D8EACCC490291EA7CE
|
|
|
uid Mr. Tester (for testing only) <test@test.org>
|
|
|
sub rsa2048 2020-04-06 [E] [expires: 2020-04-07]
|
|
|
</pre>
|
|
|
|
|
|
<p>Tada! You have your own public/private keypair!</p>
|
|
|
|
|
|
<p>Sharing a keypair that will expire soon is not a good idea,
|
|
|
however, if you are ready, then you can use this command to generate a public key file to share with others.</p>
|
|
|
|
|
|
<p>Feel free to substitute “Mr. Tester” for any other identifying part of your key.
|
|
|
Remember that to use the email, you must enclose it in < and >.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
$ gpg --export --armour "Mr. Tester" > public-key.asc
|
|
|
</pre>
|
|
|
|
|
|
<p>To use the email as the identifier:</p>
|
|
|
<pre class="terminal">
|
|
|
$ gpg --export --armour "<test@test.org>" > public-key.asc
|
|
|
</pre>
|
|
|
|
|
|
<h2 id="step-2-import-public-key">Step 2: Import Public Key</h2>
|
|
|
|
|
|
<p>This list of keys that <code class="highlighter-rouge">gpg</code> keeps on tap so to speak, is called our “keyring”.
|
|
|
Your will need to import a new public key to encrypt files with <code class="highlighter-rouge">gpg</code>.</p>
|
|
|
|
|
|
<p>If you already created your own public key, then this step is not necessary unless you want to also encrypt something for me :)</p>
|
|
|
|
|
|
<figure>
|
|
|
<img src="/assets/img/keyring.jpg" alt="A keyring holding eight allen keys." />
|
|
|
<figcaption>
|
|
|
A keyring holding eight allen keys.
|
|
|
</figcaption>
|
|
|
</figure>
|
|
|
|
|
|
<p>To import a public key to use for encrypting files, use the <code class="highlighter-rouge">--import</code> option of <code class="highlighter-rouge">gpg</code>. Like so:</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
$ gpg --import public-key.asc
|
|
|
gpg: key 64FB4E386953BEAD: public key "Tait Hoyem <tait.hoyem@protonmail.com>" imported
|
|
|
gpg: Total number processed: 1
|
|
|
gpg: imported: 1
|
|
|
</pre>
|
|
|
|
|
|
<p>Now that we have imported a public key, we can make a message to send!</p>
|
|
|
|
|
|
<h2 id="step-3-have-a-message-to-encrypt">Step 3: Have A Message To Encrypt</h2>
|
|
|
|
|
|
<p>You can make a new file which holds some important, secret data.
|
|
|
Feel free to use a graphical editor if you have one, if not, <code class="highlighter-rouge">nano</code> works alright too.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
Rules Of A Good Life:
|
|
|
|
|
|
1. Wash your hands!
|
|
|
2. Work hard!
|
|
|
3. Be firm.
|
|
|
5. Have good friends!
|
|
|
</pre>
|
|
|
|
|
|
<p>Save this file as something like <code class="highlighter-rouge">test-pgp.txt</code>, and we’ll use that name later.</p>
|
|
|
|
|
|
<h2 id="step-4-encrypt-a-message">Step 4: Encrypt A Message</h2>
|
|
|
|
|
|
<p>Now that we have a message to send and person to send to,
|
|
|
all we have to do is encrypt this message and it’ll be on its merry way!
|
|
|
To do so, we must specify two new options to <code class="highlighter-rouge">gpg</code>.</p>
|
|
|
|
|
|
<p>The first is <code class="highlighter-rouge">--recipient</code>.
|
|
|
This tells <code class="highlighter-rouge">gpg</code> to encrypt using a certin public key that we have in our keyring.
|
|
|
You can use the person’s name, email address, or the key’s uid.</p>
|
|
|
|
|
|
<p>The second is <code class="highlighter-rouge">--encrypt</code>.</p>
|
|
|
|
|
|
<p>You will also specify the <code class="highlighter-rouge">--armour</code> option to use ASCII armoured files. Put this option after <code class="highlighter-rouge">--encrypt</code>, and put the file name after <code class="highlighter-rouge">--armour</code>. See below.</p>
|
|
|
|
|
|
<p>You can either use your own public key name to encrypt a document (allowng only you to decrypt it),
|
|
|
or you can use my public key that we imported earlier (allowing only me to decrypt it).
|
|
|
Either way works fine.</p>
|
|
|
|
|
|
<p>This is the big one!</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
$ gpg --recipient "Tait Hoyem" --encrypt --armour test-gpg.txt
|
|
|
</pre>
|
|
|
|
|
|
<p>“But there is no output!” you might say!
|
|
|
Yes, that is because our new (encrypted) file has already been saved.
|
|
|
Let’s look at it with cat.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
$ cat test-gpg.txt.asc
|
|
|
-----BEGIN PGP MESSAGE-----
|
|
|
|
|
|
hQIMA2mJuYb8vkIlAQ/9FDmXJgW2vI7p9sznKvHhQk7uTZvoWC3hCeqHoO3BSElP
|
|
|
XR1BNAkJ+bykB30M+9u+XDyRtTwazjvNPmYfQnIh0Q+BQZigDWbEd1R47jbzm7Tu
|
|
|
0eZKKapgEidfecULtaECX1sR3qPt1m9oZjyUR1rzNd8tezZlCu2pjdNZrkta2Bdm
|
|
|
Hh1xDS43Bw7PMQqraJsHwqr0M1GLDbMzPes2ZU5y4jEmXZ0PZdJ7kgjR8dvhLBfi
|
|
|
MU+4kYnnemQEztXBOjKidhyOntKiLjenvD00tVHrOuQoWuWCHGiqR24qSwVjeb9G
|
|
|
079gqH1VWi3fk2cwFA9f3TLvJqUwatyE0Hcba0U1d2Voz/C9JEQjT6FHuaCqQL6b
|
|
|
p7B7m2DwpywFGJpAn6ksrEYqHaLVWiEGmdMmHYuHxMw8+cqoSwbYymCZTwMBAuJe
|
|
|
Pr1VO9uNo+Vj5r8IX7ACcSsrjf0XkVzfX6ySsPbyOlGXnwzWSOM3Dk2Z9MqDORbj
|
|
|
0/7vJTnDctPuc91Rlp3YnJlZKWMcNfPMKMtvpljd2XuVwub+C4vGWXa9XLbRXmJo
|
|
|
cnEFT6SB11AKjytE2Urt62CCrYjJPBneabxbCztnBs+vQSx7Fj0LK6v4Euik/Xm/
|
|
|
9aKmZZW8306c9Zwgpp9glWjLMCDNxJRGdKRjZsnkt9hOEYsP1irTegystK6u4eHS
|
|
|
mwHX931ENOJsnPfQZCZ9b41Q9doZQ/N/WHstQO8MtA3HIN1sW3wYkGzOLKj4gJfm
|
|
|
bqR/TzQmXyLT1xZa+/yTscaV0P4OlI4vcii/k4DgeSeQVWp9o9DbZFxSCsdYVvPu
|
|
|
jaDMzZnIKoax1GFz/coUAHFQub2rLzaQ5DDbvrkX++UrAjuUtRcSFH0TKhahZmCF
|
|
|
nv117moLfK22Mst/
|
|
|
=bw8T
|
|
|
-----END PGP MESSAGE-----
|
|
|
</pre>
|
|
|
|
|
|
<h2 id="step-5-decryption-optional">Step 5: Decryption (optional)</h2>
|
|
|
|
|
|
<p>If you created your own public/private keypair in step 1,
|
|
|
and you encryped using <code class="highlighter-rouge">--recipient "Your Test Name"</code>,
|
|
|
then you can decrypt your document as well!</p>
|
|
|
|
|
|
<p>You will need to specify <code class="highlighter-rouge">--decrypt</code>, and that’s all folks!</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
$ gpg --decrypt test-gpg.txt.asc
|
|
|
</pre>
|
|
|
|
|
|
<p>A password dialog will then come up asking for your previously created password.
|
|
|
As long as you remember your password from before and enter it correctly: voila!</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
gpg: encrypted with 4096-bit RSA key, ID 6989B986FCBE4225, created 2020-01-02
|
|
|
"Tait Hoyem <tait.hoyem@protonmail.com>"
|
|
|
Rules Of A Good Life:
|
|
|
|
|
|
1. Wash your hands!
|
|
|
2. Work hard!
|
|
|
3. Be firm.
|
|
|
5. Have good friends!
|
|
|
</pre>
|
|
|
|
|
|
<h2 id="step-6-finale">Step 6: Finale!</h2>
|
|
|
|
|
|
<p>Ladies and gentleman, you have done it!
|
|
|
You have encrypted our very own document.
|
|
|
(And maybe even decrypted it yourself too :)</p>
|
|
|
|
|
|
<p>If you encrypted using my public key,
|
|
|
feel free to send it to <a href="mailto:tait@tait.tech">my email</a>.
|
|
|
I am happy to verify if it worked.</p>
|
|
|
|
|
|
<p>For more information on this subject, check out <a href="https://www.gnupg.org/gph/en/manual/c14.html">gnugp.org’s guide</a> on using GPG.
|
|
|
They are the ones that make these tools available,
|
|
|
and the <a href="https://www.gnu.org/">GNU Project</a> has been instrumental in creating the open-source world as it exists today.
|
|
|
Give ‘em some love, eh!</p>
|
|
|
|
|
|
<p>Thank you so much for sticking through this whole thing!
|
|
|
Let me know if there is anything that doesn’t make sense.
|
|
|
I am happy to improve this guide as time goes on if that is necessary.</p>
|
|
|
|
|
|
<p>Happy hacking :)</p>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
<footer>
|
|
|
This page is mirrored on <a href="https://beta.tait.tech/2020/04/06/rsa4.html">beta.tait.tech</a>.
|
|
|
</footer>
|
|
|
|
|
|
</div>
|
|
|
</body>
|
|
|
</html>
|