GPG Hints - GNU Privacy GuardGPG is an Open Source set of tools that allow for symmetric and asymmetric encryption of data: emails, security keys, key-rings, even mountable secure virtual drives, (as loop-devices).
"Hints": Just some reminders, and resources for figuring things out!
- GPG Symmetric Encryption with ASCII Armor
- GPG-ZIP Helper Tool
- Creating Public and Private Keys, and Revocation Certificates
- Publishing Public Keys
- Revoking / Cancelling Keys
- Backing up Keys and Revocation Certificates
- Recovering / Decrypting Keys and Revocation Certificates
- GPG Website: https://www.gnupg.org/
- GPG For Windows Users: http://www.gpg4win.org/
- Enigmail for Secure Email: https://www.enigmail.net/home/index.php
2. GPG Symmetric Encryption with ASCII ArmorASCII Armor Encrypt the Secure Key, (a PGP Key, Bitlocker Recovery Key, etc), but use ASCII Armor if you want to email to yourself, or post in plain text.
Converting it from Binary to Base64 ASCII Armor, makes the encrypted key "Human Readable." However, doing so increases the output by about 33%, (or so)--which is not significant when encrypting keys. However, when encrypting folders, large files, etc, don't use ASCII Armor, or that 33% increase in size will be very noticeable.
cmd:/>gpg -c --cipher-algo=AES256 -a -o email@example.com firstname.lastname@example.org
Decrypting the Key is fairly simple, and GPG will infer from the data in the file which encryption algorithm is being used, or if it is in ASCII Armor.
cmd:/>gpg -o output.txt -d email@example.com
3. GPG-ZIP Helper ToolEncrypts and compresses the folder name "MyFolder", and its subfolders into one file, "EncryptedZipFile.gz.gpg.
// Specify a cipher, such as AES: --cipher-algo=AES256, otherwise, will result in CAST5 by default.
cmd:/>gpg-zip --symmetric --gpg-args --cipher-algo=AES256 --output EncryptedZipFile.gz.gpg MyFolder cmd:/>gpg-zip --decrypt EncryptedZipFile.gz.gpg
4. Creating Public and Private Keys, and Revocation CertificatesThere are GUI Tools, like Kleopatra, available on Linux and Windows that will help: http://www.gpg4win.org/
When creating a PGP public/private key pair--always be certain you specify an expiration date. Otherwise, if your key is compromised, and if you don't have a revocation certificate, you may be encounter someone misusing your key for an indeterminate period of time.
cmd:/>gpg --gen-key cmd:/>gpg --list-keys cmd:/>gpg --export -a 66H049E4 > 20141022.PGP.66H049E4.pub.key cmd:/> cmd:/>
5. Publishing Public KeysPublish the Keys to some key servers. Or, go to their websites, like MIT's to upload your PUBLIC key: https://pgp.mit.edu/
cmd:/>gpg --send-keys 66H049E4 cmd:/>gpg --keyserver subkeys.pgp.net --send-key 66H049E4 cmd:/>gpg --keyserver keys.gnupg.net --send-key 66H049E4
6. Revoking / Cancelling KeysYou can generate a Revocation Certificate in advance, and backup to some-place safe, in case you lose your Private Key, or someone else gets your Private Key, (if you are forgetful, lose keys and passwords, the dog eats your password, etc).
When you want to "cancel," (Revoke your certificate), public/upload the revocation certificate to the key servers, and they will synchronize, and tell everyone your key is no longer valid.
cmd:/>gpg --gen-revoke -a 66H049E4 > 20141022.PGP.66H049E4.rev.asc
7. Backing up Keys and Revocation CertificatesIt isn't necessary to encrypt your Public Key before backing it up, but be absolutely certain to encrypt your Private Key and Revocation Certificate before backing up.
Since these are small files, you can email them to yourself, or put on cloud storage, (encrypt them first!).
Be certain to encrypt the Private and Revocation certificates. Otherwise, your keys will be "importable" by PGP tools like Kleopatra, etc, and possibly subject to brute-force attacks, and compromised.
After you create encrypted files for your private key, and revocation certificate, don't delete the unencrypted keys "normally." Use "shred" utilities to delete those files securely.
- Export Key, or Genereate Revocation Certificate
- Alternatively, you could "pipe/redirect" the output to the GPG encrpytion pipeline.
- Shred Original Exported Private Key, and Revocation Key File.
cmd:/>gpg --export-secret-keys -a 66H049E4 > 20141022.PGP.66H049E4.prv.asc cmd:/>gpg --symmetric --cipher-algo=AES256 -a -o 20141022.PGP.66H049E4.prv.gpg 20141022.PGP.66H049E4.prv.asc cmd:/>gpg --symmetric --cipher-algo=AES256 -a -o 20141022.PGP.66H049E4.rev.gpg 20141022.PGP.66H049E4.rev.asc cmd:/>shred 20141022.PGP.66H049E4.prv.asc cmd:/>shred 20141022.PGP.66H049E4.rev.asc
8. Recovering / Decrypting Keys and Revocation CertificatesTo recover your keys from backup, decrypt using GPG, (Kleopatra, etc).
cmd:/>gpg -d -o 20141022.PGP.66H049E4.prv.asc 20141022.PGP.66H049E4.prv.gpg cmd:/>gpg -d -o 20141022.PGP.66H049E4.rev.asc 20141022.PGP.66H049E4.rev.gpg