How to use GnuPG to Sign and Encrypt your data

Linux

How to use GnuPG to Sign and Encrypt your data

By novicejava1 0
gpg_encryption

Here in this article we will be using GnuPG also known as GPG for secure communication between two users. We will be generating a set of keypairs for each user and try to sign and encrypt the data by one user and transfer the encrypted data to other user.

Test Environment

Fedora 39 instances

What is GnuPG

Encryption helps in protecting your privacy along with the privacy of the other party with whom you are communicating. GnuPG also known as GPG allow to sign and encrypt your data for secure communication with other party. Its an Opensource implementation of the OpenPGP standards.

If you are interested in watching the video. Here is the YouTube video on the same step by step procedure outlined below.

Procedure

Step1: VM Setup

Here we are going to use two separate machines “fedresearch1.stack.com” and “fedresearch2.stack.com” belonging to user “alice” and “bob” respectively logged in.

[alice@fedresearch1 ~]$ 
[bob@fedresearch2 ~]$

Step2: Generate Keypairs

Here in this step we will generate a keypair for alice and bob. Generating a keypair requires us to provide with the following details for each component of the key.

[alice@fedresearch1 ~]$ gpg --full-generate-key

Key Details

  • Type of key to select (RSA and RSA)
  • Key size (3072)
  • Key expiry (1y)

User Details

  • real name (alice)
  • email address (alice@stack.com)
  • comment (alice)
  • passphrase (your_strong_passphrase)

Once the keypair is generated you can validate your key as shown below.

[alice@fedresearch1 ~]$ gpg --list-keys alice
pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      AC132CD0A97D4368BB9BD8878D4A6FF5295DCEBD
uid           [ultimate] alice (alice) <alice@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]

Also along with the keypair a revocation certificate is also generated at the following location. To avoid an accidental use of this file, a colon has been inserted before the 5 dashes below. Remove this colon with a text editor before importing and publishing this revocation certificate.

Here we generated two keypairs, one is the primary keypair (pub) which can be used for Signing and Certificate creation (SC). The second keypair (sub) can be used for encryption. Also in the output please nothe uid section which provides the user id details.

Here are the Constant Character and their description for your reference.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Constant Character
───────────────────────────────
PUBKEY_USAGE_SIG S
PUBKEY_USAGE_CERT C
PUBKEY_USAGE_ENC E
PUBKEY_USAGE_AUTH A
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Similarly we can generate the keypair for Bob with the same set of inputs.

[bob@fedresearch2 ~]$ gpg --list-keys bob
pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      F593FE48502A90B6200C91B784C2DAE798B3ABCC
uid           [ultimate] bob (bob) <bob@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]

Step3: Export Public Keys

In order to share your public keys they need to be exported from your keyring data store. These keys are already self-signed. Let’s export the public keys which from keypairs which we generated for each user “alice” and “bob”. The option “–armor” is used to generate the public keys in ASCII format rather than a binary format.

[alice@fedresearch1 ~]$ gpg --armor --output alice.gpg --export alice
[alice@fedresearch1 ~]$ ls -ltr alice.gpg 
-rw-r--r--. 1 alice alice 2456 Nov 15 16:20 alice.gpg
[bob@fedresearch2 ~]$ gpg --armor --output bob.gpg --export bob
[bob@fedresearch2 ~]$ ls -ltr bob.gpg 
-rw-r--r--. 1 bob bob 2448 Nov 15 16:23 bob.gpg

Now that we have the public key’s exported from each user’s keyring database. Let’s share them with each other. Here we are going to use the scp tool to share the public key with each other.

[alice@fedresearch1 ~]$ scp alice.gpg bob@fedresearch2.stack.com:/home/bob/
[bob@fedresearch2 ~]$ scp bob.gpg alice@fedresearch1.stack.com:/home/alice/
[alice@fedresearch1 ~]$ ls -ltr *.gpg
-rw-r--r--. 1 alice alice 2456 Nov 15 16:20 alice.gpg
-rw-r--r--. 1 alice alice 2448 Nov 15 16:27 bob.gpg
[bob@fedresearch2 ~]$ ls -ltr *.gpg
-rw-r--r--. 1 bob bob 2448 Nov 15 16:23 bob.gpg
-rw-r--r--. 1 bob bob 2456 Nov 15 16:27 alice.gpg

Step4: Import Public Keys

Now that we can the public key’s copied to each other system. We need to import these keys into the keyring data for us to use them.

[alice@fedresearch1 ~]$ gpg --import bob.gpg
[bob@fedresearch2 ~]$ gpg --import alice.gpg

Let’s list the keys that are now avaiable in our keyring database for each user.

[alice@fedresearch1 ~]$ gpg --list-keys
/home/alice/.gnupg/pubring.kbx
------------------------------
pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      AC132CD0A97D4368BB9BD8878D4A6FF5295DCEBD
uid           [ultimate] alice (alice) <alice@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]

pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      F593FE48502A90B6200C91B784C2DAE798B3ABCC
uid           [ unknown] bob (bob) <bob@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]
[bob@fedresearch2 ~]$ gpg --list-keys
[keyboxd]
---------
pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      AC132CD0A97D4368BB9BD8878D4A6FF5295DCEBD
uid           [ unknown] alice (alice) <alice@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]

pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      F593FE48502A90B6200C91B784C2DAE798B3ABCC
uid           [ultimate] bob (bob) <bob@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]

Step5: Sign Keys

A key is validated by verifying the key’s fingerprint and then signing the key to certify it as a valid key. A key’s fingerprint is verified with the key’s owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key’s true owner.

Key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key’s fingerprint with the owner before signing the key.

If you look at the import key’s in the uid section it shows as “unknown”. That means the key is still not verified. Let’s now verify the key in each of the user’s keyring database after verifying the key’s fingerprint.

[alice@fedresearch1 ~]$ gpg --sign-key bob
[bob@fedresearch2 ~]$ gpg --sign-key alice

Now if you list the key’s from each user’s keyring database the uid status changes from “unknown” to “full” as shown below.

[alice@fedresearch1 ~]$ gpg --list-keys
/home/alice/.gnupg/pubring.kbx
------------------------------
pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      AC132CD0A97D4368BB9BD8878D4A6FF5295DCEBD
uid           [ultimate] alice (alice) <alice@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]

pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      F593FE48502A90B6200C91B784C2DAE798B3ABCC
uid           [  full  ] bob (bob) <bob@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]
[bob@fedresearch2 ~]$ gpg --list-keys
[keyboxd]
---------
pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      AC132CD0A97D4368BB9BD8878D4A6FF5295DCEBD
uid           [  full  ] alice (alice) <alice@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]

pub   rsa3072 2023-11-15 [SC] [expires: 2024-11-14]
      F593FE48502A90B6200C91B784C2DAE798B3ABCC
uid           [ultimate] bob (bob) <bob@stack.com>
sub   rsa3072 2023-11-15 [E] [expires: 2024-11-14]

Step6: Create Document

Now that we are ready with set of keypairs created and shared with each other. Let’s now create a document that we would like to share in a secure manner from alice to bob.

[alice@fedresearch1 ~]$ echo "This is a secure document that needs to be sent to bob" > sendtobob.txt

Step7: Sign Document

Before the document is encrypted for sending. We need to make sure that we sign the document with the private key of the user who is sending the document. In this case it is user “alice” private key with which the document is signed. This is to ensure that the recipent knows that the document is received from the intended user.

[alice@fedresearch1 ~]$ gpg --armor --output sendtobob.gpg --sign sendtobob.txt
[alice@fedresearch1 ~]$ ls -ltr sendtobob.gpg 
-rw-r--r--. 1 alice alice 809 Nov 15 16:46 sendtobob.gpg
[alice@fedresearch1 ~]$ cat sendtobob.gpg 
-----BEGIN PGP MESSAGE-----

owEBIALf/ZANAwAIAY1Kb/UpXc69AaxZYg1zZW5kdG9ib2IudHh0ZVSonVRoaXMg
aXMgYSBzZWN1cmUgZG9jdW1lbnQgdGhhdCBuZWVkcyB0byBiZSBzZW50IHRvIGJv
YmdwZyAtLWxpc3Qta2V5cwqJAbMEAAEIAB0WIQSsEyzQqX1DaLub2IeNSm/1KV3O
vQUCZVSonQAKCRCNSm/1KV3Ovcx3C/oCSvfu76s9MS2y7nS2IT1KXZ+9d9RT+/l0
zyMJCBgb5NIvOtn/aAs9QIQAHO8vdcxYWIhfqqEBYMnRRCFRVDi7ZbMA8TSQu3+B
VREr65zVX9o6a9sThCQNFSwX5AzTFNOagSxckrnshejn9NJXNQZXM+t/xhk0BVz1
7mMbpQNGvP6EOOIZ9FOYq6Ond1AVM+hrd/svK/ZiYTixEvou9aahTuW64CQZzjKm
YRwxCNy7K1ncbEHmfZldB7KG7AwkO3UnlktbB9qOmIx2couW4tYh4A7+bx6YoYOT
FKR7iz+fLY7h9pS7rVnclC/ggITVw6VFPiGMXk8wBEBMfd7A1Ximj/K10apyY7N6
YKPprfgTVK4WYI9Z4e9/oICiAUPdP80rWFPFmOUTFrX4qkxjjPLx8N6WeVBWBHLw
/Oe2lfNYdG1fbDYQxAPAimOvHTuZO9ByP74k8QLHwjPLS4nPePCKzoj5JGv1nQEt
KQRpQPxl8ZScrccW49DVf2qSfSB2+qk=
=1Eyu
-----END PGP MESSAGE-----

Step8: Encrypt Document

Now that document is already signed. Its time to encrypt the document using the public key of the recipient by provide the –recipient details. Here is the command for encrypting the document.

[alice@fedresearch1 ~]$ gpg --output sendtobob.encrypted --encrypt --recipient bob@stack.com sendtobob.gpg

Let’s send this encrypted document to “bob” using the scp tool as shown below.

[alice@fedresearch1 ~]$ scp sendtobob.encrypted bob@fedresearch2.stack.com:/home/bob/

Step9: Decrypt Document

Here first we decrypt the encrypted document using the bob’s private key using the below command.

[bob@fedresearch2 ~]$ gpg --output sendtobob.txt --decrypt sendtobob.encrypted 
gpg: encrypted with rsa3072 key, ID 9C5F5216B98852B6, created 2023-11-15
      "bob (bob) <bob@stack.com>"

Now let’s verify the signature on the document. If we are satisfied that the document is signed by the intended recipient. We can decrypt the document further using the “alice” public key as shown below.

[bob@fedresearch2 ~]$ gpg --verify sendtobob.txt 
gpg: Signature made Wed 15 Nov 2023 04:46:45 PM IST
gpg:                using RSA key AC132CD0A97D4368BB9BD8878D4A6FF5295DCEBD
gpg: Good signature from "alice (alice) <alice@stack.com>" [full]
[bob@fedresearch2 ~]$ gpg --output sendtobob.decrypted --decrypt sendtobob.txt
gpg: Signature made Wed 15 Nov 2023 04:46:45 PM IST
gpg:                using RSA key AC132CD0A97D4368BB9BD8878D4A6FF5295DCEBD
gpg: Good signature from "alice (alice) <alice@stack.com>" [full]

Here is our decrypted document.

[bob@fedresearch2 ~]$ cat sendtobob.decrypted 
This is a secure document that needs to be sent to bob

Step10: Easy Way

Generate document to send to bob

[alice@fedresearch1 ~]$ echo "This is a secret journal to send to bob" > journal_to_bob.txt

Sign and Encrypt

[alice@fedresearch1 ~]$ gpg --encrypt --sign --armor -r bob@stack.com journal_to_bob.txt 
[alice@fedresearch1 ~]$ ls -ltr journal_to_bob.txt.asc 
-rw-r--r--. 1 alice alice 1386 Nov 15 18:52 journal_to_bob.txt.asc

Send the signed and encrypted document to bob using scp

[alice@fedresearch1 ~]$ scp journal_to_bob.txt.asc bob@fedresearch2.stack.com:/home/bob/

Verify and Decrypt

[bob@fedresearch2 ~]$ gpg journal_to_bob.txt.asc

Here is the decrypted document

[bob@fedresearch2 ~]$ cat journal_to_bob.txt
This is a secret journal to send to bob

Hope you enjoyed reading this article. Thank you..