PGP / GnuPG basics

Secure file transfers with PGP


PGP

✔️ PGP (Pretty Good Privacy) is used to secure file transfers.

✔️ PGP can be used to send messages confidentially.

✔️ For this, PGP uses a hybrid cryptosystem, combining symmetric-key encryption and public-key encryption:

  1. The message is encrypted with a symmetric encryption algorithm, using a symmetric key generated by the sender.
  2. That symmetric key is used only once and is also called a session key. The message and its session key are sent to the receiver.
  3. The session key must reach the receiver so they can decrypt the message, but to protect it in transit it is encrypted with the receiver's public key.
  4. Only the private key belonging to the receiver can decrypt the session key, which is then used to symmetrically decrypt the message.

GNUPG

✔️ GnuPG is the GNU implementation of the OpenPGP standard

✔️ When generating a key pair it offers the following key types (the key type prompt of gpg --full-gen-key):

  1. RSA and RSA (default)
  2. DSA and Elgamal
  3. DSA (sign only)
  4. RSA (sign only)

✔️ extended GnuPG cheatsheet

General commands

# outputs GnuPG version as well as public key/symmetric/hash/compression algorithms
gpg --version

GnuPG database

# public keyring (local public keys database)
~/.gnupg/pubring.kbx

# private keys storage
~/.gnupg/private-keys-v1.d/.

# pre-generated revocation certificates storage
~/.gnupg/openpgp-revocs.d/.

Database commands

# list local public and private keys files for current user
tree ~/.gnupg/.

# display details about local keys database for current user
kbxutil ~/.gnupg/pubring.kbx

# display stats about local keys database for current user
kbxutil --stats ~/.gnupg/pubring.kbx

Symmetric encryption commands

# plain file is encrypted with passphrase-protected symmetric encryption (default: AES-256)
gpg --symmetric --output <encrypted-file> <plain-file>
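As an added example (not part of the original cheatsheet), the following script runs a full symmetric round trip non-interactively: it encrypts a constructed file with a passphrase, checks with `gpg --list-packets` that the file carries a symmetric-key encrypted session key packet using AES-256, and decrypts it again. It works in a throwaway `--homedir` so the user's real keyring is untouched. The cipher is pinned with `--cipher-algo AES256` so the result does not depend on the default of the installed gpg version, and the passphrase is supplied on stdin via `--passphrase-fd 0` rather than on the command line, where it would be visible in the process list. The message text and passphrase are constructed values; `gpg` and `gpgconf` must be on PATH.

```shell
#!/bin/sh
# Added example: passphrase-based (symmetric) gpg round trip in a temporary GNUPGHOME.
set -eu

# Encrypt file $1 to $2 using homedir $3; passphrase is read from stdin (fd 0).
sym_encrypt() {
    gpg --homedir "$3" --batch --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 --output "$2" "$1" 2>/dev/null
}

# Decrypt file $1 to $2 using homedir $3; passphrase is read from stdin (fd 0).
sym_decrypt() {
    gpg --homedir "$3" --batch --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt --output "$2" "$1" 2>/dev/null
}

# Return 0 if the encrypted file $1 carries a symmetric-key encrypted session key
# packet whose cipher id is 9 (AES-256 in OpenPGP); passphrase on stdin, homedir $2.
sym_check_packets() {
    gpg --homedir "$2" --batch --pinentry-mode loopback --passphrase-fd 0 \
        --list-packets "$1" 2>/dev/null | grep -q 'symkey enc packet:.*cipher 9'
}

# Whole round trip; prints the recovered plaintext on stdout.
symmetric_roundtrip() {
    work=$(mktemp -d)
    home="$work/gnupghome"
    mkdir -m 700 "$home"
    pass='constructed-example-passphrase'          # constructed, not a real secret
    printf 'constructed secret message\n' > "$work/plain.txt"

    printf '%s\n' "$pass" | sym_encrypt "$work/plain.txt" "$work/plain.txt.gpg" "$home"
    printf '%s\n' "$pass" | sym_check_packets "$work/plain.txt.gpg" "$home" \
        || { echo 'expected AES-256 symkey packet not found' >&2; rm -rf "$work"; return 1; }
    printf '%s\n' "$pass" | sym_decrypt "$work/plain.txt.gpg" "$work/out.txt" "$home"

    cat "$work/out.txt"
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

symmetric_roundtrip
```

The decrypted output must equal the original line; if the packet check fails, the file was not encrypted the way the cheatsheet describes.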

Asymmetric encryption commands

# generate new key pair for asymmetric encryption 
# prompts for key type, key size, expiration date, user id, user email, comments, private key passphrase
gpg --full-gen-key

# list available keys and public keys ids (all, public, secret)
gpg --list-keys
gpg --list-public-keys
gpg --list-secret-keys

# deletes public keys from local keys database 
gpg --delete-keys <key-pair-id>

# deletes public and private keys from local keys database 
gpg --delete-secret-and-public-key <key-pair-id>

# current user (key pair originator) generates public key file
# --armor will output the key as an ASCII file (default is OpenPGP binary)
gpg --armor --output <public.key.gpg> --export <key-pair-id>

# current user (key pair originator) generates private key file
# --armor will output the key as an ASCII file (default is OpenPGP binary)
gpg --armor --output <private.key.gpg> --export-secret-keys <key-pair-id>

# view PGP packets from file : tell public key files and private key files apart by their packet types
pgpdump <key.file.gpg> | less

# view PGP packets from file : view algorithm used for file encryption
pgpdump <encrypted-file> | less

# plain file is encrypted for a recipient using their exported public key file (no import into the local keyring needed)
gpg --encrypt --output <encrypted-file> --recipient-file <public.key.gpg> <plain-file>

# import public/private key into local database (passphrase needed for private key) 
gpg --import private.key.gpg
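As an added example (not part of the original cheatsheet), the following script ties the asymmetric commands above to the hybrid scheme described in the PGP section: the receiver generates an "RSA and RSA" key pair non-interactively (the batch equivalent of `gpg --full-gen-key`), exports the public key as ASCII armor, the sender encrypts a constructed file directly to that public key file with `--recipient-file`, `gpg --list-packets` (gpg's built-in equivalent of pgpdump) shows that the session key travels in a public-key encrypted packet, and the receiver decrypts with the private key. Receiver and sender each get their own temporary `--homedir` to show that the sender needs nothing but the public key file. The user id, e-mail and message are constructed; the key is generated without a passphrase only because the example must run unattended.

```shell
#!/bin/sh
# Added example: end-to-end PGP hybrid encryption with GnuPG using two throwaway homedirs.
set -eu

# Generate an unprotected 2048-bit RSA signing key with RSA encryption subkey in
# homedir $1 for e-mail $2. Same choices as "RSA and RSA" in gpg --full-gen-key.
gen_receiver_key() {
    gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Test Receiver
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

# Whole flow; prints the plaintext recovered by the receiver on stdout.
hybrid_roundtrip() {
    work=$(mktemp -d)
    recv="$work/receiver"; send="$work/sender"
    mkdir -m 700 "$recv" "$send"
    email='receiver@example.invalid'               # constructed user id

    gen_receiver_key "$recv" "$email"

    # Receiver exports the public key as an ASCII-armored file to hand to senders.
    gpg --homedir "$recv" --batch --quiet --armor \
        --output "$work/receiver.pub.asc" --export "$email" 2>/dev/null

    # Sender holds only that file and encrypts straight to it (no import needed).
    printf 'hello from the sender\n' > "$work/msg.txt"
    gpg --homedir "$send" --batch --quiet --encrypt \
        --recipient-file "$work/receiver.pub.asc" \
        --output "$work/msg.gpg" "$work/msg.txt" 2>/dev/null

    # Packet view: the session key sits in a "pubkey enc packet" (wrapped with
    # the receiver's public key); the message itself follows in an encrypted data packet.
    gpg --homedir "$recv" --batch --pinentry-mode loopback --list-packets "$work/msg.gpg" 2>/dev/null \
        | grep -q 'pubkey enc packet' \
        || { echo 'no public-key encrypted session key packet found' >&2; rm -rf "$work"; return 1; }

    # Receiver decrypts: only the private key can unwrap the session key.
    gpg --homedir "$recv" --batch --quiet --pinentry-mode loopback \
        --decrypt --output "$work/out.txt" "$work/msg.gpg" 2>/dev/null

    cat "$work/out.txt"
    gpgconf --homedir "$recv" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$send" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

hybrid_roundtrip
```

`--recipient-file` needs GnuPG 2.1.14 or newer; on older versions the public key file would first be imported with `gpg --import` and selected with `--recipient`. In practice the receiver's key should of course carry a passphrase, and the sender should verify the fingerprint of a public key file received from outside before encrypting to it.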