8.8. Using PGP/GPG encryption and decryption¶
GnuPG encrypts messages using asymmetric keypairs individually generated by GnuPG users. The resulting public keys can be exchanged with other users. Signing other people’s public keys and assigning appropriate level of trusts is the foundation on which webs of trust are built for securely exchanging signed and confidential messages.
The public keys are used for encrypting data and the private keys for decrypting the data encrypted with the corresponding public key.
If a partner gives you a public key, you can encrypt data with it. This data can only be decrypted by the owner of the private key associated with the public key.
If the private key is lost the encrypted data can not be recovered.
Generating a private key:
- You will have to enter:
- What kind and size key you want.
- Duration for which the key should be valid. You can safely choose a non-expiring key for your own use. If you plan to use a key for public signing, you might want to consider a yearly expiration.
- Your real name and e-mail address; these are necessary for identifying your key in a larger set of keys.
- A comment for your key, useful for distinguishing a key. The comment can be empty.
- A passphrase.
To allow partners to encrypt files that will later have to be decrypted by you, you will have to export and distribute the public key part of your GPG/PGP key:
gpg --armor --output pubkey.asc --export 'Your Name'
This command will store the public key inside the pubkey.asc file and you can distribute this file to all your partners.
Before you can encrypt files that will be later decrypted by your partners, you must first import the partner’s private key into your PGP/GPG key storage:
gpg --import KEYFILE
When importing a public key onto another machine, you may have to configure GPG to trust the key. Otherwise, when you use the key to do encryption, you may get a prompt like:
It is NOT certain that the key belongs to the person named in the user ID. If you really know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N)
This locks the execution of a non-interactive script, waiting for user’s input.
To trust the key, run:
gpg --edit-key NAME
In the GPG console type “trust” and select the level of trust with a recommended value of 5:
Command> trust Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y
Type quit to exit the key validation process.
Once the partner’s public key is imported into your GPG/GPG key storage, you can encrypt a file using the following command:
gpg --encrypt --recipient 'email@example.com' myfile.txt
Replace firstname.lastname@example.org with the name of the partner that will have to decrypt the file.
Once your partners have received your public key, they can use it for encrypting files.
The files encrypted using your public key file can only be decrypted using your private key part.
To decrypt a file, execute the following command:
gpg --output unencrypted_file.txt --decrypt encrypted_file.txt.gpg
On-the-fly encryption and/or decryption support is currently not built in the product. However, encrypted versions of the file can be transferred with its file integrity intact. SFTPPlus client-side transfers allow executing external commands before and after a file is transferred, which can then be used for integrating the transfer with a PGP process.