Pretty Good Privacy, or PGP is a data encryption program. Users generate random keys that are then attached to them or "signed" with a username and email. PGP works in two ways: through symmetric key-encryption and public key encryption
PGP is now proprietary software, but GPG or GNU Privacy Guard is an update of PGP that complies with OpenPGP standards, meaning that it is open-source compliant and can accept both PGP and GPG keys. In this tutorial we will be using GPGTools, which is a suite of GPG keychain access.
PGP and GPG encryption rely on the following two-pronged structure:
- a public-key generated for encrypting messages and verifying digital signatures.
- a private-key generated for creating digital signatures and decrypting messages
- In this system, a user can encrypt a message to a recipient using the recipient's public key, but only the recipient can decrypt the message (using their private key.
- Download and install GPG Mac, an open source implementation of PGP. Downloading the suite will give you MacGPG, as well as GPG Keychain.
- Opening up the terminal, generate your first key pair with the command
gpg --gen-keyYou will encounter a screen with key choice options:
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
The different acronyms stand for encyrption algorithms. The default should be sufficient. 3. Next, choose your key length and expiration date.
RSA keys may be between 1024 and 8192 bits long.
What keysize do you want? (2048)```
Press enter to select the default
```Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Again, press enter to select the default. The prompt will then ask you to confirm your choice.
4. Enter your key identity information in your name, email addres, and a comment, like "GPG tutorial" that will allow you to identify this key.
5. Choose a passphrase. Passphrases, unlike passwords should be long and something you will be able to remember. You will be prompted to re-enter your passphrase.
6. While GPG is generating the key pair, do something else with the community to create more process instructions for the computer, thus making the "random" key generation stronger.
7. The terminal will then print your key fingerprint. The key fingerprint should loook like:
When you list your key, the output should read:
pub 2048R/EC46F7B6 2014-12-03
Key fingerprint = 27FF B803 A166 C222 2215 16DE 569C 7FFB EC46 F7B6
uid Your name (Mac GPG Tutorial) <[email protected]>
sub 2048R/CEC68CA3 2014-12-03
The last eight digits, in this case, EC46F7B6 will be important for identifying your key.
8. To list your public keys again, gpg --list-keys. You should see some test keys generated by GPG. To list your private keys, use the command gpg --list-secret-keys.
- To import a public key,
gpg --import [keyfilename.asc] - To search a key on the public server,
gpg --search-keys EC46F7B6(where the last 8 digits, again, are the fingerprint of the key you want to acquire) respond to the prompt verification, and press enter. - To verify the key fingerprint,
gpg --fingerprint EC46F7B6. You will want to make sure the fingerprint matches what your friend says it is. - If the fingerprint matches, sign it
gpg --sign-key EC46F7B6. Signing a key assigns it a level of trust.
(For the purposes of this tutorial, we'll be be encrypting files ourselves, to make it simple, but the message could be sent anywhere)
- Make a directory called "crypto"
cd crypto```
2. Make a secret message. `touch secret-message.txt`
In `secret-message.txt`, write a short message, eg "This is a secret message to myself"
3. Encrypt this file with your public key and sign it with your private key `gpg -ao cipher.asc -esr [email protected] secret-message.txt`. You've now generated an encrypted version of this message in the file `cipher.asc`
4. To decrypt this message, `gpg -o decrypted-secret-message.txt -d cipher.asc`.
5. Open the file to verify that it is the same message:
cat decrypted-secret-message.txt This is a secret message to myself
## Managing and Protecting Keys
1. Make a directory in your home called "keymat"
mkdir keymat
cd keymat
2. Once in that directory, create an "ASCII armored file"––meaning that your file has been encrypted into binary––output of your public keys with this command:
`gpg -ao publickey.asc --export [your email address for the key]`
3. To view the key, `cat publickey.asc`. The key should appear to be a long block of characters. This is the public key.
4. In order for the public key to be useful, you must send it to a server, using the command `gpg --send-keys EC46F7B6` The eight digits at the end of the command should be replaced with the last eight digits of your key fingerprint from step 8. above.
5. In case you ever forget your password, or your key becomes compromised, it's a good idea to generate a revocation certificate (as the certificate can only be generated with a passphrase). To do this, enter `gpg -ao revokecert.asc --gen-revoke EC46F7B6 ` where the last eight digits are from your key. The command prompt will the reason for the revocation. Enter 0 and then enter an optional description, eg "In case I lose my passphrase." Then enter your passphrase. You should now see a file called `revokecert.asc` in your keymat. This is your revocation certificate
6. Next, back up your private keys.
`gpg -a --export-secret-keys EC46F7B6 | gpg -aco privatekey.pgp.asc` You should now see a file called `privatekey.pgp.asc` in your keymat.
7. Print, back up or otherwise store these files and make sure to securely delete the directory "keymat"!
This tutorial is adapted from Robert Sosinski's [tutorial](http://www.reactive.io/tips/2008/02/18/working-with-pgp-and-mac-os-x/) with notes drawn from Jerzy J. Gangi's [tutorial](http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever/) as well.