
GPG Signing and Encrypting

Once you have another person's public key (see how to exchange public keys), you can sign files so that anyone holding your public key can verify them, and encrypt files so that only the holder of the matching private key can decrypt them.

You can have many private keys on your keyring. In the following, the examples assume that there is either only one private key on your keyring, or that a default key has been nominated in the GPG configuration file (the default-key option).

Signing files

In the same way that you might sign a letter, you can use GPG plus your private key to sign electronic documents.

gpg --armor --clearsign test.txt will create a file called test.txt.asc which contains the original text from test.txt followed by a signature: a hash of the text, signed with your private key. The text itself stays readable without GPG; only checking the signature needs it.

If the original file looked like this:

This is some text.

The signed version will look something like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is some text.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: 'Email me for my public key'

iD8DBQE+ycRnF1uP4b67kz8RArZdAJ9e98RkcYICyJktEpah5/RoQX93vgCfUuOh
1I3aTPTGXitruRjhms3Kx7Y=
=ju77
-----END PGP SIGNATURE-----

The comment "Email me for my public key" is taken from the gpg configuration file. On a Linux machine this file is ~/.gnupg/gpg.conf (older releases, including some Red Hat packages, used ~/.gnupg/options). Add a line to the end of the file giving the comment option. To get the comment above, add the following on a line by itself:

comment 'Email me for my public key'

Of course, you can make the comment anything you like, but the idea is to help people find your public key so that they can check that the signature is valid. The sample above was produced by GnuPG 1.2. Current GnuPG 2.x releases no longer emit the Version header by default, and they sign with SHA256 or SHA512 rather than SHA1, which should no longer be used for signatures.

Many modern email tools provide a way to sign email as you send it. See the documentation for your email tool for more information on this.

Verifying a Signed File

You can make sure that the content of the file you are reading is exactly the content that was signed, and that it was signed with a particular key. To do this you need the signer's public key on your keyring.

gpg --verify test.txt.asc will take the example file produced in the "Signing" section above, and will make sure that the content has not been changed in any way. Note what a good signature does and does not tell you: it proves the file was signed by the key shown, not that the key belongs to the person named beside it. Until you have checked the key's fingerprint with its owner and signed it, gpg adds a warning that the key is not certified with a trusted signature.

If the file is OK, you see the following message:

[you@tiger]$ gpg --verify test.txt.asc 
gpg: Signature made Tue 20 May 2003 04:00:07 PM EST using DSA key ID GEBV933F
gpg: Good signature from "fbloggs@openskills.com"

If the content of the file or the signature has been tampered with, you will see:

[you@tiger]$ gpg --verify test.txt.asc
gpg: Signature made Tue 20 May 2003 04:00:07 PM EST using DSA key ID GEBV933F
gpg: BAD signature from "fbloggs@openskills.com"

Encrypting

Let us say we have a file containing sensitive information, called sensitive.txt, and we want to send it to Fred Bloggs. We can encrypt the file using gpg -r fbloggs@openskills.org -o sensitive.txt.gpg --encrypt sensitive.txt, where -r means recipient (matched against the user IDs on your public keyring, so Fred's key must already be imported) and -o means output file. If you have not certified Fred's key, gpg warns that there is no assurance the key belongs to the named user and asks whether to use it anyway; check the fingerprint with Fred and sign his key rather than answering yes. Once this has run, we can send sensitive.txt.gpg to Fred knowing that only he will be able to read it. That includes you: unless you also name yourself as a recipient (a second -r, or the encrypt-to option in the configuration file), you will not be able to decrypt your own copy.

The file sensitive.txt.gpg produced in the above example is a binary file, and so is not readable as text. You can attach it to an email, but you can't cut and paste it because it is not text. To make the encrypted file text, add the -a (for ASCII armor) option; just before the -o in the above example would be fine, and the usual extension for armored output is .asc rather than .gpg. An ASCII version of an encrypted file will be larger than the binary version.

It is good practice to sign a file you encrypt. To do this, just add the -s option. You will be prompted for your passphrase before the signed and encrypted output is produced. The signature is made first and encrypted along with the text, so now only Fred can read the file, and when he decrypts it he can check that it was signed with your key.

Decrypting

Now, let us say that Fred sends us JustForYou.txt.gpg, which is a binary encryption of a text file.

To read the file, we have to decrypt it. We can use gpg -o JustForYou.txt --decrypt JustForYou.txt.gpg. If Fred encrypted the file using your public key, then the file will be decrypted once you supply your passphrase. Also, if Fred signed the file when he encrypted it (which, really, he should have done), we get a message confirming the signature. The decryption looks something like this:

[you@tiger tmp]$ gpg -o JustForYou.txt --decrypt JustForYou.txt.gpg
You need a passphrase to unlock the secret key for user: "You <you@openskills.com>"
1024-bit ELG-E key, ID XAF476E9, created 2003-04-09 (main key ID GEBV933F)
gpg: encrypted with 1024-bit ELG-E key, ID XAF476E9, created 2003-04-09 "You <you@openskills.com>"
gpg: Signature made Sun 13 Apr 2003 06:30:45 PM EST using DSA key ID GEBV933F
gpg: Good signature from "Fred Bloggs <fbloggs@openskills.org>"
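The whole cycle described in the Signing, Verifying, Encrypting and Decrypting sections, run end to end as one script. This is an added example and not part of the original page: it uses two throwaway keyrings so that "you" and Fred are separate parties, made-up names and addresses (you@example.org, fbloggs@example.org), and GnuPG's machine-readable --status-fd output instead of the human-readable messages shown above. It assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page: the sign / verify / encrypt / decrypt
# cycle run end to end with two throwaway keyrings, so "you" and "Fred" are separate
# parties. Needs GnuPG 2.1 or later. All names, addresses and file names are made up.
set -eu

# Be a no-op where GnuPG is not installed.
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
YOU_HOME="$WORK/you"; FRED_HOME="$WORK/fred"
mkdir -m 700 "$YOU_HOME" "$FRED_HOME"
trap 'gpgconf --homedir "$YOU_HOME" --kill gpg-agent 2>/dev/null || true
      gpgconf --homedir "$FRED_HOME" --kill gpg-agent 2>/dev/null || true
      rm -rf "$WORK"' EXIT

# gpg_as HOMEDIR ARGS...: run gpg against one party's keyring, non-interactively.
# The empty passphrase is acceptable for a throwaway key only; --yes lets the
# functions below overwrite their output files when run more than once.
gpg_as() {
    _home=$1; shift
    gpg --homedir "$_home" --batch --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"
}

# status_tokens HOMEDIR ARGS...: run gpg with --status-fd and return only the
# outcome keywords. Scripts should branch on these, never on the human-readable
# "Good signature" text, which is localised and may change between versions.
status_tokens() {
    _home=$1; shift
    gpg_as "$_home" --status-fd 1 "$@" 2>/dev/null \
      | awk '$1=="[GNUPG:]" && $2 ~ /^(GOODSIG|BADSIG|ERRSIG|DECRYPTION_OKAY|DECRYPTION_FAILED)$/ {print $2}' \
      | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# fingerprint HOMEDIR USERID: the 40-hex-digit fingerprint of the first matching key.
fingerprint() {
    gpg_as "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr" {print $10; exit}'
}

# 1. Each party generates a key pair (unprotected, for the demo only).
gpg_as "$YOU_HOME"  --quick-generate-key 'You <you@example.org>'             default default never
gpg_as "$FRED_HOME" --quick-generate-key 'Fred Bloggs <fbloggs@example.org>' default default never

# 2. Exchange public keys (in real life by key server, web page or e-mail).
gpg_as "$YOU_HOME"  --armor --export you@example.org     > "$WORK/you.asc"
gpg_as "$FRED_HOME" --armor --export fbloggs@example.org > "$WORK/fred.asc"
gpg_as "$YOU_HOME"  --import "$WORK/fred.asc" 2>/dev/null
gpg_as "$FRED_HOME" --import "$WORK/you.asc"  2>/dev/null

# 3. Compare fingerprints out of band (here: directly against the owner's keyring),
#    then locally sign the key. Without this step gpg refuses to encrypt to the key
#    in batch mode, and a "Good signature" says nothing about who owns the key.
FRED_FPR=$(fingerprint "$YOU_HOME" fbloggs@example.org)
YOU_FPR=$(fingerprint "$FRED_HOME" you@example.org)
[ "$FRED_FPR" = "$(fingerprint "$FRED_HOME" fbloggs@example.org)" ]
[ "$YOU_FPR"  = "$(fingerprint "$YOU_HOME"  you@example.org)" ]
gpg_as "$YOU_HOME"  --quick-lsign-key "$FRED_FPR"
gpg_as "$FRED_HOME" --quick-lsign-key "$YOU_FPR"

# 4. You clearsign a file; Fred verifies it. Changing one word of the body turns
#    GOODSIG into BADSIG.
printf 'This is some text.\n' > "$WORK/test.txt"
gpg_as "$YOU_HOME" --armor --clearsign "$WORK/test.txt"            # writes test.txt.asc
sed 's/some text/some other text/' "$WORK/test.txt.asc" > "$WORK/tampered.asc"

# 5. You sign and encrypt a file to Fred. Only Fred can decrypt it, the signature
#    inside tells him it came from your key, and you cannot read your own copy
#    because you were not named as a recipient.
printf 'The database password is hunter2.\n' > "$WORK/sensitive.txt"
gpg_as "$YOU_HOME" --armor -r fbloggs@example.org -s -o "$WORK/sensitive.txt.asc" --encrypt "$WORK/sensitive.txt"

verify_ok()       { status_tokens "$FRED_HOME" --verify "$WORK/test.txt.asc"; }
verify_tampered() { status_tokens "$FRED_HOME" --verify "$WORK/tampered.asc"; }
fred_decrypts()   { status_tokens "$FRED_HOME" -o "$WORK/JustForYou.txt" --decrypt "$WORK/sensitive.txt.asc"; }
you_decrypt()     { status_tokens "$YOU_HOME"  -o "$WORK/not_written.txt" --decrypt "$WORK/sensitive.txt.asc"; }

echo "verify intact:   $(verify_ok)"         # GOODSIG
echo "verify tampered: $(verify_tampered)"   # BADSIG
echo "Fred decrypts:   $(fred_decrypts)"     # DECRYPTION_OKAY GOODSIG
echo "you decrypt:     $(you_decrypt)"       # DECRYPTION_FAILED
```

Save it as gpg-demo.sh and run sh gpg-demo.sh. The status keywords (GOODSIG, BADSIG, DECRYPTION_OKAY, DECRYPTION_FAILED) are what any script driving gpg should test; the "Good signature" text in the transcripts above is for people. The fingerprint comparison in step 3 stands in for the check you would do with the real Fred over the phone or in person: without it, a good signature tells you which key signed, not whose key it is.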
