Generate a key pair
gpg --gen-key
## or
gpg --full-generate-key
List keys
❯ gpg --list-keys
/home/ken/.gnupg/pubring.kbx
----------------------------
pub rsa2048 2024-02-26 [SC]
E9FA8C3C96FE003FF38FD7552459B2802BA5CDBF
uid [ultimate] Rio Chandra <[email protected]>
uid [ultimate] [jpeg image of size 5231]
sub rsa2048 2024-02-26 [E]
sub dsa2048 2024-02-27 [S]
pub rsa3072 2024-02-27 [SC] [expires: 2026-02-26]
3F3346EC17EF0A675CDE4E91823342FF03A817CF
uid [ultimate] Kenichi <[email protected]>
sub rsa3072 2024-02-27 [E] [expires: 2026-02-26]
Export public key
You can use Tab completion to see the available keys.
gpg --export --armor 3F3346EC17EF0A675CDE4E91823342FF03A817CF
Share only this key with others.
Export secret key
DO NOT SHARE THIS SECRET KEY
gpg --export-secret-keys --armor [email protected]
What is --armor?
--armor writes the output in ASCII format instead of binary format. A binary file can't be opened in a text editor and can't easily be sent over the internet.
Example without --armor (the output is raw binary and prints as unreadable characters)
❯ gpg --export 3F3346EC17EF0A675CDE4E91823342FF03A817CF
Example with --armor
❯ gpg --export --armor 3F3346EC17EF0A675CDE4E91823342FF03A817CF
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
Encrypt file
Complete code
❯ gpg -e --armor -r [email protected] -o secret-note-for-kenichi-no-sign.txt.gpg secret-note.txt
- -e : encrypt the file
- --armor : write the output as ASCII
- -r : the recipient of the file; only this person is able to decrypt it. You can use an email address, a user ID or a fingerprint
- -o : the output file
- secret-note.txt : the name of the file to encrypt
Short code
❯ gpg -e -r [email protected] secret-note.txt
Without --armor, gpg generates a binary file. Without -o, the output is written to secret-note.txt.gpg.
With sign
❯ gpg -e --armor -r [email protected] --sign -u [email protected] -o secret-note-for-kenichi.txt.gpg secret-note.txt
--sign takes no argument; -u (--local-user) selects the key that signs. The recipient will see who encrypted (signed) this file.
Example: decrypting a file that has no signature
The result does not show who encrypted this file.
❯ gpg -d secret-note-for-kenichi-no-sign.txt.gpg
gpg: encrypted with 3072-bit RSA key, ID 103BE28053B41138, created 2024-02-27
"Kenichi <[email protected]>"
hello world
Example: decrypting a file that has a signature
The result shows who encrypted/signed the file.
❯ gpg -d secret-note-for-kenichi.txt.gpg
gpg: encrypted with 3072-bit RSA key, ID 103BE28053B41138, created 2024-02-27
"Kenichi <[email protected]>"
hello world
gpg: Signature made Sel 27 Feb 2024 03:44:02 WIB
gpg: using DSA key 63B866127E8374BB6B05D4EF7424C79AE827CB3D
gpg: Good signature from "Rio Chandra <[email protected]>" [ultimate]
gpg: aka "[jpeg image of size 5231]" [ultimate]
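The "Good signature" lines are easy to miss when decryption is scripted, and an unsigned file decrypts just as cleanly. As an added example (not part of the original post), the script below reads gpg's machine-readable --status-fd output and accepts the plaintext only when it carries a valid signature from a pinned primary-key fingerprint. The names check_status and decrypt_verified and the sample status lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): accept a decrypted file only if
# gpg reports a valid signature made by a pinned primary key.

# Reads `gpg --status-fd` lines on stdin. Succeeds only when decryption
# succeeded AND a VALIDSIG line ends with the expected primary fingerprint.
check_status() {
    expected=$1; decrypted=no; signer=
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            DECRYPTION_OKAY) decrypted=yes ;;
            # Last VALIDSIG field is the primary key fingerprint; the first
            # is the (sub)key that made the signature.
            VALIDSIG) signer=${rest##* } ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
        esac
    done
    [ "$decrypted" = yes ] && [ "$signer" = "$expected" ]
}

# Hypothetical wrapper: decrypt $1 to $2 and delete the output unless the
# signer matches fingerprint $3.
decrypt_verified() {
    status=$(mktemp) || return 1
    gpg --status-fd 3 -o "$2" -d "$1" 3>"$status"
    if check_status "$3" <"$status"; then rc=0; else rc=1; rm -f "$2"; fi
    rm -f "$status"
    return "$rc"
}

# Constructed status output: timestamps and the uid address are made up;
# key IDs and fingerprints are the ones shown in this post.
RIO_FPR=E9FA8C3C96FE003FF38FD7552459B2802BA5CDBF
SIGNED_STATUS='[GNUPG:] ENC_TO 103BE28053B41138 1 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 7424C79AE827CB3D Rio Chandra <rio@example.invalid>
[GNUPG:] VALIDSIG 63B866127E8374BB6B05D4EF7424C79AE827CB3D 2024-02-26 1708980242 0 4 0 17 8 00 E9FA8C3C96FE003FF38FD7552459B2802BA5CDBF'
UNSIGNED_STATUS='[GNUPG:] ENC_TO 103BE28053B41138 1 0
[GNUPG:] DECRYPTION_OKAY'

for sample in "$SIGNED_STATUS" "$UNSIGNED_STATUS"; do
    if printf '%s\n' "$sample" | check_status "$RIO_FPR"; then
        echo "accept"
    else
        echo "reject: no valid signature from $RIO_FPR"
    fi
done
```

If a gpg version omits the trailing primary fingerprint from VALIDSIG, the comparison fails and the file is rejected, so the check fails closed.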
Decrypt file
Use only -d, and gpg will try each secret key saved on the computer to decrypt.
❯ gpg -d secret-note-for-kenichi-no-sign.txt.gpg
gpg: encrypted with 3072-bit RSA key, ID 103BE28053B41138, created 2024-02-27
"Kenichi <[email protected]>"
hello world
Encrypt using only a passphrase
Instead of an asymmetric key, use a passphrase (aka symmetric encryption). gpg will ask you to enter the encryption password.
❯ gpg --symmetric secret-note.txt
## Or
❯ gpg -c secret-note.txt
## It will ask you for the passphrase
Use gpg -d to decrypt
❯ gpg -d secret-note.txt.gpg