
Using GPG: Nuts and Bolts

So far, there's been a lot of discussion about keys and key exchanges. Now we finally begin to get into the actual day-to-day use of GPG for sending and receiving data.

There are two basic kinds of exchanges that are routinely made with GPG: signed data and encrypted data. In the first case, the sender uses his or her own private key to create the signature and the receiver uses the sender's public key to check it. In the second case, the roles of the keys are reversed: the sender uses the receiver's public key to encrypt, and the receiver uses his or her own private key to decrypt.

Signatures for Data

Data signatures are created for data you're sending out. A signature is generated using your private key; any user receiving this data who has your public key and trusts it can use it to validate the integrity of the data you've sent. He or she can then be sure that the information being received comes straight from you and hasn't been tampered with.

The simplest way to sign a piece of data is to use the ASCII-ready --clearsign command. This causes GPG to produce a nice, human-readable signature suitable for sending via e-mail.

$ gpg --clearsign mymessage.txt

You need a passphrase to unlock the secret key for
user: "Ima User (I'm just ME) <me@mynet.net>"
1024-bit DSA key, ID D9BAC463, created 2001-01-15

Enter passphrase:
$

After entering the passphrase, you'll notice that a new file with the .asc extension has been created—in this case, mymessage.txt.asc. This file contains the original contents of mymessage.txt, bracketed by a -----BEGIN PGP SIGNED MESSAGE----- header, followed by a signature block similar to the one shown here. Because the text is left readable, anyone can read the message; only the signature block is needed to check who signed it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6YouhU87DFNm6xGMRAiwqAJ4mnviKz5wA9HFhCW9PG6zl7A2LPACgk0SB
n+yWiCt4SCTVkSSgezGKIUk=
=WnX/
-----END PGP SIGNATURE-----

When the file or message containing this signature is received, the recipient who has your public key on file can verify the message's integrity by using the --verify command to GPG:

$ gpg --verify mymessage.txt.asc
gpg: Signature made Sat Jan 13 22:33:21 2001 MST using DSA key D9BAC463
gpg: Good signature from "Ima User (I'm just ME) <me@mynet.net>"
$

A "Good signature" indicates that the signed text hasn't been modified in any way since it was signed, and that it was signed with the private key matching the public key named in the output. Whether that key really belongs to the person named in the user ID is a separate question: if the recipient has not verified the key (for example, by checking its fingerprint with you) and has not marked it as trusted, GPG still reports a good signature but adds a warning that the key is not certified with a trusted signature. If even one character of the signed text has been changed, GPG reports a BAD signature instead, and the command exits with a nonzero status.

Encrypting and Decrypting Data

GPG is also useful when a message, file, or other unit of data is for one person's eyes only. At times like this, GPG can use the person's public key to encrypt the file, making it unreadable until it is decrypted by the person holding the matching private key (presumably the intended recipient).

To encrypt a data file using the recipient's public key, use the -r argument to specify a recipient, and use the --encrypt command to instruct GPG to encrypt the file in question. The -a argument (short for --armor) asks for ASCII-armored output that is safe to paste into an e-mail; without it, GPG writes binary output to a file with a .gpg extension instead.

$ gpg -r pipi@hairnet.org -a --encrypt message.txt
$

It's as simple as that; GPG uses the public key on file for pipi@hairnet.org to encrypt message.txt and writes the output to message.txt.asc. The command is silent only when that key has been marked as trusted; if it hasn't, GPG warns that it is not certain the key belongs to the person named and asks whether to use it anyway. Answering yes to that prompt without having checked the key's fingerprint means you may be encrypting to someone other than Pipi. The resultant file is shown here.

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

[armored ciphertext lines omitted]
=2Sgq
-----END PGP MESSAGE-----

An encrypted message can be signed as well. To do this, include the -s argument (short for --sign) in addition to the others when encrypting; GPG will then ask for your passphrase, because signing uses your private key. When Pipi decrypts the message, GPG checks the signature at the same time and reports whether it is good, so she learns both that the message was meant for her and that it came from you.

To decrypt an encrypted file like this one, Pipi will need to use the --decrypt command and redirect standard output to the place where she'd like the message to go (or name the output file with -o message.txt).

$ gpg --decrypt message.txt.asc > message.txt

You need a passphrase to unlock the secret key for
user: "Pipi Socks (I'm WIRED) <pipi@hairnet.org>"
1024-bit ELG-E key, ID FDBB477D, created 2001-01-15

Enter passphrase:
$

Once Pipi has entered the passphrase for her secret key, the message you sent will be decrypted and sent to the file message.txt. You have now securely transmitted a message using GPG to Pipi.
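The two procedures above, signing and verifying, then encrypting and decrypting, can be exercised end to end in one script. The following is an added example, not code from the chapter: it builds a throwaway keyring for two made-up identities (alice@example.com as the sender, bob@example.com as the recipient, with a constructed message), clearsigns and verifies, tampers with the signed text to show that verification then fails, and finally encrypts-and-signs to Bob and decrypts as Bob. It uses GnuPG 2.x options (--quick-gen-key, --pinentry-mode loopback, --status-fd) that the 1.0.1 version shown in the chapter's transcripts does not have. Because both key pairs are generated in the same keyring, they are ultimately trusted and the "use this key anyway?" prompt never appears; with a key you imported from someone else you would check its fingerprint first.

```shell
#!/bin/sh
# Added example (not from the original chapter): sign/verify and
# encrypt/decrypt round trip with GnuPG 2.x in a temporary keyring, so
# nothing in your real ~/.gnupg is touched.  Identities, file names and
# the message text are constructed for the demo.
set -u

# Wrapper: batch mode, overwrite output, no prompts.  The empty passphrase
# fed through loopback pinentry is acceptable only for throwaway demo keys.
g() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Runs the whole exchange; prints "ok" and returns 0 on success,
# prints "skipped" and returns 0 if gpg is not installed, else returns 1.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1

    # Two key pairs in one keyring: Alice (sender) and Bob (recipient).
    # "default default never" = default algorithm, default usage, no expiry.
    g --quick-gen-key 'Alice Demo <alice@example.com>' default default never 2>/dev/null || return 1
    g --quick-gen-key 'Bob Demo <bob@example.com>' default default never 2>/dev/null || return 1

    printf 'Hello Bob, the invoice total is 1500.\n' > "$work/message.txt"

    # --- Signatures for data: clearsign with Alice's private key, verify
    #     with her public key.  --verify exits 0 only on a good signature.
    g --local-user alice@example.com --clearsign "$work/message.txt" 2>/dev/null || return 1
    g --verify "$work/message.txt.asc" 2>/dev/null \
        || { echo 'fail: good signature rejected'; return 1; }

    # Change one number inside the signed text (the signature block is left
    # alone).  Verification must now fail with a BAD signature.
    sed 's/1500/9500/' "$work/message.txt.asc" > "$work/tampered.asc"
    if g --verify "$work/tampered.asc" 2>/dev/null; then
        echo 'fail: tampered text accepted'
        return 1
    fi

    # --- Encrypting data: encrypt to Bob's public key, sign with Alice's
    #     private key, ASCII-armored output (-a in the chapter's transcript).
    g --local-user alice@example.com --recipient bob@example.com \
      --armor --sign --encrypt --output "$work/secret.asc" "$work/message.txt" 2>/dev/null || return 1

    # Bob decrypts with his private key.  The machine-readable status line
    # GOODSIG shows that Alice's signature was checked during decryption.
    g --status-fd 1 --decrypt --output "$work/decrypted.txt" "$work/secret.asc" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG' \
        || { echo 'fail: no good signature on the encrypted message'; return 1; }
    cmp -s "$work/message.txt" "$work/decrypted.txt" \
        || { echo 'fail: decrypted text differs from original'; return 1; }

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    echo ok
}

gpg_roundtrip
```

The script deliberately checks the negative case as well as the positive one: a verification routine that is never shown a tampered input has not been tested. In automation, rely on gpg's exit status and the --status-fd lines (GOODSIG, BADSIG, and so on) rather than on parsing the human-readable "Good signature from" text, which changes between versions and locales.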
