Using GPG: Nuts and Bolts
So far, there's been a lot of discussion about keys and key exchanges. Now we finally begin to get into the actual day-to-day use of GPG for sending and receiving data.
There are two basic kinds of exchanges that are routinely made with GPG: signed data and encrypted data. To sign, the sender uses his or her own private key and the receiver checks the result with the sender's public key. To encrypt, it is the other way around: the sender uses the receiver's public key and the receiver decrypts with his or her own private key.
Signatures for Data
Data signatures are created for data you're sending out. A signature is generated using your private key; any user receiving this data who has your public key and trusts it can use it to validate the integrity of the data you've sent. He or she can then be sure that the information being received comes straight from you and hasn't been tampered with.
The simplest way to sign a piece of data is to use the ASCII-ready --clearsign command. This causes GPG to produce a nice, human-readable signature suitable for sending via e-mail.
$ gpg --clearsign mymessage.txt

You need a passphrase to unlock the secret key for
user: "Ima User (I'm just ME) <firstname.lastname@example.org>"
1024-bit DSA key, ID D9BAC463, created 2001-01-15

Enter passphrase:
$
After entering the passphrase, you'll notice that a new file with the .asc extension has been created; in this case, mymessage.txt.asc. This file contains the original contents of mymessage.txt followed by a signature similar to the one shown here.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6YouhU87DFNm6xGMRAiwqAJ4mnviKz5wA9HFhCW9PG6zl7A2LPACgk0SB
n+yWiCt4SCTVkSSgezGKIUk=
=WnX/
-----END PGP SIGNATURE-----
When the file or message containing this signature is received, a recipient who has your public key on file can verify the message's integrity by passing the --verify command to GPG:
$ gpg --verify message.txt.asc
gpg: Signature made Sat Jan 13 22:33:21 2001 MST using DSA key D9BAC463
gpg: Good signature from "Ima User (I'm just ME) <email@example.com>"
$
A verified signature indicates that the message or file was signed by the holder of the private key matching the public key you have on file, and that it hasn't been modified in any way since it was signed.
Encrypting and Decrypting Data
GPG is also useful when a message, file, or other unit of data is for one person's eyes only. At times like this, GPG can use the person's public key to encrypt the file, making it unreadable until it is decrypted by the person holding the matching private key (presumably the intended recipient).
To encrypt a data file using the recipient's public key, use the -r argument to specify a recipient, and use the --encrypt command to instruct GPG to encrypt the file in question. The -a argument asks for ASCII-armored output, which is what makes the result a text file suitable for e-mail.
$ gpg -r firstname.lastname@example.org -a --encrypt message.txt
$
It's as simple as that; GPG silently uses the public key on file for email@example.com to encrypt message.txt and writes the output to message.txt.asc. The resultant file is shown here.
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

hQEOA/Yj7lT9u0d9EAQAhE+KaGfMzvRfCdrfW2EYzuu+YeaKdoJksHB16CO7RsZC
DkllV/uma/rMj5PiDzFoV8PGjqdq9M+n9YXOVnuG3XITWhuvfFqm1KWxK9e0UDoS
7Tb2cm+k8UK18HBI/EaNrV+a3A5YQr6nVY0OCXheohg3+9ursFc8uOBQma64/VUD
/io0EQiIxEmERy2UsN7e+OB1/w4FUcRt7FFWCTVMGdUuQPY8UkeStH7u43NlPsf5
6uPPjaTxCOjjQoCf17XnfxqJPm9c0uyPDjljXYmp74XroT+lHvGcaKK56t0agGVo
i5nMflXoCIA2n/KDALzTjy7cIzLnUeYVU4NrBt7pV4TTyelxYB70mW94Wlr5BlLj
S+FYueR31i790QO+265iS4QPA+zxXIT5KCF8TT1gVPaZOJxmo0wRKuoOYrCd7LQD
Oz3exhCgeKKjfZRwJtqvl/QVamFJWSyhAiuTlA60IHyxIqAZlwLoYoXs9oOIs49g
HLYG6hSemJEW+fTX8xipOOfDXzHrJjUE897igeW62Mf6HLr4aNb1kwrlH7d7Xdr8
29+sckZlSRtBvL3/dSw5FcRCFYbS51AHstdywYvNu4rqSOljv5C6dXEw9Gre+wPS
5S7k0KoTLK4VOZJI2byBTZxgjQNr7ytpu1QMN2+10tpHx6MLkUFV/BJZbAtJ3C0v
auS4xskoSlZgbuX/8Veqhx4GC0lSRLqn14M9CP/tzZN0dIZSTbM2aq58zk0wZZVB
Tmb06HdYvkLrcLkmyNBt3/PUlDIIdeXNCkqN5bjGD/elTtkaMmHN9OIIDHWA9olR
tcXoLJPF4kgg1q6y6pgy2sklYQhI8A4q8VoQNJDzF/SbKvlnGji5HyF6rvKDCF0m
/l0heQEMn4AyFbJ7LZt2zh4i3jSwyV4Ff+tWJD09xaNziKi791FaSBVMxsPhT4SD
w+R75JR/FV0IRpMsy8kdJw/+kejQwCmRqDbm3EHOESCOouxsL8JB39vX+1h32p1b
EdVyQIHZA+TomHsp/y3i+EX52MC8+8XmCukHfT0dCVcnfk2H0hKvFueBkW8Y2JGd
FJZb+CDX33Aapr6FW9CIXvI+1NFOz+cIWVZIYYECnUZe4l3Jikjw3rY2To4E/WUy
MN+ZKsMb6xlhMSoRa9qHWY+S/pp9D8qiqweOLg4cnCjZBZWVOMf4dMcDWNjsW3mX
GgYVmPf52WxvVFtp1yjNbHBu+is8/ZR1P04efD+kOg1WtwpfRdHKQ1o1fn/OxYX1
oP7PVR5BK05HaQYmI0Vlwkcv59RyeYqqOQOiEfL0hEWdGy1gdj0R0eHYuZLnBLfb
SHJ2OtRpcqHuXB27EU3C4OR/N++7ExhG/MNB8WPFb82cbIP8xDF9q+3b73b7myTn
JpAYj4p2ocv9Zf1DH9HHaT7bYD37hvjLlNXe07kYOlMWB9+48meO/o+Yjn5oEj60
wipRdCiP4TUoAwC9EDFED64qLXST9MBycLrc5DwiMYzfdyauiHU3MNhUfErXVaRJ
/5ljtJUGHA/P/ouqbSCleHQ=
=2Sgq
-----END PGP MESSAGE-----
An encrypted message can be signed as well. To do this, include the -s argument in addition to the others when encrypting using GPG.
To decrypt an encrypted file like this one, Pipi will need to use the --decrypt command and redirect standard output to the place where she'd like the message to go.
$ gpg --decrypt message.txt.asc > message.txt

You need a passphrase to unlock the secret key for
user: "Pipi Socks (I'm WIRED) <firstname.lastname@example.org>"
1024-bit ELG-E key, ID FDBB477D, created 2001-01-15

Enter passphrase:
$
Once Pipi has entered the passphrase for her secret key, the message you sent will be decrypted and sent to the file message.txt. You have now securely transmitted a message using GPG to Pipi.
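To show what the signature block and the encrypted message above actually carry, and where gpg gets the "using DSA key D9BAC463" and "ELG-E key, ID FDBB477D" lines it prints before anyone types a passphrase, here is an added example written for this page (it is not GnuPG's code and not part of the original text). It strips the ASCII armor and decodes the first OpenPGP packet: for the signature block, a version 3 signature packet; for the encrypted message, the Public-Key Encrypted Session Key packet that --encrypt writes first. It is fed the page's own signature block and the first radix-64 line of the page's encrypted message, so nothing is constructed. Packet layouts and algorithm numbers follow RFC 4880; the one assumption is that both samples survived copying intact (the signature block's CRC-24 line is checked; the one-line excerpt has no CRC, so only its packet header and key ID are read).

```python
import base64
import struct
from datetime import datetime, timezone

# Both samples are copied verbatim from the page's own output (nothing constructed).
# The --clearsign signature block, including its "=WnX/" CRC-24 line:
SIGNATURE_ARMOR = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6YouhU87DFNm6xGMRAiwqAJ4mnviKz5wA9HFhCW9PG6zl7A2LPACgk0SB
n+yWiCt4SCTVkSSgezGKIUk=
=WnX/
-----END PGP SIGNATURE-----
"""
# Only the first radix-64 line of the encrypted message: the first packet's header
# and key ID fit in those 48 bytes, which is all the excerpt parser reads.
ENCRYPTED_FIRST_LINE = "hQEOA/Yj7lT9u0d9EAQAhE+KaGfMzvRfCdrfW2EYzuu+YeaKdoJksHB16CO7RsZC"

PUBKEY_ALGOS = {1: "RSA", 16: "ELG-E", 17: "DSA"}                # RFC 4880 section 9.1
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256"}  # RFC 4880 section 9.4

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1: the checksum on the armor's '=' line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> tuple:
    """Strip ASCII armor; return (packet bytes, whether the CRC line matched)."""
    lines = [l.rstrip() for l in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    body = body[body.index("") + 1:]     # armor headers end at the first blank line
    has_crc = body[-1].startswith("=")
    data = base64.b64decode("".join(body[:-1] if has_crc else body))
    crc_ok = not has_crc or int.from_bytes(base64.b64decode(body[-1][1:]), "big") == crc24(data)
    return data, crc_ok

def parse_packet_header(data: bytes) -> tuple:
    """Return (tag, body_offset, body_length) for the packet starting at data[0]."""
    ptag = data[0]
    if not ptag & 0x80:
        raise ValueError("first byte is not an OpenPGP packet tag")
    if ptag & 0x40:                      # new-format header, RFC 4880 section 4.2.2
        tag, first = ptag & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths are not handled here")
    tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03   # old-format header, section 4.2.1
    if ltype == 3:
        raise ValueError("indeterminate-length packets are not handled here")
    fmt = (">B", ">H", ">I")[ltype]      # one-, two- or four-byte body length
    size = struct.calcsize(fmt)
    return tag, 1 + size, struct.unpack(fmt, data[1:1 + size])[0]

def describe_first_packet(data: bytes) -> dict:
    """Decode the fields gpg prints about the first packet of a message."""
    tag, off, length = parse_packet_header(data)
    body = data[off:off + length]
    info = {"tag": tag, "length": length, "version": body[0]}
    if tag == 1 and body[0] == 3:        # Public-Key Encrypted Session Key, section 5.1
        info["key_id"] = body[1:9].hex().upper()
        info["algo"] = PUBKEY_ALGOS.get(body[9], body[9])
    elif tag == 2 and body[0] == 3:      # version 3 signature packet, section 5.2.2
        info["sig_type"] = body[2]       # 0x01 = canonical text document (--clearsign)
        created = struct.unpack(">I", body[3:7])[0]
        info["created"] = datetime.fromtimestamp(created, timezone.utc).isoformat()
        info["key_id"] = body[7:15].hex().upper()
        info["algo"] = PUBKEY_ALGOS.get(body[15], body[15])
        info["hash_algo"] = HASH_ALGOS.get(body[16], body[16])
    if "key_id" in info:
        info["short_key_id"] = info["key_id"][-8:]   # the 8 hex digits gpg displays
    return info

def describe_signature_block(armored: str = SIGNATURE_ARMOR) -> dict:
    data, crc_ok = dearmor(armored)
    return dict(describe_first_packet(data), crc_ok=crc_ok)

def describe_radix64_excerpt(line: str = ENCRYPTED_FIRST_LINE) -> dict:
    # A 64-character radix-64 line decodes cleanly to 48 bytes; no CRC is available.
    return describe_first_packet(base64.b64decode(line))

if __name__ == "__main__":
    print(describe_signature_block())   # ... 'short_key_id': 'D9BAC463', 'algo': 'DSA' ...
    print(describe_radix64_excerpt())   # ... 'short_key_id': 'FDBB477D', 'algo': 'ELG-E' ...
```

Two things are worth taking from the output. First, the key ID, algorithm and creation time inside a signature packet are plain, unauthenticated metadata: a block can name any key ID it likes, and only the "Good signature" line that --verify prints after actually checking the DSA signature against the public key on file tells you anything. Second, the session-key packet at the front of an encrypted message names the recipient's key in the clear, which is why gpg can tell Pipi which secret key it needs before asking for her passphrase; it also means anyone who sees the ciphertext can see which key it was encrypted to, which is what GnuPG's --throw-keyids option exists to avoid.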