GnuPG (GNU Privacy Guard)
In this article we are going to look at setting up GnuPG and how to encrypt sensitive data. GnuPG is a free implementation of the OpenPGP standard, with features such as: “Decrypts and verifies PGP 5, 6 and 7 messages”, “Supports ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER”, “English, Danish, Dutch, Esperanto, Estonian, French, German, Japanese, Italian, Polish, Portuguese (Brazilian), Portuguese (Portuguese), Russian, Spanish, Swedish and Turkish language support” and many others.
In this article we will be using SUSE Linux Enterprise Desktop 10 SP1. If you are using SUSE Linux Enterprise Server 10 SP1 you will need to compile GnuPG from source.
The installation of GnuPG on SUSE Linux Enterprise Desktop 10 SP1 is very simple, because SLED 10 SP1 ships GnuPG as an RPM package. To install it, start YaST with “yast sw_single” or “yast2 sw_single”. Once the YaST tool has loaded you can find the package by searching for the keyword “gnupg”.
Once you have installed GnuPG you can run the “gpg” command from the command line with the “--help” qualifier, as shown in Figure 1.
damian@linux-7q52:~> gpg --help
gpg (GnuPG) 1.4.2
Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
sign, check, encrypt or decrypt
default operation depends on the input data

Commands:

 -s, --sign [file]              make a signature
     --clearsign [file]         make a clear text signature
 -b, --detach-sign              make a detached signature
 -e, --encrypt                  encrypt data
 -c, --symmetric                encryption only with symmetric cipher
 -d, --decrypt                  decrypt data (default)
     --verify                   verify a signature
     --list-keys                list keys
     --list-sigs                list keys and signatures
     --check-sigs               list and check key signatures
     --fingerprint              list keys and fingerprints
 -K, --list-secret-keys         list secret keys
     --gen-key                  generate a new key pair
     --delete-keys              remove keys from the public keyring
     --delete-secret-keys       remove keys from the secret keyring
     --sign-key                 sign a key
     --lsign-key                sign a key locally
     --edit-key                 sign or edit a key
     --gen-revoke               generate a revocation certificate
     --export                   export keys
     --send-keys                export keys to a key server
     --recv-keys                import keys from a key server
     --search-keys              search for keys on a key server
     --refresh-keys             update all keys from a keyserver
     --import                   import/merge keys
     --card-status              print the card status
     --card-edit                change data on a card
     --change-pin               change a card's PIN
     --update-trustdb           update the trust database
     --print-md algo [files]    print message digests

Options:

 -a, --armor                    create ascii armored output
 -r, --recipient NAME           encrypt for NAME
 -u, --local-user               use this user-id to sign or decrypt
 -z N                           set compress level N (0 disables)
     --textmode                 use canonical text mode
 -o, --output                   use as output file
 -v, --verbose                  verbose
 -n, --dry-run                  do not make any changes
 -i, --interactive              prompt before overwriting
     --openpgp                  use strict OpenPGP behavior
     --pgp2                     generate PGP 2.x compatible messages

(See the man page for a complete listing of all commands and options)

Examples:

 -se -r Bob [file]          sign and encrypt for user Bob
 --clearsign [file]         make a clear text signature
 --detach-sign [file]       make a detached signature
 --list-keys [names]        show keys
 --fingerprint [names]      show fingerprints

Please report bugs to
Figure 1: Checking GnuPG supported qualifiers.
Before generating a public and private key pair you can check whether there are already any keys in your GnuPG keyring using the “gpg” command with the “--list-keys” qualifier, as shown in Figure 1.1.
damian@linux-7q52:~> gpg --list-keys
gpg: /home/damian/.gnupg/trustdb.gpg: trustdb created
Figure 1.1: Displaying the current list of keys.
If no keys are returned you can begin generating a key pair using the “gpg” command with the “--gen-key” qualifier, as shown in Figure 1.2.
damian@linux-7q52:~> gpg --gen-key
gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: Damian Myerscough
Email address: Damian@example.com
Comment: Damian Myerscough's Keys
You selected this USER-ID:
    "Damian Myerscough (Damian Myerscough's Keys) <Damian@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++++.++++++++++..++++++++++.+++++++++++++++...+++++++++++++++..+++++......>+++++........................................................................................+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 277 more bytes)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++.+++++++++++++++++++++++++.+++++...+++++.++++++++++.+++++.++++++++++++++++++++..+++++.++++++++++..++++++++++....+++++++++++++++..+++++.++++++++++..+++++++++++++++++++++++++.+++++>....+++++.++++++++++++++++++++.+++++...++++++++++.++++++++++>+++++>+++++>+++++...>......+++++...........< ..+++++...................................................................................................................................................+++++^^^
gpg: key 25C422DB marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/25C422DB 2008-03-28
      Key fingerprint = C6CF 8D5E 5EA2 B4BD 58FA 9B13 7D54 2E11 25C4 22DB
uid                  Damian Myerscough (Damian Myerscough's Keys) <Damian@example.com>
sub   4096g/16790907 2008-03-28
Figure 1.2: Generating a new key.
As you can see in Figure 1.2 you will be asked several questions about your key; fill in the details that suit your needs. I would strongly recommend choosing “DSA and Elgamal”, as this gives you an encryption subkey and therefore allows you to encrypt files, whereas the other two options only produce a signing key, which is used for signing data to provide integrity and authenticity.
Once you have successfully generated a key pair you can manage it with the “gpg” command; some of the qualifiers you might want to use for managing your key(s) are listed in Table 1.
--delete-keys    Remove keys from the public keyring.
--edit-key       Sign or edit a key.
--send-keys      Export keys to a key server.
--search-keys    Search for keys on a key server.
Table 1: GnuPG management qualifiers.
If you are uncomfortable working from the command line it is possible to install a utility called “Seahorse”, which is available at  and provides a nice GUI (Graphical User Interface) for managing GnuPG keys. In a later article I will cover installing Seahorse for anyone who is interested.
Encrypting and Decrypting Data
In this section of the article we are going to look at encrypting a sensitive text file using GnuPG and the key that was just generated. The first step is to create a simple text file containing some fictitious data; we will then encrypt the file so that it is useless to anyone without the private key. Figure 2 shows the text file we will be encrypting.
Username        Password
----------------------------------------
Damian          p4ssw0rd
Jason           cl1ck
Chisa           cl1ckcl1ck24
Figure 2: Fictitious data.
Once you have created the fictitious data file you can encrypt it using the “gpg” command as shown in Figure 2.1. You may be wondering where the “25C422DB” in Figure 2.1 came from: it is the ID of the key generated in Figure 1.2, and you can retrieve it at any time with the “gpg --list-keys” command shown in Figure 1.1.
damian@linux-7q52:~> gpg -r 25C422DB -e secret_data.txt
damian@linux-7q52:~> ls
bin  Desktop  Documents  public_html  secret_data.txt  secret_data.txt.gpg
Figure 2.1: Encrypting the sensitive data.
As you can see from Figure 2.1 a new file called “secret_data.txt.gpg” has been created. If you run the “cat” command against this file, or open it with your favorite text editor, you will notice that the contents are no longer readable.
The “secret_data.txt.gpg” file can now be transmitted across the Internet or via any other insecure medium and its contents remain confidential, since only the holder of the matching private key can decrypt it. If you need to decrypt this file you can simply use the “-d” qualifier, as shown in Figure 2.2.
damian@linux-7q52:~> gpg -r 25C422DB -d secret_data.txt.gpg

You need a passphrase to unlock the secret key for
user: "Damian Myerscough (Damian Myerscough's Keys) <Damian@example.com>"
4096-bit ELG-E key, ID 16790907, created 2008-03-28 (main key ID 25C422DB)

gpg: encrypted with 4096-bit ELG-E key, ID 16790907, created 2008-03-28
      "Damian Myerscough (Damian Myerscough's Keys) <Damian@example.com>"
Username        Password
----------------------------------------
Damian          p4ssw0rd
Jason           cl1ck
Chisa           cl1ckcl1ck24
Figure 2.2: Decrypting the “secret_data.txt.gpg” file.
As you can see from Figure 2.2 the decrypted contents of the “secret_data.txt.gpg” file were printed to the screen. To have the contents go to a file instead, you can use simple shell redirection as shown in Figure 2.3.
damian@linux-7q52:~> gpg -r 25C422DB -d secret_data.txt.gpg > secure_data.txt
Figure 2.3: Writing the decrypted contents to a file.
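The workflow of Figures 1.2 to 2.3 as one unattended script, added here as an example and not part of the original article: it generates a “DSA and Elgamal” key in a throwaway keyring, reads the key ID the way Figure 1.1 does, encrypts the Figure 2 table for that ID and decrypts it back to a file, checking the round trip. The user ID, file names and the passphrase-less test key are assumptions for the demo; a real key should be passphrase-protected as in Figure 1.2.

```shell
#!/bin/sh
# Added example, not the article's own session. Runs the encrypt/decrypt
# round trip from Figures 1.2-2.3 unattended in a temporary GNUPGHOME.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1
    # Constructed sample input: the same table as Figure 2.
    printf 'Username Password\nDamian p4ssw0rd\nJason cl1ck\n' > "$work/secret_data.txt"
    # Unattended equivalent of "gpg --gen-key": DSA signing key plus an
    # Elgamal encryption subkey, the "DSA and Elgamal" choice in Figure 1.2.
    # %no-protection is for this throwaway demo key only (assumption).
    gpg --batch --quiet --gen-key >/dev/null 2>&1 <<EOF || return 1
%no-protection
Key-Type: DSA
Key-Length: 2048
Subkey-Type: ELG-E
Subkey-Length: 2048
Name-Real: Demo User
Name-Email: demo@example.com
Expire-Date: 0
%commit
EOF
    # Equivalent of "gpg --list-keys" (Figure 1.1) in machine-readable form:
    # field 5 of the "pub" record is the key ID passed to -r in Figure 2.1.
    keyid=$(gpg --batch --list-keys --with-colons 2>/dev/null |
            awk -F: '$1 == "pub" { print $5; exit }')
    [ -n "$keyid" ] || return 1
    # Encrypt for that key ID (Figure 2.1); writes secret_data.txt.gpg.
    gpg --batch --quiet -r "$keyid" -e "$work/secret_data.txt" || return 1
    # The ciphertext must not contain the plaintext password.
    if grep -q p4ssw0rd "$work/secret_data.txt.gpg"; then return 1; fi
    # Decrypt and redirect to a file (Figure 2.3); -r is not needed for -d.
    gpg --batch --quiet -d "$work/secret_data.txt.gpg" \
        > "$work/recovered.txt" 2>/dev/null || return 1
    cmp -s "$work/secret_data.txt" "$work/recovered.txt" || return 1
    rm -rf "$work"
    echo ok
}
```

The function prints "ok" on a successful round trip and "skip" when no gpg binary is installed.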
In this article we only touched on the basics of GnuPG. I would recommend you visit the GnuPG website to find out more about GnuPG  and its latest features. Now that you have GnuPG set up and configured you can protect your sensitive data, and also provide authenticity by signing files with GnuPG.