How to secure your data with encryption (GPG)
Introduction
So, We’ll use a public key cryptography system to encrypt our sensitive data. As a brief explanation, what this system does is that it generates two “keys”, a public key which you may share with others so they can encrypt files and share them with you, and a private key which you must keep secure with which you, and only you will be able to decrypt the files that others encrypted for you, and encrypt files to share with others (or that you simply want to keep private and secure). Don’t worry if you aren’t clear yet, let’s get practical about it so you understand.
Generating our keys
First of all we need to generate our keys, we’ll do so with GPG in our terminal (If you don’t have it, you can download it from this page, also for Windows & Mac):
~$ gpg --full-gen-key
Which should ask you what kind of key you want, we’ll go with the default option (RSA and RSA):
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
Then it will ask you for the length of the key, we’ll pick the max (4096) for more security:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Now it will ask you for the period of validity of the key. It defaults to zero which means never expires (a better practice will of course be to set a expire period in case our system is compromised):
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Then it will prompt you to confirm the expire period of the key, to put you name, email address, and a comment (optional) for the key:
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: FC
Name must be at least 5 characters long
Real name: FireOfColossus
Email address: fireofcolossus@gmail.com
Comment: sample key
Finally it will ask you to validate the data or do changes if necessary. My data is ok, so I’ll go with O
(okay):
You selected this USER-ID:
"FireOfColossus (sample key) <fireofcolossus@gmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
Then it will prompt you to put a passphrase to protect your secret key which you will have to type when using your private key. Be careful to remember or save that password in a secure place, because if you lose or forget this keyphrase your will also lose access to your private keys (which will make your public key useless also).
Now you should have something that looks like this:
gpg: key A584DBDB7C072F90 marked as ultimately trusted
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/517DDA2CA792897ECC7DCBC9A584DBDB7C072F90.rev'
public and secret key created and signed.
pub rsa4096 2021-10-31 [SC]
517DDA2CA792897ECC7DCBC9A584DBDB7C072F90
uid FireOfColossus (sample key) <fireofcolossus@gmail.com>
sub rsa4096 2021-10-31 [E]
The random string (in my case 517DDA...072F90
) is the ID of your key which you can later use to encrypt, decrypt, export and things of the sort. You can also use the email or name associated to the key.
To export your public key so others can verify your identity and encrypt messages for you, simply run:
~$ gpg --output yourname.gpg --export your-associated-email@sample.com
And that’s it, now you can send them your public key.
Encrypting
Now that we have a keypair, let’s encrypt a file so only ourselves can decrypt and see our highly sensitive data!
~$ gpg --output sample_doc.gpg --encrypt --sign --armor -r fireofcolossus@gmail.com sample_file.txt
Don’t worry about all the options. Right now the most important thing you need to know is that --output doc.gpg
signals what will be the output file of the encryption, --encrypt
encrypts the file (duh!), -r email@sample.com
selects the recipient (in this case ourselves) of the encryption so they are the only ones able to decrypt the file, and at the end you put the file you want to encrypt (in this case sample_file.txt
).
Now if someone tries to open that file without access to our private key they will not be able to see the content.
Now to decrypt it, we just have to run the following command:
~$ gpg --output sample_doc.txt --decrypt sample_doc.gpg
Sending
Now… let’s say that you want to send an encrypted file to someone else. What would you do? Well… first of all, get their public key. For example, you can get mine from this link and then runing gpg --import FC-Zer0x1.gpg
on your terminal from the same directory, or simply run:
~$ curl -sL https://cyberrenaissance.xyz/FC-Zer0x1.gpg | gpg --import
Now what you would do is run the same as the above command to encrypt the file but substituting the recipient email, in this case for mine:
~$ gpg --output private_message_FC.gpg --encrypt --sign --armor -r fc-zer0x1@cyberrenaissance.xyz private_message_FC.txt
And now send the message (with your public key also) my way!
Other important considerations
~$ gpg --fingerprint public-key-to-verify@example.com
Then verify with them that the output fingerprint is the same as theirs.
The to indicate that you trust their public key you can sign it with the following command:
~$ gpg --sign-key verified-public-key@example.com
--sign
command we used above to encrypt our files? We were just using our digital signature to sign our file to protect ourselves from tampering/modifications done by attackers.--armor
option which I forgot to mention changes the output to be an ASCII file instead of a binary.And that’s it. You just learned the basics of encryption with GPG. There are a few things I didn’t cover but I didn’t want to make this article tedious so I only went over the most practical stuff.
--- Metadata ---
Categories: TECH