How to secure your data with encryption (GPG)

Introduction

So, We’ll use a public key cryptography system to encrypt our sensitive data. As a brief explanation, what this system does is that it generates two “keys”, a public key which you may share with others so they can encrypt files and share them with you, and a private key which you must keep secure with which you, and only you will be able to decrypt the files that others encrypted for you, and encrypt files to share with others (or that you simply want to keep private and secure). Don’t worry if you aren’t clear yet, let’s get practical about it so you understand.

Generating our keys

First of all we need to generate our keys, we’ll do so with GPG in our terminal (If you don’t have it, you can download it from this page, also for Windows & Mac):

~$ gpg --full-gen-key

Which should ask you what kind of key you want, we’ll go with the default option (RSA and RSA):

gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
          This is free software: you are free to change and redistribute it.
          There is NO WARRANTY, to the extent permitted by law.
  
          Please select what kind of key you want:
             (1) RSA and RSA (default)
             (2) DSA and Elgamal
             (3) DSA (sign only)
             (4) RSA (sign only)
            (14) Existing key from card
          Your selection? 1

Then it will ask you for the length of the key, we’ll pick the max (4096) for more security:

RSA keys may be between 1024 and 4096 bits long.
          What keysize do you want? (3072) 4096

Now it will ask you for the period of validity of the key. It defaults to zero which means never expires (a better practice will of course be to set a expire period in case our system is compromised):

Requested keysize is 4096 bits
          Please specify how long the key should be valid.
                   0 = key does not expire
                <n>  = key expires in n days
                <n>w = key expires in n weeks
                <n>m = key expires in n months
                <n>y = key expires in n years
          Key is valid for? (0) 0

Then it will prompt you to confirm the expire period of the key, to put you name, email address, and a comment (optional) for the key:

Key does not expire at all
          Is this correct? (y/N) y
  
          GnuPG needs to construct a user ID to identify your key.
  
          Real name: FC
          Name must be at least 5 characters long
          Real name: FireOfColossus
          Email address: fireofcolossus@gmail.com
          Comment: sample key

Finally it will ask you to validate the data or do changes if necessary. My data is ok, so I’ll go with O (okay):

You selected this USER-ID:
              "FireOfColossus (sample key) <fireofcolossus@gmail.com>"
  
          Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

Then it will prompt you to put a passphrase to protect your secret key which you will have to type when using your private key. Be careful to remember or save that password in a secure place, because if you lose or forget this keyphrase your will also lose access to your private keys (which will make your public key useless also).

Now you should have something that looks like this:

gpg: key A584DBDB7C072F90 marked as ultimately trusted
          gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/517DDA2CA792897ECC7DCBC9A584DBDB7C072F90.rev'
          public and secret key created and signed.
  
          pub   rsa4096 2021-10-31 [SC]
                517DDA2CA792897ECC7DCBC9A584DBDB7C072F90
          uid                      FireOfColossus (sample key) <fireofcolossus@gmail.com>
          sub   rsa4096 2021-10-31 [E]

The random string (in my case 517DDA...072F90) is the ID of your key which you can later use to encrypt, decrypt, export and things of the sort. You can also use the email or name associated to the key.

To export your public key so others can verify your identity and encrypt messages for you, simply run:

And that’s it, now you can send them your public key.

Encrypting

Now that we have a keypair, let’s encrypt a file so only ourselves can decrypt and see our highly sensitive data!

~$ gpg --output sample_doc.gpg --encrypt --sign --armor -r fireofcolossus@gmail.com sample_file.txt

Don’t worry about all the options. Right now the most important thing you need to know is that --output doc.gpg signals what will be the output file of the encryption, --encrypt encrypts the file (duh!), -r email@sample.com selects the recipient (in this case ourselves) of the encryption so they are the only ones able to decrypt the file, and at the end you put the file you want to encrypt (in this case sample_file.txt).

Now if someone tries to open that file without access to our private key they will not be able to see the content.

Now to decrypt it, we just have to run the following command:

~$ gpg --output sample_doc.txt --decrypt sample_doc.gpg

Sending

Now… let’s say that you want to send an encrypted file to someone else. What would you do? Well… first of all, get their public key. For example, you can get mine from this link and then runing gpg --import FC-Zer0x1.gpg on your terminal from the same directory, or simply run:

~$ curl -sL https://cyberrenaissance.xyz/FC-Zer0x1.gpg | gpg --import

Now what you would do is run the same as the above command to encrypt the file but substituting the recipient email, in this case for mine:

~$ gpg --output private_message_FC.gpg --encrypt --sign --armor -r fc-zer0x1@cyberrenaissance.xyz private_message_FC.txt

And now send the message (with your public key also) my way!

Other important considerations

~$ gpg --fingerprint public-key-to-verify@example.com

~$ gpg --sign-key verified-public-key@example.com

And that’s it. You just learned the basics of encryption with GPG. There are a few things I didn’t cover but I didn’t want to make this article tedious so I only went over the most practical stuff.

--- Metadata ---

Categories: TECH