Notes on GPG
Security really matters these years. WannaCry gave us a global warning early this year. Before that, Chinese netizens felt quite safe, maybe because of the small technology audience… or rather because the GFW helps? With technology taking deeper root in life, accompanied by mobile payment, online shopping, smart devices and the like, I believe the security issue is critical enough to draw everyone's attention. Security is the most unavoidable issue, even if one may ignore the privacy problem for now.
Okay, here are my notes on GPG. I only introduce the options I commonly use; all the details are in the GnuPG manual.
Options
-k/--list-public-keys
: List public keys.
-K/--list-secret-keys
: List private keys.
-e/--encrypt
: Encrypt data to a recipient's public key.
-s/--sign
: Sign a message with your private key.
-c/--symmetric
: Encrypt with a symmetric cipher using a passphrase.
--cipher-algo
: Specify the cipher algorithm. (List all available algorithms by running gpg --version.)
-d/--decrypt
: Decrypt data.
-r/--recipient
: Specify the recipient (user-id).
-a/--armor
: Create ASCII output.
-o/--output
: Specify the output file name.
--clear-sign
: Wrap the original text in a cleartext signature; the content stays readable.
--detach-sign
: Generate the signature as a separate file.
Examples
Basic Encryption
gpg -r chris -e foo.txt
# It creates foo.txt.gpg
Encrypt with Symmetric Cipher
gpg -c foo.txt
# Enter passphrase twice and foo.txt.gpg is created.
ASCII output
gpg -c -a foo.txt
# Enter passphrase twice and foo.txt.asc is created.
Using with pipeline
echo "hello" | gpg -c -a -
# -----BEGIN PGP MESSAGE-----
#
# jA0EBwMCI9EOCv8RfTDh0jsB6f1PHXr7CnPvtFQ3+1xzVkaaFT0NGnaXV7vp0TA6
# yQaOCS806a4Gg7/3UxBcPqm1t74asvk2tgm06Q==
# =fstr
# -----END PGP MESSAGE-----
Sign and verify
gpg --clear-sign foo.txt
# Generates foo.txt.asc, which is signed but not encrypted
gpg -d foo.txt.asc # show raw data and verify signature
gpg --verify foo.txt.asc # verify signature
Detached sign
gpg --detach-sign foo.txt
# File foo.txt.sig (notice its size) is generated
gpg --verify foo.txt.sig foo.txt # verify signature
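A script that relies on `gpg --verify` usually also has to check who signed, because verification succeeds for any key present in the keyring. The following is an added example, not part of the original notes: it parses gpg's machine-readable `--status-fd` output and pins the signer's primary-key fingerprint. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a detached signature AND pin the signer.
# Function names and SAMPLE_STATUS are constructed, not from a real key.

# Read `gpg --status-fd` lines on stdin. Print the primary-key fingerprint
# from VALIDSIG, but only if GOODSIG was also reported. Expired or revoked
# keys are reported as EXPKEYSIG / REVKEYSIG instead of GOODSIG, so they fail.
validsig_primary_fpr() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # Field 12 is the primary-key fingerprint; field 3 is the key that
        # actually signed (often a subkey). Fall back to it if 12 is absent.
        $2 == "VALIDSIG" && fpr == "" { fpr = (NF >= 12 ? $12 : $3) }
        END { if (good && fpr != "") print fpr }
    '
}

# verify_detached_pinned SIG FILE EXPECTED_FPR
# Returns 0 only for a good signature made under EXPECTED_FPR.
verify_detached_pinned() {
    sig=$1
    file=$2
    # Normalise the pinned value: strip spaces, upper-case the hex digits.
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    # Status lines go to stdout; the human-readable report is discarded.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | validsig_primary_fpr)
    [ "$got" = "$want" ]
}

# Constructed status output: a signature made by a subkey (BBBB...) that
# belongs to the primary key AAAA...
SAMPLE_PRIMARY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Test User <test@example.invalid>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 1704067200 0 4 0 1 8 00 $SAMPLE_PRIMARY"

printf '%s\n' "$SAMPLE_STATUS" | validsig_primary_fpr
```

Typical use is `verify_detached_pinned foo.txt.sig foo.txt "<fingerprint obtained out of band>"`, acting on the file only when it returns 0.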
Output to stdout
gpg -o - -ac foo.txt