
GnuPG in a Tiny Nutshell

Dave Worth (cesium@ahpcc.unm.edu)

First note: for the real details that I may gloss over here, see %man gpg

Target Audience: Those unfamiliar with PGP/GPG, or only familiar with PGP 2.6.x

GPG is a free, open-source implementation of the OpenPGP standard, and is thus cool. It generates big keys and has a very friendly interface, unlike bits of PGP.

  1. Get GPG, or use a machine which has it.
  2. This is actually a personal decision, and one probably based on where you plan on checking your mail. Truchas have gpg version 1.0.1, and if you check your mail there it's not such a bad idea to generate your key there. If you fetchmail your mail locally, then you probably want gpg locally. The source is available from It's in the FreeBSD ports tree.

  3. To generate a key, just run %gpg --gen-key and follow the instructions.

    1. Choose a key type; DSA and ElGamal (the default) is generally appropriate.

    2. Choose a key size; the minimum should be 1024 bits, and 2048 is better. (1024 is the default.)

    3. Choose a key expiration. This is up to you; for general-purpose, non-super-secret uses, never is fine, though in more important circumstances expiring keys can be useful.

    4. When asked, give gpg your real name and your email address; you can generally give the comment field a miss.

    5. When prompted, choose a passphrase. Make it long enough to be secure, but make sure you remember it: numbers, letters, symbols, etc., the usual password stuff.

    GPG will now begin to generate the actual key; it will say:

    "We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy."

    Do that: give it something to generate entropy from. It may ask for more bytes, so do more stuff; it did this 3 times on truchas for me.

  4. Generate a revocation key by running %gpg --gen-revoke and following the instructions. It will ask for your passphrase. Print out the generated revocation key and keep it somewhere safe.

  5. Export your ASCII-armored public key. The term "ASCII armor" is key in GPG land: if you do not ASCII-armor it, all output from GPG is binary, which is sometimes not so helpful (and harder to include in the body of an email message). To export your key, run %gpg --armor --export "<real name>". Copy the output, put it in your .plan in your home directory, and mail it to systems.
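To make concrete what ASCII armor actually is, here is an added example (not code from this page or from GnuPG): per RFC 2440, an armored block is the binary packet bytes in base64 between BEGIN/END lines, followed by a "=" line carrying a CRC-24 of the binary data, which lets the receiver detect a key block mangled by a mail client or a copy-and-paste. The sample packet bytes are constructed and are not a real key; the parser skips any header lines (such as gpg's "Version:") up to the blank line.

```python
import base64

CRC24_INIT = 0xB704CE   # RFC 2440 section 6.1 initial value
CRC24_POLY = 0x1864CFB  # RFC 2440 section 6.1 generator polynomial
# Constructed stand-in for the binary bytes gpg --export would emit (not a real key).
SAMPLE_PACKET = bytes(range(0x99, 0xB0)) + b"not-a-real-openpgp-key"


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the raw packet bytes, computed bit by bit as in RFC 2440."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap binary data the way gpg --armor does: header, blank line, base64 body, '=' + CRC-24, footer."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", "", *lines,
                      "=" + crc_b64, f"-----END {block_type}-----"]) + "\n"


def dearmor(text: str) -> bytes:
    """Parse an armored block back to bytes; raises ValueError if malformed or the CRC-24 fails."""
    lines = text.strip().splitlines()
    if (len(lines) < 4 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ") or "" not in lines):
        raise ValueError("malformed armor: need BEGIN line, blank line after headers, END line")
    body = lines[lines.index("") + 1:-1]  # skip 'Version: GnuPG ...' headers, drop the footer
    if not body or not body[-1].startswith("="):
        raise ValueError("missing '=' CRC-24 trailer line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: the armored block was corrupted in transit")
    return data


def armor_is_intact(text: str) -> bool:
    """True if the block parses and its checksum matches, False otherwise."""
    try:
        dearmor(text)
        return True
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
```

The CRC only catches accidental corruption; it is no substitute for checking the key's fingerprint with its owner.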

To list all of the keys in your keyring, run %gpg --list-keys

To list a small subset of the keys in your keyring, follow --list-keys with the first few characters (matched case-insensitively) of their "real name". Thus, to find all the people whose keys you have and whose first name starts with a 'd', just run %gpg --list-keys d

To sign a file, run %gpg --clearsign <filename>. Note: %gpg --sign <filename> will make the output binary and less useful.

To verify a signature, run %gpg --verify <filename>. The owner of the signature's public key must be in your keyring for this to work.

To encrypt a file, run %gpg --encrypt <filename>

To sign and encrypt, run %gpg --sign --encrypt <filename>, or for fun %gpg -se <filename>. You will be asked for the name of the person you are encrypting to.

To decrypt a file, run %gpg --decrypt <filename>


David Worth 2001-10-30