Friday, 10 March 2017

Setting up and using gpg (GnuPG) with CentOS 7

PGP was first introduced by Phil Zimmermann & Associates and was a proprietary piece of software that allowed users to encrypt their files - although later on one of the original developers began work on OpenPGP (an open-source alternative.)

These days GPG (GnuPG) is also extremely popular and is based open OpenPGP standards and is widely available across most popular operating systems.

For this tutorial I will focus on CentOS 7 - however much of the processes are exactly the same on most Linux distributions.

GPG makes use of PKI - so can be used to encrypt data, but also allows us to sign data so that it can be independently verified.

Let's go ahead and install the relevant packages:

sudo yum install gnupg2

There is also the 'gnupg1' package available that is *internally* quite different from gnupg2 and is typically more suited for server / embedded environments as it requires less dependencies.

gnupg2 keeps your public keys and secret keys in a 'keyring.' A keyring is simply a container that stores certificates, keys etc. securely.

We'll proceed by generating the private / public key pair:

gnupg2 --gen-key

For this demonstration we'll choose RSA for the algorithm, a key size of 4096 bits and an expiry of 1 year.

When you first generate your keys you will notice two files are created:

~/.gnupg/pubring.gpg (Stores the public keys)

~/.gnupg/secring.gpg (Stores the 'secret' / private keys)

We can view our public keys with:

gpg2 --list-keys

and our public ones with:

gpg2 --list-secret-keys

In order to delete key pairs we should firstly delete the secret key with:

gpg2 --delete-secret-key <key-id>

and then remove the associated public key:

gpg2 --delete-keys <key-id>

Sending / Receiving files with GPG 

In order to receive a file securely from another party we must firstly provide them with it (preferably via offline media such as a USB stick) export our public key with:

gpg2 --armor --export -a <key-id> public.key

The 'armor' option instructs GPG to encode the output with ASCII ensuring that it can be emailed.

The other party will then encrypt data with your public key - however they must firstly import your public key:

gpg2 --import public.key

and then encrypt the data with:

gpg2 --encrypt --armor --recipient "Joe Blogs" secret.txt

This will generator a file called secret.txt.asc (you might want to rename this to something more meaningful like secret.txt.gpg)  - this can then be transmitted to yourself - who can then decrypt the file with the following:

gpg2 --decrypt secret.txt.asc > secret_decrypted.txt

You should then be prompted for the password associated with the private / secret key.


Post a Comment