PGP Encryption

Sometimes you come across a situation when in a rather large enterprise they completely do not understand (or do not want to understand) why encryption of data, communication channels, and mail correspondence is necessary. This situation also occurs in my work. The situation with a strange loss of client-bank data helped to cut this Gordian knot.

Now in several stages the team is being trained in the basics of working with the gpg program. The decision to use the GnuPG utility to encrypt mail correspondence, files was made because of its availability in various Linux distributions. You may ask what Linux does in the enterprise. I will answer this - as a result of persistent 3-month work, a network of about 200 pc was transferred to linux with 90% success, which I can talk about a bit later.


Let’s get started with the basics and principles of encryption. We will analyze the system known as public key encryption, which has become the de facto standard for encrypting all kinds of information.

This scheme uses two keys: one is the private key, which is stored only by the user, and the second is the public key, which is publicly available and transmitted to other users. A public key belonging to the user or to whom he wants to send encrypted information is used for encryption. And only the owner of the corresponding private key will be able to decrypt the data. There is also a third key, called a session key. It is generated automatically and is used for encryption and decryption. And since all this is done automatically, it is rarely mentioned in the process description.

Two encryption packages using the public key scheme are widely used. The first is commercial PGP (Pretty Cood Privacy), GPG (GNU Privacy Guard), which is a free implementation of PGP. The second is OpenSSH. Further we will consider only GPG, due to its openness and prevalence.

The main goal of GPG is to perform file encryption. It does not establish secure data channels, as OpenSSH does. It simply encrypts the data and checks its integrity.

The first thing to do before you start working with GPG is to create a key pair: public and private. This is best done under the account under which you are constantly working. The command to create the keys is:

gpg --gen-key

During the generation process, you must select the type of key (the first option is suitable by default), its size, validity period, username, e-mail, password. All these points are intuitive and I will not dwell on them.

Generation is complete, a pair of keys is ready for use. Both files - pubring.gpg (public keychain) and secring.gpg (private keychain) - will be stored in binary in the $ HOME / .gnupg directory. The public key can be presented in two forms: in the form of binary code and in text format. The default format is binary. To convert the key to a text format, you must run:

gpg -a --export user> user.pub.key.asc

part of the command “> user.pub.key.asc” serves to redirect the output not to the screen, but to the file.

In order to see the key identifier, you can run a key check, as a result of which a list of keys will be displayed in the pubring.gpg file:

gpg --list-key

Until now, we have been working with our keys. But what about the keys of other users? To do this, insert the public key received from the outside into your public keychain:

gpg --import otherkey.pub.key.gpg.asc (where otherkey.pub.key.gpg.asc is the received key file)

Encryption is only one way to verify the integrity and reliability of information. Another way is to sign files. In this method, based on the characteristics of the file, a kind of signature is created, in the creation of which the private key data is involved. If the file between the time it was signed and the time it was received is not changed, when decrypting it or checking it using GPG, the following message will appear:

[user @ host] $ gpg --verify foo.txt.asc foo.txt
gpg: Signature made Thu March 18 14:10:50 2009 EST using DSA key ID 12EA888D
gpg: Good signature from "******"

To sign a file with the name “file”, you need to run:

gpg -b file

As a result of this command, a binary file will be created. In order to translate it into ASCII representation, you need to do this:

gpg -ba file

The option “-b” is used to create a separate signature file. The signature file has the same name as the signed file, but only with the extension .gpg or .asc, depending on whether it is signed in binary or in ASCII.

And finally, I'll tell you how to encrypt files themselves. Suppose a user has a public key and wants to send you an encrypted file. To do this, he needs to run the following command:

gpg -r user -e file (where “user” is the identifier of the key in the bundle to which the encrypted file is sent to the owner, “file” is the name of the encrypted file)

The result is a file.gpg file that you can send. You can also get the file immediately in the text representation at the output:

gpg -r user -ea file (where “user” is the identifier of the key in the bundle to which the encrypted file is sent to the owner, “file” is the name of the encrypted file)

Having received such a file, you need just execute:

gpg -d file.gpg (or .asc) You can

combine encryption with a signature with one command:

gpg -r user -bea file

As a result, we get an encrypted file, during decryption of which the steps will be taken to create a signature for it.

The original is on the blog .