GnuPG

Comprehensive Guide and Cheat Sheet for GnuPG

GNU Privacy Guard (GnuPG or GPG) is a powerful, open-source tool for secure communication and data storage. It implements the OpenPGP standard (RFC 4880, now RFC 9580) and is widely used for encrypting, decrypting, signing, and verifying data and communications. This guide provides a thorough overview, practical cheat sheet, and best practices for using GnuPG effectively.

---

1. Fundamentals and Architecture

• What is GnuPG? GnuPG is a free software suite for encryption and signing of data and communications, compliant with the OpenPGP standard. It uses a hybrid encryption model: symmetric-key cryptography for speed and public-key cryptography for secure key exchange .

• Core Components:

  • Key Management System: Generate, manage, and exchange public/private key pairs.

  • Encryption & Signing: Supports RSA, ElGamal, DSA, and AES algorithms.

  • Libgcrypt: Provides cryptographic functions, including elliptic-curve cryptography.

  • Frontends: Command-line tool with GUI frontends like Seahorse (GNOME) and KGPG (KDE).

  • Protocols: Supports OpenPGP, S/MIME, and SSH .

---

2. Installation and System Requirements

• Supported OS: Windows, macOS, Linux, RISC OS, Android .

• System Requirements:

  • Windows: Compatible with modern versions (e.g., Windows 10+), requires at least 1 GHz CPU, 1–2 GB RAM.

  • Linux/macOS: Check distribution compatibility and install via package manager (e.g., apt, yum, brew).

• Installation Steps:

  1. Download from official GnuPG site.

  2. Install using the provided installer or package manager.

  3. Verify installation: gpg --version .

• Configuration: GnuPG stores configuration and keyrings in ~/.gnupg by default .

---

3. Key Management

Key Generation

gpg --gen-key

• Follow prompts for name, email, key type, size, and expiration .

Listing Keys

gpg --list-keys           # List public keys
gpg --list-secret-keys    # List private keys

Exporting Keys

gpg --export -a "User Name" > publickey.asc
gpg --export-secret-keys -a "User Name" > privatekey.asc

• -a outputs in ASCII-armored format .

Importing Keys

gpg --import publickey.asc

Key Revocation

• Generate a revocation certificate (do this when you create your key!):

gpg --output revoke.asc --gen-revoke your@email.com

• Import the revocation certificate if needed:

gpg --import revoke.asc

Key Signing and Trust

• Sign someone’s public key to certify it:

gpg --sign-key email@example.com

• Set trust level:

gpg --edit-key email@example.com
# Then use the 'trust' command in the interactive prompt

---

4. Encryption, Decryption, Signing, and Verification

Encrypting Files

gpg --encrypt --recipient recipient@email.com file.txt

• Output: file.txt.gpg (encrypted file) .

Decrypting Files

gpg --decrypt file.txt.gpg

• Outputs decrypted content to stdout or file .

Signing Files

gpg --sign file.txt

• Creates file.txt.gpg (signed and encrypted).

• To create a detached signature:

gpg --detach-sign file.txt

Verifying Signatures

gpg --verify file.txt.gpg
gpg --verify file.txt.sig file.txt

Encrypt and Sign in One Step

gpg --encrypt --sign --recipient recipient@email.com file.txt

---

5. Integration with Other Software

Email Clients

• Thunderbird + Enigmail (or built-in OpenPGP support in recent Thunderbird versions).

• Mailvelope for webmail.

• Process:

  1. Generate/import keys in GnuPG.

  2. Configure email client to use GnuPG.

  3. Share public key with contacts.

  4. Encrypt/sign emails as needed .

Git

• Sign commits:

git config --global user.signingkey <key-id>
git commit -S -m "Your commit message"

• Verify signed commits: Platforms like GitHub and GitLab display commit verification status .

Other Integrations

• Python: Use python-gnupg for programmatic access.

• S/MIME and SSH: GnuPG can manage S/MIME certificates and SSH keys .

---

6. Best Practices and Security Considerations

• Key Management:

  • Use strong passphrases for private keys.

  • Regularly rotate keys and subkeys.

  • Backup keys and revocation certificates securely.

  • Revoke and replace compromised keys immediately .

• Algorithm Selection:

  • Use strong, modern algorithms (e.g., RSA 4096-bit, ECC).

  • Avoid deprecated algorithms.

• Verification:

  • Always verify signatures on received files and messages.

  • Check key fingerprints before trusting/importing keys .

• Updates:

  • Keep GnuPG and related software up to date to patch vulnerabilities .

• User Education:

  • Train users on secure key handling and the importance of encryption .

---

7. Troubleshooting

• Cannot Decrypt:

  • Ensure the correct private key is in your keyring.

  • Check file permissions on ~/.gnupg.

• Signature Verification Fails:

  • Import the sender’s public key.

  • Check for key expiration or revocation.

• Key Not Trusted:

  • Set trust level using gpg --edit-key and the trust command.

• General Help:

  • gpg --help for command options.

  • Consult official documentation and community forums for support .

---

8. Cheat Sheet: Common GnuPG Commands

Task	Command Example
Generate keypair	gpg --gen-key
List public keys	gpg --list-keys
List private keys	gpg --list-secret-keys
Export public key	gpg --export -a "User Name" > publickey.asc
Export private key	gpg --export-secret-keys -a "User Name" > privatekey.asc
Import key	gpg --import publickey.asc
Encrypt file	gpg --encrypt --recipient user@email.com file.txt
Decrypt file	gpg --decrypt file.txt.gpg
Sign file	gpg --sign file.txt
Detached signature	gpg --detach-sign file.txt
Verify signature	gpg --verify file.txt.sig file.txt
Generate revocation cert	gpg --output revoke.asc --gen-revoke your@email.com
Sign another’s key	gpg --sign-key email@example.com
Edit key (set trust, etc.)	gpg --edit-key email@example.com
List fingerprints	gpg --fingerprint

---

9. Resources

• Official Documentation: https://gnupg.org/documentation/

• Community Forums & Mailing Lists: https://gnupg.org/community/

• Tutorials: YouTube, technical blogs, and course platforms.

• Integration Guides: Search for specific guides for your email client, Git, or other software .

---

10. Summary Table: Common Use Cases

Use Case	Description
Email Encryption	Securely send/receive emails; verify sender identity
File Encryption	Protect sensitive files at rest or in transit
Software Signing	Sign software releases to ensure authenticity
Secure Messaging	Encrypt messages in chat or collaboration tools
Git Commit Signing	Verify code authorship and integrity in version control

---

By following this guide and cheat sheet, you can confidently use GnuPG for a wide range of security and privacy tasks, from personal email encryption to professional software signing and secure development workflows .