Difference between revisions of "Linux: gpg"

From RHS Wiki
Jump to navigation Jump to search
Tag: visualeditor-switched
Tag: visualeditor
 
(11 intermediate revisions by the same user not shown)
Line 9: Line 9:
 
====Encrypt & Sign====
 
====Encrypt & Sign====
 
  gpg --encrypt --sign --recipient 'some user ID value' <file>
 
  gpg --encrypt --sign --recipient 'some user ID value' <file>
 +
 +
====Encrypt without prompt for key verification====
 +
gpg --trust-model always --encrypt --recipient rafael@herrerosolis.com secret_file.txt
  
 
===Decryption===
 
===Decryption===
Line 17: Line 20:
  
 
==Asimetric Cipher==
 
==Asimetric Cipher==
===Generate keys===
+
 
<source lang=text>-full-generate-key
+
===Private Key===
 +
 
 +
====Generate keys====
 +
<source lang="text">gpg --full-generate-key
 
gpg --default-new-key-algo rsa4096 --gen-key
 
gpg --default-new-key-algo rsa4096 --gen-key
 
gpg --gen-key</source>
 
gpg --gen-key</source>
  
===List private keys===
+
====Import secret keys====
 +
  gpg --allow-secret-key-import --import tmp.asc
 +
 
 +
====List private keys====
 
  gpg --list-secret-keys
 
  gpg --list-secret-keys
===Export private key===
+
====Export private key====
 
  gpg --export-secret-key -a "User Name" > private.key
 
  gpg --export-secret-key -a "User Name" > private.key
===Export public key===
+
 
====To file====
+
====Change private key passphrase====
 +
<syntaxhighlight lang="text">
 +
user@machine:~$ gpg --list-secret-keys
 +
gpg: checking the trustdb
 +
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
 +
gpg: depth: 0  valid:  1  signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 2u
 +
/home/user/.gnupg/pubring.kbx
 +
-----------------------------
 +
 
 +
sec  rsa1024 2019-11-19 [SC]
 +
      9D8D8CBC5B2A8A641C8CA0F58167B416B55E2859
 +
uid          [ultimate] RRA Example (No comments) <rra@rra.lan>
 +
ssb  rsa1024 2019-11-19 [E]
 +
 
 +
</syntaxhighlight><syntaxhighlight lang="text">
 +
user@machine:~$ gpg --edit-key 9D8D8CBC5B2A8A641C8CA0F58167B416B55E2859
 +
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
 +
This is free software: you are free to change and redistribute it.
 +
There is NO WARRANTY, to the extent permitted by law.
 +
 
 +
Secret key is available.
 +
 
 +
sec  rsa1024/8167B416B55E2859
 +
    created: 2019-11-19  expires: never      usage: SC 
 +
    trust: ultimate      validity: ultimate
 +
ssb  rsa1024/85BB533A53DAA163
 +
    created: 2019-11-19  expires: never      usage: E 
 +
[ultimate] (1). RRA Example (No comments) <rra@rra.lan>
 +
 
 +
gpg> passwd
 +
 
 +
</syntaxhighlight>
 +
 
 +
====Delete Private Key====
 +
<syntaxhighlight lang="bash">
 +
gpg --delete-secret-key 8167B416B55E2859
 +
</syntaxhighlight>
 +
 
 +
===Public Keys===
 +
 
 +
====Export public key====
 +
=====To file=====
 
  gpg --output <destination_file.gpg> --export <public_key_ID>
 
  gpg --output <destination_file.gpg> --export <public_key_ID>
====To server====
+
 
 +
=====Export all public keys=====
 +
<syntaxhighlight lang="bash">
 +
gpg --list-keys | grep -v "pub\|sub\|uid\|--" | sed '/^$/d' | xargs -t -n 1 -I ARG gpg --export --armor ARG
 +
</syntaxhighlight>
 +
 
 +
=====To server=====
 
  gpg --send-keys --keyserver pgp.mit.edu 18384645
 
  gpg --send-keys --keyserver pgp.mit.edu 18384645
====To ascii file====
+
=====To ascii file=====
 
  gpg --armor --export you@example.com > mykey.asc
 
  gpg --armor --export you@example.com > mykey.asc
  
===Import secret keys===
+
====Import public keys====
  gpg --allow-secret-key-import --import tmp.asc
+
=====From file=====
===Import public keys===
 
====From file====
 
 
  gpg --import <publickeyfile.gpg>
 
  gpg --import <publickeyfile.gpg>
====From server====
+
=====From server=====
 
  gpg --keyserver pgp.mit.edu --recv-keys 18384645
 
  gpg --keyserver pgp.mit.edu --recv-keys 18384645
 +
 +
====Delete Public Key====
 +
<syntaxhighlight lang="bash">
 +
gpg --delete-key 8167B416B55E2859
 +
</syntaxhighlight>
  
 
===Encrypt with a public key===
 
===Encrypt with a public key===
Line 51: Line 110:
 
====Encrypt to multiple recipients====
 
====Encrypt to multiple recipients====
 
  <nowiki>gpg --recipient 42FF42FF \
 
  <nowiki>gpg --recipient 42FF42FF \
      --recipient 12345678 \
+
              --recipient 12345678 \
      --recipient FEFEFEFE \
+
              --recipient FEFEFEFE \
      --encrypt-files backup.tar</nowiki>
+
              --encrypt-files backup.tar</nowiki>
 +
 
 +
====Encrypt without recipient key verification prompt====
 +
<syntaxhighlight lang="bash">
 +
gpg --trust-model always --encrypt --recipient rafael@herrerosolis.com secret_file.txt
 +
</syntaxhighlight>
 +
 
 +
====Encrypt without prompt for key verification====
 +
gpg --trust-model always --encrypt --recipient rafael@herrerosolis.com secret_file.txt
  
 
===Decrypt with private key===
 
===Decrypt with private key===
 
  comando gpg -d <encrypted_file>
 
  comando gpg -d <encrypted_file>
  
 +
=== List keys that can decrypt some file ===
 +
<syntaxhighlight lang="bash">
 +
gpg --list-only --no-default-keyring file.gpg
 +
</syntaxhighlight><br />
 
===Signing Keys===
 
===Signing Keys===
 
[https://www.phildev.net/pgp/gpgsigning.html Sign keys]
 
[https://www.phildev.net/pgp/gpgsigning.html Sign keys]

Latest revision as of 15:16, 19 December 2019

GnuPG

Simetric Cipher

Encryption

gpg -c file.txt

we will be prompt for a password.
Or: 

gpg -ca file.txt

If we want an ascii output

Encrypt & Sign

gpg --encrypt --sign --recipient 'some user ID value' <file>

Encrypt without prompt for key verification

gpg --trust-model always --encrypt --recipient rafael@herrerosolis.com secret_file.txt

Decryption

gpg -d file.txt
gpg --output <file> --decrypt <encrypted-and-signed-file>
find . -type f -name '*.gpg' -exec sh -c 'for file do gpg "$file"; done' sh {} +

we will be prompt for a password.

Asimetric Cipher

Private Key

Generate keys

gpg --full-generate-key
gpg --default-new-key-algo rsa4096 --gen-key
gpg --gen-key

Import secret keys

 gpg --allow-secret-key-import --import tmp.asc

List private keys

gpg --list-secret-keys

Export private key

gpg --export-secret-key -a "User Name" > private.key

Change private key passphrase

user@machine:~$ gpg --list-secret-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
/home/user/.gnupg/pubring.kbx
-----------------------------

sec   rsa1024 2019-11-19 [SC]
      9D8D8CBC5B2A8A641C8CA0F58167B416B55E2859
uid           [ultimate] RRA Example (No comments) <rra@rra.lan>
ssb   rsa1024 2019-11-19 [E]

user@machine:~$ gpg --edit-key 9D8D8CBC5B2A8A641C8CA0F58167B416B55E2859
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa1024/8167B416B55E2859
     created: 2019-11-19  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa1024/85BB533A53DAA163
     created: 2019-11-19  expires: never       usage: E   
[ultimate] (1). RRA Example (No comments) <rra@rra.lan>

gpg> passwd

Delete Private Key

gpg --delete-secret-key 8167B416B55E2859

Public Keys

Export public key

To file
gpg --output <destination_file.gpg> --export <public_key_ID>
Export all public keys
gpg --list-keys | grep -v "pub\|sub\|uid\|--" | sed '/^$/d' | xargs -t -n 1 -I ARG gpg --export --armor ARG
To server
gpg --send-keys --keyserver pgp.mit.edu 18384645
To ascii file
gpg --armor --export you@example.com > mykey.asc

Import public keys

From file
gpg --import <publickeyfile.gpg>
From server
gpg --keyserver pgp.mit.edu --recv-keys 18384645

Delete Public Key

gpg --delete-key 8167B416B55E2859

Encrypt with a public key

List public keys

gpg --list-keys

Encrypt one recipient

gpg --recipient <key ID> --encrypt <file>

Encrypt with ascii output

gpg --armor --encrypt --output ~/test.crypt --recipient redteam@bbva.com  ~/test.txt

Encrypt to multiple recipients

gpg --recipient 42FF42FF \
              --recipient 12345678 \
              --recipient FEFEFEFE \
              --encrypt-files backup.tar

Encrypt without recipient key verification prompt

gpg --trust-model always --encrypt --recipient rafael@herrerosolis.com secret_file.txt

Encrypt without prompt for key verification

gpg --trust-model always --encrypt --recipient rafael@herrerosolis.com secret_file.txt

Decrypt with private key

comando gpg -d <encrypted_file>

List keys that can decrypt some file

gpg --list-only --no-default-keyring file.gpg


Signing Keys

Sign keys

Signing

Sign

gpg -u <private_Key_ID> --output <output_signed_file> --sign <file_to_sign>
gpg --local-user <private_Key_ID> --output <output_signed_file> --sign <file_to_sign>

Verify signature

gpg -d <signed_file>

or 

gpg --verify <signed_file>

CheatSheet

Gpg_cheat_sheet.tar.gz
https://www.digitalocean.com/community/tutorials/how-to-use-gpg-to-encrypt-and-sign-messages
http://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/

Retrieved from "https://wiki.herrerosolis.com/index.php?title=Linux:_gpg&oldid=2069"