Speedrunning encryption with GPG and PGP

Achieving 'military grade encryption', 'bank level encryption', etc.. for your private files, made easy.
Original image by Chris Liverani from

Achieving 'military grade encryption', 'bank level encryption', etc.. for your private files does not have to be complicated. Today we are going to take a hands-on approach to encryption using GPG.

Basics

What is encryption about?

  • It is about hiding information from people. Hiding information from people, even if they intercept that information. This is done by turning it into gibberish.
  • The turning into gibberish is support by some magic (yes math, I am looking at you) which we are not going to cover today.

What is asymmetric encryption?

  • A method with which we end up with two keys.
  • A public key which is, well..., publicly known by everyone.
  • The public key is used for encrypting information.
  • A private key which is, well..., privately known only by yourself. Never share your private key with anyone.
  • The private key is used for decrypting information.

What is the workflow in asymmetric encryption?

  1. The information you want to share will be encrypted with the public key of the receiver of the information.
  2. The encrypted information is then sent to the receiver of the information.
  3. The receiver can then decrypt the information using his private key.
    • The information can only be decrypted with the private key.
    • Since the private key never gets shared, the information can only be decrypted by the receiver and no one else.

Which software to use?

  • GPG "Gnu Privacy Guard" is a battle tested, more or less standard tool for encryption. It is suggested by official and unofficial entities for secure communications.

Hands On Examples

Listing keys

  • To see all the public keys that you can encrypt information with, issue
gpg --list-keys
listing public keys using gpg.
Running this the first time will end up in something like this. Since we don't have anything here, we don't see anything yet.

Generating Keys

  • First of all, you need to generate a private and public key pair. This is done using
gpg --full-generate-key
generating a key pair.
The bigger the keysize the longer it takes for an attacker to crack the encryption. Nowadays a key length of 1024 bits is no longer suggested by insitutions like the NIST and the BSI. I always just use 4096 bits to be safe.

Exporting keys

  • For exporting, we always issue the --armor command to make sure nothing goes wrong in transit. This will make the content of our keys use the ASCII format.

exporting public key

  • First of all we need the id of the key that we want to export. We can list the shorthand id of our keys using this command.
gpg --list-keys --keyid-format=short
  • Then all we need to do is export it to a file.
    gpg --armor --output pubkeyNameHere --export keyIdHere
    
  • Example:
    exporting a public key.
    This public key needs to be known by anyone who wants to send us an encrypted message. Now at least we have a file we can easily share.

NOTE: I will always use my key id "FACF7ADA" for the rest of the commands. Make sure to replace it with your own key id when you try out gpg.

Uploading public key to a key server

  • Soo.. now we can just send anyone that wants to ever send us an encrypted message the file we just exported before we chat...
  • While this can be done it is quite cumbersome at scale. That is where key servers come to the rescue.
  • Key servers store public keys. Popular ones can be reached under "http://pgp.mit.edu/", "https://keyserver.ubuntu.com/" or "https://keys.openpgp.org/".
  • A cool thing about key servers is that they exchange their entries. Which means that at the end of the day, every key server knows every public key.
  • Let's upload our key to a key server.
    gpg --keyserver hkp://keyserver.ubuntu.com:80 --send-keys yourKeyIdHere
    
    gpg --keyserver hkp://keyserver.ubuntu.com:80 --send-keys FACF7ADA
    
  • It normally takes some hours for the keyservers to be updated. If you can't find the just updated public key on the page after uploading, try again later.

Encrypting information for a specific user/public key

Getting a public key from the key servers

  • First of all we need to get our hands on the public key of this specific user.
  • Often we have some kind of information about who we want to send data to. This can be an email, a name, or they public key id of the user.
  • For our case, we start looking for keys by name.
gpg --keyserver pgp.mit.edu  --search-keys "Pierre Dahmani"

results in

searching for and importing a public key.
We can see that anyone can now easily get our public key (and therefore encrypt messages which can only be decrypted/read by ourselves).
- *NOTE: A bare name does not guarantee to identify the user. Anyone could upload a key with a given name and email.*

Encrypting information with that specific public key

  • Now that we have the public key (we will just use the one we created before) we can encrypt information.
  • For our example, we have a file called 'secrets' with this content.
    content of our secret
    Wow, no surprise that we want to keep this one a secret...
  • Lets encrypt it and see the result.
gpg --recipient "FACF7ADA" --armor --output encrypted-secrets --encrypt secrets
  • Somewhat more generic, for understanding.
gpg --recipient "keyIdOfRecipientHere" --armor --output outputFilenameHere --encrypt inputFilenameHere
showcasing the encrypted secret
Now that's some high quality gibberish. Can you tell what's the secret? Well, luckily noone but the owner of the private key can.

Decrypting information

  • Whenever you receive an encrypted information (which was encrypted with your public key) you can decrypt it like this.
gpg --output secrets --decrypt encrypted-secrets
showcasing the decrypted secret
There we go, we successfully transformed gibberish into a message. This could only be done because we own the private key which belongs to the public key this file was encrypted with. As long as you keep the private key secret, only you are able to read/decrypt this information.
  • Congrats, you are now able to use military grade encryption!
  • To test this out, feel free to send me an encrypted file to my email hi@pd-dev.xyz. I will make sure to respond :]

Resources for theory

  • You can just drop this section, if you only want to securely encrypt and decrypt data and don't care about the theory behind it.
  • Asymmetric encryption is used and approved by trusted entities like:
    • NIST the "National Institute of Standards and Technology"
    • BSI (let's just say the german version of the NIST).
  • PGP RFC
  • RSA wikipedia
  • FIPS(Federal Information Processing Standards Publication) of the NIST approving RSA here.
  • 2022 publication of the BSI approving RSA.