Have you ever had sensitive information such as passwords or server login information you needed to send someone via email, but didn't know how to send it securely to avoid the information falling into the wrong hands?

Here you'll learn how to securely transmit messages and files encrypted with PGP via the popular gnupg tool. Let's dive right in, and learn how to secure our communications!

Install gnupg

If you've never heard of PGP before, check out an excellent PGP primer and explanation, which contains various details we won't get into here for brevity's sake. First, check whether gnupg is already installed. Note that the command-line tool itself is named gpg, so within terminal, run the command:

        gpg --version

If it displays the version of gnupg you're currently running (should be v2+), then you're all set and can move to the next section. Otherwise, you can install gnupg by running:

        sudo apt-get install gnupg2
    

Once finished, check to ensure it's installed:

        gpg --version

Assuming gnupg was properly installed, this will display the version number.

Generate a PGP Key

PGP uses asymmetric encryption, so you will first generate a PGP key-pair that consists of a public key and a private key. The public key can be freely distributed to anyone from whom you wish to receive encrypted messages, while the private key is kept to yourself in a safe place.

Others then encrypt messages to your public key and send them to you, and only your private key can decrypt them. To generate a key-pair run:

        gpg --generate-key
    

This will start by asking your name and email address, which doesn't necessarily have to be your real name and email. However, it is what others will see when selecting who to encrypt messages to, so ensure it's something others can easily identify you by.

Next enter the letter O to confirm the name and email address, and you'll be prompted to enter a desired password, which can be anything you wish. You will need to enter this password each time you want to decrypt a message that was sent to you.

Once you've confirmed the password, it will begin generating your new PGP key-pair, which can take a few minutes to gather enough entropy/random data from your computer. Feel free to navigate away from terminal for a couple minutes and do something else until you see a message saying your key has been successfully generated.

Export Your Public Key

Now that your key-pair is generated, you need to export the public key to distribute to others. Within terminal run the command:

        gpg -a --export 'myname@domain.com' > mykey.asc


Be sure to replace 'myname@domain.com' with the email address you supplied when generating your PGP key. You will now see a new file in the current directory named mykey.asc, containing only your public key. Send this file to anyone who you wish to be able to send you encrypted messages.

Import Public Keys

Just as you can now share your public key with others, they will share their public keys with you. When you receive someone's public PGP key, save the file to a directory, open a terminal in that same directory, and run:

        gpg --import key.asc
    

This will import the person's public PGP key into gnupg, allowing you to begin sending encrypted messages to them. At any time you may view a list of all PGP keys currently available within gnupg:

        gpg --list-keys
    

You will see a bunch of entries that look similar to below, one for each key available within gnupg:

        pub   rsa3072 2020-01-30 [SC] [expires: 2022-01-29]
              8978168C4E79A08553E5789CD42A4A4EC1468CFE
        uid           [ unknown] Matt Dizak <matt.dizak@gmail.com>


The pieces of information to take notice of are the name and email address on the uid line, which identify the owner of that key; the 40-character hexadecimal line is the key's fingerprint. When encrypting messages, you will only need the email address of the recipient.

Encrypt Messages via PGP

For example, you may need to send some sensitive information to your web designer, whose PGP key you have already imported under the email address designer@domain.com. Type out the desired message and save it to a text file, e.g. message.txt. Within terminal and inside the directory where message.txt resides, run the command:

        gpg -e -a -r 'designer@domain.com' message.txt
    

Let's quickly break down the above command:

  • -e specifies that we're encrypting data
  • -a states we want ASCII-armored output, i.e. plain text rather than binary
  • -r stands for recipient, hence why it's followed by the email address of our designer
  • Finally comes the message file we wish to encrypt

Most likely this will ask you to confirm that you indeed wish to encrypt to this public key, and you can just hit the Y key to agree. A new message.txt.asc file will be created, and if you open the file in a text editor you will see something similar to:

        -----BEGIN PGP MESSAGE-----

        hQGMAzCBDnMltq9zAQv/ZHQ3tJq+feazdLa3thzQE2bhPx+7WaPZcX7SdkoyuKvw
        9faS7h9OwBjQ4vUyDKespSq3ZNf1pRgNoXijjs3MGEi5IsYxDgNWo1ZJv2qQqp36
        .....
        -----END PGP MESSAGE-----


This is the newly generated encrypted form of our message. You can either attach this file to an email, or simply copy and paste the contents of this file into the body of an email message.

The recipient will then be able to decrypt the message on their end using their private key, ensuring that anyone who sees this message during transit will not be able to view the plain text version.

Encrypting Binary Files

The above section explained how to encrypt text messages, but what about binary files? It works pretty much the same, and for example to encrypt a file named images.zip, within terminal run the command:

        gpg -e -r 'designer@domain.com' images.zip
    

The only difference is that the -a option is omitted, so the output is written in binary form rather than as ASCII-armored text. Then as before, if prompted to confirm use of the public key, simply press the Y key to agree.

A new file named images.zip.gpg will be created, which is the encrypted version of our zip file that we can email to our designer as an attachment. They can then decrypt the ZIP file using their private key.

Decrypting Messages

You also need a way to decrypt messages that are sent to you. Please remember, in order for someone to send you an encrypted message, you must first share your public PGP key with them. You will receive an encrypted block of text, which looks the same as the output you saw when encrypting a message, such as:

        -----BEGIN PGP MESSAGE-----

        hQGMAzCBDnMltq9zAQv/ZHQ3tJq+feazdLa3thzQE2bhPx+7WaPZcX7SdkoyuKvw
        9faS7h9OwBjQ4vUyDKespSq3ZNf1pRgNoXijjs3MGEi5IsYxDgNWo1ZJv2qQqp36
        .....
        -----END PGP MESSAGE-----


Save this block of text to a file such as message.asc, and within terminal run the command:

        gpg -d message.asc > message.txt
    

You will be prompted to enter your password, which is the same password you supplied when initially generating your PGP key-pair. Upon successful entry of your password, a message.txt file will be created which contains the decrypted version of the message in plain text. That's all there is to it!
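The whole workflow above (generate a key-pair, export the public key, import it on the other side, encrypt, decrypt) run end to end without any prompts, as an added example that is not from the original article. It assumes gpg 2.x is installed, uses two throw-away keyrings so your real ~/.gnupg is untouched, and the names, email address (bob@example.com), directories and message are all constructed for the script. Two things differ from the interactive steps in the article and are labelled in the comments: %no-protection creates the key without a passphrase purely so the script can run unattended, and --trust-model always stands in for the "use this key anyway?" confirmation you answer with Y. The script also compares the key fingerprint as seen in both keyrings, which is the check that justifies answering Y in real use.

```shell
#!/bin/sh
# Added example, not part of the original article: a non-interactive end-to-end run of
# the article's steps between two temporary keyrings (sender "Alice", recipient "Bob").
# All names, addresses, directories and the message are constructed for this script.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed; see the install section" >&2; exit 0; }

# One isolated GNUPGHOME per party (temporary, constructed).
WORK=$(mktemp -d)
ALICE="$WORK/alice"   # sender: will hold only Bob's public key
BOB="$WORK/bob"       # recipient: holds his own key pair
mkdir -p "$ALICE" "$BOB"
chmod 700 "$ALICE" "$BOB"   # gpg warns about homedirs readable by others

cleanup() {
    # Stop the agents gpg started for the temporary homedirs, then remove them.
    for d in "$ALICE" "$BOB"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Step 1: Bob generates a key pair. The article does this interactively with
# gpg --generate-key; a batch parameter file is the unattended equivalent.
# %no-protection skips the passphrase ONLY so this script can run unattended;
# a real key should be protected by a passphrase as the article describes.
cat > "$WORK/bob.params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Bob Example
Name-Email: bob@example.com
Expire-Date: 2y
%commit
EOF
gpg --homedir "$BOB" --batch --quiet --gen-key "$WORK/bob.params"

# Step 2: Bob exports his public key in ASCII-armored form (the article's mykey.asc).
gpg --homedir "$BOB" --armor --export bob@example.com > "$WORK/bob.asc"

# Step 3: Alice imports the key she received.
gpg --homedir "$ALICE" --quiet --import "$WORK/bob.asc"

# fingerprint_of <homedir> <email>: the primary-key fingerprint gpg --list-keys shows.
# Comparing this value on both sides (over a second channel in real life, e.g. by phone)
# is how you confirm the key you imported is really Bob's and not a substitute.
fingerprint_of() {
    gpg --homedir "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# pgp_roundtrip <message>: Alice encrypts the message to Bob, Bob decrypts it.
# Prints the recovered plaintext so the caller can compare it with the original.
pgp_roundtrip() {
    printf '%s\n' "$1" > "$WORK/message.txt"
    # Same flags as the article (-e -a -r). --trust-model always stands in for the
    # interactive "use this key anyway? (y/N)" confirmation, which --batch would
    # otherwise refuse; the fingerprint comparison above is what justifies it.
    gpg --homedir "$ALICE" --batch --yes --quiet --trust-model always \
        -e -a -r bob@example.com -o "$WORK/message.txt.asc" "$WORK/message.txt"
    # Bob decrypts with his private key (the article's gpg -d message.asc).
    gpg --homedir "$BOB" --batch --quiet --decrypt "$WORK/message.txt.asc"
}

# armored_header <file>: first line of the armored output, for a quick sanity check.
armored_header() { head -n 1 "$1"; }

main() {
    echo "fingerprint (Alice's keyring): $(fingerprint_of "$ALICE" bob@example.com)"
    echo "fingerprint (Bob's keyring):   $(fingerprint_of "$BOB" bob@example.com)"
    echo "decrypted: $(pgp_roundtrip 'server password: correct-horse-battery-staple')"
    echo "ciphertext starts with: $(armored_header "$WORK/message.txt.asc")"
}
main
```

Run it with sh and the two fingerprints it prints should be identical; if they ever differ in real use, the key you imported is not the one your contact generated, and you should not encrypt to it. Because Alice never generates a key of her own, the script also shows that encrypting only needs the recipient's public key, while decrypting needs the recipient's private key (and, outside this script, its passphrase).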

Congratulations, Your Communications are Now Secure!

Through this guide you've learned everything necessary to properly secure your communications via PGP encryption. You've learned how to generate a PGP key-pair, export your public key to share with others, import the public keys of others, plus how to encrypt and decrypt messages.

Next time you need to send sensitive information via email, you can now rest assured only the intended recipient will be able to see the contents of the message, keeping it away from unwanted guests. Happy encrypting!