Using GPG at VTC

This document describes how to use the GPG program in a basic way. I will cover how to send and receive encrypted messages, and how to digitally sign messages as well as verify the signature on messages. This document is intended to support my classes at Vermont Technical College. It is not intended to be a general treatment of GPG for the entire internet community. This document talks about how to use GPG on a Unix system. However, most of what is said here applies equally well to the Windows command line version of the program. This document does not discuss any graphical front-end tools (of which several are available).

Generating a key

Before people can send you encrypted mail, you will need to generate a public/private key pair for yourself. Do this with the command

          gpg --gen-key

You can accept the various default options presented to you, except you might consider setting an expiration date on your key. If your key is lost you probably want it to eventually become invalid without any intervention on your part. I suggest using a key lifetime of five years (the offered default is fine). For the "key ID" use your full name together with your email address like this (you can leave the "Comment" field blank)

Peter Chapin <>

This uniquely identifies you. When you refer to a key ID with GPG you can normally just use any substring of the ID that is unique on your key ring. However it is a good idea to be sure your full ID is quite specific. It is possible to change the ID associated with your key without also changing your key. (Useful if you change email addresses).

Your GPG key has two parts: a public part that you can give to anyone, and a private part that you should keep to yourself. These "keys" are large binary numbers—they are not words. However, your private key is kept in a file and encrypted using a passphrase that you provide when the key is generated. In order to use your private key, you will have to provide the passphrase. Thus even if your secret key ring file is found by someone else, that alone won't allow them to use your private key.

Extracting your public key

Your public key is something you must give to people before they can send you encrypted mail. People will also need your public key to verify your digital signatures. Post your public key widely. It is public. I have mine on my web site. To extract your public key from your key ring use a command such as

          gpg --export -a key_ID > filename

Where key_ID is your Key ID (or any substring contained in it) and filename is the name of the file where the key should go. This command will extract the key in ASCII format—plain text—so that you can send it around more easily.

Putting my public key on your key ring

Download my public key into a file, say pchapin.asc. Then do this command

          gpg --import pchapin.asc

GPG will see that pchapin.asc is a public key and try to add it to your public key ring. You should now check the key fingerprint to verify that you have the correct key. If an attacker replaces my key on this web site with a bogus one you might actually be encrypting messages for the attacker to read!

To check the fingerprint do

          gpg --edit pchapin

This goes into a special key editing mode. Use the fpr command to have GPG display the key fingerprint. The correct fingerprint for my key is: 7C36 F524 CB69 6C92 5C73 6960 C527 DAF1 829F 8212. Don't believe what you read here! An attacker who can replace my key on this site can also modify this page. You should obtain the correct fingerprint directly from me.

If you are sure you have the correct key you can sign my key with your key using the sign command. Then, if you want, you can export my key and give it to your friends. If your friends are confident that you only sign keys you are sure about, they can take your signature as "proof" that they have a valid copy of my key. They do not need to check the fingerprint directly with me. In this way GPG builds a "web of trust" that allows keys to be distributed in a reasonably secure manner without a central authority.

Once you have added my key to your key ring, you can view the contents of your key ring with the command

          gpg --list-keys
Encrypting and signing a message to me

First prepare your message in a text file using an editor of your choice. To encrypt the file use a command such as

          gpg -sea -r pchapin file.txt

Where file.txt is the name of the file containing the message. The -sea options mean the following

The -r option specifies the recipient of the message. In other words it specifies which public key to use to make the encryption. The command above will create the file file.txt.asc. It will not overwrite the original file (at least not without warning you first).

To send me the file, enter your mail program and include the file into the body of a mail message to me or as an attachment.

Verifying my signature

Occasionally I will send you messages that have been "clear signed" using GPG. A clear signed message can be read without using GPG but still has a GPG signature at the bottom. If you want to verify that I actually sent one of these messages you should export it out of your mail program (in pine use the "E" command while reading the message). Then leave your mail program and use the command

          gpg afile.txt

where afile.txt is the file where you saved the message. GPG will find the "BEGIN PGP SIGNED MESSAGE" header in the file and know what to do. If you have my public key on your key ring it will verify the signature and print out an appropriate message. If you don't have my public key you will be told that it can't verify the signature.

Security loophole!

GPG uses highly secure encryption algorithms. However, the strength of GPG can be easily compromised by mishandling. You should be especially aware of the following points.

To be truly secure, you should use GPG on your own machine with excellent physical security and with no network connections.

© Copyright 2017 by Peter C. Chapin.
Last Revised: October 23, 2017