by hash3liZer . 02 March 2019
Privacy, data theft and online fraud are among the reasons you might want to encrypt your files, or the data may simply be too confidential to be transmitted over the wire. GnuPG (GNU Privacy Guard) is a flexible tool that encrypts data securely with a choice of algorithms while keeping the keys private, so that only we have the right to access the data.
GPG, also named GnuPG, came as a successor to PGP (Pretty Good Privacy). Both tools are used to encrypt files and data. However, GPG is based on the IETF-approved OpenPGP standard, and users usually choose GPG for no other reason than that it is open source and free to use.
Unlike OpenSSL, it works by maintaining state and keys to encrypt and decrypt data. Coming to the point: you can import keys from other software and export them, do symmetric and asymmetric encryption, push to and pull from a keyserver, and produce output that can be transmitted over the internet. Let's find out:
If you are running the latest version of Debian or a Debian flavour like Parrot or Kali, GnuPG will already be installed. If you don't have it, you can install it with the apt package manager:
$ apt update
$ apt install gnupg
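Or, to install the latest version and do the homework yourself, you can compile the binaries from GitHub. Make sure you have the dependencies needed for the installation. You can get all the documentation here:
$ git clone https://github.com/gpg/gnupg.git
$ cd gnupg/
$ ./autogen.sh    # a git checkout has no configure script until this generates it
$ chmod a+x ./configure
$ ./configure --enable-maintainer-mode    # needed when building from git instead of a release tarball
$ make && make check && make install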
The difference between symmetric and asymmetric encryption is that the latter uses two different keys (private and public) to encrypt and decrypt data, while the former uses the same key for both. Both have their own pros and cons. If the situation is simple, with you and your receiver agreeing to use the same key, then the former option might be suitable for you. To generate the encrypted file:
$ gpg --symmetric [YourFile.txt]
Now, if you happen to be on a server or connected to a remote computer through the command line, you can alter the syntax, because otherwise a GUI would be required to enter your password:
$ gpg --batch --pinentry-mode loopback --passphrase password --symmetric text.txt
This will create an encrypted file named text.txt.gpg. Note that a passphrase given with --passphrase is visible in the process list and ends up in your shell history. Now, remove the original file and decrypt the file generated by gpg:
$ rm text.txt
$ gpg text.txt.gpg
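The same round trip with the passphrase supplied on a file descriptor instead of as a command-line argument. This is an added example, not from the original post; it assumes GnuPG 2.1 or later on PATH, and the function names, file names and passphrase are constructed.

```shell
# Added example (not from the original post). Assumes GnuPG 2.1+ on PATH.
# gpg reads the first line of file descriptor 3 as the passphrase, so the
# secret never appears in argv.

# encrypt_sym PASSFILE INFILE OUTFILE
encrypt_sym() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 3 --output "$3" --symmetric "$2" 3<"$1"
}

# decrypt_sym PASSFILE INFILE   (plaintext is written to stdout)
decrypt_sym() {
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 3 --decrypt "$2" 3<"$1"
}

# roundtrip_demo: encrypt and decrypt a constructed file inside a throwaway
# GNUPGHOME, then print the recovered plaintext. Runs in a subshell so the
# exported variable, umask and trap do not leak into the caller.
roundtrip_demo() (
    umask 077
    work=$(mktemp -d) || exit 1
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$work"' EXIT
    export GNUPGHOME="$work/home"
    mkdir -m 700 "$GNUPGHOME" || exit 1
    printf '%s\n' 'constructed-demo-passphrase' > "$work/pass"
    printf '%s\n' 'constructed sample plaintext' > "$work/text.txt"
    encrypt_sym "$work/pass" "$work/text.txt" "$work/text.txt.gpg" || exit 1
    decrypt_sym "$work/pass" "$work/text.txt.gpg"
)
```

Keep the passphrase file readable only by its owner (the umask above does that here) and remove it when it is no longer needed.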
Now, coming to the actual part: let's say we are building an application to transfer data between two servers and we have to ensure data integrity and security. It would be better to go the other way and create two different keys, one to encrypt and the other to decrypt. You can put the public key somewhere public, such as a website, and tell your sender to encrypt data with that key. The fun part is that only you can decrypt the data, because only you have the key to do so.
Now, first generate the key-pair:
$ gpg --gen-key
This will prompt you for basic information such as your name and email address. It then generates a pair of keys, which you can view with the following commands:
$ gpg --list-keys
The above lists the public keys available in your key manager. To view the private keys:
$ gpg --list-secret-keys
If you already have a pair of keys from another tool that uses gpg, you can import them as well:
$ gpg --import anotherkey.asc
People all over the world use keyservers to make their public keys available to the general public. You can fetch the keys you need directly from such a server with gpg, like this:
$ gpg --keyserver [keyserver.net] --search-keys [parameters]
And finally, you can export your own generated keys to provide them to the general public:
$ gpg --export -a "hash3liZer" > publickey.pub
And to export private keys as well:
$ gpg --export-secret-keys -a "hash3liZer" > privatekey.priv
As with everything else we have seen, encrypting and decrypting is easy with gpg. By default, the encrypted version of a file is produced in a binary form that can't be transferred through requests. Put simply, you can produce an encrypted copy of a file with this command:
$ gpg --encrypt --recipient [email protected] [YourFile.txt]
To produce ASCII-armored output that can be transferred over the wire:
$ gpg --encrypt --armor --recipient [email protected] [YourFile.txt]
When you receive a file that has been encrypted with your public key, just pass the file to gpg:
$ gpg filereceived.gpg
Or, even better, store the data in a separate file:
$ gpg --output output.txt --no-tty filereceived.gpg
Now, since keys can be disclosed publicly, it's important to know whether a key you get from someone else really belongs to that person. For example, someone gives you a key and says he is the owner when in fact he is not. Such a situation can be handled by verifying the fingerprint of the key with the end user. You can get the fingerprint of a key:
$ gpg --fingerprint [email protected]
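One way to script the fingerprint check, as an added example that is not part of the original post: it reads gpg's machine-readable --with-colons listing and compares the primary key's fingerprint with the value the owner gave you over a separate channel. The function names and the sample listing are constructed for illustration.

```shell
# Added example (not from the original post). Function names and the sample
# listing are constructed; real input comes from:
#   gpg --with-colons --fingerprint KEY | fpr_matches "FINGERPRINT FROM OWNER"

# primary_fpr: stdin is a --with-colons listing. Prints field 10 of the first
# "fpr" record after a "pub" record: the primary key's fingerprint. Later
# "fpr" records belong to subkeys and are ignored.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# normalize_fpr: drop spaces and upper-case, so "0123 4567 ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# fpr_matches EXPECTED: returns 0 on an exact match, 1 on a mismatch, and 2 if
# EXPECTED is not a full fingerprint (40 hex digits for v4 keys, 64 for v5).
# Short 8- or 16-digit key IDs are refused instead of being compared.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        '' | *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || [ "${#expected}" -eq 64 ] || return 2
    actual=$(primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed listing in the shape of gpg's output; every value is made up.
SAMPLE_LISTING='pub:-:255:22:89ABCDEF01234567:1551484800:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1551484800::::Alice Example <alice@example.org>:
sub:-:255:18:33221100FFEEDDCC:1551484800::::::e:
fpr:::::::::FFEEDDCCBBAA99887766554433221100FFEEDDCC:'
```

The expected value must come from the owner directly (in person, by phone, on a business card), not from the same place the key was downloaded from.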
If you trust a person and have already validated the key, you can sign it. Then, if you export this key and send it to someone else who trusts you, that person is likely to trust the owner of the key as well. This way one person can be an intermediary between the general public and companies.
And the public can trust the intermediary without actually contacting the company. Signing a key is very straightforward:
$ gpg --sign-key [email protected]
To delete a key from an author (if you also hold its secret key, gpg requires that one to be deleted first):
$ gpg --delete-secret-keys [email protected]
$ gpg --delete-keys [email protected]
GPG can help us secure our data for communication over the internet. It not only encrypts the data securely but also gives us a robust way to transfer it over the wire to a specific person or to the public. An intermediary can act on behalf of a company and gain the trust of people without either side having to mistrust the other.
Securely encrypting data sent over the internet is a concern for every mainstream user; no one wants their data compromised by intercepting parties or by sniffers installed on networks by hackers.