GPG : Creating a Private/Public Keypair


GPG operates with a pair of keys: a public key and a private (or secret) key.

The public key can, will and must be distributed to your correspondents (or whatever you call them). The private (secret) key is kept by you and only you. If you would like a comparison with the "real" world: a public key is (in some way) like a padlock, and the private key is like the physical key that opens that padlock. You can hand out as many padlocks as you wish to your friends, family and coworkers. They can put something in a box and lock it with your padlock. Notice that they need nothing else but the padlock you distributed.

On the other hand, if such a package (locked with your padlock) arrives at your door, there is one (and only one) person who can open the padlock: the holder of the matching physical key.

In our digital world: let's say Bob and Alice like to send each other secret pictures (I don't know what pictures). If the pictures (or messages) are that secret, they want to make sure that if Bob sends a picture only Alice can see it, and the other way around: if Alice sends a picture only Bob can see it.

GPG makes this scenario work. Bob and Alice each create a public/private keypair. Bob sends his public key to Alice, and Alice sends her public key to Bob. What happens next (a possible scenario):

  1. Bob finds a very nice picture he wants to show Alice.
  2. Bob encrypts the file (a picture is a file, right?) with the public key he received from Alice.
  3. Bob sends the encrypted file to Alice.
  4. Alice receives the encrypted file from Bob.
  5. Alice has the private key that matches the public key Bob encrypted the file with, so Alice decrypts the file with her private key. (The private key is protected with a passphrase, which gpg asks for at this point.)
  6. Alice enjoys the picture.

The other way around is (of course) similar:

  1. Alice encrypts a file with the public key provided by Bob.
  2. Alice sends the encrypted file over to Bob.
  3. Bob decrypts the file with the private key corresponding to that public key.

What happens when an encrypted file is sent to John? If John is a friend of Bob and Alice he may also have their public keys. But you cannot decrypt a file with a public key: only the owner of the matching private key can decrypt it. So if Bob decides that John may also view the picture, Bob needs John's public key, encrypts the file with it and sends that encrypted file to John, who can then decrypt it with his private key. Notice that this last file cannot be decrypted by Alice: she does not have the private key corresponding to the public key the file was encrypted with.

Take-away points:

  • Keep your private key private!
    • (And don't lose it: it cannot be re-generated. If it's gone, it's gone. The revocation certificate that gpg stores next to the keyring when it creates the key is the only thing that lets you tell others the key is no longer valid, so keep that safe as well.)
  • You can distribute the public key to anyone.
  • The public key is for encrypting.
  • The private key is for decrypting.


Let’s generate a public/private keypair:

[martijn@radijs ~]$ gpg --gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Alice
Email address: alice@maboc.nl
You selected this USER-ID:
    "Alice <alice@maboc.nl>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 04DCFBE4CBC60470 marked as ultimately trusted
gpg: revocation certificate stored as '/home/martijn/.gnupg/openpgp-revocs.d/BDE968AD7D64C2EDCF86E32204DCFBE4CBC60470.rev'
public and secret key created and signed.

pub   rsa2048 2020-11-04 [SC] [expires: 2022-11-04]
      BDE968AD7D64C2EDCF86E32204DCFBE4CBC60470
uid                      Alice <alice@maboc.nl>
sub   rsa2048 2020-11-04 [E] [expires: 2022-11-04]

[martijn@radijs ~]$

The command given: gpg --gen-key. gpg asks you a few things and creates the keypair, which it immediately stores in the gpg keyring, so you do not end up with two files. With the defaults used above that is an RSA 2048-bit primary key for signing and certifying ([SC]) plus an RSA 2048-bit subkey for encryption ([E]), both valid for two years; the note in the output points to gpg --full-generate-key if you want to choose the algorithm, key size and expiry yourself. Also note the revocation certificate gpg stored under ~/.gnupg/openpgp-revocs.d/: keep it somewhere safe, because it is what you publish if the private key is ever lost or compromised.

Let’s have a look at the public keys in my keyring:

[martijn@radijs ~]$ gpg --list-keys
/home/martijn/.gnupg/pubring.gpg
--------------------------------
pub   rsa2048 2013-11-06 [SC]
      C231212EA5A7F7899B7D6CB01A72A9C77464C96F
uid           [ultimate] Martijn Bos (Pipesmoking Idiot) 
sub   rsa2048 2013-11-06 [E]

pub   rsa2048 2014-05-02 [SCA]
      B373F3BC8699ED78BF34DF143B13088E5679E916
uid           [ultimate] Martijn Bos 
sub   rsa2048 2014-05-02 [E]

pub   rsa2048 2020-11-04 [SC] [expires: 2022-11-04]
      BDE968AD7D64C2EDCF86E32204DCFBE4CBC60470
uid           [ultimate] Alice <alice@maboc.nl>
sub   rsa2048 2020-11-04 [E] [expires: 2022-11-04]

[martijn@radijs ~]$

And let’s look at the private keys in my keyring:

[martijn@radijs ~]$ gpg --list-secret-keys
/home/martijn/.gnupg/pubring.gpg
--------------------------------
sec   rsa2048 2013-11-06 [SC]
      C231212EA5A7F7899B7D6CB01A72A9C77464C96F
uid           [ultimate] Martijn Bos (Pipesmoking Idiot) 
ssb   rsa2048 2013-11-06 [E]

sec   rsa2048 2014-05-02 [SCA]
      B373F3BC8699ED78BF34DF143B13088E5679E916
uid           [ultimate] Martijn Bos 
ssb   rsa2048 2014-05-02 [E]

sec   rsa2048 2020-11-04 [SC] [expires: 2022-11-04]
      BDE968AD7D64C2EDCF86E32204DCFBE4CBC60470
uid           [ultimate] Alice <alice@maboc.nl>
ssb   rsa2048 2020-11-04 [E] [expires: 2022-11-04]

[martijn@radijs ~]$
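The Bob/Alice/John exchange from the top of this post, together with an unattended version of the key generation and key listing shown above, as an added example (this is not code from the original post). It is a POSIX shell script that drives the real gpg binary in three throw-away keyrings (--homedir) so your own ~/.gnupg is untouched. The names, the example.invalid addresses and the "picture" are made up for the demo, and the keys are generated without a passphrase purely to avoid prompts. It goes one step beyond the text by also encrypting a single file to two recipients at once.

```shell
#!/bin/sh
# Added example, not part of the original post: the Bob/Alice/John exchange
# run end-to-end with gpg in throw-away keyrings. Names, example.invalid
# addresses and the "picture" contents are made up for this demo.
set -u

ALICE_UID='Alice <alice@example.invalid>'
BOB_UID='Bob <bob@example.invalid>'
JOHN_UID='John <john@example.invalid>'

# Unattended stand-in for the interactive "gpg --gen-key" dialog. The empty
# passphrase only avoids a prompt in the demo; protect a real key with one.
gen_key() {  # gen_key HOMEDIR "Name <mail>"
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never 2>/dev/null
}

# The "padlock": only the public key ever leaves its owner's keyring.
export_pub() {  # export_pub HOMEDIR mail   (armored public key on stdout)
    gpg --homedir "$1" --armor --export "$2"
}

import_pub() {  # import_pub HOMEDIR keyfile
    gpg --homedir "$1" --batch --quiet --import "$2" 2>/dev/null
}

# Sender side: encrypt to the public key(s) of one or more recipients.
# --trust-model always suppresses the "no assurance this key belongs to the
# named user" refusal for a freshly imported, unverified key; in real use,
# verify the fingerprint out of band instead of trusting blindly.
encrypt_to() {  # encrypt_to HOMEDIR plaintext ciphertext mail...
    h=$1; in=$2; out=$3; shift 3
    rcpt=''
    for m in "$@"; do rcpt="$rcpt --recipient $m"; done
    # shellcheck disable=SC2086  # word splitting of $rcpt is intended
    gpg --homedir "$h" --batch --quiet --trust-model always $rcpt \
        --output "$out" --encrypt "$in" 2>/dev/null
}

# Receiver side: succeeds only if this keyring holds a matching private key.
decrypt_with() {  # decrypt_with HOMEDIR ciphertext plaintext
    gpg --homedir "$1" --batch --quiet --output "$3" --decrypt "$2" 2>/dev/null
}

# Whole scenario in a subshell so the keyrings are removed on any exit path.
# Prints OK on stdout when every step behaved as the post describes.
demo_gpg_flow() (
    W=$(mktemp -d) || exit 1
    trap 'for p in alice bob john; do GNUPGHOME="$W/$p" gpgconf --kill gpg-agent 2>/dev/null; done; rm -rf "$W"' EXIT
    for p in alice bob john; do mkdir -m 700 "$W/$p" || exit 1; done

    gen_key "$W/alice" "$ALICE_UID" || exit 1
    gen_key "$W/bob"   "$BOB_UID"   || exit 1
    gen_key "$W/john"  "$JOHN_UID"  || exit 1

    # Alice and John hand Bob their public keys; no private key changes hands.
    export_pub "$W/alice" alice@example.invalid > "$W/alice.pub" || exit 1
    export_pub "$W/john"  john@example.invalid  > "$W/john.pub"  || exit 1
    import_pub "$W/bob" "$W/alice.pub" || exit 1
    import_pub "$W/bob" "$W/john.pub"  || exit 1
    # Bob's keyring now lists Alice's public key but has no secret key for her.
    gpg --homedir "$W/bob" --batch --list-keys alice@example.invalid >/dev/null 2>&1 || exit 1
    gpg --homedir "$W/bob" --batch --list-secret-keys alice@example.invalid >/dev/null 2>&1 && exit 1

    printf 'a very nice picture\n' > "$W/picture"

    # Steps 1-6: encrypted with Alice's public key, decrypted with her private key.
    encrypt_to "$W/bob" "$W/picture" "$W/for_alice.gpg" alice@example.invalid || exit 1
    decrypt_with "$W/alice" "$W/for_alice.gpg" "$W/alice_sees" || exit 1
    cmp -s "$W/picture" "$W/alice_sees" || exit 1
    # Even the sender cannot open it: Bob holds Alice's padlock, not her key.
    decrypt_with "$W/bob" "$W/for_alice.gpg" "$W/bob_sees" && exit 1

    # The John case: a copy encrypted to John's public key is opaque to Alice.
    encrypt_to "$W/bob" "$W/picture" "$W/for_john.gpg" john@example.invalid || exit 1
    decrypt_with "$W/john" "$W/for_john.gpg" "$W/john_sees" || exit 1
    cmp -s "$W/picture" "$W/john_sees" || exit 1
    decrypt_with "$W/alice" "$W/for_john.gpg" "$W/alice_tries" && exit 1

    # Beyond the post: one file can be encrypted to several public keys at once,
    # after which each listed recipient decrypts it with their own private key.
    encrypt_to "$W/bob" "$W/picture" "$W/for_both.gpg" alice@example.invalid john@example.invalid || exit 1
    decrypt_with "$W/alice" "$W/for_both.gpg" "$W/alice_both" || exit 1
    decrypt_with "$W/john"  "$W/for_both.gpg" "$W/john_both"  || exit 1
    cmp -s "$W/alice_both" "$W/john_both" || exit 1

    echo OK
)

if command -v gpg >/dev/null 2>&1; then
    demo_gpg_flow
else
    echo 'gpg is not installed; nothing to demonstrate' >&2
fi
```

Run it as `sh demo.sh`; it prints OK when every step behaved as the post describes. The two deliberately failing steps are the point of the padlock analogy: Bob, who only holds Alice's public key, can neither decrypt the file he just encrypted to her nor find her under --list-secret-keys, and Alice cannot open the copy that was encrypted to John.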

That will be enough for one day….
