Hello. I have noticed a lack of proper tutorials on how to use PGP/GPG. I also noticed that the ones which did exist focused on using a GUI application. As an alternative this tutorial will describe the in’s and out’s to securely and easily using PGP/GPG to encrypt communications, using a terminal interface, so one can maintain anonymity on tor and make sure only intended parties read the messages created. This is a guide on how to encrypt messages via the Gnu Privacy Guard, and does not detail the inner workings, nor signing.
===Terminology===
First and foremost, there are two different common forms of asymmetric encryption on the deep web that is mentioned; PGP, and GPG. both are more or less the same thing.
PGP stands for Pretty Good Privacy.
GPG refers to the more trusted GnuPG, which stands for GNU Privacy Guard.
As stated earlier, the two are considered very similar to one another, differing mainly in development and trust. This guide recommends the use of GnuPG, and will be using it.
A keypair is the combination of public and private keys that form your ability to securely send messages. Your keypair will consist of your public key; the one you share with everyone else, and your private key; the one you keep to yourself and never distribute.
ASCII Armor is the use of ASCII characters to display the encrypted data instead of using a .gpg file. This is desirable when sending messages using PM systems.
===Installation===
This guide will be using GnuPG, it can be downloaded from the following link (WARNING: CLEARNET LINK) https://www.gnupg.org/index.html
If you are running TAILS, GnuPG should already be installed. Once there, go ahead and download a stable release for the OS of your choosing. The application comes with GUI applications, and you are welcome to install them, but throughout this guide we will be using the terminal/command line instead.
You can test to ensure the installation was successful by opening a terminal/cmdPrompt and typing the following command:
gpg --helpA large amount of text including command arguments should display itself on the console, this indicates the installation was successful.
===Generating a keypair===
Before we can encrypt a message, we are going to need to generate a keypair. You only need to do this once. to do this, enter the following command:
gpg --gen-keyThe following text will then be prompted:
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1The main difference between RSA & DSA and Elgamal is the underlying mathematical principles, for this guide we’ll be using RSA. Enter 1 and hit enter. Next prompt:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096Technically you should be safe at 2048, but I would recommend the use of 4096 for the added security. Next prompt:
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1yIn the world of privacy, permanent anything is usually looked down upon, so I would recommend setting some length of time. For this tutorial my key will last for 1 year. To do this I enter 1y. Next prompt:
Key expires at 12/12/15
Is this correct? (y/N) yI entered y, as it was the correct amount of time. The next prompt will ask for each of the following one at a time. The only field you actually need to fill out is real name. In that category put whatever you want. The Email address and comment are optional.
GnuPG needs to construct a user ID to identify your key.
Real name: WhatEverNameYouWant
Email address:
Comment:
You selected this USER-ID:
"WhatEverNameYouWant"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? OModification options are given, but I’m satisfied with my entry, so I entered O to progress further.
You will then be presented with a prompt to enter a passphrase. Pick a good one and move on. You will then be presented with the following message:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key CA637B79 marked as ultimately trusted
public and secret key created and signed.Basically hit a bunch of keys on your keyboard, and click around a bit until it finishes generating random information. Once done, you should receive some form of confirmation, and return to the console. At this point you will have successfully generated a keypair that can be used to encrypt and decrypt messages.
===Getting your public key===
At this stage you now have your own keypair; the next step is to retrieve your public key so you can distribute it for others to use when messaging you. In this tutorial, we created a user under the ID of WhatEverNameYouWant. This is the ID which I shall use. To print the key, enter the following command:
gpg --armor --export WhatEverNameYouWantwhere WhatEverNameYouWant is the ID or Email picked when creating the keypair. This will print the public key to the console screen, if you want it instead to save it to a file the following command can instead be entered:
gpg --armor --output myPubKey.asc --export WhatEverNameYouWantWhere myPubKey.asc is the name and directory path of the file to save it to. This can be opened with a text editor, and the public key can be copied.
Here is the WhatEverNameYouWant public key that it displayed:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQINBFSbfIkBEADAaq137U0Tq15It9JJ9GHOQ0/ZLftvyIg6CBNxezK7DHWq8AJm
yYsU6QASOPkmNHFuY6fqDGAFv9ae28fBxdeoNGDKmzXrMtTWKyvyon2zzoHobtjU
09eW9sNkLVBLdfbE9bhz9vPR8/ZDRu7bb3sAMwA69AOg7TW3Q5Yr8jcsygy7W1Yt
3Kha6axJzhNt/rBQhHrUKAdPTMVMkmHEFTyJVo9UZ35zWcA+UqMmKNBTsNnNdt+1
XW68ptjUVXU+pqd955XUiYWR9g66F39TR6bXp1tQ73QjNZYjTiQc1ddZaJacoVYL
yzjpXB9dXa5l1tiTRlxF4zlPhhend+xuHSYDSjiW8AwpDqx47JP1RcpE+kGROE7u
GyLI6ZxgjGC5c60j6a4s3nlKgY05gBaDhfHncvNpUXFRn67YUlCzXssj587mS8MW
Eh+lxXBcg+KWK1Mq0D+LgasnOTE2s8ixD8MMiOiogrwUW8XTeLC4/lpkx40Xw3cp
5U5+7pnTrq1O28cjB3iWA8feFEvslercanzATJqP/S+3UN4LNdJn8SmgRFDMtoOq
/D2sfWT3oHM+8jEFmRUlEf9gflKV6WcEiAwPLXwLjP5WQwGki7IHr9EvVMYnKN2v
bzkkr4EnrQXRUM/dGL+lPYR7fr4sEoBBcQ+TA5x0HthtnS2MYNw+0rljbwARAQAB
tBNXaGF0RXZlck5hbWVZb3VXYW50iQI/BBMBAgApBQJUm3yJAhsDBQkB4TOABwsJ
CAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQU8Au/spje3kzhw//UYP8yMqjim6Y
O3SKGcouFVGNXb5AeUvVVzxUDT+mfiueTpeNWfjwtDmKpAxp3jXI/6oGmulvYKp9
ag/LkDdTr4VotQd+vt9Z90F82w/ZET7DYTYLe8djPPnwDXIeY/zDx2e9KnTIUASY
Ed00UHRLD0NIDqd4fFkZV5kzHjRqAC1V/s//aKS5Z5BZAarD6wVHjAC3j9HBw4C8
VU3kcqa3suFBRYh4Eiue4eZq0BlLv8h3USBEci8BlVSPpvn6Z2Wzw2c2X6JEoCw9
fodr88QKRe+JJVK+4FpATshEUDyX0ihnY2Zk5/wuUAVDjYbo8+STESakiTDOu4yF
eu+o3VaTS6H/UHfF+SXhvpg9y0DD2egM8Zg6wDARJhBmp/Zq/pDhgO8TkhBwTXR/
J0Uoc2+Qx6fxlGFnjT3ytQpsSgdH+s4euPfDrxt7jIU0NVWA314EpLkO4bYFooxr
eZ0zGBFhdejJ7j8eTYv6MMdThD/kV3buRGml13/+0FUQXQkXC44G/NEuXE0oGVlI
VsYUKcBR1tUfuaD++S80lsb9+6+DFXxWOFvsng8L/3FonHprWaz4HB71XoDT5p/t
OJLhOCUC/bL8lam3RCuru+wOVDriLA9iGCXyMcVDi5yCrzjb9tyZs8ZKbfyn9u4Q
26bEWn1+rXrRtPLTG1moxRF4QQCPKF+5Ag0EVJt8iQEQAOiMs5jIqyeNoA4VtBsp
hnD3cIpbDXB5eVd5y7iHJHSKtRRGXXgL+GzH47peFPE29lwI32gdjPvljTj91wOR
Y7IbdUP5kVMwSkGSVNdiBFA/EUzE6or7Cr+ue5qrqCqGPyNhMBpl4e9doixNuGg4
Sflq9QLEvrpwekH4InhH9+hVGWLZ2LxZY3YB7um/77YhOmWMuiXyBkd6zkU+qWcq
7PlKzLTfeAXwFPP/qmOdrH+heL1NeX31/7c907KIK793sUba2wFM8YP3q8T0UT8c
/1CfZytxbwGCBOGtnXQeqHVdrEDO93l15ExefsStU+LncwKjeVMQemkBv5fmf8Fy
S/0Etc/O23xTzCGRPgg5PlI5zpZ6zYseMkHUvjY3UST4Qli3WKdxM+XdVuTYJlDN
ITaHOBdIAw0XktcRaAl9rmOsXHiAv98TWQ66ERxUb7IL5p3E0RYXHBt7kvlV/nQa
eXaltoj6BMRX90Rl0U1GVmf4ZdKuRCeR4EEuQR1ydUYArZ2xcLKwVY5PVSgXiTLs
D+TKdItgAtmNIec1QUDxN3Jk3t35QeuJwu0IvgqBB4aejq/bcc+R6O7PXl7/Ifaz
uIHDCqWIiKKVE+kjn50zhlCAJ7sUvsO3bY6v+XpNmouv2OH+GicgxZ4E2euvmhzT
I49hCOFn8GQuGj6dGl42yMnPABEBAAGJAiUEGAECAA8FAlSbfIkCGwwFCQHhM4AA
CgkQU8Au/spje3lunhAAjPqsOagjbqYyt/gq+SRq84bYY0lbpEvuEe/u0BGsFcOI
+ZjvCa+GzAUrQIBZbXiuueLFeAhoUaXc3ghkvtcpoaSrxvslEjztznLAcquvJtxq
g89DefpOH+eov1gAKnH4FcaPraYC9EKTLUtXDWJUqo0fXwtkeH8uFYtG5VHCSSkn
W9yQy8rLvxJgc/SAnVPZ+Cqt0O3ZMArgGwHViyGbsEHRSKhOKnACko50dV070E4e
Ox2C+IjIkHDpQ7XKpMyKIu08cSj0Q0q9zKF9cW6keozSQo/uNCitPi4bzywbLooY
O++gGGwvXu77b4rs+2DFOXbutXFUUVdiB+Ed+bcZ6qrPMLmP22SgB6jbPkd06SfB
vHaM7oMbOPghEFTXYuIKvz2IagP+v6k73RKG1ByVz8pr3iFBJj+L8FbUwaNsu19C
mOooEj+dQlS7dsHZdOwD4NNwCQQ5E5yLoQVgrHFjQP+LfOWLj6jcmnRlExUSjHhK
/9aoaxgMJqbPlcgCygMg2ZHnJDVQtIZRpQuwMj9vf6ZSBejViOW/mrWVhwJIoARm
Hepl8ZBp+DZcRLsyslB51sFoZusc12gS68TlJhv6VDYCWLFuFD9ct097ZC9IrtWa
vGUpqfY0i7bap29k6GKXCYqmzNMMYGZ2PYtitYhHE++h+C2CXsQ9t6pMc3rhTUE=
=U4Mn
-----END PGP PUBLIC KEY BLOCK-----===Importing someone else’s public key===
To encrypt a message for someone, you’re going to need to import their public key. Like generating a keypair, you only need to do this once. For this tutorial I will be importing the public key provided on Agora’s help and info page. You are more than welcome to import the public key displayed earlier. The first step is to copy the public key to a text file.
Once that is done, enter the following command:
gpg --import pubkey.ascwhere pubkey.asc is the file where you saved the public key you want to import. Here’s the output you should receive:
gpg: key (Expunged): public key "Agora One" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)And that’s it, you can now write messages using the key imported.
===Encrypting a message===
Once you have imported someone else’s public key, you can encrypt a message. For this tutorial, I will use the text Hello World! and place it into file myMessage.txt .
Now that we have a file with a message in it, enter the following command:
gpg --armor --output encMessage.asc --encrypt myMessage.txtwhere myMessage.txt is the name of the file you are encrypting. Throughout this tutorial, there has been use of other parameters before encrypting the message. Let’s take a minute and examine the parameters set forth. Notice that we use –encrypt and then the file name to specify the file to encrypt, but there are a few other parameters not fully described.
–armor tells the program to use ASCII armor, this makes GnuPG encrypt the data in the file so it can be copied and pasted via text characters.
–output enables the user to specify a name and location of the output file, where encMessage.asc is the desired name of the output file.
So once that command is input, the user will be prompted to enter a recipient. As seen earlier, the user ID for Agora was Agora One. So that is what I entered. Alternatively, the user’s email can also be entered. After that, I simply hit enter to confirm no other recipients.
This is what the console looked like:
You did not specify a user ID. (you may use "-r")
Current recipients:
Enter the user ID. End with an empty line: Agora One
gpg: (Expunged): There is no assurance this key belongs to the named user
pub (Expunged)/(Expunged) Agora One
Primary key fingerprint: (Expunged)
Subkey fingerprint: (Expunged)
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
Current recipients:
(Expunged)/(Expunged) "Agora One"
Enter the user ID. End with an empty line:I just added this key from agora, so I am well aware that it is the actual user ID, therefore I can trust it, and input y and preceded on. Needing no other recipients, I simply hit enter and let the program compile an encrypted message.
Upon completion, the file encMessage.asc was generated. When opened with a text editor, the PGP message was shown. This is the message which I would send to the recipient, in this case it would be the Agora staff.
===Decrypting a message===
So at this stage you can now generate your own keys, and send messages to others using their keys. The only thing left is to decrypt a message when a user messages you. This is the text Hello World! when encrypted using the WhatEverNameYouWant public key:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2
hQIMA0O56MNiiHV5AQ//WLFKdMBF0a5vuW9EoNbWvS656cPBvKHiEBT7ygtvHLfM
DS7hDzp+F7gqImm3Ql3be5o+7QNHDIRWdEiZ2SR3NopHyRYHEA9k3G+d33qV/Ykz
su8qqxUm7Y3UKtf2nKpY3jRPml5Stm8QtwaznARH6tPqzHCh69f7Uz40pwpbl53v
kpTOKcjYAwI5rC/k4GNgGj3luhEgzha13j7VXDl9zaXK78NaBQCBqUUJbtPG3jmv
vZRLvvgMPxbSuyyYPNbXoNkvImNfP4UdD4KSBRHq2LiSDkkyJqXZJ2ZrP7j3gE/4
rJ2hiUeJLQpDE51CEpGY0lfJIFz7JbIv+V3CNqkJOR/2TtqZhjkp4gLFgVPNpolf
mVoTG0eOZjieP9d56cPVEW3uEpc4CvtqDHIRQeEBMgPVQeKTL+iTk8Zq02Bg6C0l
8ITh/ekhiweD5jBbC0to7PCHFMH4TJklnRrmzl2ykNzcB6RR1QJgk9EceE/vxYEB
Y2FFqTUcbzZRi4hpCbfqgDZDgG9SbUgkDmWLV0OuQ/iGZJiu7wyI4KiXl9BSoY7q
NrMjhvOBUNFIn7FoquxH9c+ETUFnchm9y9Cu3+RzA8eqqJF+sCrCXokLE/J6aRrW
zq0FlK4lzpFMHSYWpt7CDJh5uIe6zxyzPDN2vUAbGAzW8mLaA5IEKLH2yHJehcrS
VAHd/9l3vKzweZdugQVAloTBMdX06YZBlhuBQl19br1SGiFTk+TeiyykQCqrWHYt
bDoXB1S9BX8ux8RRSi53Y9xVN0/EA5pYJpzx8geJ0NikFeAFSQ==
=gL3V
-----END PGP MESSAGE-----Decrypting this is a relatively painless and simple process. First I saved the message to a text file titled myEncMessage.asc. Once there I entered the following command:
gpg --decrypt myEncMessage.ascwhere myEncMessage.asc is the name of the file with the message in it. This command will have it output the message into the console, if you want it to be placed into a file instead, use the following command:
gpg --output myDecMessage.txt --decrypt myEncMessage.ascWhere myDecMessage.txt is the name of the file to export the message to.
The decryption process requires accessing the private key; for this reason, you must provide the password you created when generating the keypair. During the process a prompt will appear, fill in the password and it will decrypt. Here is the output of the command with no output file specified:
You need a passphrase to unlock the secret key for
user: "WhatEverNameYouWant"
4096-bit RSA key, ID , created 2014-12-12 (main key ID)
gpg: encrypted with 4096-bit RSA key, ID , created 2014-12-12
"WhatEverNameYouWant"
Hello World!Notice how a recipient is never specified, this is because the ciphertext can be linked to a key automatically. If the user has a message and the appropriate key to decipher it, GnuPG will find it on it’s own.
===Kudos===
Here are a few extra useful commands that the GNU Privacy Guard provides:
gpg --list-keysThis command lists all public keys stored on the machine.
gpg --list-secret-keysThis command will do the same, but with private keys.
If you want to change a key to a trusted one, enter the following command:
gpg --edit-key WhatEverNameYouWantThe following will then appear:
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/(Expunged) created: 2014-12-25 expires: 2015-12-25 usage: SC
trust: ultimate validity: ultimate
sub 4096R/(Expunged) created: 2014-12-25 expires: 2015-12-25 usage: E
[ultimate] (1). WhatEverNameYouWant
gpg> trustI enter the command trust which takes me to the prompt asking to set the trust level.
pub 4096R/(Expunged) created: 2014-12-25 expires: 2015-12-25 usage: SC
trust: marginally validity: marginally
sub 4096R/(Expunged) created: 2014-12-25 expires: 2015-12-25 usage: E
[ultimate] (1). WhatEverNameYouWant
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5I created the key, so there’s no reason other than to trust it to its fullest extent, therefore I selected 5.
Do you really want to set this key to ultimate trust? (y/N) y
pub 4096R/(Expunged) created: 2014-12-12 expires: 2015-12-12 usage: SC
trust: ultimate validity: ultimate
sub 4096R/(Expunged) created: 2014-12-12 expires: 2015-12-12 usage: E
[ultimate] (1). WhatEverNameYouWantAnd that’s that.
DeadDeafcon
Full article (Only available on Tor):
Linux Security Blog 