Using PGP/GPG Like A Pro

Hello. I have noticed a lack of proper tutorials on how to use PGP/GPG. I also noticed that the ones which did exist focused on using a GUI application. As an alternative, this tutorial describes the ins and outs of securely and easily using PGP/GPG to encrypt communications from a terminal interface, so one can maintain anonymity on Tor and make sure only the intended parties read the messages created. This is a guide on how to encrypt messages with the GNU Privacy Guard; it does not detail the inner workings, nor signing.

First and foremost, two common forms of asymmetric encryption are mentioned on the deep web: PGP and GPG. Both are more or less the same thing.

PGP stands for Pretty Good Privacy.

GPG refers to the more trusted GnuPG, which stands for GNU Privacy Guard.
As stated earlier, the two are considered very similar to one another, differing mainly in development and trust. This guide recommends the use of GnuPG, and will be using it.

A keypair is the combination of public and private keys that lets you exchange messages securely. Your keypair consists of your public key, the one you share with everyone else, and your private key, the one you keep to yourself and never distribute.

ASCII armor is the encoding of the encrypted data as printable ASCII characters instead of a binary .gpg file. This is desirable when sending messages using PM systems.

This guide will be using GnuPG, which can be downloaded from the following link (WARNING: CLEARNET LINK)
If you are running TAILS, GnuPG should already be installed. Once there, go ahead and download a stable release for the OS of your choosing. The application comes with GUI applications, and you are welcome to install them, but throughout this guide we will be using the terminal/command line instead.
You can test that the installation was successful by opening a terminal/command prompt and typing the following command:

gpg --help

A large amount of text, including command arguments, should be displayed on the console; this indicates the installation was successful.

===Generating a keypair===
Before we can encrypt a message, we need to generate a keypair. You only need to do this once. To do this, enter the following command:

gpg --gen-key

The following prompt will then be displayed:

gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1

The main difference between RSA and DSA/Elgamal is the underlying mathematical principles; for this guide we’ll be using RSA. Enter 1 and hit enter. Next prompt:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096

Technically you should be safe at 2048, but I would recommend the use of 4096 for the added security. Next prompt:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y

In the world of privacy, permanent anything is usually looked down upon, so I would recommend setting some length of time. For this tutorial my key will last for 1 year. To do this I enter 1y. Next prompt:

Key expires at 12/12/15
Is this correct? (y/N) y

I entered y, as it was the correct amount of time. The next prompt will ask for each of the following one at a time. The only field you actually need to fill out is real name. In that category put whatever you want. The Email address and comment are optional.

GnuPG needs to construct a user ID to identify your key.

Real name: WhatEverNameYouWant
Email address:
You selected this USER-ID:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Modification options are given, but I’m satisfied with my entry, so I entered O to progress further.

You will then be presented with a prompt to enter a passphrase. Pick a good one and move on. You will then be presented with the following message:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key CA637B79 marked as ultimately trusted
public and secret key created and signed.

Basically hit a bunch of keys on your keyboard, and click around a bit until it finishes generating random information. Once done, you should receive some form of confirmation, and return to the console. At this point you will have successfully generated a keypair that can be used to encrypt and decrypt messages.

===Getting your public key===
At this stage you now have your own keypair; the next step is to retrieve your public key so you can distribute it for others to use when messaging you. In this tutorial, we created a user under the ID of WhatEverNameYouWant. This is the ID which I shall use. To print the key, enter the following command:

gpg --armor --export WhatEverNameYouWant

where WhatEverNameYouWant is the ID or email picked when creating the keypair. This will print the public key to the console screen; if you want to save it to a file instead, enter the following command:

gpg --armor --output myPubKey.asc --export WhatEverNameYouWant

Where myPubKey.asc is the name and directory path of the file to save it to. This can be opened with a text editor, and the public key can be copied.

Here is the WhatEverNameYouWant public key that it displayed:

Version: GnuPG v2


===Importing someone else’s public key===
To encrypt a message for someone, you’re going to need to import their public key. Like generating a keypair, you only need to do this once. For this tutorial I will be importing the public key provided on Agora’s help and info page. You are more than welcome to import the public key displayed earlier. The first step is to copy the public key to a text file.
Once that is done, enter the following command:

gpg --import pubkey.asc

where pubkey.asc is the file where you saved the public key you want to import. Here’s the output you should receive:

gpg: key (Expunged): public key "Agora One" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

And that’s it, you can now write messages using the key imported.

===Encrypting a message===
Once you have imported someone else’s public key, you can encrypt a message. For this tutorial, I will use the text Hello World! and place it into file myMessage.txt .
Now that we have a file with a message in it, enter the following command:

gpg --armor --output encMessage.asc --encrypt myMessage.txt

where myMessage.txt is the name of the file you are encrypting. Throughout this tutorial, other parameters have been used alongside the main command. Let’s take a minute and examine them. Notice that we use --encrypt followed by the file name to specify the file to encrypt, but there are a few other parameters not yet fully described.
--armor tells the program to use ASCII armor; this makes GnuPG write the encrypted data as text characters so it can be copied and pasted.
--output enables the user to specify a name and location of the output file, where encMessage.asc is the desired name of the output file.

So once that command is input, the user will be prompted to enter a recipient. As seen earlier, the user ID for Agora was Agora One. So that is what I entered. Alternatively, the user’s email can also be entered. After that, I simply hit enter to confirm no other recipients.
This is what the console looked like:

You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: Agora One
gpg: (Expunged): There is no assurance this key belongs to the named user

pub  (Expunged)/(Expunged) Agora One
 Primary key fingerprint: (Expunged)
      Subkey fingerprint: (Expunged)

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

Current recipients:
(Expunged)/(Expunged) "Agora One"

Enter the user ID.  End with an empty line:

I just added this key from Agora, so I am well aware that it is the actual user ID; therefore I can trust it, and I input y and proceeded on. Needing no other recipients, I simply hit enter and let the program compile an encrypted message.

Upon completion, the file encMessage.asc was generated. When opened with a text editor, the PGP message was shown. This is the message which I would send to the recipient; in this case, the Agora staff.
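
The interactive session above accepts the key on the strength of its user ID alone. As an added example (not part of the original guide), here is a small sh helper that compares the imported key's fingerprint with one obtained from the key owner through a separate channel, and only then encrypts, addressing the key by fingerprint. The function names and the sample listing are constructed; the fingerprint you pass in is assumed to come from a source you trust.

```shell
#!/bin/sh
# Added example: check a key's fingerprint before encrypting to it.
# Function names and the sample listing are constructed for illustration.

# Print the primary-key fingerprint of every key in a --with-colons listing.
# The "fpr" record after a "pub" record holds it in field 10; "fpr" records
# that follow a "sub" record belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Drop spaces and uppercase, so "ab12 cd34 ..." equals "AB12CD34...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'abcdef' 'ABCDEF'
}

# Read a listing on stdin; succeed only if it holds exactly one key and that
# key's fingerprint is the expected one. User IDs are free text, so a second
# key carrying the same name makes the listing ambiguous and the check fail.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Verify the imported key, then encrypt to the fingerprint, not the name.
# Usage: encrypt_verified "Agora One" "<fingerprint>" myMessage.txt
encrypt_verified() {
    if gpg --with-colons --fingerprint "$1" | fpr_matches "$2"; then
        gpg --armor --output "$3.asc" \
            --recipient "$(normalize_fpr "$2")" --encrypt "$3"
    else
        echo "fingerprint mismatch or ambiguous user ID: $1" >&2
        return 1
    fi
}

# Constructed sample listing (not a real key), in the shape gpg prints.
SAMPLE_LISTING='pub:-:4096:1:1111222233334444:1418342400:1449878400::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1418342400::0000000000000000000000000000000000000000::Agora One:
sub:-:4096:1:5555666677778888:1418342400:1449878400:::::e:
fpr:::::::::9999AAAABBBBCCCCDDDDEEEE5555666677778888:'
```

encrypt_verified writes its output next to the input file with .asc appended; gpg may still ask its "Use this key anyway?" question, since the check does not change the key's trust setting.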

===Decrypting a message===
So at this stage you can now generate your own keys, and send messages to others using their keys. The only thing left is to decrypt a message when a user messages you. This is the text Hello World! when encrypted using the WhatEverNameYouWant public key:

Version: GnuPG v2


Decrypting this is a relatively painless and simple process. First I saved the message to a text file titled myEncMessage.asc. Once there I entered the following command:

gpg --decrypt myEncMessage.asc

where myEncMessage.asc is the name of the file with the message in it. This command outputs the message to the console; if you want it placed into a file instead, use the following command:

gpg --output myDecMessage.txt --decrypt myEncMessage.asc

Where myDecMessage.txt is the name of the file to export the message to.

The decryption process requires access to the private key; for this reason, you must provide the password you created when generating the keypair. During the process a prompt will appear; fill in the password and it will decrypt. Here is the output of the command with no output file specified:

You need a passphrase to unlock the secret key for
user: "WhatEverNameYouWant"
4096-bit RSA key, ID , created 2014-12-12 (main key ID)

gpg: encrypted with 4096-bit RSA key, ID , created 2014-12-12
Hello World!

Notice how a recipient is never specified; this is because the ciphertext can be linked to a key automatically. If the user has a message and the appropriate key to decipher it, GnuPG will find it on its own.

Here are a few extra useful commands that the GNU Privacy Guard provides:

gpg --list-keys

This command lists all public keys stored on the machine.

gpg --list-secret-keys

This command will do the same, but with private keys.

If you want to change a key to a trusted one, enter the following command:

gpg --edit-key WhatEverNameYouWant

The following will then appear:

gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/(Expunged) created: 2014-12-25  expires: 2015-12-25  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/(Expunged) created: 2014-12-25  expires: 2015-12-25  usage: E
[ultimate] (1). WhatEverNameYouWant

gpg> trust

I enter the command trust which takes me to the prompt asking to set the trust level.

pub  4096R/(Expunged) created: 2014-12-25  expires: 2015-12-25  usage: SC
                     trust: marginally validity: marginally
sub  4096R/(Expunged) created: 2014-12-25  expires: 2015-12-25  usage: E
[ultimate] (1). WhatEverNameYouWant

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5

I created the key, so there’s no reason not to trust it to its fullest extent; therefore I selected 5.

Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/(Expunged)  created: 2014-12-12  expires: 2015-12-12  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/(Expunged)  created: 2014-12-12  expires: 2015-12-12  usage: E
[ultimate] (1). WhatEverNameYouWant

And that’s that.


