I'm confused about GPG, and it's confused about me

Peter Lebbing peter at digitalbrains.com
Mon Jan 30 11:48:46 CET 2017


First off, two questions:

Why are you using GnuPG 1.4 by the way? It's generally only recommended
for server deployments rather than end-users. For desktop use, 2.0 and
2.1 are often a better choice.

And are you sure GnuPG 1.4 is the only GnuPG on your system? 1.4 and 2.0
will happily work together, but 2.1 doesn't combine well with 1.4. If
some of the tools you use actually use 2.1 and others use 1.4, confusion
may arise.

Often, GnuPG 1.4 will nonetheless be installed on your Linux system. For
instance, the package manager might use it to verify the signatures on
the package lists of your distribution. This is another use case for
1.4: not for the people with user accounts but for the system itself.

On 30/01/17 04:04, Reid Vail wrote:
> I have two email addresses. I'm to send an encrypted message from my gmail
> address to my runbox address just to test and to make sure I understand the steps,
> and to be sure I have the right tools loaded.

If you don't have anything worthwhile in your GnuPG installation, you
could radically start anew by just

$ cd ~
$ rm -r .gnupg

From the command line, you would create a key with

$ gpg --gen-key

and follow the prompts. In your setup, you would do it twice, once for
each e-mail address. However, note that you could also create one key
and associate both e-mail addresses with that one key. Many people have
one key to rule them all, with as many associated identities as they like.

A lot can be said on key expiry and revocation certificates. I'm going
to be brief and without justification recommend a key expiry of 2 years
and generating and keeping safe a revocation certificate with for example:

$ gpg -o revoc.asc --gen-revoke [KEYID]

Give no reason and no comment, since you don't know right now why you
might use it in the future.


If you generated a key, it will just be available on your keyring and
already be valid. Trust needs to anchor somewhere, there has to be some
initial step where you simply state "this is trusted". For OpenPGP,
that's on your own keys. With GnuPG, this is done by assigning
"ultimate" ownertrust to keys (here, your own keys). So you don't need
to sign your own keys if it is just for your own consumption. You could
still sign your own keys with your other own keys to indicate to other
people that you are saying you are really you. (You have to love the
sentences you get when talking about your multiple disjoint identities! :-)

If however you need to spread your own keys to several of your own
systems, you'd use

$ gpg -o my_sec.gpg --export-secret-key [KEYID]

then transfer my_sec.gpg to the second system and there:

$ gpg --import my_sec.gpg

followed by (this is important):

$ gpg --edit-key [KEYID] trust

and assigning ultimate trust to the imported key. GnuPG does this
automatically for keys /created/, not for keys /imported/. In general,
do this just for your own keys.


If you will habitually use one key and only incidentally the other,
you'd put the following in your gpg.conf:

default-key [KEYID]

This will tell GnuPG that of the several private keys, it should use
that one to make signatures. If you have only one private key (even if
it has multiple associated identities, one for GMail, one for Runbox),
you do not need this.

To encrypt to your GMail account from the command-line, do:

$ echo Hi to myself >test.txt
$ gpg -r rsv869@gmail.com -e test.txt

You now have an encrypted file test.txt.gpg. You are not prompted for a
passphrase since this is a public-key-only operation: it just needs the
public key of rsv869@gmail.com, which is not encrypted data. However, if
you also want to sign with rsv869@runbox.com, you'd do:

$ gpg -u rsv869@runbox.com -r rsv869@gmail.com -se test.txt

Now it will ask for a passphrase since you are signing it with the
Runbox key. If you had the Runbox key as a default-key in gpg.conf, you
could simply do:

$ gpg -r rsv869@gmail.com -se test.txt

If there is a default-key in gpg.conf but you wish to sign using the
other this time, use -u [KEYID] to choose which key to sign with.

To decrypt this file, you'd do:

$ gpg test.txt.gpg

which will prompt for the GMail key passphrase because that is the key
it was encrypted to. It will deliver a file called test.txt, and if it
was signed, it'll say so in the output.

Hopefully this helps you get started a bit.

Note that if you decide you want one key with both e-mail accounts
associated, you would add the second identity with:

$ gpg --edit-key [KEYID] adduid

You can just encrypt to yourself even with just one key, but if you
want, you can also send me an encrypted mail off-list and I will tell
you whether it could be decrypted or not.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
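The complete workflow from the mail above (key creation with a 2-year expiry, export and import with ultimate ownertrust, encrypt-and-sign, decrypt and verify), as an added example that is not part of Peter's message. It assumes GnuPG 2.2 or later on the PATH as gpg (for --quick-gen-key and --pinentry-mode loopback) and uses constructed names and addresses; the ownertrust step is done with --import-ownertrust as the unattended stand-in for the interactive "--edit-key trust".

```shell
#!/bin/sh
# Added example, not from the mail: the two-key workflow run unattended in
# throwaway homedirs. Assumes GnuPG 2.2+ (for --quick-gen-key and
# --pinentry-mode loopback); names and addresses are constructed placeholders.
set -eu

# Run gpg against one homedir, non-interactively and with an empty passphrase.
g() { h=$1; shift; GNUPGHOME="$h" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint for a user id, taken from the colon-format "fpr" record.
fpr_of() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# True when gpg agrees to encrypt to $2 inside homedir $1 in batch mode, i.e.
# when the recipient key is valid (ultimately trusted or otherwise verified).
can_encrypt_to() { printf x | g "$1" -r "$2" -e >/dev/null 2>&1; }

# Whole round trip; prints the decrypted text on success.
demo() {
    a=$(mktemp -d); b=$(mktemp -d); chmod 700 "$a" "$b"
    # One key per address with the 2-year expiry the mail recommends.
    g "$a" --quick-gen-key "Test User <gmail-like@example.org>" default default 2y
    g "$b" --quick-gen-key "Test User <runbox-like@example.net>" default default 2y
    # Move the first key to the second homedir, as when spreading a key to
    # another system. Imported keys get no ownertrust, so batch encryption
    # to that key is refused until trust is assigned.
    g "$a" --export-secret-keys gmail-like@example.org | g "$b" --import
    if can_encrypt_to "$b" gmail-like@example.org; then return 1; fi
    # Non-interactive equivalent of "gpg --edit-key KEYID trust" -> ultimate (6).
    echo "$(fpr_of "$a" gmail-like@example.org):6:" | g "$b" --import-ownertrust
    can_encrypt_to "$b" gmail-like@example.org
    # Encrypt to the imported key, sign with the key created here (-u), decrypt.
    printf 'Hi to myself\n' > "$b/test.txt"
    g "$b" -u runbox-like@example.net -r gmail-like@example.org -se "$b/test.txt"
    g "$b" --status-fd 2 -o "$b/out.txt" -d "$b/test.txt.gpg" 2> "$b/status"
    # GOODSIG in the status output means the signature was actually verified.
    grep -q '^\[GNUPG:\] GOODSIG ' "$b/status"
    cat "$b/out.txt"
    GNUPGHOME="$a" gpgconf --kill gpg-agent || true
    GNUPGHOME="$b" gpgconf --kill gpg-agent || true
    rm -rf "$a" "$b"
}
```

Running `demo` prints "Hi to myself"; the early `return 1` fires only if gpg encrypts to the imported key before ownertrust was assigned, which is the mistake the "(this is important)" step guards against.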