This site is now 100% read-only, and retired.

Gnu Privacy Guard (GPG)

Posted by chris on Tue 21 Mar 2006 at 09:29

GNU Privacy Guard, or GPG, is a free replacement for the famous encryption tool PGP written by Phil Zimmermann. It is a tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. Here we'll provide a quick introduction to generating a key-pair and using it for basic tasks.

Gnu Privacy Guard


What is Gnu Privacy Guard (gnupg) ?

According to the Gnu Privacy Handbook "GnuPG is a tool for secure communication".

In a little more detail - gnupg is a tool that uses "Public Key Cryptography" to allow you to encrypt documents so that only the people you want can decrypt it and to sign documents so that people can be sure that it really was you that sent it.

The GPG handbook has all the information you could possibly need about using gnupg and should be your first place to look if you are unsure about anything. A lot of the information included here is based on the GPG handbook.

A very brief intro to public key cryptography

Cryptography comes in two basic sorts - symmetric and asymmetric.

Symmetric cryptography is where both the sender and the receiver have the same key (a secret) which can both be used to encrypt/decrypt a document. The trouble with this is that it is hard to ensure safe distribution of the secret.

Asymmetric cryptography is where a different key is used for the encryption and decryption actions.

Public key cryptography is normally based on asymmetric cryptography. This is how gnupg works. Every user has a key pair (a secret key and a public key). Anyone and everyone has access to the public key. Anything encrypted with the public key can be decrypted using the private key. Anything signed with the private key can be verified with the public key. So - only the owner can sign and decrypt - but anyone can check a signature - or send the owner stuff encrypted in such a fashion that they can decrypt it.

What is Signing?

Signing is the act of attaching a digital signature (created using a private signing key) that anyone with the appropriate public key can verify.

What is Encryption?

Encryption is the act of transforming a document so that only the person with the ability to decrypt can obtain the original content (the content in clear).

For more information - see the Gnu Privacy Handbook.


This being debian - a quick:

aptitude install gnupg
will suffice.

Your key pair

To be able to do much with gnupg you will need your own private/public key pair.

Key generation

When a person creates their first key - the system requires that it can be used for signing. You can also choose to have a sub-key created to allow for encryption.

So - let's create a key (gnupg uses ~/.gnupg as a default homedir)

gpg --gen-key

The first question is on key type. The first option will create both a DSA signing key and an Elgamal encryption key - so let's choose that:

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?

When creating the Elgamal key the system wants to know how large a key to use. It can be between 1024 and 4096 bits long (at least on Debian sid) and defaults to 2048. The Gnu Privacy Handbook suggests that the default is just fine:

DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Now you need to decide how long the key should be valid for. The default is for a non-expiring key:

 Please specify how long the key should be valid.
       0 = key does not expire
    <n>  = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
Key is valid for? (0) 

Finally you need to associate a primary ID with the keypair. An ID is a name, optional comment and e-mail address:

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: <Your Real Name>
Email address: <Your E-Mail Address>
Comment: <A comment if you want one>
You selected this USER-ID:
    "Your Real name (A comment if you want one) <Your E-Mail Address>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

All that's left is to define a passphrase. Note - it's called a passphrase not a password. It should be at least a good password and preferably several words long.

Generating a revocation certificate

But - what happens if you have a non-expiring key and someone gets hold of the secret key? Or what happens if you lose the secret key? You need to be able to revoke the keys so that other people see them as non-valid.

To do this - we need a revocation certificate. This has to be generated using the secret key - so DO IT STRAIGHT AWAY.

gpg --output revoke.asc --gen-revoke <keyid>

What is the keyid? Well - you can get that by running "gpg --list-keys your email address" for example mine shows:

gpg --list-keys

pub   1024D/224A5434 2001-05-03
uid                  Chris Searle <>
uid                  Chris Searle <>
uid                  Chris Searle <>
sub   2048g/87584E91 2001-05-03
so I have a keyid of 224A5434.

Remember to store the secret key and the revocation certificate somewhere other than just ~/.gnupg - perhaps burn them on a CD that is then safely stored.


Now - you have your own key. I have mine. How do we give each other a copy of our public keys? How do we verify them?

Well - physically obtaining the keys is easy - you can download them from the web - from a keyserver - they are after all simple files.

But now we need to verify the keys are correct - how do we know that some third party hasn't put out a fake file?

If you know the person personally then it's easy. You meet up - you sign their public key with your signing key and they sign your public key with their signing key. All you then have to do is re-upload your keys to the key server and you're finished.

But - what say you don't know the person. Well - as an example - the Debian developers often seem to attend key signing sessions - where they turn up - with documentation as to who they are - and all sign each others keys. The main point here is that the documentation is external to gnupg - it could be a passport for example.

However - does this mean you have to meet up with everyone? The answer is - luckily - no. We set up what is know as a web of trust.

Let's take an example. You download my public key (either from a keyserver or from my site). You have no way of knowing if that public key really is mine - and that I am who I say I am. However - our good friend Steve has signed the key already (NB - Steve hasn't signed the key and for good reason - we've not met nor have we a shared web of trust that proves to him anything about me! But for this example let us assume that he has signed it). You have also met Steve - and exchanged keys - and - since you know him to be a security conscious person - you reckon that he takes care when signing keys - so - in your trust database you have stated that Steves signatures are as good as your own. Therefore - because Steve's signature verifies OK - you trust that the key you have obtained is correct.

Further info is available within the GPG handbook

If you're interested in meeting other people to exchange identifies for key-signing purposes there are some sites which allow you to get in touch with like-minded people such as


A keyserver is a public place where keys can be easily shared. You can either have a keyserver line in your config (I have the line keyserver x-hkp:// in my .gnupg/options file) or use the --key-server option to the gpg command.

In the following I use the key id of 224A5434 - since that is my main key ID (as shown via

gpg --list-keys chris@chris
pub   1024D/224A5434 2001-05-03
uid                  Chris Searle <>
uid                  Chris Searle <>
uid                  Chris Searle <>
sub   2048g/87584E91 2001-05-03

Submitting to a keyserver

To submit a key to the keyserver

gpg --send-key 224A5434

Searching for a key on a keyserver

If you don't know the key ID then you can use e.g.

gpg --search-key ""
This will list all the keys that match - and allow you to select which ones to download

Receiving from a keyserver

If you do know the key id then a simple

gpg --recv-key 224A5434
will suffice.

Secure apt

As of apt 0.6 the gnupg package signatures can be checked. To do this - you will need the secure apt key installed. If the key is missing then apt-get upgrade (amongst other things) will complain about a missing key (luckily telling you the key id). To install the key you can run

gpg --keyserver --recv-keys <keyid>
gpg --export <keyid> | sudo apt-key add -

Authentication of documents

Signing a document

There are three main ways to sign a document.

  • Sign it directly in the document file (the output will be a binary file)
  • Clearsign it directly in the document file - (this will not compress the original file data and will use ascii armouring which creates a signature that contains no 8-bit characters - useful for mail)
  • Sign it by creating a signature file that is sent alongside the original

Sign a file

To sign the file filename and write the signed document to filename.gpg:

gpg -s filename > filename.gpg

Sign a file (armoured)

To sign the file filename and write the clearsigned document to filename.gpg:

gpg --clearsign filename > filename.gpg

Sign a file - separate signature file

To sign the file filename and write the signature document to filename.sig:

gpg --output filename.sig --detach-sig filename

Verifying a signature

Just verifying the signature

To verify a signature in filename.gpg:

gpg --verify filename.gpg

Verifying the signature and obtaining the document

To retrieve the original document (filename) from filename.gpg you can try

gpg --output filename --decrypt filename.gpg

Verifying a detached signature

If a separate signature file has been generated (filename.sig) - to check the signature

gpg --verify filename.sig filename


Encrypting a document

To encrypt the document filename using the recipients public key (so that only they can decrypt it)

gpg --output filename.gpg --encrypt --recipient   filename

For each person you are sending to, add a new --recipient clause.

If you want to be able to decrypt the document - remember to add your own ID to the list of recipients.

Decrypting a document

To decrypt a message that someone has sent you encrypted using your public key

gpg --output filename --decrypt filename.gpg

Since you need to use your private key for decryption - you will need to provide your passphrase.


It is possible to add gnupg support to many different mail clients. Emacs/gnus users can use mailcrypt. Thunderbird users can use enigmail.


The info file included in the package has a section with the following headings:

  • Hooking into Rmail:
  • Hooking into VM:
  • Hooking into MH-E:
  • Hooking into Gnus:
  • Hooking into Mew:


Install the package mozilla-thunderbird-enigmail. Once the extension is installed in thunderbird you will get a new menu for configuring enigmail - and you can also set per account settings.



Re: Gnu Privacy Guard (GPG)
Posted by Anonymous (145.85.xx.xx) on Tue 21 Mar 2006 at 10:13
And to use gpg with mutt simply add these lines to your .muttrc:

### PGP ######################
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 072F
6133 -- -r %r -- %f"
set pgp_encrypt_sign_command="/usr/lib/mutt/pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --a
rmor --always-trust --encrypt-to [yourkey] -- -r %r -- %f"
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r"
set pgp_autosign=yes
set pgp_sign_as=[yourkey]
set pgp_replyencrypt=yes
set pgp_timeout=1800
set pgp_good_sign="^gpg: Good signature from"

[ Parent ]

Re: Gnu Privacy Guard (GPG)
Posted by Anonymous (61.11.xx.xx) on Wed 22 Mar 2006 at 04:08
"And to use gpg with mutt simply add these lines to your .muttrc:"
[followed by over 20 lines of obscure mutt pgp/gpg incantations]

Now that is an innovative use of the word "simply" :-)

Yeah, OK, I'm nitpicking. It is simple if you just cut and paste.
And, if you RTFM (man muttrc, man gpg, man pgp etc) it isn't actually
hard figure out what the lines do, too.


[ Parent ]

Re: Gnu Privacy Guard (GPG)
Posted by dkg (216.254.xx.xx) on Wed 22 Mar 2006 at 05:20
[ View Weblogs ]
You can also find a comparable mutt configuration file on a debian system in /usr/share/doc/mutt/examples/gpg.rc.

If you want to add the configuration to your mutt configuration, just do:

cat /usr/share/doc/mutt/examples/gpg.rc >> ~/.muttrc

[ Parent ]

Re: Gnu Privacy Guard (GPG)
Posted by tonybaldwin (71.235.xx.xx) on Fri 16 Mar 2012 at 00:12
[ View Weblogs ]
or just add
source /path/to/gpg.rc

(copy it somewhere in your /home/...I have it in ~/.gnupg, so I have
source ~/.gnupg/gpg.rc
all tony, all the time!

[ Parent ]