GPG / PGP Keys
GPG / PGP Keys are the bane of forensic investigators. They are a pair of digital keys which secure your data and make your conversations private.
This feels like a lost art.
GPG encryption is the one consistent thing cryptographers and forensic investigators have told me they hate.
I'm going to take you through the process of generating your own GPG keys and how to use them to encrypt communications.
A Short History: From PGP to GPG
Pretty Good Privacy (PGP) was developed by Phil Zimmermann in 1991 as a means to provide cryptographic privacy and authentication for data communication. PGP uses a combination of symmetric-key cryptography and public-key cryptography and became popular for securing emails and files.
However, due to licensing restrictions and the need for an open-source alternative, Gnu Privacy Guard (GPG) was created by Werner Koch in 1999. GPG, also known as GnuPG, is a free software implementation of the OpenPGP standard. It offers similar encryption capabilities as PGP but with the added benefits of being open-source and highly extensible.
The Basics of Public and Private Key Pairs
At the heart of GPG encryption are the public and private key pairs. These keys are essential for secure communication:
- Public Key: This key is shared with others. It’s used to encrypt messages or files intended for you. By distributing your public key, you allow others to send you encrypted data that only you can decrypt with your private key.
- Private Key: This key must be kept secret and secure. It is used to decrypt messages or files that were encrypted with your public key. If someone gains access to your private key, they can decrypt your encrypted data, compromising your security.
Guarding your private key is paramount. Store it in a secure location and never share it with anyone.
Publishing Your Public Key
To facilitate encrypted communication, you need to make your public key available to others. Here are a few ways to publish your public key:
- Key Servers: Upload your public key to a key server where others can search for it and download it.
- Personal Website or Blog: Post your public key on your website or blog, allowing others to easily find and use it.
- Email: Include your public key as an attachment or a block of text in your email signature.
Publishing your public key ensures that those who want to send you encrypted data can easily obtain the necessary information to do so.
Choosing Between ECC and RSA
When generating your GPG keys, you have the option to choose between different encryption algorithms, with the most common being RSA and Elliptic Curve Cryptography (ECC).
- RSA (Rivest-Shamir-Adleman): This is a widely used encryption algorithm that relies on the difficulty of factoring large integers. RSA keys are typically larger (2048-bit, 3072-bit, or 4096-bit) and have been the standard for many years. However, larger key sizes can result in slower performance, especially on devices with limited computational power.
- ECC (Elliptic Curve Cryptography): ECC is a more modern approach that offers stronger security with smaller key sizes. For instance, a 256-bit ECC key provides comparable security to a 3072-bit RSA key. ECC is faster and more efficient, making it a better choice for modern applications, especially on mobile devices.
Choosing ECC over RSA can enhance security while maintaining better performance, but it’s essential to ensure that all parties involved in communication support ECC.
By understanding the history, key concepts, and options available, you can make informed decisions about using GPG encryption to secure your communications.
Let's get into creating a GPG key pair suing the ECC option.
Installing GPG
GPG comes standard on most Linux distributions. Simply opening terminal and entering GPG is all you need to do.
macOS
macOS does not come with GPG pre-installed. You can download the officially supported tool called GPG Suite here. There are many options on the openPGP website if you'd like to look for a better fit for yourself.
Please note: before you do this on macOS, open Terminal and then click on "Secure Keyboard Entry" so none of your typing accidentally ends up in some diagnostics or analytics.
Windows
You'll want to look through the options to find the right one for yourself.
Creating your first GPG Key Pair
From terminal / command line enter the following command.
gpg --expert --full-gen-key
After that you will be prompted with options. We will enter 9
for ECC.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 9
Then we will select the curve. For efficiency, we're going to select Curve 25519
.
Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
You can always extend the age of your keys. Commonly people select 2 years. I do not because I can't keep track of one more etherial item.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Next it will ask for your personal information to identify your key. Since you can use this key to verify your identity, most people elect for their name here and not an internet handle.
GnuPG needs to construct a user ID to identify your key.
Real name: Jake Smith
Email address: jake@wildarcher.net
Comment:
You selected this USER-ID:
"Jake Smith <jake@wildarcher.net>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Now it will prompt you to enter a passphrase you'll have to enter to use your private key. Please make sure this is a longer passphrase.
When your key is created it will tell you its fingerprint and details about the key.
Now we want to store it in a safe way on an external hard drive.
Key Storage
The key will already be on your computer when you generate it. Now we want to move a copy of it off to secure storage.
Encrypted Flash Storage
I'm going to walk you through using Disk Utility.app
on macOS to do this. In Windows you can use Bitlocker. On Linux you can use cryptsetup
.
Open Disk Utility.app
by pressing CMD+SPACE
and entering "disk utility" and choosing the option there.
Click on the external flash drive and click "Erase".
Now name your flash drive and choose "APFS (Encrypted)".
This will not allow you to set the passphrase to encrypt the drive.
After you enter your passphrase, you are brought back to the Name & Format prompt where you will click "Erase."
Now you are ready to use it for storage. When you attached your encrypted flash drive, Finder will prompt you for the passphrase.
Encrypting Files with GPG
If you want to use Finder, you can right click on any file, go to Services and choose "OpenPGP: Encrypt File"
You will be asked which recipient to encrypt for. By default, you will be signing the file so the recipient knows you sent it.
And now you click the "Encrypt" button. You will need to enter the passphrase for your private key.
You will get a new file in the same directory which is the original file name with .gpg
appended to it.
Decrypting files
If you want to decrypt the file, right click on the file, choose Services and "OpenPGP: Decrypt file."
It should automatically decrypt the file and give you a notification about the signature used by the sender.