GnuPG

GnuPG (GNU Privacy Guard), also known as GPG, is a free implementation of the OpenPGP standard (RFC4880). GPG supports both symmetric and public-key cryptography, and typically operates using both.

GPG can be used for digital signing, authentication, and encryption of data. It is often used to encrypt and sign email messages, but can also be used with files or plaintext.

GPG supports hardware security devices with an OpenPGP module, such as the YubiKey.

includes which can be used as a ssh agent.

Additional software
GnuPG can be used alone, but integrates with a wide variety of software.

Mail clients

 * PinePGP.
 * Mutt - A small but very powerful text-based mail client.
 * Evolution - A GNOME Microsoft Outlook work alike.
 * KMail - KDE's mail client.
 * Installing KGPG might be of interest when using the KDE desktop environment. This small program allows for the generation of key pairs, importing keys from ASCII files, signing imported keys, exporting keys, among a few other nifty features.
 * Thunderbird - since version 78 has built-in encryption and no longer uses GnuPG.

Other

 * Tor - Tor can be used to contact keyservers anonymously. See Tor for configuration.

Configuration
GPG requires very little or no configuration to actually be used, most configuration tends to be centered around how the  and  behave.

The is used to cache passphrases for keys and to manage key access.

Pinentry
is a helper application that uses to request the passphrase in a graphical window. It comes in many flavors, including: gtk3, qt5, tty, and curses.

If was installed with more than one popup window type, it is possible to choose between the windows with the  command:

GPG Agent
is packaged with which can be used to cache passphrases and manage unlocked key access

GPG must be configured to use, this can be accomplished with

Configuration changes can be reloaded with:

Using gpg-agent for SSH
To use 's SSH socket as for SSH, the SSH_AUTH_SOCK environment variable must be changed to point to the socket created by, this can be accomplished with.

will not use auth keys unless the keygrips are present in

Keygrips can be obtained by running:

Where the [A] key is the Authorization key, which is used for ssh login.

Changing pinentry for SSH logins
If is used over SSH, a graphical  password prompt will not come up in the login shell. This causes all operations that require a password to fail. The following snippet can be added to, this tells to use a curses prompt in the current shell. The snippet does not affect the settings when using local shells.

Generic
A generic method to autostart the GPG agent is to add  to a shell's rc file.

KDE
KDE manages the GPG agent using the following files:


 * 1) - System agent startup configuration
 * 2) - System agent shutdown configuration
 * 3) - User startup configuration
 * 4) - User shutdown configuration

The system configuration should contain a template for the GPG agent, it can be activated by uncommenting the following. To enable it for a single user, the configuration must be added to the user configuration.

Generating keys
can be used to generate a basic keypair, but using offers many useful options, such as the creation of elliptic curve keys.

Primary key
The GPG key creation process can be started with:

(11) ECC (set your own capabilities) is selected, so this first generated key will have sign and certify functions. Additional subkeys may be created for encryption and/or authentication capabilities.

By default, the first key should have the sign and certify options set:

After selecting q, (1) Curve 25519, or whatever key type is preferred can be selected.

Once the key type is selected, a expiration date should be set, setting it to 0 makes the key not expire, but setting an expiry can help with security, because if a key or passphrase is leaked, at least it eventually expires. This is not a substitute for key revocation.

Now that the key parameters have been defined, identification information must be provided.

Finally, a passphrase must be added to the key. This passphrase is important, because it is used to protect the private key.

Add an encryption key
To view and edit the created key, can be used. should also work, as long as Larry exists as a user in the detected keyrings.

Like with the creation of the sign and certify key, an exipriation date must be set, and GPG will prompt for the key password before adding the key.

Add an Authentication key
An Authentication key must be created to use GPG keys for SSH.

The authentication key can be created with:

Listing keys
Loaded public keys can be displayed with :

Private keys can be listed by using instead of :

Public keys
Public keys can be exported in an armored form by using :

Private Keys
Private keys can be exported with: gpg --output {key}.secret.gpg --export-secret-keys {key} and gpg --output {key}.secret-sub.gpg --export-secret-subkeys {key} can be used, where {key} is the uid or fingerprint associated with the key.

Importing keys
A key can be imported from a file using:, or from stdin using where the key can be pasted, and loaded by sending an EOF using +.

Gentoo release keys
Gentoo's GPG keys can be imported by running:

or

Loading a key from stdin
If a private key is being loaded, may prompt for the key passwords:

When importing key backups, it may make sense to mark the keys as ultimately trusted:

Signing keys
An imported key can be signed once it's verified

Sending keys to key servers
Now that a key has been generated, it is probably a good idea to send it to a world key server. There are a lot of key servers in the world and most of them exchange keys. In this next example Larry the cow's key will be sent to the pool.sks-keyservers.net server. Sending keys uses HTTP, so if a proxy is used for HTTP traffic do not forget to set it accordingly. The command for sending the key is:

Where 75447B14 is the ID of the key you would like to send. If a HTTP proxy is not needed then the  option can be removed.

Sending other people's keys that Larry has signed to the key server is also a good idea. We could send Luis Pinto's key to the key server. This way someone who trusts Larry's key can use the signature that he has placed there to trust Luis's key.

Getting keys from key servers
Now we are going to search for Gustavo Felisberto's key and add it to the keyring of Larry the cow.

From the server response it is possible to see few keys have been submitted to the key server, however only  is used. Now Larry the cow can get the key and sign it if he trusts it.

Refreshing existing keys
Existing PGP keys should be refreshed on a regular interval (twice a month is common). To refresh keys, define a key server with which to connect:

This command can be added to a cron job or systemd timer.

Encrypting and signing
Let's say that Larry has a file he wishes to send Luis. Larry can encrypt it, sign it, or encrypt and sign it. Encrypting means that only Luis will be able to open it. The signature tells Luis that it was really Larry who created the file.

To encrypt:

To sign:

To encrypt and sign:

This will create binary files. To create ASCII files, just add the  option to the beginning of the command.

Decrypting and verifying signatures
Suppose that Larry has received an encrypted file. The command used to decrypt it is. This will decrypt the document and verify the signature (if there is one).

Encrypting and decrypting without keys
It is possible to encrypt files using passwords instead of keys. The password itself will function as the key — it will be used as a symmetric cipher. The file can be encrypted using ; decrypting uses the same command mentioned above.

GnuPG will ask for a passphrase and a passphrase verification.

Advanced features
There are some nice advanced features in GnuPG. To find them, open the file.

Uncomment the two lines above. With this modification, any time GnuPG needs to check a signature and does not find the public key on the local keyring it will contact the key server at hkps://keys.gentoo.org in an attempt to fetch the public key from the server.

Another nice command is. This will contact the key server defined in the configuration file and refresh the public keys in the local keyring from there. It is capable of searching for revoked keys, new IDs, and new signatures on keys. It is a wise idea to run this command once or twice a month; if a user revokes their key this can provide a notification the key can no longer be trusted.

About email signatures
95% of the time GnuPG is used with email by signing/encrypting outgoing messages or reading signed/encrypted messages.

There are two ways two sign/encrypt a email with GnuPG, the old way and the new way. In the old way messages would appear in plain text, with no possible formatting and attached files would be unsigned/unencrypted. Here is an example of a message signed the old way:

Messages this way are not good in today's world, where there are nice GUIs and email readers that understand HTML.

To solve this an addition to the MIME (Multipurpose Internet Mail Extensions) was created. This adds a field to the email that tells the mail reader that the full content of the message is signed and/or encrypted. The problem with this is that not all mail readers support such features. Some even mess up the content (Microsoft's Outlook is famous for not working with this).

Kgpg
Kgpg is a wonderful GUI for GnuPG. The main screen provides an area to paste text to sign or encrypt. The reverse is also true: ASCII armored text to be decrypted can also be entered.

Seahorse
Seahorse aims to be a GnuPG GUI interface for the GNOME desktop. The software has been evolving fast, but it still lacks many important features that can be found in Kgpg or the command line version.

KMail
If the  USE flag is set, KMail will be compiled with gpg support, and will be able to encrypt and decrypt inline PGP mails automatically as well as encrypting OpenPGP/MIME mails. To decrypt OpenPGP/MIME mails (which most users want) a GPG agent must be running.

To verify if KMail is properly configured navigate to. A GpgME-based backend should be listed and the OpenPGP checkbox should be checked. If it is listed but grayed out, click on. If the GpgME-based backend remains grayed out, KMail is not working properly.

When unable to get KMail to behave, see the official KMail PGP page for more information.

Claws-Mail
Claws Mail is very fast with big mailboxes and works well with GPG. The only problem is that it does not work with the old PGP signatures.

To use a GPG key with Claws-Mail navigate to. Once there choose which key to use, most users should go with the default key.

Thunderbird
Thunderbird - since version 78 has built-in encryption, but it can be made to use system GnuPG.

External resources

 * https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/ - An article explaining the creation of subkeys.
 * https://keys.openpgp.org/ - OpenPGP.org's PGP infrastructure. Key server is running the Hagrid keyserver software. Use hkps://keys.openpgp.org for accessing from.
 * https://keys.gentoo.org/ - Gentoo Infrastructure's official PGP key server.
 * https://sks-keyservers.net/ - Key servers ran by a former Gentoo developer.
 * https://www.gnupg.org/gph/en/manual.html - John Michael Ashley's "The GNU Privacy Handbook". Very good book for beginners.