GPG, or GNU Privacy Guard, is encryption software by the Free Software Foundation: a free implementation of the OpenPGP standard. On the internet you cannot trust anyone, especially when you use services without knowing how they work under the hood.
"Privacy" and "encryption" are not "radical" things. Imagine talking with a friend about something while, in the middle, someone is listening in. How does that feel?
Many services now support e2e encryption, like WhatsApp (by default) or Telegram (via secret messages), but since you cannot see everything inside the WhatsApp/Telegram system, you cannot be 100% sure you are safe.
Using encryption is both fun and boring. First, it is a complex concept. Second, there is the question "Why should I even care?". But if you care about HTTPS (beyond the SEO aspect), you should probably care about this too, because HTTPS is also about encryption (Secure HTTP), just at a different layer: it encrypts your requests to the server.
For example, if we are on the same network and you talk to the server over plain HTTP, I can steal your cookies, read your form data, and so on. Yes, I'm the man in the middle, and I can attack you.
Now imagine you communicate with the people you care about, about everything, and in between I listen to your communication. Not so important, until it is :))
We can't rely 100% on services that offer e2e encryption we can't control. To solve this, we need an additional layer. In this context, that layer is GPG.
What does it look like?
Say I need to send an urgent, important, and confidential email to my friend. If you try to "spy" on me (or my friend), you can't get any useful information, because all you get is something like this:
-----BEGIN PGP MESSAGE-----

hQEMA71/WM2fs7tqAQf8CWO57jBVf+xZZNXrrQfVY5VKfRjxpv/aTtOfAc1BOb5h
Btn+W0326b+OPUkXeWDn0JTovGXuFYAVTBzB0AMST013+jG6L2+lEM0vKat7pQMW
WVtKSwRBFUQ8PELAsxR+XdjVmf5sALjCFzQIjwiKyx29tQSlkGh86QYrOT46h8na
myaiQTP1so6e1r4zlBX8KDgDrMFfhUiYeQ8DsrINWCutdMq1cNTrZ+QJD+WPkmyG
iiLzHL8erbS91veyTa81VUXT3dlxOUpSV8SP5NPe34C0WnCvQh68E+BXF0QTz1nR
xBIK7+KE7TlM9d3HlDTqdmV8P0Vygr+boDZUBFy3jNJQAYa8k8BcCEW17vbOvHwz
q9CAz05X118VCg2PuBqPAV+FdW3xcQR/xTs1Qcvs5mb+95Y/dkuKD7Vj1/enbOj7
A3MD/SBkOkem90tA3Hlg0lw=
=w7LJ
-----END PGP MESSAGE-----
And the only person who can read that message is my friend, the recipient. How does it work? The simple picture is like this:
encrypt('mySecretKey', 'text', 'recipientPublicKey')
So I need to know your public key so I can send you an email that only you can read (and whose content has not been edited); you also need my public key to check, when you decrypt it, that it really came from me. If "someone in the middle" modified the content, the email is simply corrupted, or GPG will tell you that the email did not come from me.
This is how it looks when I decrypt the content.
From the image above you can see that the sender is me and the recipient is you.
So how do you get started? I assume you've already installed GPG, so we can skip the installation process.
You need to generate your key. For this, run this command in your favorite terminal:
$ gpg --generate-key
And follow the instructions on your screen.
Share the public key
Now you need to tell the world that you use GPG and that everyone is welcome to send you an encrypted email. For this, export your public key with the command below:
$ gpg --export --armor <your_key_id>
If you're not sure what your key id is, you can list the available keys with this command:
$ gpg --list-keys
Then copy the long string above your identifier (Name <email>). See the image below:
You can also publish your public key to a "keyserver", so people only need your PGP fingerprint instead of downloading your public key manually.
292E8F8794194AA8 is only the last 16 characters of the PGP fingerprint; that is what I use in my Twitter bio. You can also use the full-length fingerprint if you want.
To make your public key "searchable", you need to send it to the keyserver:
$ gpg --send-keys <your_key_id>
So if your key id was 292E8F8796664AA8, I could grab your public key with this command:
$ gpg --search-keys 292E8F8796664AA8
And now I (and you) can send encrypted messages without worrying about the middleman!
Of course, you are not limited to sending encrypted email with GPG, but for this context let's focus on that. First of all, you need to create a "file" containing the message you want to send me. For example, the file name is undangan_rabi.txt, and the content is like this:
Hello Riz, I'm getting married on 21 October. Want to take a trip to Jogja on 19 October? For the last. Regards.
The sender is rizaldy[at]icloud[dot]com and the recipient is fariz[at]icloud[dot]com. Now let's encrypt (and sign) this file so the only one who can read this message is the recipient.
$ gpg -r <recipient_email> -se undangan_rabi.txt
Then you get the "encrypted version" of the file; for example, its name is undangan_rabi.txt.gpg. Let's see what the content is.
Oops, that is unreadable. It's impossible to send that binary content in an email. Let's use "ASCII-armored output" so the content is "sendable" in an email.
$ gpg -r <recipient_email> -sea undangan_rabi.txt
After that, you will get the expected result (but with
So you can send me an email with content like that.
So I got the email. Since I have your public key, all I need to do is decrypt that content.
The metadata is clear:
- The sender is fariz[at]icloud[dot]com (for example, OK?). See the "Good signature" text.
- The recipient is rizaldy[at]icloud[dot]com (once again, just an example!)
- The timestamp of when the content was "encrypted".
After that, I can send you back an encrypted email whose content only I and God know (for now 😛).
-----BEGIN PGP MESSAGE-----

hQEMAwfmghWsV72bAQgAwcaYebcT7OFJ0oKoKSwgrsqHI1mSHZBaEVI1zM49Zzal
DwO95VoCAdXOmd71lNsdnXZBp9+4Tr/Y9u0YxNuxyZUSCorBFzbPjH3TPhGjcrzP
8X55SoR2FIz3S6RaI3ddJbl6S/jEOowA6VWLyDilFpWGyibXBVnZrpIeTf83pjLI
3lAdqS4XzEkXAxfQSmeidZz/oXfs36S8zzjcQqlDuam/EzMAitLmZN9VCh+TAYku
zImQv4JpayYmsvIrdj3VoKjIWEUCvUBE0FBbsmYS2YytLltaH8ha24ZuSvV4bj1q
nKkX4kdYs24H5SFunENpSTIaawtccjSI2m2j5N/FVtJrAUujxeyTOYevQ3dovjsm
zklROilaDarNSjjarwYcspbqUBAHK/0RhhXUpDpTzGODbqAo60XZ/EHOOvflVypp
Gs2XseiNo1NPf+sdjVGNUE1wfO3gylPz4xvlEVhFlTYQBhFfeHn5YHWArTk=
=qHxs
-----END PGP MESSAGE-----
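The whole workflow above, from "generate your key" and "share the public key" through the sign-and-encrypt, decrypt-and-verify exchange, as one runnable script. This is an added example, not the post's own commands: the names, e-mail addresses (on the reserved example.invalid domain), message text and file names are constructed for the demo; the keys are generated without a passphrase only so the script runs unattended; and --trust-model always stands in for the step where you verify the other person's fingerprint out of band (the post's Twitter-bio check) and sign their key. It runs in throwaway keyrings, so it never touches ~/.gnupg, and it finishes by altering the ciphertext the way a man in the middle would, to show that GPG refuses the tampered message instead of handing you modified plaintext. Requires GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): a complete GPG round trip
# between two parties, each with its own isolated keyring, plus a tamper check.
# All names, addresses and message text are constructed for the demo.

SENDER_MAIL="fariz@example.invalid"     # constructed sender address
RECV_MAIL="rizaldy@example.invalid"     # constructed recipient address

# make_key HOME NAME EMAIL: unattended key generation into an isolated GNUPGHOME.
# %no-protection creates a passphrase-less key, acceptable only for a demo.
make_key() {
    cat > "$1/params" <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$1" gpg --batch --quiet --gen-key "$1/params" 2>/dev/null
}

# fingerprint HOME EMAIL: the primary-key fingerprint as seen from that keyring.
fingerprint() {
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Returns 0 when every check passes, 77 when gpg is not installed, 1 otherwise.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 77; }
    work=$(mktemp -d) || return 1
    sender="$work/sender"; receiver="$work/receiver"
    mkdir -m 700 "$sender" "$receiver" || { rm -rf "$work"; return 1; }
    rc=1

    # 1. Each side generates its own key pair (the post's `gpg --generate-key`).
    make_key "$sender" "Fariz (demo)" "$SENDER_MAIL" &&
    make_key "$receiver" "Rizaldy (demo)" "$RECV_MAIL" &&

    # 2. Exchange public keys: `--export --armor` is the text block you publish,
    #    the other side imports it. A keyserver would carry the same bytes.
    GNUPGHOME="$sender"   gpg --batch --armor --export "$SENDER_MAIL" > "$work/sender.asc" &&
    GNUPGHOME="$receiver" gpg --batch --armor --export "$RECV_MAIL"   > "$work/receiver.asc" &&
    GNUPGHOME="$sender"   gpg --batch --quiet --import "$work/receiver.asc" 2>/dev/null &&
    GNUPGHOME="$receiver" gpg --batch --quiet --import "$work/sender.asc"   2>/dev/null &&

    # 3. The fingerprint the recipient now sees must equal the one the sender
    #    publishes (e.g. in a bio). A keyserver cannot do this check for you.
    fp=$(fingerprint "$sender" "$SENDER_MAIL") && [ -n "$fp" ] &&
    [ "$(fingerprint "$receiver" "$SENDER_MAIL")" = "$fp" ] &&

    # 4. Sender signs and encrypts (the post's `gpg -r <recipient> -sea file`),
    #    once armored (.asc) for e-mail and once binary (.gpg) for the tamper test.
    printf 'Hello Riz, I am getting married on 21 October.\n' > "$work/undangan_rabi.txt" &&
    GNUPGHOME="$sender" gpg --batch --trust-model always -r "$RECV_MAIL" -sea "$work/undangan_rabi.txt" 2>/dev/null &&
    GNUPGHOME="$sender" gpg --batch --trust-model always -r "$RECV_MAIL" -se  "$work/undangan_rabi.txt" 2>/dev/null &&

    # 5. Recipient decrypts. --status-fd gives machine-readable results; GOODSIG is
    #    the "Good signature" line from the post, DECRYPTION_OKAY the integrity check.
    status=$(GNUPGHOME="$receiver" gpg --batch --status-fd 1 --output "$work/received.txt" \
                 --decrypt "$work/undangan_rabi.txt.asc" 2>/dev/null) &&
    case "$status" in *"[GNUPG:] GOODSIG"*) true ;; *) false ;; esac &&
    case "$status" in *"[GNUPG:] DECRYPTION_OKAY"*) true ;; *) false ;; esac &&
    cmp -s "$work/undangan_rabi.txt" "$work/received.txt" &&

    # 6. Tamper: overwrite two bytes inside the binary ciphertext. The integrity
    #    check (MDC, or the AEAD tag on newer GnuPG) fails and gpg exits non-zero
    #    instead of returning altered plaintext.
    cp "$work/undangan_rabi.txt.gpg" "$work/tampered.gpg" &&
    size=$(wc -c < "$work/tampered.gpg") &&
    printf '\000\000' | dd of="$work/tampered.gpg" bs=1 seek=$((size - 40)) conv=notrunc 2>/dev/null &&
    if GNUPGHOME="$receiver" gpg --batch --output "$work/tampered.txt" \
            --decrypt "$work/tampered.gpg" >/dev/null 2>&1; then
        false     # a tampered message must never decrypt cleanly
    else
        true
    fi && rc=0

    GNUPGHOME="$sender"   gpgconf --kill gpg-agent 2>/dev/null
    GNUPGHOME="$receiver" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "round trip ok: good signature, clean decrypt, tampering rejected"
    return "$rc"
}

gpg_roundtrip
```

The only step a real exchange adds is the one this script fakes with --trust-model always: after importing someone's key, compare the fingerprint gpg shows you with the one they published somewhere you trust, and only then encrypt to it. Step 6 is why the post can say a modified email "is simply corrupted": the recipient's gpg refuses to output the altered plaintext at all.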
This is pretty fun and boring. You need to create a file, encrypt it, send it, receive the reply, decrypt it, and so on. If you don't want to deal with the technical details, you can use third-party front-end apps and let the app handle the encryption.
Since I'm not a big fan of GUI apps, this workflow is not a problem for me.
This is how "end-to-end encryption" should look. In this context, you hold your private key and your recipient's public key on your own machine. You don't even know which private key you use with the "e2e feature" in WhatsApp/Telegram, right?
I appreciate your effort if you send me an encrypted email, and I'll be happy to reply in kind, either just for fun or for any general purpose. Other media like Telegram or Twitter DM are welcome too, in case you are skeptical of those services.
Also, don't forget to tell me your public key, or I cannot read your email :)
Enjoy the internet, folks!