Getting started with GPG

GPG, or GNU Privacy Guard, is an "encryption" tool from the Free Software Foundation and a free implementation of the OpenPGP standard. On the internet, you cannot trust anyone, especially when you use services without knowing how they work under the hood.

"Privacy" and "encryption" are not "radical" things. Imagine speaking with your friend about something while someone in the middle is listening to you. How would you feel?

Many services now support e2e encryption, like WhatsApp (by default) or Telegram (via secret message), but since you cannot see everything inside the WhatsApp/Telegram systems, you cannot be 100% sure you are safe.

Using encryption is both fun and boring. First, it is a complex concept. Second, there is the question "Why should I even care?". But if you care a lot about HTTPS (besides that SEO thing), you should probably care about this too, because HTTPS is also about encryption (Secure HTTP), just at a different layer: it encrypts your requests to the server.

For example, if we are on the same network and you communicate with a server over plain HTTP, I can steal your cookies, read your form data, and so on. Yes, I'm the man in the middle, and I can attack you.

Now imagine you communicate with the people you care about, about everything, and in between I listen to your communication. Not so important, until it is :))

We can't rely 100% on services that offer e2e encryption but that we can't control. To solve this, we need an additional layer. In this context, that layer is GPG.

What does it look like?

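I need to send an urgent, important, and confidential email to my friend. If you try to "spy" on me (or my friend), you can't get any useful information, because all you get is an ASCII-armored PGP message: an unreadable block of text between the lines -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE-----.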

And the only one who can read that message is my friend, the recipient. How does it work? The simple picture is like this:

encrypt('mySecretKey', 'text', 'recipientPublicKey')

So I need to know your public key (and you need my public key too, to decrypt it) so that I can send you an email and make sure that only you can read it (and that its content has not been edited). If "someone in the middle" modified the content, the email is simply corrupted, or you will be told that the email did not come from me.

This is what it looks like when I try to decrypt the content.

From the image above, you know that the sender was me and the recipient is you.

So how do you get started? I assume you've already installed GPG, so we can skip the installation process.

Generate key

You need to generate your key. To do this, run this command in your favorite terminal:

$ gpg --generate-key

And follow the instructions on your screen.

Share the public key

Now you need to tell the world that you use GPG and welcome everyone to send you encrypted email. To do this, run the command below:

$ gpg --export --armor <your_key_id>

If you are not sure what your key ID is, you can list the available keys by running this command:

$ gpg --list-keys

Then you can copy the long string above your identifier (Name <email>). See the image below:

You can also publish your public key to a "keyserver", so people only need your PGP fingerprint instead of downloading your public key manually.

The 292E8F8794194AA8 is only the last 16 characters of the PGP fingerprint, which is what I use in my Twitter bio. You can also use the full length of your fingerprint if you want.

To make your public key "searchable", you need to send your public key to the keyserver.

$ gpg --send-keys <your_key_id>

So if your key ID is 292E8F8796664AA8, I can grab your public key by running this command:

$ gpg --search-keys 292E8F8796664AA8

And now I (and you) can send encrypted messages without worrying about the middleman!
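
An added example, not part of the original post: since a 16-character key ID is only the tail of the fingerprint, this sketch compares a fetched key against a value you got from the owner some other way and reports whether the whole fingerprint or only the key ID was matched. The listing, names and key values are constructed, and 40-hex-digit fingerprints are assumed.

```sh
#!/bin/sh
# Added example; the listing is constructed in the record layout printed by
# `gpg --with-colons --fingerprint <key_id>`, and every key value is made up.
sample_listing() {
    cat <<'EOF'
pub:-:2048:1:89ABCDEF01234567:1704067200:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1704067200::::Sender <sender@example.org>:
sub:-:2048:1:1122334455667788:1704067200::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA981122334455667788:
EOF
}

# Primary key fingerprint: field 10 of the first fpr record after a pub record.
primary_fpr() {
    awk -F: '$1 == "pub" { in_pub = 1; next }
             $1 == "fpr" && in_pub { print $10; exit }'
}

# Fingerprints get pasted with spaces and in lower case; strip and upper-case.
normalise() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# check_key FETCHED_FPR TRUSTED_VALUE prints match, keyid-only or mismatch.
check_key() {
    got=$(normalise "$1"); want=$(normalise "$2")
    case ${#want} in
        40) if [ "$got" = "$want" ]; then echo match; else echo mismatch; fi ;;
        16) case $got in
                *"$want") echo keyid-only ;;  # only the last 64 bits were compared
                *)        echo mismatch ;;
            esac ;;
        *)  echo mismatch ;;
    esac
}

check_key "$(sample_listing | primary_fpr)" 89ABCDEF01234567   # keyid-only
```

A "keyid-only" result means the tail agrees but the rest of the fingerprint was never compared, so ask the owner for the full fingerprint before relying on the key.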

Send message

GPG is not limited to sending encrypted messages, but in this context let's focus on that. First of all, you need to create a "file" that contains the message you want to send to me. For example, the filename is undangan_rabi.txt, and the content is like this:

Hello riz,

I'm getting married on 21 October. On 19 October,
how about a trip to Jogja? For the last.

Regards.

The sender is rizaldy[at]icloud[dot]com and the recipient is fariz[at]icloud[dot]com. Now let's encrypt (and sign) this file so that the only one who can read this message is the recipient.

$ gpg -r fariz@icloud.com -se undangan_rabi.txt

In short:

  • -r is recipient
  • -s is "sign"
  • -e is "encrypt"

You then get the "encrypted version" of the text, named for example undangan_rabi.txt.gpg. Let's see what the content is.

Oops, that is unreadable. It's impossible to send that "unicoded" text in an email. Let's use "ASCII-armored output" so the content is "send-able" by email.

$ gpg -r fariz@icloud.com -sea undangan_rabi.txt

After that, you will get the expected result (but with the .asc extension).

So you can send me an email with content like that.

So I got the email. Since I have your public key, all I need to do is decrypt that content.

The metadata is clear:

  • The sender is fariz[at]icloud[dot]com (for example, OK?). See that "Good signature" text.
  • The recipient is rizaldy[at]icloud[dot]com (once again, for example!)
  • Timestamp of when the content was "encrypted".
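
The same checks can be made by a script from gpg's machine-readable status lines (gpg --status-fd 1 --decrypt <file>) instead of reading the screen. This is an added example, not code from the original post; the status lines, key IDs and fingerprint in it are constructed.

```sh
#!/bin/sh
# Added example; every status line below is constructed, not captured output.
EXPECTED_FPR=0123456789ABCDEF0123456789ABCDEF01234567   # made-up fingerprint

# check_status FPR: read `gpg --status-fd 1 --decrypt` lines, print a verdict.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"        { next }
        $2 == "DECRYPTION_OKAY" { decrypted = 1 }
        $2 == "GOODSIG"         { good = 1 }
        $2 == "BADSIG"          { bad = 1 }
        $2 == "ERRSIG" || $2 == "NO_PUBKEY" { unchecked = 1 }
        # VALIDSIG lists the signing key fingerprint first, the primary last.
        $2 == "VALIDSIG"        { fpr = (NF >= 12) ? $12 : $3 }
        END {
            if (!decrypted)                 print "reject: not decrypted"
            else if (bad)                   print "reject: bad signature"
            else if (unchecked)             print "reject: signature not checked"
            else if (!good || fpr == "")    print "reject: no signature"
            else if ((fpr "") != (want "")) print "reject: unexpected signer"
            else                            print "accept"
        }'
}

sample_good() {    # decrypted, signed by the expected key
    cat <<EOF
[GNUPG:] ENC_TO 1122334455667788 1 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Sender <sender@example.org>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2024-01-01 1704067200 0 4 0 1 8 00 $EXPECTED_FPR
[GNUPG:] DECRYPTION_OKAY
EOF
}

sample_bad() {     # signature does not match the content
    cat <<EOF
[GNUPG:] BADSIG 89ABCDEF01234567 Sender <sender@example.org>
[GNUPG:] DECRYPTION_OKAY
EOF
}

sample_no_key() {  # decrypted, but the sender public key is not in the keyring
    cat <<EOF
[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1704067200 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
[GNUPG:] DECRYPTION_OKAY
EOF
}

sample_no_key | check_status "$EXPECTED_FPR"   # reject: signature not checked
```

In the third sample the message decrypts, yet the verdict is a reject: without the sender's public key in the keyring the signature cannot be checked, so the sender is unconfirmed.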

After that, I can send you back an encrypted email whose content only God and I know (for now 😛).

Closing

This is pretty fun and boring. You need to create a file, encrypt it, send it, receive the reply, decrypt it, etc. If you don't want to deal with the technical details, you can use third-party frontend apps and let the app handle the encryption.

Since I'm not a big fan of GUI apps, this workflow is not a problem for me.

This is what "end-to-end encryption" should look like. But in this context, you hold your private key and your recipient's public key on your own machine. You don't even know which private key you use with the "e2e feature" in WhatsApp/Telegram, right?

I appreciate your effort if you send me an encrypted email, and I will be happy to reply, either just for fun or for general purposes. Other media like Telegram or Twitter DM are welcome too, in case you are skeptical of those services.

Also, don't forget to tell me your public key or I cannot read your email :)

Enjoy the internet, folks!
