Encrypt with GPG Key
One of the greatest features of GnuPG is the ability to encrypt an object or a payload (e.g. a message) with your GPG encryption key.
This section guides you on how to encrypt and sign a payload with your GPG key.
Import Recipient Public Key
You need to import your recipient's public key, which must have encrypt capability ([E] symbol) and sign capability ([S] symbol), in order to perform a proper signed encryption for him/her. To ensure the public key is in your keyring, use the --list-key --keyid-format LONG argument and find his/her email. Without encryption-capable and sign-capable subkeys, the public key is useless for proper encryption. Example:
$ gpg --list-key --keyid-format LONG
/home/jane/.gnupg/pubring.kbx
---------------------------------
pub rsa4096/DFF009F42B8F65F1 2018-09-23 [SC]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub rsa4096/E0F5C6ECC87BF4FB 2018-09-23 [E]
sub rsa4096/226B3ACC3859EF97 2018-09-23 [E]
sub rsa4096/DFF009F42B8F65F1 2018-09-23 [S]
In the example above:
- The encryption capable subkeys are: E0F5C6ECC87BF4FB and 226B3ACC3859EF97.
- The sign capable subkey is: DFF009F42B8F65F1.
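As an added example (not part of this page or of GnuPG's own tooling), the Python checker below parses the human-readable listing above and reports whether a recipient has usable [E] and [S] subkeys before you run the encrypt command; the second key block in the sample input is constructed to show a revoked subkey being rejected.

```python
import re

# Constructed sample input: the `gpg --list-key --keyid-format LONG` listing shown on
# this page, plus a made-up second key whose only [E] subkey is revoked (failure case).
LISTING = """\
/home/jane/.gnupg/pubring.kbx
---------------------------------
pub   rsa4096/DFF009F42B8F65F1 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub   rsa4096/E0F5C6ECC87BF4FB 2018-09-23 [E]
sub   rsa4096/226B3ACC3859EF97 2018-09-23 [E]
sub   rsa4096/DFF009F42B8F65F1 2018-09-23 [S]

pub   rsa2048/0000000000000001 2019-01-01 [SC]
uid           [ unknown] Bob Example <bob@example.com>
sub   rsa2048/0000000000000002 2019-01-01 [E] [revoked: 2020-06-01]
"""
# "<pub|sub>   <algo>/<16-hex key ID> <date> [<usage flags>] [optional revoked/expired status]"
KEY_LINE = re.compile(r"^(pub|sub)\s+\S+/([0-9A-F]{16})\s+\d{4}-\d{2}-\d{2}\s+\[([A-Z]+)\](.*)$")
UID_LINE = re.compile(r"^uid\s.*<([^>]+)>")

def parse_listing(text):
    """Map each uid e-mail to its key's subkeys as (key ID, usage flags, usable) tuples."""
    blocks = []  # one (emails, subkeys) pair per "pub" block, in listing order
    for line in text.splitlines():
        if m := KEY_LINE.match(line):
            kind, keyid, usage, status = m.groups()
            if kind == "pub":
                blocks.append(([], []))
            elif blocks:  # gpg appends "[revoked: ...]" / "[expired: ...]" after the flags
                usable = "[revoked:" not in status and "[expired:" not in status
                blocks[-1][1].append((keyid, usage, usable))
        elif (m := UID_LINE.match(line)) and blocks:
            blocks[-1][0].append(m.group(1).lower())
    by_email = {}
    for emails, subkeys in blocks:
        for email in emails:  # the same address on two keys gets both keys' subkeys
            by_email.setdefault(email, []).extend(subkeys)
    return by_email

def usable_subkeys(listing, email, capability):
    """Key IDs of non-revoked, non-expired subkeys of `email` carrying `capability` ('E' or 'S')."""
    subkeys = parse_listing(listing).get(email.lower(), [])
    return [kid for kid, usage, usable in subkeys if usable and capability in usage]

def check_recipient(listing, email):
    """The pre-flight check from this page: encrypt only if the recipient has an [E] and an [S] subkey."""
    enc, sig = usable_subkeys(listing, email, "E"), usable_subkeys(listing, email, "S")
    return {"ok": bool(enc and sig), "encrypt": enc, "sign": sig}
```

For scripting against a real keyring, prefer gpg's --with-colons output, which is the stable machine-readable format; the human-readable layout parsed here can differ between GnuPG versions.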
Encrypt Payload With Subkey
There are various ways to encrypt and sign the payload with your key; which one to use depends on the type of output you're looking for. If no subkey is supplied, GPG will use the latest signing subkey to perform the signing step. Every signing process writes a new output payload instead of overwriting the original payload.
A proper encryption is always "encrypt and sign":
- You make the payload confidential.
- You must also ensure the encrypted medium is trustworthy.
GPG employs "sign then encrypt" by design convention. If you're especially security-conscious, you can do "sign then encrypt then sign (manually)".
Simple Encrypt and Sign
To perform encrypt and sign, you use the following command depending on which output you're looking for:
$ gpg --encrypt --sign --recipient <recipient email> <path/to/file> # binary file output
$ gpg --armor --encrypt --sign --recipient <recipient email> <path/to/file> # text file output
It will generate a new payload file with the extension .gpg or .asc respectively. The payload is encrypted. Here's an example:
# perform basic encrypt
$ gpg --encrypt --sign --recipient jane.smith@example.com object.txt
# Encrypt the output into human-readable format
$ gpg --armor --encrypt --sign --recipient jane.smith@example.com object.txt
Encrypt With Specific Subkey
In situations where you need a specific subkey, you prepend the --local-user <sub-key ID>! argument. Watch out for the exclamation mark (!); you need to append it at the end of the ID. Also, this only works for --encrypt and not --sign. You have to do the --sign manually before/after the encryption is done.
Example command:
$ gpg --local-user <sub-key ID>! --encrypt --recipient <recipient email> <path/to/file>
$ gpg --local-user <sub-key ID>! --armor --encrypt --recipient <recipient email> <path/to/file>
Based on the example above, say we want to use the encryption subkey E0F5C6ECC87BF4FB:
# perform basic encrypt
$ gpg --local-user E0F5C6ECC87BF4FB! --encrypt --recipient jane.smith@example.com object.txt
# Encrypt the output into human-readable format
$ gpg --local-user E0F5C6ECC87BF4FB! --armor --encrypt --recipient jane.smith@example.com object.txt
Encrypt with Specific Passphrase
In the scenario where you have multiple encryption subkeys, you can append the --symmetric argument. Keep in mind that this is not your primary key passphrase. Also, this only works for --encrypt and not --sign. You have to do the --sign manually before/after the encryption is done.
Example command:
$ gpg --symmetric --encrypt --recipient <recipient email> <path/to/file>
$ gpg --symmetric --armor --encrypt --recipient <recipient email> <path/to/file>
Based on the example above:
# perform basic encrypt
$ gpg --symmetric --encrypt --recipient jane.smith@example.com object.txt
# Encrypt the output into human-readable format
$ gpg --symmetric --armor --encrypt --recipient jane.smith@example.com object.txt
You'll be prompted to enter a different passphrase for encrypting this file. This temporary passphrase is for you and your recipient to decrypt the file later.
That's all about encrypting and signing a payload with GPG.