
PGP/GPG Introduction II - Asymmetric Encryption

This is a continuation of part 1 of PGP/GPG Introduction, where I talk about symmetric encryption.

Asymmetric Encryption

Asymmetric encryption, also known as Public Key Cryptography, uses a key pair to encrypt and decrypt a file. This encryption scheme is popular for many messaging apps and email because it allows both parties to encrypt and decrypt messages without sharing a pre-selected password. Instead, a user holds two keys: a Private Key and a Public Key.

The Private Key is kept secret and should not be shared. Conversely, the Public Key can be distributed widely. Public-key cryptography allows for a few interesting applications, including public key encryption, where a message encrypted with a recipient's public key can only be decrypted with the matching private key. It also allows for digital signatures: a recipient can verify a message's sender using the sender's public key, if the message was signed with the sender's private key.

I won't go into the specifics of digital identity concepts. Instead, I will demonstrate how PGP/GPG is used for public key encryption using GNU Privacy Guard (GPG).

Generating a Key-Pair

In order to use PGP's asymmetric encryption functions, you must generate a key pair. A key pair is generated with:
gpg --gen-key

GPG provides an interactive interface for generating the pair. It takes a few minutes to generate a key pair. It is important to move your mouse or type random letters in order to introduce entropy and make a more secure key.

Once it is done you can view your private key with:
gpg --export-secret-key --armor your_name

This prints your private key to the terminal in ASCII-armored form. Be sure to never provide this to anyone!

To export your public key, you can run:
gpg --armor --output public-key.gpg --export your@email.com

This will output a file called public-key.gpg. It's all right to rename this file and distribute the public key. Many people add their PGP Public Key as an attachment to their email or put it on their website for download. People need to be able to access your public key to encrypt a message to you that only you can read.

Importing a PGP contact

Once you obtain someone else's public key, you must add it to your keyring in order to start using it. They will have to add your public key as well. Consider it like adding them to your approved contacts on a phone.

In order to add a public key, first download it. For this example, the file is called mark-signature.asc.

To import their key, run:
gpg --import mark-signature.asc

In order to check the keys in your key ring you can run:
gpg --list-keys
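
A check worth doing right after the import, shown here as an added example that is not part of the original post: compare the imported key's fingerprint with the one your contact gave you over a separate channel, and confirm the key is not revoked or expired and can be used for encryption. The function name check_key, the sample listing and its fingerprints are constructed for illustration; the function parses the machine-readable listing that gpg --with-colons prints.

```shell
#!/bin/sh
# Added example: vet an imported public key before encrypting to it.
# stdin : output of  gpg --with-colons --fingerprint --list-keys <user-id>
# $1    : fingerprint received out of band (spaces and lower case allowed)
# return: 0 ok, 1 fingerprint mismatch, 2 revoked/expired/disabled/invalid,
#         3 no usable encryption key, 4 no public key in the listing
check_key() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$expected" '
        # Only the first key in the listing is examined.
        $1 == "pub" && !seen { seen = 1; validity = $2; caps = $12; next }
        # The first fpr record after pub is the primary key fingerprint.
        $1 == "fpr" && seen && fpr == "" { fpr = $10 }
        END {
            if (!seen)       { print "no public key in listing"; exit 4 }
            if (fpr != want) { print "fingerprint mismatch: " fpr; exit 1 }
            # Field 2: r = revoked, e = expired, i = invalid, d = disabled.
            # A capital D in field 12 also marks a disabled key.
            if (validity ~ /^[reid]$/ || caps ~ /D/) {
                print "key unusable, validity=" validity; exit 2
            }
            # Capital E in field 12: the key as a whole can encrypt.
            if (caps !~ /E/) { print "no usable encryption key"; exit 3 }
            print "ok: " fpr
        }'
}

# Constructed sample listing (not a real key).
sample_good() {
cat <<'EOF'
tru::1:1700000000:0:3:1:5
pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Mark Example <mark@example.com>::::::::::0:
sub:-:255:18:7654321076543210:1700000000::::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA987654321076543210:
EOF
}

# Demo on the constructed listing; with a real keyring, pipe gpg into it:
#   gpg --with-colons --fingerprint --list-keys mark@example.com | check_key "<fingerprint>"
sample_good | check_key "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
```
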

Encrypting

In order to asymmetrically encrypt a message for your recipient you can run:
gpg --encrypt --armor -r "name@email.com" message_file

This will output a file called message_file.asc. This encrypted message can be sent anywhere and only the person with the corresponding private key will be able to decrypt the message.

An additional security measure you can use is signing the message. This ensures that the recipient knows the message is coming from you as well. They'll have to have you added to their contact list in order to verify the signature.

The flag is: --sign

The whole encryption command will look like:
gpg --encrypt --armor --sign -r "name@email.com" message_file

Side note

As you can see, using PGP via the command line can be quite complicated and requires a lot of steps. I think it is useful to see how it works, but know that there are some e-mail clients that will simplify the whole process for you. Some popular ones are Thunderbird and KDE KMail. Another option is to use ProtonMail. ProtonMail is an email service that has end-to-end encryption fully integrated and makes this process a whole lot easier.