What is PGP?
PGP stands for Pretty Good Privacy. It is an encryption system that allows users to send encrypted messages and has been a standard used since it was created in 1991. It works by generating two keys for every user; a private key and a public key.
Your private key is a unique code used to allow you to decrypt messages that have been encrypted using your public key.
Warning: NEVER SHARE your PRIVATE KEY with ANYONE and keep it backed up in a safe place.
This way we can send private messages between strangers and not worry about anybody else seeing the contents. If this sounds a bit confusing then it wont be by then end of this tutorial.
Your public key is a code which everyone can see. You can safely give out your public key to anybody however only you can decrypt your public key. This is done with your private key. We will learn more about those shortly.
By using public keys it means for example; I might post my public key here and anybody can download my key to then use it to send me directly an encrypted message that only I can open. If I have that person’s public key then I can also send them a message that only they can open.
Using PGP on Linux
Using the default keyring manager in MINT 20.1
Many Linux distributions have a built in keyring manager that can easily do many common operations of PGP. Just open “Seahorse” also called “passwords and keys” from the applications menu. Click the “+” symbol in the top left and select GPG key. Set the key strength to 4096. This is the strongest level of RSA encryption offered here. You can use 2048 which is default but i always prefer to make the encryption as complex as possible.
For the name you should always use a fake name or “alias” that is not the same or closely related to one you have or currently use anywhere else.
You don’t need to put an email however if you do choose to put one make sure its fake or a burner (throw-away) account, unless you’re using it in a situation where you want people to be able to contact you via an email address
After that is done you can find your key in the GnuPG keys section of the Keyring Manager.
Export your keys
Now that you have created a key you might want to give your public key to someone so they can send you an encrypted message.
To do so double click on your key and go to the details tab.
Now hit export to file and make sure you check “export public keys”. We don’t want to export our private key as this is only for use in decrypting messages sent o the public key. It is fine to export this if you need to take it with you to use it on a different computer for example.
Now pick a name for the file and where to save it. This is your public key file and it’s what you will be giving out to other people so that they can encrypt messages that only the intended can read.
You can send this file to someone and they can import it and use it to send you encrypted messages. There are more ways to import keys but i will go over those later.
To import a key file you just double click on it and it will be added to your keyring automatically! You can also import keys in GPA using the clipboard. I am going to explain what GPA is in the next section.
Using GPA to encrypt and decrypt
Now that we have our keys we need to use them to encrypt messages. So lets say I’m going to encrypt a secret message to my friend, let’s call him “cyberjunk77” . What I need to do is first make sure I have imported their key file. Now you are going to download GPA.
This is a tool that allows you to encrypt messages to anyone’s key for them to decrypt later. Search for GPA in the software centre or just type the following into the console ( Ctrl + Alt + ‘T’ is a handy keyboard shortcut for this);
Sudo apt-get install gpa
Now open GPA and go to the clipboard.
You may simply type your message into the clipboard window and then click the icon at the top which says “encrypt buffer text”. It’s the image representing a blue key in an envelope.
Now select the person you want to send it to. In this case “cyberjunk77”.
You should see a notice pop-up saying “this key is untrusted are you sure you want to continue” just hit yes. This just means you haven’t signed the key yet but that’s fine, your going to learn about this later. For now it’s not important.
The text that’s left is the encrypted message that is what you send to the person who you are trying to communicate with.
To decrypt a message it’s a very similar process.
You need the encrypted text which someone else has encrypted using your public key. It will look something like this:
—–BEGIN PGP MESSAGE—–
—–END PGP MESSAGE—–
To decrypt it just copy the entire message including the lines.
Next go back to the gpa clipboard window and click the button next to the one we used before, this one says “decrypt buffer text” on mouse over.
Click the button and it will ask for the password you created for your Secret key (remember: do not give this out!).
Now you should see the contents of the message!
And now you are armed with the information needed to simply send and receive messages in PGP.
How can you be sure a message posted in a public forum was actually sent by the person that they are claiming to be? This is where verifying signatures comes in handy.
So in order to verify that the message was actually encrypted by who they say it is you need to sign that persons key. to do so right click their key in the keyring and then click “sign” Make sure that you know the key you have is the official one. You can do this by certifying that the “fingerprint” matches one from a trusted source such as darknetlive.com
Now this means whenever you see a message signed by this person, like this one signed by me:
—–BEGIN PGP SIGNED MESSAGE—–
Dillinger PGP tutorial
—–BEGIN PGP SIGNATURE—–
—–END PGP SIGNATURE—–
You can paste it to the GPA clipboard and click the “check signatures of buffer text” button and If it really was my key that signed the message you will see this pop up
This way if you see a message from someone you can check the signature to know that its from the person who it claims to be from and not someone pretending to be them. For example you can use this to make sure that your viewing legitimate market links from the sites admins and not phishing links.