Thursday, December 11, 2008

GNU Privacy Guard (GPG)

The GNU Privacy Guard (GPG) is a command line application that can use public key encryption to safeguard text and data and prepare it for transport through the email system.

It is not part of the default install of OS X and must be installed manually.

To generate a new key pair:
gpg --gen-key

To list keys on your public keyring:
gpg --list-keys

To list keys on your secret keyring:
gpg --list-secret-keys

To encrypt a text file "message.txt" for recipient "foo" with ASCII armor (Base64):
gpg -e -a -r foo message.txt
The encrypted message is saved as file "message.txt.asc".

To encrypt a text file "message.txt" for recipient "foo" with ASCII armor and sign it with your secret key:
gpg -s -e -a -r foo message.txt

To import a public key:
gpg --import keyfile

To sign a newly imported key with your secret key:
gpg --sign-key keyname

To delete a public key from the keyring:
gpg --delete-key keyname

To verify a file with a detached signature:
gpg --verify signature data-file

Set up a trusted public key (no passphrase required):

If you want to encrypt files in a script and not be prompted for your passphrase, you need to sign all public keys you want to use. Follow this procedure (GPG 1.2.5+) to sign a public key.

  1. gpg --edit-key keyname
  2. at the prompt, enter "trust"
  3. select "4" for "I trust fully"
  4. enter "lsign" to locally sign it
  5. at the prompt, enter "3" for "I have done very careful checking"
  6. answer "yes" to the "Really sign?" prompt
  7. enter secret key passphrase when requested
  8. enter "save"
The key is now signed and can be used in a script without passphrase requirements.
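A script that encrypts without prompts should first confirm that the recipient's key really is in the state the procedure above produces (validity "f" after lsign) and that its fingerprint matches one pinned in the script. The Python below is an added example, not part of the original post: it parses the machine-readable output of `gpg --list-keys --with-colons` (field positions per GnuPG's doc/DETAILS) and builds a batch-mode encrypt command only when both checks pass. The listing, key IDs, fingerprints and user IDs are constructed for the example.

```python
from typing import Any, Dict, List

# Constructed sample of `gpg --list-keys --with-colons` output; the key IDs,
# fingerprints and user IDs are made up for this example.
SAMPLE_LISTING = """\
pub:f:2048:1:0123456789ABCDEF:1228953600:::f:::scESC::::::::
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:f::::1228953600::DEADBEEF::foo <foo@example.test>::::::::::
pub:-:2048:1:FEDCBA9876543210:1228953600:::-:::scESC::::::::
fpr:::::::::9999888877776666555544443333222211110000:
uid:-::::1228953600::CAFEBABE::bar <bar@example.test>::::::::::
"""

# Validity codes gpg reports once you have (locally) signed a key:
# 'f' = fully valid, 'u' = ultimately valid (your own key).  Any other
# code makes a plain `gpg -e -r ...` stop and ask "Use this key anyway?".
VALID_FOR_SCRIPTS = {"f", "u"}


def parse_colon_listing(text: str) -> List[Dict[str, Any]]:
    """Group pub/fpr/uid records into one dict per public key.
    Fields (0-based): pub[1] validity, pub[4] key ID, fpr[9] fingerprint, uid[9] user ID."""
    keys: List[Dict[str, Any]] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({"validity": fields[1], "keyid": fields[4], "fpr": "", "uids": []})
        elif fields[0] == "fpr" and keys:
            keys[-1]["fpr"] = fields[9]
        elif fields[0] == "uid" and keys:
            keys[-1]["uids"].append(fields[9])
    return keys


def encrypt_command(listing: str, recipient: str, pinned_fpr: str, path: str) -> List[str]:
    """Build a prompt-free gpg command, refusing keys that are not fully valid
    or whose fingerprint differs from the value pinned in the script."""
    wanted = pinned_fpr.replace(" ", "").upper()
    for key in parse_colon_listing(listing):
        if not any(uid.startswith(recipient) for uid in key["uids"]):
            continue
        if key["fpr"] != wanted:
            raise ValueError(f"fingerprint mismatch for {recipient}: {key['fpr']}")
        if key["validity"] not in VALID_FOR_SCRIPTS:
            raise ValueError(f"key for {recipient} is not fully valid ({key['validity']})")
        # --batch suppresses prompts; naming the recipient by fingerprint rather
        # than by user ID prevents an ambiguous name selecting a different key.
        return ["gpg", "--batch", "--yes", "-e", "-a", "-r", key["fpr"], path]
    raise KeyError(f"no public key for {recipient}")
```

In a real script, replace SAMPLE_LISTING with the captured output of `gpg --list-keys --with-colons` and hand the returned list to subprocess.run.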