GnuPG has pretty good privacy

Paul Guerin
7 min readAug 24, 2022

Imagine a use-case where you want to send sensitive documents (or any other file or message) to someone over the public internet. Because the medium is the public internet, you’ll want to use encryption to safeguard the information if someone else intercepts your communication.

In another use-case, you may want to store the sensitive documents at the destination with the same encryption as at the source. Then as long as you have the same keys available, you can decrypt those documents — even after those keys have expired.

You may have another requirement that you don’t want to decrypt, then re-encrypt all your existing documents each time you create new keys.

Another use-case is that you want to encrypt your email communication with another person. The other person may be a journalist. You will need a compatible email client to use encryption, and the instructions to this are here:

Edward Snowden with a disguised voice is apparently the author of this instructional video of how to encrypt your email communications

An encryption system that supports all the above is GnuPG.

GnuPG is a tool for secure communication.

GnuPG

The official website of the GnuPG is below:

GnuPG is open source, and available on almost any current operating system.

GnuPG for Windows

For Windows users, there is a paid and a free binary version for the current release.

The full featured Windows version of GnuPG is the paid version, and is linked to https://gpg4win.org/download.html.

The free GnuPG version for Windows is labelled as the ‘Simple installer for the current GnuPG’.

Once you have downloaded the binary for Windows, it is recommended to verify the signature to ensure the binary has not been tampered with. If you have Git for Windows (otherwise known as Git Bash) then you can use either the sha1sum or sha256sum (preferred) utilities to verify the binary.

Note: The manual for sha1sum mentions this: “Do not use the SHA-1 algorithm for security related purposes. Instead, use an SHA-2 algorithm, implemented in the programs sha224sum(1), sha256sum(1), sha384sum(1), sha512sum(1), or the BLAKE2 algorithm, implemented in b2sum(1).”

Then compare with the ‘List of SHA-1 check-sums’ table at the GnuPG website: GnuPG — Integrity Check

# Use sha256sum for Git Bash
# The hash below comes from https://gnupg.org/download/integrity_check.html
sha256sum -c <(echo 6e428f5224ce36863da38510fb015f976a9292637370795fbdb1f3b9ca54d403 ~/Downloads/gnupg-w32-2.4.2_20230530.exe)

If all is well then you’ll receive a ‘gnupg-w32–2.4.2_20230530.exe: OK’ message.

GnuPG update

If you have GnuPG already installed, and you just want to upgrade to the most recent version from the website. After downloading the most recent version, you can verify the download with GnuPG.

GnuPG allows a more comprehensive check than the sha1sum and sha256sum utilities, so verify the downloads like this:

# download the GnuPG public keys
curl -O https://gnupg.org/signature_key.asc

# import the GnuPG public keys into your keyring
gpg --verbose --import signature_key.asc

# quick check on what GnuPG public keys you imported
gpg -k

Now do a visual check of the fingerprints of those public keys from the GnuPG website: https://gnupg.org/signature_key.html

If the Werner Koch fingerprint on the website matches what gpg is telling you, then you can trust that the public key you have was created by Werner Koch:

# trust that the Werner Koch public key was created by Werner Koch
gpg --edit-key 6DAA6E64A76D2840571B4902528897B826403ADA

trust

5

save

Now the public key is trusted, you can check signature of the binary, with the binary.

# verify that the executable matches with the signature that was downloaded
gpg --verify gnupg-w32-2.4.2_20230530.exe.sig gnupg-w32-2.4.2_20230530.exe

If all is well then you should see :

Introduction

For encryption, GnuPG allows you the choice of using a :

  • public key cipher, or
  • symmetrical cipher.

Your secret key of a public key cipher can also be protected with a symmetrical cipher.

There is also a feature to sign documents with your secret key.

GnuPG can also be used for email, as messages and attachments can be stored encrypted. The Thunderbird email client has historically allowed you to encrypt and decrypt messages by importing a key created by GnuPG.

Later versions of Thunderbird give you a choice to create encryption keys natively within the client, or import pre-created GnuPG keys instead.

Encryption key management with a GUI

To manage the keys you create, you can use numerous GUI key management applications, such as the Gnu Privacy Assistant (ie GPA).

Gnu Privacy Assistant

Also there many 3rd-party GUI key management applications that can be used. eg Seahorse.

Seahorse

For those that don’t prefer a GUI application, there is also a powerful command line interface.

Install GnuPG and Pinentry

The package to install GnuPG may be listed by your distribution as gnupg2. For the Fedora Linux distribution, install the GnuPG package like this:

# Fedora GnuPG version 2
sudo dnf install gnupg2

Your distribution will also contain another application that can be combined with GnuPG. The application will either be gpg-zip (earlier versions of GnuPG), or gpgtar (later versions of GnuPG).

In Fedora, installing gnupg2 will also install the Pinentry utility by default.

Setup Pinentry

Pinentry is a utility that allows for secure entry of PINs or passphrases. GnuPG uses the Pinentry utility to allow you to input a passphrase in a secure way.

There are a few flavours of Pinentry, and you can see which ones are installed like this:

ls /usr/bin/pinentry*

If you’re working with GnuPG from the command line, then by default, GnuPG will run Pinentry-curses.

Pinentry-curses implements a PIN entry dialog using the curses tool kit, meaning that it is useful for users working in text mode without the X Window System.

Using Pinentry-curses, your passphrase prompt will look like this:

GnuPG will call Pinentry when it needs to, and if running GnuPG locally you may not get any problems.

Troubleshooting Pinentry

However, there may be other use cases where you may come across some issues with Pinentry, such as not prompting you for passphrases.

Pinentry just does not work

You may get an error similar to:

“gpg: public key decryption failed: Inappropriate ioctl for device”

The solution is to setup the environment configuration before you start working with GnuPG:

# For the Bash shell, set the prerequisite environment variable
export GPG_TTY=$(tty)

# For the Fish shell, set the prerequisite environment variable
set GPG_TTY $(tty)

Even better is to add that in advance to your shell configuration file (eg .bashrc, .kshrc, etc) so you don’t need to enter it each time you use GnuPG.

Pinentry still does not work

If you are running a terminal application that isn’t compatible with the curses tool kit, then you’ll get an error similar to:

“gpg: agent_genkey failed: Required environment variable not set”

From experience, the Xterm terminal does work with the curses tool kit from Pinentry. However some other terminal applications may have some compatibility issues using the curses tool kit with SSH. eg Kitty, Urxvt.

However there is a solution, and it requires Pinentry-tty.

Pinentry-tty implements a PIN entry prompt directly on the controlling tty.

Pinentry-tty is installed like this in Fedora Linux:

sudo dnf install pinentry-tty

Now when GnuPG calls Pinentry, the passphrase prompt will look like this:

Other problems are documented in the official documentation in chapter 14.3.

Common Problems (Using the GNU Privacy Guard) (gnupg.org)

Pinentry may seem more trouble than it’s worth, but it is necessary to safeguard the security of your passphrase.

GnuPG command syntax

The first step is to confirm which syntax to use for GnuPG. In some Linux repos gpg and gpg2 are separate GnuPG versions.

However in Fedora Linux, the gpg command is an alias for gpg2, so it’s valid to use gpg.

For Cygwin, the command is gpg2.

In Windows, gpg refers to version 2, and there is no gpg2 command.

# confirm which command syntax to use as it varies between
# operating system, Cygwin, and Git Bash.
gpg2 --version
gpg --version

Displaying the version information will also list the supported algorithms.

For the GnuPG release 2.3.4, the default encryption algorithm used for the public key cipher is ed25519.

Ed25519 is a cryptography solution implementing Edwards-curve Digital Signature Algorithm (EdDSA), and is considered more secure with faster performance than RSA keys.

Continue your GnuPG journey with your first encryption:

--

--