GPG - A beginner's guide

04 Dec 2017

This is mostly adapted from GitHub’s guide which can be found at https://help.github.com/articles/signing-commits-using-gpg/ and https://help.github.com/articles/generating-a-new-gpg-key/
I also used this guide to import/export keys https://www.debuntu.org/how-to-importexport-gpg-key-pair/

What is GPG?

GPG is an acronymn for Gnu Privacy Guard. It is a powerful tool that allows you to, among other things, set up and manage PGP (Pretty Good Privacy) keys.

Why should I use GPG?

The obvious answer here is that you can use it for nefarious purposes, and lots of people probably do. But there are plenty of good reasons why you should want to use it. I actually started using it to sign my GitHub commits, and that highlights the primary reason I started using it, which is so that I can verify my identity. Also, PGP operates on a web of trust. In other words, other people that know you can verify your key, which eventually leads to a more trusted key. So, the sooner and longer you use a PGP key, the more trusted it becomes, essentially.

How do I use GPG?

That is the purpose of this post, to outline this process. I will go over this process in several steps.

Installing GPG
Generating a key
Get key info
Exporting your key
Importing your key
Optional stuff

Installing GPG

This one is easy. Just download the command line tools from the GPG site

Generating a key

From the command line type gpg --gen-key. If you are not presented with a list of options, you may need to type gpg --full-generate-key instead.

From the list of options, choose RSA and RSA by just pressing enter.

For the key size, you definitely want 4096.

For the key expiration, just press enter to select the default of no expiration.

Enter your user information as prompted.

If you want to use your key to sign GitHub commits, you need to enter the primary email for your GitHub account.

Finally, type a secure passphrase to complete the process.

Get key info

To list your keys use the following command gpg --list-secret-keys --keyid-format LONG

Take special note of what follows after the slash, that is the key ID. For example sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]

Copy that ID, and then use the following command to print your public key in the terminal, replacing my example ID with yours of course. gpg --armor --export 3AA5C34371567BD2

You can use this command to print your private key in the terminal gpg --armor --export-secret-key 3AA5C34371567BD2

Exporting your key

If you would like to create a file from the previous output you can use the following commands, renaming mygpgkey_pub.gpg and mygpgkey_sec.gpg to whatever you would like, and of course using your key ID and not my example one. gpg --output mygpgkey_pub.gpg --armor --export 3AA5C34371567BD2
gpg --output mygpgkey_sec.gpg --armor --export-secret-key 3AA5C34371567BD2

Importing your key

If you have multiple machines/virtual machines/whatever, you may want to export and import these keys so that you can verify your identity no matter which machine you are using.

Once you have exported your public/private key pair to files, as outlined above, it is easy to import them. From the folder that contains your keys, use these commands

gpg --import mygpgkey_pub.gpg
gpg --import mygpgkey_sec.gpg

If importing your secret key doesn’t work, you may need to add the option –allow-secret-key-import. However, that options is deprecated, and recent versions of GPG won’t make use of it.

Optional stuff

Configure git

GitHub Desktop does not support signing commits yet. So, if you’d rather use that than command line git, this section is useless.

However, I recommend that you make it a priority to familiarize yourself with command line git if you are wanting to be a serious programmer. You will almost assuredly be using the Linux platform at some point, and as of this writing, there is no GitHub Desktop app for any Linux distro.

To have git automatically sign your commits, the process is very easy. First, you need to your key ID which if you’ve forgotten how to get that, refer to the Get key info section. Once you have it, use this command to have git sign all commits git config --global commit.gpgsign true. Then, you’ll need to tell git which key to use by default using this command, replacing my example key ID with yours git config --global user.signingkey 3AA5C34371567BD2 Finally, if you are using a program to store your passwords so you don’t have to type it every time, there is a git option that allows you to specify this. In the case of Windows, I use Gpg4win, which is the official GPG distribution for Windows. To specify this program as the default gpg program I used the following command git config --global gpg.program "C:/Program Files (x86)/GnuPG/bin/gpg.exe"

Because that last command has a space in it, those quotation marks aren’t optional.

Now, all of this will amount to nothing if you don’t import your public key into GitHub. From your GitHub profile settings page, select SSH and GPG keys from the left menu. Now, select the New GPG key button, and copy/paste your public key ASCII text here.

Auto password

If you like automatic passwords (like me), you’ll want to use some optional GPG software. For Windows, I recommend Gpg4win, which is the official GPG distribution for Windows. For Macs, I recommend GPG Suite, which integrates into KeyChain.

Set up encrypted gmail

There is an extension for chrome that makes this super easy. It’s called FlowCrypt. Once you have it installed, it works with both Gmail and Inbox, so if you go to either one, you’ll notice a banner that will guide you in the setup process, which will guide you in the process of setting it up. If you need to, you can refer to the Get key info section to help you with printing your key information so you can copy it to FlowCrypt.