GPG - A beginner's guide04 Dec 2017
This is mostly adapted from GitHub’s guide which can be found at
I also used this guide to import/export keys https://www.debuntu.org/how-to-importexport-gpg-key-pair/
What is GPG?
Why should I use GPG?
The obvious answer here is that you can use it for nefarious purposes, and lots of people probably do. But there are plenty of good reasons why you should want to use it. I actually started using it to sign my GitHub commits, and that highlights the primary reason I started using it, which is so that I can verify my identity. Also, PGP operates on a web of trust. In other words, other people that know you can verify your key, which eventually leads to a more trusted key. So, the sooner and longer you use a PGP key, the more trusted it becomes, essentially.
How do I use GPG?
That is the purpose of this post, to outline this process. I will go over this process in several steps.
- Installing GPG
- Generating a key
- Get key info
- Exporting your key
- Importing your key
- Optional stuff
This one is easy. Just download the command line tools from the GPG site
Generating a key
From the command line type
gpg --gen-key. If you are not presented with a list
of options, you may need to type
gpg --full-generate-key instead.
From the list of options, choose
RSA and RSA by just pressing enter.
For the key size, you definitely want
For the key expiration, just press enter to select the default of no expiration.
Enter your user information as prompted.
If you want to use your key to sign GitHub commits, you need to enter the primary email for your GitHub account.
Finally, type a secure passphrase to complete the process.
Get key info
To list your keys use the following command
gpg --list-secret-keys --keyid-format LONG
Take special note of what follows after the slash, that is the key ID. For
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
Copy that ID, and then use the following command to print your public key in the
terminal, replacing my example ID with yours of course.
gpg --armor --export 3AA5C34371567BD2
You can use this command to print your private key in the terminal
gpg --armor --export-secret-key 3AA5C34371567BD2
Exporting your key
If you would like to create a file from the previous output you can use the
following commands, renaming mygpgkey_pub.gpg and mygpgkey_sec.gpg to whatever
you would like, and of course using your key ID and not my example one.
gpg --output mygpgkey_pub.gpg --armor --export 3AA5C34371567BD2
gpg --output mygpgkey_sec.gpg --armor --export-secret-key 3AA5C34371567BD2
Importing your key
If you have multiple machines/virtual machines/whatever, you may want to export and import these keys so that you can verify your identity no matter which machine you are using.
Once you have exported your public/private key pair to files, as outlined above, it is easy to import them. From the folder that contains your keys, use these commands
gpg --import mygpgkey_pub.gpg
gpg --import mygpgkey_sec.gpg
If importing your secret key doesn’t work, you may need to add the option –allow-secret-key-import. However, that options is deprecated, and recent versions of GPG won’t make use of it.
GitHub Desktop does not support signing commits yet. So, if you’d rather use that than command line git, this section is useless.
However, I recommend that you make it a priority to familiarize yourself with command line git if you are wanting to be a serious programmer. You will almost assuredly be using the Linux platform at some point, and as of this writing, there is no GitHub Desktop app for any Linux distro.
To have git automatically sign your commits, the process is very easy.
First, you need to your key ID which if you’ve forgotten how to get that, refer
to the Get key info section. Once you have it, use this command
to have git sign all commits
git config --global commit.gpgsign true. Then,
you’ll need to tell git which key to use by default using this command,
replacing my example key ID with yours
git config --global user.signingkey 3AA5C34371567BD2
Finally, if you are using a program to store your passwords so you don’t have to
type it every time, there is a git option that allows you to specify this. In
the case of Windows, I use Gpg4win, which is the
official GPG distribution for Windows. To specify this program as the default
gpg program I used the following command
git config --global gpg.program "C:/Program Files (x86)/GnuPG/bin/gpg.exe"
Because that last command has a space in it, those quotation marks aren’t optional.
Now, all of this will amount to nothing if you don’t import your public key into GitHub. From your GitHub profile settings page, select SSH and GPG keys from the left menu. Now, select the New GPG key button, and copy/paste your public key ASCII text here.
If you like automatic passwords (like me), you’ll want to use some optional GPG software. For Windows, I recommend Gpg4win, which is the official GPG distribution for Windows. For Macs, I recommend GPG Suite, which integrates into KeyChain.
Set up encrypted gmail
There is an extension for chrome that makes this super easy. It’s called FlowCrypt. Once you have it installed, it works with both Gmail and Inbox, so if you go to either one, you’ll notice a banner that will guide you in the setup process, which will guide you in the process of setting it up. If you need to, you can refer to the Get key info section to help you with printing your key information so you can copy it to FlowCrypt.