GnuPG (GNU Privacy Guard) is a complete and free implementation of the OpenPGP standard that provides data and communication encryption, digital signatures, and key management.

What is GnuPG?

GnuPG is an open source encryption tool that implements the OpenPGP standard (RFC 4880), allowing encryption and signing of data, as well as secure management of cryptographic keys.

Main Characteristics

Encryption and Signatures

  • Symmetric Encryption: AES, 3DES, Twofish, Blowfish
  • Asymmetric Encryption: RSA, DSA, ECDSA, EdDSA
  • Hash Functions: SHA-1, SHA-256, SHA-512, RIPEMD160
  • Compression: ZIP, ZLIB, BZIP2

Key Management

  • Generation: Key pair creation
  • Import/Export: Key exchange
  • Revocation: Key revocation
  • Web of Trust: Trust network

Standards

  • OpenPGP: RFC 4880
  • S/MIME: Email encryption
  • X.509: Digital certificates
  • RFC 3156: MIME Security

Installation and Configuration

Linux Installation

# Ubuntu/Debian
sudo apt-get update
sudo apt-get install gnupg

# CentOS/RHEL
sudo yum install gnupg2

# Verify installation
gpg --version

Windows Installation

# Using Chocolatey
choco install gnupg

# Direct download
# https://www.gnupg.org/download/

# Verify installation
gpg --version

macOS Installation

# Using Homebrew
brew install gnupg

# Verify installation
gpg --version

Basic Usage

Key Generation

RSA Key

# Generate RSA key pair (interactive prompts)
gpg --full-generate-key

# Generate with specific parameters (unattended mode; the parameters are read from stdin)
# Note: a here-document typed at an interactive shell is recorded in the shell history,
# so a passphrase supplied this way should be treated as exposed. Prefer a parameter
# file with restrictive permissions, or omit the Passphrase line so pinentry prompts for it.
gpg --batch --full-generate-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: John Doe
Name-Email: john@example.com
Expire-Date: 2y
Passphrase: my_secure_password
EOF

ECC Key

# Generate ECC key
gpg --expert --full-generate-key

# Select option 9 (ECC and ECC)
# Select curve (Curve 25519, P-256, P-384, P-521)

Key Management

List Keys

# List public keys
gpg --list-keys

# List private keys
gpg --list-secret-keys

# List with details
gpg --list-keys --with-colons

Export/Import Keys

# Export public key (ASCII-armored; safe to publish)
gpg --armor --export john@example.com > public.key

# Export private key (protected only by its passphrase: keep the file off
# shared storage and restrict its permissions)
gpg --armor --export-secret-keys john@example.com > private.key

# Import key
gpg --import public.key

# Import private key
gpg --import private.key

Revoke Key

# Generate revocation certificate
gpg --output revoke.asc --gen-revoke john@example.com

# Apply revocation
gpg --import revoke.asc

Encryption and Decryption

Symmetric Encryption

# Encrypt file symmetrically
gpg --symmetric --cipher-algo AES256 file.txt

# Decrypt file
gpg --decrypt file.txt.gpg > file.txt

Asymmetric Encryption

# Encrypt for specific recipient
gpg --encrypt --recipient john@example.com file.txt

# Encrypt and sign
gpg --encrypt --sign --recipient john@example.com file.txt

# Decrypt file
gpg --decrypt file.txt.gpg > file.txt

Digital Signatures

Sign Document

# Sign file
gpg --sign file.txt

# Sign with separate output
gpg --detach-sign file.txt

# Sign and encrypt
gpg --sign --encrypt --recipient john@example.com file.txt

Verify Signature

# Verify a detached signature against the file it covers
gpg --verify file.txt.sig file.txt

# Verify attached signature (the signed data is inside the .gpg file)
gpg --verify file.txt.gpg

# "Good signature" means the signature checks out for that key; it does not by
# itself say the key belongs to the expected person. Compare the fingerprint
# shown, and note that gpg still exits 0 when it only warns that the key is not trusted.
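The verify commands above print a human-readable result, but a script should not rely on the exit code alone: gpg exits 0 for a good signature from a key it does not trust and merely prints a warning. The following added example (it is not code from the original page) instead parses the machine-readable status protocol that gpg writes when invoked with --status-fd, and accepts a signature only when it is cryptographically valid, made by a key whose fingerprint is on an allow-list, and that key is fully or ultimately trusted. The status lines and the fingerprint ABCDEF01... embedded below are constructed placeholders; verify_detached() needs a real gpg installation.

```python
"""Decide whether a `gpg --verify` result should be accepted, based on the
machine-readable status lines gpg writes to --status-fd. Added example, not
code from the original page; the sample status output and the fingerprints
below are constructed placeholders."""
import subprocess
from dataclasses import dataclass

STATUS_PREFIX = "[GNUPG:] "
# Status keywords that mean the signature must be rejected outright.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}
# Trust levels gpg reports after VALIDSIG; only these mean the key is valid
# under the local trust model.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""
    signer: str = ""


def parse_status(status_text):
    """Return (keyword, args) pairs for every '[GNUPG:] ...' line; other
    output (warnings, progress messages) is ignored."""
    records = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            records.append((fields[0], fields[1:]))
    return records


def evaluate(status_text, allowed_fingerprints):
    """Accept only if no rejecting status appeared, VALIDSIG names an allowed
    fingerprint, and gpg reported full or ultimate trust for the key."""
    records = parse_status(status_text)
    keywords = {kw for kw, _ in records}
    hit = keywords & REJECT
    if hit:
        return Verdict(False, "gpg reported " + ", ".join(sorted(hit)))
    fingerprint, signer = "", ""
    for kw, args in records:
        if kw == "VALIDSIG" and args:
            fingerprint = args[0].upper()   # full fingerprint of the signing key
        elif kw == "GOODSIG" and len(args) >= 2:
            signer = " ".join(args[1:])     # user ID text, informational only
    if not fingerprint:
        return Verdict(False, "no VALIDSIG line: signature not verified")
    allowed = {f.replace(" ", "").upper() for f in allowed_fingerprints}
    if fingerprint not in allowed:
        return Verdict(False, "signing key not on the allow-list", fingerprint, signer)
    if not keywords & ACCEPTED_TRUST:
        # gpg exits 0 in this case too; this is what an exit-code check misses.
        return Verdict(False, "signing key is not fully/ultimately trusted", fingerprint, signer)
    return Verdict(True, "valid signature from an allowed, trusted key", fingerprint, signer)


def verify_detached(signature_path, data_path, allowed_fingerprints):
    """Run gpg (which must be installed) with status output on stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1",
         "--verify", signature_path, data_path],
        capture_output=True, text=True,
    )
    return evaluate(proc.stdout, allowed_fingerprints)


# Constructed samples in the format gpg uses on --status-fd.
FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"  # placeholder fingerprint
SAMPLE_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG ABCDEF0123456789 John Doe <john@example.com>
[GNUPG:] VALIDSIG {FPR} 2024-01-01 1704067200 0 4 0 1 10 00 {FPR}
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
# Same valid signature, but from a key the local trust database does not vouch for.
SAMPLE_UNTRUSTED = SAMPLE_GOOD.replace("TRUST_ULTIMATE", "TRUST_UNDEFINED")
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG ABCDEF0123456789 John Doe <john@example.com>\n"

if __name__ == "__main__":
    for name, text in [("good", SAMPLE_GOOD), ("untrusted", SAMPLE_UNTRUSTED), ("bad", SAMPLE_BAD)]:
        v = evaluate(text, [FPR])
        print(f"{name}: ok={v.ok} ({v.reason})")
```

The allow-list is the important design choice: comparing the VALIDSIG fingerprint against a list the script owns means a signature from any other key in the keyring, trusted or not, is rejected, which is what an unattended consumer of signed artifacts normally wants.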

Advanced Configuration

Configuration File

# Create configuration file
mkdir -p ~/.gnupg
cat > ~/.gnupg/gpg.conf <<EOF
# GnuPG configuration
default-key john@example.com
# keyserver in gpg.conf is still honored; GnuPG 2.1+ prefers it in dirmngr.conf
keyserver hkp://keys.openpgp.org
# auto-key-retrieve makes --verify fetch unknown signing keys from the keyserver;
# remove it if that network lookup is not wanted
keyserver-options auto-key-retrieve
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES
EOF

Agent Configuration

# Start GPG agent (GnuPG 2.1+ starts it on demand; gpgconf --launch gpg-agent is the supported way)
gpg-agent --daemon

# Configure agent (cache lifetimes are in seconds; set pinentry-program to the pinentry actually installed)
cat > ~/.gnupg/gpg-agent.conf <<EOF
default-cache-ttl 600
max-cache-ttl 7200
pinentry-program /usr/bin/pinentry-gtk-2
EOF

# Apply the new settings to a running agent
gpgconf --reload gpg-agent

Practical Applications

Email Encryption

Thunderbird with Enigmail

# Install Enigmail in Thunderbird
# Configure email account
# Generate key pair
# Configure automatic encryption

Thunderbird 78 and later ship built-in OpenPGP support, so the Enigmail add-on is only needed for older releases; on current versions the account, key pair and encryption defaults are set up in Thunderbird's own End-to-End Encryption settings.

Mutt

# Configure Mutt with GPG
set crypt_use_gpgme=yes
set crypt_autosign=yes
set crypt_replysign=yes
set crypt_replyencrypt=yes

File Encryption

Encryption Script

#!/bin/bash
# Script to encrypt (and sign) a file for a fixed recipient
set -euo pipefail

if [ $# -eq 0 ]; then
    echo "Usage: $0 <file>" >&2
    exit 1
fi

FILE=$1
RECIPIENT="john@example.com"

# Encrypt file; gpg writes "$FILE.gpg" next to the input.
# With set -e, a gpg failure (unknown recipient, untrusted key, bad passphrase)
# stops the script before the success message is printed.
gpg --encrypt --sign --recipient "$RECIPIENT" "$FILE"

echo "Encrypted file: ${FILE}.gpg"

Decryption Script

#!/bin/bash
# Script to decrypt files
set -euo pipefail

if [ $# -eq 0 ]; then
    echo "Usage: $0 <file.gpg>" >&2
    exit 1
fi

FILE=$1
OUT="${FILE%.gpg}"

# Refuse inputs without a .gpg suffix, otherwise the output path would equal the input path
if [ "$OUT" = "$FILE" ]; then
    echo "Expected a file ending in .gpg" >&2
    exit 1
fi

# Decrypt file. Letting gpg create the output with --output means a failed
# decryption (wrong key, bad passphrase) does not leave an empty "$OUT" behind
# the way a shell redirection would.
gpg --decrypt --output "$OUT" "$FILE"

echo "Decrypted file: $OUT"

Secure Backup

#!/bin/bash
# Encrypted backup script

BACKUP_DIR="/home/user/backup"
ENCRYPTED_DIR="/home/user/backup_encrypted"
RECIPIENT="john@example.com"

# Create encrypted backup directory
mkdir -p "$ENCRYPTED_DIR"

# Encrypt backup files
for file in "$BACKUP_DIR"/*; do
    if [ -f "$file" ]; then
        gpg --encrypt --recipient "$RECIPIENT" --output "$ENCRYPTED_DIR/$(basename "$file").gpg" "$file"
    fi
done

echo "Encrypted backup completed"

Web of Trust

Concepts

  • Trust (owner trust): how far you rely on a key's owner to correctly certify other people's keys
  • Validity: whether GnuPG considers a key to belong to the user ID on it, computed from the certifications it carries and the owner trust you have assigned
  • Signatures: certifications that one key places on another key's user ID
  • Certification: signing someone else's key after verifying their identity

Trust Management

# Sign another person's key
gpg --sign-key john@example.com

# Verify key signatures
gpg --check-sigs john@example.com

# Edit trust
gpg --edit-key john@example.com
# Command: trust

Upload Key to Server

# Upload public key (0x12345678 is a placeholder; prefer the full 40-digit
# fingerprint over an 8-digit short ID, since different keys can share a short ID)
gpg --send-keys --keyserver keys.openpgp.org 0x12345678

# Search key on server (keys.openpgp.org only returns addresses whose owner has verified them)
gpg --search-keys john@example.com

# Receive updated key
gpg --recv-keys 0x12345678

Best Practices

Security

  • Strong Keys: Use keys of at least 2048 bits
  • Passwords: Secure and unique passwords
  • Rotation: Rotate keys regularly
  • Backup: Backup private keys

Management

  • Revocation: Maintain revocation certificates
  • Expiration: Set expiration dates
  • Identification: Verify identities before signing
  • Update: Keep GnuPG updated
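The --with-colons listing shown under List Keys is the form meant for scripts, and it is the easiest way to check a keyring against the practices above: key size of at least 2048 bits, expiration dates set, expired or revoked keys noticed. The following added example, which is not part of the original page, parses that format and reports the findings; the listing embedded in it is constructed and its key IDs and fingerprints are placeholders, and audit_local_keyring() needs a real gpg installation. The fpr records it extracts are the full 40-hex-digit fingerprints, which are what to pass to --recv-keys or --send-keys rather than a short ID such as 0x12345678.

```python
"""Audit `gpg --list-keys --with-colons` output against basic key hygiene
rules. Added example, not from the original page; the listing below is
constructed and all key IDs and fingerprints are placeholders."""
import subprocess
import time
from datetime import datetime, timezone

# Public-key algorithm IDs used in field 4 of the colon format.
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
MIN_BITS = 2048   # Best Practices: keys of at least 2048 bits (applies to RSA/DSA)
NUM_FIELDS = 21   # pad short records so fixed field indexes are always valid


def _to_timestamp(field):
    """Creation/expiry fields are seconds since the epoch in GnuPG 2.x;
    older releases printed YYYY-MM-DD. Empty means 'never expires'."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    dt = datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_listing(text):
    """Return one dict per pub/sub record, with its fingerprint (from the
    following fpr record) and the user IDs attached to the primary key."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        f += [""] * (NUM_FIELDS - len(f))
        if f[0] in ("pub", "sub"):
            current = {
                "record": f[0], "validity": f[1], "bits": int(f[2] or 0),
                "algo": int(f[3] or 0), "keyid": f[4],
                "created": _to_timestamp(f[5]), "expires": _to_timestamp(f[6]),
                "caps": f[11], "curve": f[16], "fpr": "", "uids": [],
            }
            keys.append(current)
        elif f[0] == "fpr" and current is not None:
            current["fpr"] = f[9]
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys


def audit(keys, now=None):
    """Return (record, fingerprint-or-keyid, code, detail) for each problem found."""
    now = int(time.time()) if now is None else now
    findings = []
    for k in keys:
        ident = k["fpr"] or k["keyid"]
        algo = ALGO_NAMES.get(k["algo"], f"algo{k['algo']}")
        if k["validity"] == "r":
            findings.append((k["record"], ident, "revoked", "key is revoked"))
        if k["algo"] in (1, 17) and k["bits"] < MIN_BITS:
            findings.append((k["record"], ident, "weak",
                             f"{algo}-{k['bits']} is below {MIN_BITS} bits"))
        if k["expires"] is None:
            findings.append((k["record"], ident, "no-expiry", "no expiration date set"))
        elif k["validity"] == "e" or k["expires"] < now:
            findings.append((k["record"], ident, "expired", f"expired at {k['expires']}"))
    return findings


def audit_local_keyring():
    """Run gpg (must be installed) and audit the real keyring."""
    proc = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                          capture_output=True, text=True, check=True)
    return audit(parse_listing(proc.stdout))


# Constructed listing: a sound RSA-4096 key with an encryption subkey, an
# expired RSA-1024 key, and an Ed25519 key with no expiration. Epoch seconds.
SAMPLE = """tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:1800000000::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1600000000::0000000000000000000000000000000000000000::John Doe <john@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000:1800000000:::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
pub:e:1024:1:1111111111111111:1300000000:1400000000::-:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:e::::1300000000::0000000000000000000000000000000000000000::Old Key <old@example.com>::::::::::0:
pub:u:256:22:2222222222222222:1650000000:::u:::scESC:::::ed25519:23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1650000000::0000000000000000000000000000000000000000::No Expiry <noexp@example.com>::::::::::0:
"""
NOW = 1700000000  # fixed "current time" so the sample audit is reproducible

if __name__ == "__main__":
    for record, ident, code, detail in audit(parse_listing(SAMPLE), NOW):
        print(f"{record} {ident}: {code}: {detail}")
```

Run against the real keyring with audit_local_keyring(); the size check is deliberately limited to RSA and DSA, because the 256-bit length of an Ed25519 or Curve25519 key is not comparable to an RSA modulus.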

Configuration

  • Configuration: Secure configuration
  • Agents: Use key agents
  • Servers: Use trusted key servers
  • Logs: Maintain operation logs

Troubleshooting

Common Problems

  • Keys: Key problems
  • Signatures: Signature problems
  • Encryption: Encryption problems
  • Agents: Agent problems

Diagnostic Tools

# Show version, supported algorithms and the home directory in use
gpg --version --verbose

# Machine-readable key listing (fields separated by colons)
gpg --list-keys --with-colons

# Check the certifications on every key in the keyring
gpg --check-sigs

# List every option this gpg build accepts
gpg --dump-options