Symmetric keys
To encrypt the file with passphrase:
gpg --symmetric file_to_encrypt
This will prompt you for the passphrase to enter to encrypt the file,
To strongly encrypt, create first a symmetric key and use this as passphrase
To decrypt simply run, and give passphrase when prompted:
gpg --decrypt file_to_decrypt
Here gpg will know whether to use symmetric or asymmtric decryption here
Here gpg after taking the passphrase, uses a key-derivation-function(kdf) to derive a key from the passphrase and use that key to encrypt the file
Key Distribution
The process of making your key publicly available on a keyserver is coupled with an important security measure - email authorization. Upon upload, the keyserver sends an email to the associated address with a link for authorization. Clicking on this link is mandatory for the key to be accessible to others for search and download, primarily based on email search.
This approach not only ensures the legitimacy of key ownership but also safeguards against attempts to manipulate key distribution for malicious purposes. The email authorization step adds an extra layer of protection, making the key distribution process more resilient against potential threats.
To send the publickey to the key-server:
gpg --keyserver <keyserverurl> --send-keys <fingerprint>
For example:
gpg --keyserver hkps://keys.openpgp.org --send-keys <fingerprint>
Now to search for a key on keyserver: (NOTE: Reflection of uploaded publickey takes some time)
gpg --keyserver hkps://keys.openpgp.org --search-keys <username or email>
Once you find the key on the keyserver, along with the metadata, it will also show the fingerprint for that key, So to download that public key:
gpg --keyserver hkps://keys.openpgp.org --recv-keys <fingerprint>
Also other than openpgp,
we have pgp.mit.edu keyserver available so you can change above url to, [hkp://pgp.mit.edu]
Edit key expiration
To edit the key expiration date, run:
gpg --edit-key <key fingerprint or name or email>
You will get gpg prompt
gpg>
run expire
gpg> expire
and then choose option make sure to run save
gpg> save
DONE
Multiple Recipents
When you run the following command:
gpg --encrypt --recipent <recipent name or email as per pubkey> file_to_encrypt
here there is only single recipient, so the gpg will directly encrypt the file with the public key of the recipient and create a .gpg file
but supppose you give multiple recipients like this:
gpg --encrypt --recipient <r1> --recipient <r2> --recipient <r3> file_to_encrypt
Here the gpg first, creates a symmetric key and encrypts the file, and then encrypts the symmetric key each with public key of the recipient so if there are 3 recipients 3 encrypted symmetric keys will get created and they are going to get appended to the encrypted file along with their metadata
Signing and Verification
To sign a file
gpg --sign file
To verify a file
gpg --verify file
Related Posts
Thank you for reading "gpg: symmetric-cryptography, key distribution and more...."
Subscribe via email or RSS feed to be the first to receive my content.
If you liked this post, check out my featured posts or learn more about me.