Secure Email with GnuPG
So you need to send someone the root password to your webserver? You should just put it in an email and send it to them, right? Well, actually, no…that’s a profoundly bad idea. Here’s how you can use GPG to securely send passwords (and other sensitive information) through email.
Public key encryption allows people to send secure messages to each other without exchanging pre-determined passwords. GnuPG is an open source implementation of OpenPGP, a standard for public key encryption. Other public key systems exist, but GnuPG is both free and Free, so that’s what we’ll be using for this example.
First, you get to install GnuPG. If your operating system has a package manager such as apt or MacPorts, it’s generally as simple as:
sudo port install gpg
Creating a Key Pair
Now that we have it installed, let’s generate a key pair. Key pairs allow others to encrypt messages to us using our public key, which we can then decrypt using our private key. Doing this in gpg is simple, just type:
gpg --gen-key
GnuPG will then ask a set of questions, including a passphrase, name, and email address. The default values it uses for the key settings are generally acceptable. GnuPG will then generate a key and add it to our keyring, which holds all our known public and private keys. To see the contents of the keyring, we type:
> gpg --list-keys
pub 1024D/A4D1213F 2007-08-23
uid Ben Rady <brady@objectmentor.com>
sub ...
GnuPG then spits out the public and private key IDs. Now that we have a key pair, we can decrypt messages sent to us. But how will anyone get our public key to encrypt messages? Well, we could export our public key and post it on our website. Or we could just email it to everyone we know. However, there are also numerous key servers around the Internet that host public keys, such as the MIT key server, and we can post our key to one of them. To do so, we type:
gpg --keyserver pgp.mit.edu --send-keys A4D1213F
Sending Encrypted Messages
So once the recipient has generated a key pair and made their public key available, we can send them a secure message. First, we need to import their public key into our keyring:
gpg --keyserver pgp.mit.edu --recv-keys A4D1213F
If you don’t know the key ID that you want to import, the MIT keyserver has a search function that will search by name or email address. However, it’s important to verify that the key you find in the search is really the public key of your intended recipient. Once we do that we (generally) should mark the key as trusted by typing:
gpg --edit-key brady@objectmentor.com
Command> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
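One way to carry out the verification step mentioned above, as an added example that is not part of the original article: compare the imported key's full fingerprint with one the recipient gave you out of band. The function names, the sample listing and the recipient@example.org key are constructed for illustration; the listing imitates gpg's --with-colons output so the script runs without a keyring.

```shell
#!/bin/sh
# Added example (not from the article): compare an imported key's full
# fingerprint with one the recipient gave you out of band.
# Real use: gpg --with-colons --fingerprint KEY | verify_fpr "$EXPECTED"

# Constructed listing in gpg's --with-colons format; the key, both
# fingerprints and the address are made up for this example.
SAMPLE_LISTING='pub:-:1024:17:0123456789ABCDEF:1187827200:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1187827200::::Example Recipient <recipient@example.org>:
sub:-:2048:16:FEDCBA9876543210:1187827200::::::e:
fpr:::::::::111122223333444455556666FEDCBA9876543210:'

# Remove whitespace and upper-case the hex digits, so a fingerprint read
# aloud or printed in groups of four compares equal to gpg's form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Print the primary key's fingerprint: field 10 of the fpr record that
# directly follows a pub record. The fpr after a sub record is a subkey's.
primary_fpr() {
    awk -F: '$1 == "fpr" && prev == "pub" { print $10; exit } { prev = $1 }'
}

# verify_fpr EXPECTED < listing
# Returns 0 on an exact match, 1 on mismatch, 2 if EXPECTED is not a
# 40-hex-digit (version 4) fingerprint; an 8-digit key ID is rejected
# because it is too short to identify a key reliably.
verify_fpr() {
    actual=$(primary_fpr)
    expected=$(normalize_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Demo on the constructed listing.
if printf '%s\n' "$SAMPLE_LISTING" |
        verify_fpr 'aaaa bbbb cccc dddd eeee ffff 0123 4567 89ab cdef'; then
    echo "fingerprint matches: OK to encrypt to this key"
else
    echo "fingerprint MISMATCH: do not use this key"
fi
```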
Now, we can create a message and encrypt it:
echo 'Secure Message' | gpg -e -r brady@objectmentor.com > secure.gpg
We could have just as easily encrypted one or more files by passing them as parameters to GnuPG. We also could have included multiple recipients. Now we can safely email our secure message (stored in the secure.gpg file) to the recipient.
Receiving Encrypted Messages
When someone sends us an encrypted message, decrypting it is easy.
> gpg -d secure.gpg
gpg: encrypted with ...
"Ben Rady <brady@objectmentor.com>"
Secure Message
And there’s our secure message. Kept safe from the prying eyes of the Internet.

good site
thank u thank u thank u! I just did that on my iphones freebsd and it worked like magic
Even worked on my Ubuntu machine. Usually these type of tutorials don’t really work on ubuntu, and with my very limited knowledge in linux I usually just give up, but this actually worked by doing it step by step.
thanks mate.
Works like a charm, thanks for the great tip!
Worked on my iphone
Secure email, getting a pair key and sending/receiving encrypted messages is all very valuable. Thank you.
thanks ben for the great article