Linux Security Basics: How to Encrypt and Sign Files with GnuPG
Linux comes with the GNU Privacy Guard (GnuPG or GPG) encryption and authentication utility.
With GnuPG, you can create your public and private key pair on your Linux system, encrypt files
with your key, and digitally sign a message to authenticate that it's from you. If you send a
digitally signed message to someone who has your public key, the recipient can verify that you
signed the message.
Understanding public key encryption
The basic idea behind public key encryption is to use a pair of keys - one private and the
other public - that are related but can't be used to guess one from the other. Anything
encrypted with the private key can be decrypted only with the corresponding public key, and
vice versa. The public key is for distribution to other people; you keep the private key in
a safe place.
You can use public key encryption to communicate securely with others. Let's try an example.
Suppose that Alice wants to send secure messages to Bob. Each person generates public key and
private key pairs, after which they exchange their public keys. When Alice wants to send a
message to Bob, she encrypts the message by using Bob's public key and sends the encrypted
message to him. Now the message is secure from eavesdropping, because only Bob's private key
can decrypt the message, and only Bob has that key. When Bob receives the message, he uses
his private key to decrypt the message and read it.
At this point, you might say, "Wait a minute! How does Bob know that the message really
came from Alice? What if someone else uses Bob's public key and sends a message as though it
came from Alice?" This situation is where digital signatures come in.
Understanding digital signatures
The purpose of digital (electronic) signatures is the same as that of pen-and-ink signatures,
but how you sign digitally is different. Unlike a pen-and-ink signature, your digital signature
depends on the message you're signing. The first step in creating a digital signature is
applying a mathematical function to the message and reducing it to a fixed-size message digest
(also called a hash or a fingerprint). No matter how big your message is, the message digest
is usually 128 or 160 bits, depending on the hashing function.
The next step is applying public key encryption. Simply encrypt the message digest with your
private key, and you get the digital signature for the message. Typically, the digital
signature is added to the end of the message, and voila - you get an electronically signed message.
What good does the digital signature do? Well, anyone who wants to verify that the message
is indeed signed by you takes your public key and decrypts the digital signature. What that
person gets is the message digest (the encrypted hash) of the message. Then he or she applies
the same hash function to the message and compares the computed hash with the decrypted value.
If the two match, then no one has tampered with the message. Because your public key was used
to verify the signature, the message must have been signed with the private key known only to
you, so the message must be from you!
In the theoretical scenario in which Alice sends private messages to Bob, Alice can digitally
sign her message to make sure that Bob can tell that the message is really from her.
Here's how Alice sends her private message to Bob with the assurance that Bob can tell it's from her:
1. Alice uses software to compute the message digest of the message and then encrypts the digest by using her private key - her digital signature for the message.
2. Alice encrypts the message (again, using some convenient software and Bob's public key).
3. She sends both the encrypted message and the digital signature to Bob.
4. Bob decrypts the message, using his private key.
5. Bob decrypts the digital signature, using Alice's public key, which gives him the message digest.
6. Bob computes the message digest of the message and compares it with what he got by decrypting the digital signature.
7. If the two message digests match, Bob can be sure that the message really came from Alice.