.--------.
/ .------. \
/ / \ \
| | | |
_| |________| |_
.' |_| |_| '.
'._____ ____ _____.'
| .'____'. |
'.__.'.' '.'.__.'
'.__ | SHHH | __.'
| '.'.____.'.' |
'.____'.____.'____.'
'.________________.' "The universe believes in encryption. It's easier to encrypt information than to decrypt it." - Julian Assange
Hello guys, today I'm here to teach you and present the most secure and reliable method I use to send files/messages in my daily life: PGP.
PGP (Pretty Good Privacy) is a widely used encryption program designed to protect the privacy and security of digital communications.
Developed by Phil Zimmermann in 1991, PGP allows users to encrypt and digitally sign messages, files, and emails,
ensuring that only authorized recipients can access the content.
But how is this possible? Well, I'll explain it now in a simple way.
[0x1] How Does PGP Work?
PGP uses a combination of symmetric and asymmetric encryption. But what does that mean?
Well, in summary, symmetric encryption uses a single key to encrypt and decrypt data. It's fast and efficient but requires the key to be shared securely.
On the other hand, asymmetric encryption uses a pair of keys: A Public Key, which is used only to encrypt files,
and a Private Key, which is used only to decrypt them. The Public Key can be shared with anyone, while the Private Key must be kept secret.
The combination of these encryption methods in PGP makes me believe that PGP is the most secure encryption we have, as it has been proven to be secure and something that governments or agencies
cannot control or break.
There are several examples, from journalists communicating and exposing government secrets to illegal markets that use encryption to keep the content of conversations private.
[0x2] Examples
I can cite some examples of people who used PGP to keep their messages and emails secure:
- Edward Snowden
Edward Snowden, famous for being the American whistleblower who, while working at the NSA, the United States National Security Agency, revealed the largest global surveillance scheme.
Carried out by the United States, this scheme had plans to expand to other neighboring countries. Thanks to PGP encryption and other security methods, he was able to contact two journalists.
Both had to learn how to use PGP so they could send evidence and messages securely. And even then, he asked them to meet in Hong Kong in July 2013.
- Julian Assange
Julian Assange, creator of WikiLeaks, developed a refuge where journalists could send evidence and documents revealing crimes committed by the state,
including war crimes, murders, and censorship. On his site, journalists could submit their reports without issues, as the platform operated through TOR and PGP,
ensuring that all messages and files were transmitted securely. Additionally, these mechanisms prevented governments from taking down the site or interfering with the messages.
- Ross Ulbricht (Dread Pirate Roberts)
Ross Ulbricht, known by the pseudonym "Dread Pirate Roberts," was the creator of Silk Road, one of the largest online markets on the dark web. Launched in 2011, the site operated through the TOR network,
allowing users to buy and sell products anonymously, primarily illicit drugs. To ensure the security and secrecy of communications within Silk Road,
Ulbricht used PGP. This ensured that messages and transactions were protected against interception, guaranteeing that only the legitimate recipient could read the information.
The combination of TOR with PGP encryption made Silk Road extremely difficult to trace, allowing the clandestine market to operate for over two years before being dismantled by the FBI in 2013.
[0x3] How to Use It?
To use PGP, I'll teach you using GPG (GNU Privacy Guard), a program created by GNU that works on both Linux and Windows thanks to https://www.gpg4win.org/.
After downloading it for your respective platforms, let's start by creating our key pair using the command: gpg --full-generate-key
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|bezumiya@x00r:~$ gpg --full-generate-key
|gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
|This is free software: you are free to change and redistribute it.
|There is NO WARRANTY, to the extent permitted by law.
|
|Please select what kind of key you want: //Here you choose the type of your key
| (1) RSA and RSA (default)
| (2) DSA and Elgamal
| (3) DSA (sign only)
| (4) RSA (sign only)
| (14) Existing key from card
|Your selection? 1 //I selected 1
|RSA keys may be between 1024 and 4096 bits long.
|What keysize do you want? (3072) //I just pressed Enter to use the default key size
|Requested keysize is 3072 bits
|Please specify how long the key should be valid. //Here you specify the expiration time of your key
| 0 = key does not expire
| <n> = key expires in n days
| <n>w = key expires in n weeks
| <n>m = key expires in n months
| <n>y = key expires in n years
|Key is valid for? (0) 0
|Key does not expire at all //I decided it should never expire.
|Is this correct? (y/N) y
|
|GnuPG needs to construct a user ID to identify your key.
|
|Real name: bezumiya
|Email address: bezumiya@riseup.net //Now we just need to enter our details like Name/Email
|Comment: My PGP key
|You selected this USER-ID:
| "bezumiya (My PGP key) <bezumiya@riseup.net>"
|
|Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
|We need to generate a lot of random bytes. It is a good idea to perform
|some other action (type on the keyboard, move the mouse, utilize the //Now it will ask you for a password
|disks) during the prime generation; this gives the random number //Remember to save it, as you'll need it for
|generator a better chance to gain enough entropy. //All interactions with your Private key
|gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/4FDD60BF67F87F6E3A5129BFD06ADAC26456FD6A.rev'
|public and secret key created and signed.
|
|pub rsa3072/0xD06ADAC26456FD6A 2025-02-05 [SC]
| 4FDD60BF67F87F6E3A5129BFD06ADAC26456FD6A
|uid bezumiya (My PGP key) <bezumiya@riseup.net> //And that's it :) we have a PGP key pair
|sub rsa3072/0xC82FB054024A27E2 2025-02-05 [E]
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Now, with our PGP key created, we can send our Public key to someone so they can encrypt a message or file.
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|bezumiya@x00r:~$ gpg --export -a "bezumiya@riseup.net" > pubkey.pgp
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
This way, we can send the pubkey.pgp file to anyone, and they will be able to import it and encrypt any file.
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|kitty@cardboard:~$ gpg --import pubkey.pgp
|gpg: key D63B826C5651E675: public key "bezumiya <bezumiya@riseup.net>" imported
|gpg: Total number processed: 1
|gpg: imported: 1
|kitty@cardboard:~$ gpg --list-keys
|/home/kitty/.gnupg/pubring.kbx
|----------------------------
|pub rsa3072 2025-02-05 [SC] [expires: 2027-02-05]
| 788C90B86FC730919217FDC5D63B826C5651E675 <bezumiya@riseup.net> //Let's get the key ID
|uid [ unknown] bezumiya <bezumiya@riseup.net>
|sub rsa3072 2025-02-05 [E] [expires: 2027-02-05]
|kitty@cardboard:~$ gpg -r 788C90B86FC730919217FDC5D63B826C5651E675 --encrypt msg.txt
|gpg: E7D5F977CE423A52: There is no assurance this key belongs to the named user
|
|sub rsa3072/E7D5F977CE423A52 2025-02-05 bezumiya <bezumiya@riseup.net>
| Primary key fingerprint: DC55 A171 72BB 586D 4F4F 10A5 61FB 2171 97B4 105D
| Subkey fingerprint: 8AA8 290B 9403 424E 885B 77CF E7D5 F977 CE42 3A52
|
|It is NOT certain that the key belongs to the person named
|in the user ID. If you *really* know what you are doing,
|you may answer the next question with yes.
|
|Use this key anyway? (y/N) y //File encrypted! (msg.txt.gpg)
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Now the user can send the file msg.txt.gpg to the owner of the private key, which is me :D
By downloading the file, we just need to decrypt it.
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|bezumiya@x00r:~$gpg --decrypt msg.txt.gpg //It will ask for the Private Key password
|gpg: encrypted with 3072-bit RSA key, ID 0xE339189519B3314C, created 2025-02-06
| "bezumiya <bezumiya@riseup.net>"
|Hello :)
|
|I am here to prove that there is still a secure way to send messages!
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
And that's it, we have an encrypted and decrypted message using PGP encryption.
Now that we know the basics of PGP and the GPG utility, we can approach other topics.
[0x4] Trust in Keys
You might have noticed that when I was encrypting a file, there was this message:
"It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes."
This message happens because the trust of the key was Unknown. And for that, we will edit the trust level of the key, but why does this matter?
The main reason for the trust level in GPG is to avoid MITM (Man in the Middle) attacks.
Someone could intercept your communication and provide a fake key, making you encrypt messages for an attacker instead of the real recipient.
Setting the trust level correctly helps prevent this kind of attack.
So, to change the trust of keys, we will need to use the following commands:
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|kitty@cardboard:~$ gpg --edit-key 788C90B86FC730919217FDC5D63B826C5651E675 //Enter your key's keyID accordingly
|gpg (GnuPG) 2.2.45; Copyright (C) 2024 g10 Code GmbH
|This is free software: you are free to change and redistribute it.
|There is NO WARRANTY, to the extent permitted by law.
|
|
|pub rsa3072/D63B826C5651E675
| created: 2025-02-06 expires: never usage: SC
| trust: unknown validity: unknown
|sub rsa3072/E339189519B3314C
| created: 2025-02-06 expires: never usage: E
|[ unknown] (1). bezumiya <bezumiya@riseup.net> //Notice the key trust is unknown
|
|gpg> trust //Changing the trust
|pub rsa3072/D63B826C5651E675
| created: 2025-02-06 expires: never usage: SC
| trust: unknown validity: unknown
|sub rsa3072/E339189519B3314C
| created: 2025-02-06 expires: never usage: E
|[ unknown] (1). bezumiya <bezumiya@riseup.net>
|
|Please decide how far you trust this user to correctly verify other users' keys
|(by looking at passports, checking fingerprints from different sources, etc.)
|
| 1 = I don't know or won't say
| 2 = I do NOT trust
| 3 = I trust marginally
| 4 = I trust fully
| 5 = I trust ultimately
| m = back to the main menu
|
|Your decision? 5 //I set it to 5 because I know the owner of the key (myself xD)
|Do you really want to set this key to ultimate trust? (y/N) y
|pub rsa3072/D63B826C5651E675
| created: 2025-02-06 expires: never usage: SC
| trust: ultimate validity: unknown
|sub rsa3072/E339189519B3314C
| created: 2025-02-06 expires: never usage: E
|[ unknown] (1). bezumiya <bezumiya@riseup.net>
|Please note that the shown key validity is not necessarily correct
|unless you restart the program.
|
|gpg> quit
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Now we can encrypt and perform other actions without GPG warnings because you edited the trust, stating that you fully trust this public key.
Now that I’ve shown how to edit trust, let’s move on to another GPG feature, which is signing files and keys.
[0x5] Signing Files
Signing files and messages with GPG allows you to ensure that the content has not been altered and that it really came from you.
The digital signature uses your private key to sign, and anyone can verify the authenticity using your public key.
Let's create a .txt file with a message and digitally sign it using GPG:
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|bezumiya@x00r:~$ echo ":3 hii" > msg.txt
|bezumiya@x00r:~$ gpg --clearsign msg.txt //I'm using --clearsign, but there are several other options.
|bezumiya@x00r:~$ cat msg.txt.asc
|-----BEGIN PGP SIGNED MESSAGE-----
|Hash: SHA512
|
|:3 hii
|-----BEGIN PGP SIGNATURE-----
|
|iQITBAEBCgB9FiEEeIyQuG/HMJGSF/3F1juCbFZR5nUFAmekKz5fFIAAAAAALgAo
|aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDc4
|OEM5MEI4NkZDNzMwOTE5MjE3RkRDNUQ2M0I4MjZDNTY1MUU2NzUACgkQ1juCbFZR
|5nUo9Qv/TkADYVxKg7yxmhTRfuf1jNOX/HvUcZ7TkQtnLMRXD/leas3GE71awPro
|T64KF52jdy7AZ/H2Ts4i7szrn/Om6TX6KXmh9yAw2CyqEyMJqZTebPuvkbfYQ4sc
|+9WU7dTPstnLONIwu9sf7GCncarNCjdIXMuRBjbezWibifVpf2qnA4HbbbwfGZKl
|HHE9DZIZYyrCYoH595O8qdTD4zqzPblZNXrWQLsZNpgqHCSDtfMcx96G80Jl9OUb
|VBDUznoJ8+BqU3vmm3Hq2U+H6bpVUim7PWEqGN2eKwlIWfDX2Gs7D/01LLDwphj2
|S/21TAcCfmUAw3xbHKtwfXig/PWEZqS/ejv8iNVAi0GhpUBjLu8BAOXqY6NCfoQx
|f2kChLsAcD0W5mevxtiFPcP51dY47NLwRFQq+9jTfbEHBBf/94hSxPEtdqS55s8l
|c01VVZ3JFLnNhzDzbK0w0vb0Zf/fZOZ8ChnBlODReFO5vvarV7XryjVbywtuCXNR
|fWiBi0Kr
|=PQLS
|-----END PGP SIGNATURE-----
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Well, now we can send this text to someone else so they can validate and verify that this ":3 hii" was really written by me.
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|kitty@cardboard:~$ gpg --verify msg.txt.asc
|gpg: Signature made Thu Feb 6 03:23:42 2025 UTC
|gpg: using RSA key 788C90B86FC730919217FDC5D63B826C5651E675
|gpg: checking the trustdb
|gpg: marginals needed: 3 completes needed: 1 trust model: pgp
|gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
|gpg: Good signature from "bezumiya <bezumiya@riseup.net>" [ultimate]
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Now you're probably thinking: "Ah, what if I change the signed message?" Well, I changed one character in the message and will verify it again:
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|kitty@cardboard:~$ cat msg.txt.asc
|-----BEGIN PGP SIGNED MESSAGE-----
|Hash: SHA512
|
|:) hii
|-----BEGIN PGP SIGNATURE-----
|
|iQITBAEBCgB9FiEEeIyQuG/HMJGSF/3F1juCbFZR5nUFAmekKz5fFIAAAAAALgAo
|aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDc4
|OEM5MEI4NkZDNzMwOTE5MjE3RkRDNUQ2M0I4MjZDNTY1MUU2NzUACgkQ1juCbFZR
|5nUo9Qv/TkADYVxKg7yxmhTRfuf1jNOX/HvUcZ7TkQtnLMRXD/leas3GE71awPro
|T64KF52jdy7AZ/H2Ts4i7szrn/Om6TX6KXmh9yAw2CyqEyMJqZTebPuvkbfYQ4sc
|+9WU7dTPstnLONIwu9sf7GCncarNCjdIXMuRBjbezWibifVpf2qnA4HbbbwfGZKl
|HHE9DZIZYyrCYoH595O8qdTD4zqzPblZNXrWQLsZNpgqHCSDtfMcx96G80Jl9OUb
|VBDUznoJ8+BqU3vmm3Hq2U+H6bpVUim7PWEqGN2eKwlIWfDX2Gs7D/01LLDwphj2
|S/21TAcCfmUAw3xbHKtwfXig/PWEZqS/ejv8iNVAi0GhpUBjLu8BAOXqY6NCfoQx
|f2kChLsAcD0W5mevxtiFPcP51dY47NLwRFQq+9jTfbEHBBf/94hSxPEtdqS55s8l
|c01VVZ3JFLnNhzDzbK0w0vb0Zf/fZOZ8ChnBlODReFO5vvarV7XryjVbywtuCXNR
|fWiBi0Kr
|=PQLS
|-----END PGP SIGNATURE-----
|kitty@cardboard:~$ gpg --verify msg.txt.asc
|gpg: Signature made Thu Feb 6 03:23:42 2025 UTC
|gpg: using RSA key 788C90B86FC730919217FDC5D63B826C5651E675
|gpg: BAD signature from "bezumiya <bezumiya@riseup.net>" [ultimate]
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
This shows the security of PGP, just one character changed makes the entire signature invalid.
[0x6] Conclusion
And that's it! I hope you start using PGP more and explore other forms of encryption, diving deeper into these topics. Stay secure, and until the next post!
[Inicio]