• Asymmetric cryptography, also known as public-key cryptography, is a process that uses a pair of related keys – one public key and one private key – to encrypt and decrypt a message and protect it from unauthorized access or use.

  • A public key is a cryptographic key that can be used by any person to encrypt a message so that it can only be decrypted by the intended recipient with their private key.


  • When someone wants to send an encrypted message, they can pull the intended recipient’s public key from a public directory and use it to encrypt the message before sending it. The recipient of the message can then decrypt the message using their related private key.

If the sender instead applies their private key to a message, anyone holding the sender's public key can check the result, which authenticates the sender; this is what a digital signature is (in practice the signature is computed over a hash of the message rather than by "encrypting" the whole message). The key handling is automatic; users never lock and unlock anything by hand. The practical advantage of asymmetric encryption is not that it is "more secure" than a symmetric cipher, but that the two parties never have to share or transmit a secret key: the private key stays with its owner, so there is no secret in transit for a cybercriminal to intercept. The private key still has to be protected where it is stored, which is what the passphrase and the backup advice below are for.

GnuPG, also known as GPG, is a free, cross-platform implementation of the OpenPGP standard and one of the most widely used ways to put these algorithms to work. It uses both kinds: each message is encrypted with a fresh random symmetric session key, and only that session key is encrypted with the recipient's public key, so the slow asymmetric operation is applied to a few bytes rather than to the whole file.

So let's take a look at how to use GnuPG to do that.

Generate GPG keys

gpg --full-gen-key

To list the public keys in your keyring

gpg --list-keys

Or by using

gpg --list-public-keys

List your secret keys

gpg --list-secret-keys

Export your own public gpg key for others

gpg --armor --export user-id > public_key.asc

Note: if you're not sure what your user-id is

  • Any unique part of the user ID (the name or the e-mail address you gave when generating the key) works as user-id, and so does the key's fingerprint. Passing it to --list-keys shows just that key:
gpg --list-keys "Your name or email address (or the name you used when generating the keys)"
# Example
gpg --list-keys "anas@cschad.com"
# The 40-character hexadecimal line under "pub" is the key's fingerprint

Export your own private gpg key (keep it safe)

gpg --armor --export-secret-keys user-id > private_key.asc

The file holds your secret key material, protected only by your passphrase. Store it offline or on an encrypted backup; never upload it to a keyserver or paste it anywhere a public key would go.

Upload your key to keys.openpgp.org so people can easily find it. The server e-mails every address on the key and only lets others search by that address once you have confirmed it; lookup by fingerprint works without confirmation.

gpg --export your_address@example.net | curl -T - https://keys.openpgp.org 

Import someone's public key

gpg --import my_friends_public_key.asc

Find someone's key on a keyserver (the one configured in dirmngr, or the one named with --keyserver)

gpg --keyserver hkps://keys.openpgp.org --auto-key-locate keyserver --locate-keys user@example.net

You can also search/upload keys directly from

https://keys.openpgp.org

To refresh all your keys (e.g. new revocation certificates and subkeys):

gpg --refresh-keys

gpg --edit-key user-id

This will bring you to a gpg command line interface from which you can display the fingerprint using:

fpr

Once you have verified that fingerprint with the owner out of band (for example by reading it to each other), you can sign the key using:

sign

sign creates an exportable certification that others will see if you publish the key; use lsign instead if you only want to mark the key as verified in your own keyring. Then, to double check that it is signed, you can run:

check

To exit from the gpg CLI, enter "quit" or hit Ctrl+D. You will be asked "Save changes? (y/N)"; answer y. Now you have validated that public key.

To encrypt a file

gpg -e -r keyId filename 

Key revocation

If your private key is compromised or lost, or you simply stop using it, a revocation certificate tells everyone else that the public key should no longer be used. Generate it with:

gpg --output revocation_cert.asc --gen-revoke keyId

Do this right after creating the key pair, not when you need it: the certificate is made with the private key, so once the key is lost, or its passphrase forgotten, it cannot be created any more. GnuPG 2.1 and later already write one for each new key into openpgp-revocs.d inside the GnuPG home directory, with the armor header deliberately prefixed by a colon so that it cannot be imported by accident.

  • Keep the certificate somewhere really safe: anyone who gets hold of it can revoke your key. When you do have to use it, import it into your own keyring (with gpg --import, like any other key material) and publish the updated key to the keyservers you used, so that other people's keyrings pick up the revocation.

Delete a key (secret key first; gpg refuses to delete a public key while a secret key for it is still present)

gpg --delete-secret-key [uid]
gpg --delete-key [uid]

Send someone an encrypted message

After you have imported their public key and verified its fingerprint with them out of band, sign the key as described above.

Now you want to send him an encrypted document using his public key

gpg --output doc.gpg --encrypt --recipient (hisemail|ID|uid) doc_you_wish_to_send.txt

Decrypt a message you have received

gpg --output doc --decrypt doc.gpg

Making and verifying signatures

A digital signature lets whoever receives a file you upload or send check that it comes from you and has not been tampered with.

gpg --output doc.sig --sign doc

This form is not very convenient: the output is the compressed document and the signature bundled together, so the recipient has to run gpg --decrypt on it just to get the original file back, and the file is useless to anyone without gpg. A detached signature, kept as a separate small file next to the unchanged original, is the better choice.

To make a signature

gpg --output doc.sig --detach-sign doc

To verify a signature of a file you need both the signature and the file.

gpg --verify doc.sig doc

The output should look something like: Good signature from "xxx" <email@example.com>. Check that the fingerprint gpg prints is the one you verified with the owner; if gpg adds a WARNING that the key is not certified with a trusted signature, the signature is cryptographically valid but you have not yet verified and signed that key.
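The whole procedure above, run end to end as an added example that is not part of the original article: two throwaway keyrings ("Alice" and "Bob") generate keys, exchange and fingerprint-check a public key, certify it, encrypt and decrypt a document, make and verify a detached signature (including the failure on a tampered copy, which the article does not show) and finally import a revocation certificate. Everything runs under temporary GNUPGHOME directories, so ~/.gnupg is never touched. It assumes GnuPG 2.1 or later (for the --quick-* commands and openpgp-revocs.d); the names, addresses, file names and message are made up for the demo.

```sh
#!/bin/sh
# Added example, not code from the original article or from the GnuPG project.
# Assumes GnuPG >= 2.1. All identities, files and messages below are invented.
set -e

# Run gpg against one party's isolated keyring. --batch/--yes make it
# non-interactive; loopback pinentry with an empty passphrase is for the demo
# only, a real key should carry a passphrase.
gpg_as() {
    home="$1"; shift
    GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# The 40-hex-digit fingerprint of a key, read from machine-readable output
# instead of grepping the human-readable listing (first "fpr" record = primary key).
fpr_of() {
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Validity flag of a key as seen from a keyring: "r" once it is revoked.
validity_of() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

run_demo() {
    if [ -n "${DEMO_DONE:-}" ]; then return 0; fi
    WORK=$(mktemp -d); ALICE="$WORK/alice"; BOB="$WORK/bob"
    mkdir -p "$ALICE" "$BOB"; chmod 700 "$ALICE" "$BOB"

    # 1. Each party generates a key pair (batch equivalent of gpg --full-gen-key).
    gpg_as "$ALICE" --quick-generate-key 'Alice Example <alice@example.net>' default default never
    gpg_as "$BOB"   --quick-generate-key 'Bob Example <bob@example.net>'     default default never
    ALICE_FPR=$(fpr_of "$ALICE" alice@example.net)

    # 2. Alice exports her public key; Bob imports it and compares the fingerprint
    #    with the one Alice gave him out of band (here: read from her own keyring).
    gpg_as "$ALICE" --armor --export alice@example.net > "$WORK/alice.asc"
    gpg_as "$BOB" --import "$WORK/alice.asc"
    FPR_SEEN_BY_BOB=$(fpr_of "$BOB" alice@example.net)
    [ "$FPR_SEEN_BY_BOB" = "$ALICE_FPR" ] || { echo "fingerprint mismatch, stop"; return 1; }

    # 3. Bob certifies the key (the "sign" step of --edit-key) and recomputes trust,
    #    so gpg will encrypt to it without a "no assurance" refusal in batch mode.
    gpg_as "$BOB" --quick-sign-key "$ALICE_FPR"
    gpg_as "$BOB" --check-trustdb

    # 4. Bob encrypts a document to Alice; Alice decrypts it with her private key.
    printf 'meet at noon\n' > "$WORK/doc.txt"
    gpg_as "$BOB"   --output "$WORK/doc.gpg" --encrypt --recipient alice@example.net "$WORK/doc.txt"
    gpg_as "$ALICE" --output "$WORK/doc.dec" --decrypt "$WORK/doc.gpg"
    DECRYPTED=$(cat "$WORK/doc.dec")

    # 5. Alice makes a detached signature; Bob verifies it, then watches it fail
    #    on a tampered copy of the document.
    gpg_as "$ALICE" --output "$WORK/doc.sig" --detach-sign "$WORK/doc.txt"
    gpg_as "$BOB" --verify "$WORK/doc.sig" "$WORK/doc.txt"
    printf 'meet at one\n' > "$WORK/doc_tampered.txt"
    if gpg_as "$BOB" --verify "$WORK/doc.sig" "$WORK/doc_tampered.txt" 2>/dev/null; then
        TAMPER_DETECTED=no
    else
        TAMPER_DETECTED=yes
    fi

    # 6. Revocation. GnuPG 2.1+ wrote a certificate at key creation, with the armor
    #    header prefixed by ':' so it cannot be imported by accident. Alice removes
    #    the colon and publishes it; Bob's keyring then marks the key revoked ("r").
    sed -n -e 's/^:-----BEGIN/-----BEGIN/' -e '/^-----BEGIN/,$p' \
        "$ALICE/openpgp-revocs.d/$ALICE_FPR.rev" > "$WORK/alice-revoke.asc"
    gpg_as "$BOB" --import "$WORK/alice-revoke.asc"
    ALICE_VALIDITY_AT_BOB=$(validity_of "$BOB" alice@example.net)

    # Stop the agents started for the temporary homes and remove them.
    GNUPGHOME="$ALICE" gpgconf --kill all || true
    GNUPGHOME="$BOB" gpgconf --kill all || true
    rm -rf "$WORK"
    DEMO_DONE=1
}

run_demo
echo "alice fingerprint:      $ALICE_FPR"
echo "decrypted by alice:     $DECRYPTED"
echo "tampering detected:     $TAMPER_DETECTED"
echo "alice's key at bob now: $ALICE_VALIDITY_AT_BOB (r = revoked)"
```

Step 3 is the part people skip and then wonder why gpg refuses to encrypt: in batch mode a key that nobody in your keyring has certified is "unusable", so either certify it after checking the fingerprint, as here, or consciously bypass the web of trust with --trust-model always. Step 6 uses the certificate GnuPG generated for you; the interactive --gen-revoke from the article produces the same kind of certificate.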

If you have any insights or suggestions, I would love to hear them 🙂.