GPG/ GnuPG Practice

So here’s the deal with GnuPG, or GPG as most call it—I’ve been messing around with it a lot, and honestly, it’s a lifesaver for keeping stuff secure. You start by importing and exporting keys—that’s like exchanging digital ID cards. You import someone’s public key to send them encrypted messages, or export yours so others can do the same. Then comes the fun part: examining keys. You check fingerprints, expiration dates, and trust levels to make sure you’re not dealing with imposters.

The big thing to remember? Public keys are for sharing—they encrypt messages sent to you. Secret keys, though, are super private, used to decrypt messages and sign stuff. Losing your secret key is like losing your house keys, so store it safely, back it up (preferably encrypted), and keep copies somewhere secure.

I mostly learned all this by chatting with AI and actually running these commands myself. Figured it’s worth jotting down and sharing—helps keep your cryptography game strong without the mystery.

gpg decrypt encrypted with elg key, id is secret key id or public key id

In GPG, you use the secret key, not the public key, to decrypt a message. GPG automatically attempts to decrypt with the correct key from your secret keyring, so you generally do not need to specify a key ID for decryption.

The message itself contains a reference to the public key used for encryption, which GPG uses to find the corresponding secret key in your keyring. The ELG key type is specifically for encryption, and your corresponding private ELG key is what is needed for decryption.

Steps for decryption

Ensure you have the secret key First, confirm that the necessary secret key is present in your keyring.
```
gpg --list-secret-keys --keyid-format=long
```
The output will show all your secret keys. Look for the key ID mentioned in the encryption process or associated with the recipient of the message.
Decrypt the file Use the --decrypt or -d option with the encrypted file. If the secret key is in your keyring, GPG will find it automatically.
```
gpg --output [output_filename] --decrypt [encrypted_filename]
```
--output [output_filename]: Specifies the name for the decrypted output file. --decrypt [encrypted_filename]: The name of the file you want to decrypt.

If the file is not corrupted, GPG will prompt you for the passphrase associated with the secret key and then output the decrypted content.
Handling issues

“No secret key” error: If you receive a “no secret key” error, it means the private key needed for decryption is not in your keyring. You will need to import it using gpg --import [secret_key_file]. Decryption output: By default, GPG prints the decrypted content to the console (standard output). Use the --output option to redirect it to a file.

gpg import secret key

To import a secret (or private) GPG key, you use the gpg --import command with the key file as an argument. The secret key file usually has an .asc or .gpg extension. GPG automatically places the imported key in your secret keyring, and the associated public key in your public keyring.

Command-line import

Use the following command, replacing private.key with the actual path and name of your secret key file:

gpg --import /path/to/your/private.key

GPG will prompt you for the passphrase associated with the key during the import process.

Copy and paste from a terminal

If your secret key is in an armored format (human-readable text), you can copy and paste it directly into the terminal.

Run the gpg —import command without a filename.
Paste the entire key block into the terminal, including the -----BEGIN PGP PRIVATE KEY BLOCK----- and -----END PGP PRIVATE KEY BLOCK----- headers.
Press Ctrl+D and then Enter to finalize the import.

How to verify a successful import

After importing, you can confirm that the key is in your keyring by listing your secret keys:

gpg --list-secret-keys --keyid-format=long

The output should now include the details of the secret key you just imported. You will see a sec (secret) entry for the primary key and an ssb (secret subkey) entry if subkeys are present.

Special considerations

Older GnuPG versions: Some older versions of GnuPG required the --allow-secret-key-import flag. This is now obsolete and not needed in modern GPG installations.
Trust level: The import command adds the key but does not automatically set its trust level. After importing, you should edit the key to set the ownership trust level to “ultimate” to indicate that you fully trust it.
```
gpg --edit-key <KEY_ID>
# Type 'trust' at the prompt and follow the instructions.
```

gpg examine key before import

You can use the gpg --show-keys command to inspect a key file before importing it into your keyring. This allows you to verify details such as the key ID, creation date, expiration date, and user IDs associated with the key without altering your keyring.

How to examine a key file

To examine a key file, use gpg --show-keys followed by the key filename. You can also add the --with-fingerprint option to display the full fingerprint. Example

gpg --show-keys my-secret-key.asc

Example with fingerprint

gpg --show-keys --with-fingerprint my-secret-key.asc

The output for a secret key will look similar to this, with sec indicating a secret key and ssb indicating a secret subkey:

sec   rsa4096 2024-09-05 [SC]
      F123 4567 89AB CDEF 1234 5678 9ABC DEF1 2345 6789
uid           [ultimate] John Doe <john.doe@example.com>
ssb   rsa4096 2024-09-05 [E]

Advanced examination

For a more technical, packet-level view of the key file, use gpg --list-packets. This is useful for debugging and understanding the key’s internal structure. Example

gpg --list-packets my-secret-key.asc

Example with verbose output

gpg --verbose --list-packets my-secret-key.asc

Other things to check

Before importing a key, you should confirm the following details from the gpg —show-keys output:

Key ID and Fingerprint: Confirm that the key’s ID matches the one you expect. A full fingerprint is the most reliable identifier.
UID (User ID): Ensure the user ID, such as the name and email address, matches the key’s owner.
Creation and Expiration Dates: Review the key’s creation date and, if applicable, its expiration date to ensure it is still valid.
Key Flags ([SC], [E]): Verify the key’s capabilities. A secret key for signing and certification will have [SC], while an encryption subkey will have [E].

what is such id? how to find such id representing which gpg key, public or secret?

gpg --decrypt shows 
gpg: encrypted with ELG key, ID <string>

The “ID” shown by gpg --decrypt when it encounters an ELG key is the public key ID of the key used to encrypt the message. It is embedded in the encrypted file itself and is used by GPG to look for the corresponding secret key in your keyring.

Public key vs. secret key

A GPG key pair consists of a public key and a private (or secret) key.

Public key: This key is shared with others so they can encrypt messages that only you can read. It is not a secret. The ID is a shortened version of the public key’s fingerprint.
Secret key: You keep this key private. It is required to decrypt messages that have been encrypted with the corresponding public key.

The encrypted message itself can only contain public information, like the ID of the public key used for encryption. GPG uses this ID to automatically find the correct secret key to use for decryption.

How to use the key ID

If your decryption failed with an error like “No secret key,” you can use the ID provided by GPG to find the correct key.

Search your secret keyring: List your secret keys and look for the key ID shown in the error message.
```
gpg --list-secret-keys --keyid-format=long
```
This command will show all secret keys in your keyring, including both the main key and any subkeys (like an ELG encryption subkey). Look for a key that matches the ID.
Examine the key file: If you have the key file but haven’t imported it yet, use gpg --show-keys to display its information, including the key ID, without importing it.
```
gpg --show-keys my-secret-key.asc
```
Find the corresponding public key: The ID is associated with the public key. If you are troubleshooting, you can find the full fingerprint by listing your public keys with --keyid-format=long.
```
gpg --list-keys --keyid-format=long <KEY_ID>
```

`gpg --show-key` lists pub key id which is much longer than the id following “encrypted with elg key”

The discrepancy in length you are observing is because GPG uses different formats for key IDs.

During decryption (gpg --decrypt), the output “encrypted with ELG key, ID ” shows a shorter ID, typically the 8-character or 16-character public key ID. This ID is embedded in the encrypted message and is used as a hint to find the correct key.
When listing a key (gpg --show-keys or gpg --list-keys), the command typically displays the full fingerprint, which is a 40-character hexadecimal string representing a SHA-1 hash of the key.

GPG key ID formats

Every GPG key is identified by a fingerprint, but shorter versions are commonly used for convenience.

Type	Length	Derivation	Safety
Fingerprint	40 characters	A full SHA-1 hash of the key.	Very secure and the most reliable identifier.
Long Key ID	16 characters	The last 16 characters (64 bits) of the key’s fingerprint.	More secure than a short ID, but still subject to collision attacks.
Short Key ID	8 characters	The last 8 characters (32 bits) of the key’s fingerprint.	Insecure and vulnerable to collision attacks. You should avoid using these.

How to use the shorter ID to find the longer one

To match the shorter ID from your decrypt output to the full fingerprint of your key, you can search your keyring.

Look for a match in your key listings: The short ID will always be the last 8 characters of a longer ID or fingerprint.

Use a command with the short ID: For example, to find the full fingerprint of a key, you can use the gpg command with the short key ID. GPG is smart enough to find matches even with a shorter ID.

# This will show the full fingerprint for the matching key
gpg --fingerprint <short_key_id>

# This will display all your secret keys in the "long key ID" format
gpg --list-secret-keys --keyid-format=long

Example If your decrypt command shows:

gpg: encrypted with ELG key, ID 1234ABCD

You can use the short ID to get more information:

gpg --fingerprint 1234ABCD

This might produce an output like:

pub   rsa4096 2024-09-05 [SC]
      F123 4567 89AB CDEF 1234 5678 9ABC DEF1 2345 ABCD
uid           [ultimate] John Doe <john.doe@example.com>

In this output, 1234ABCD is the short key ID, while the full fingerprint is the much longer string on the second line.

does it have to import all gpg secret keys before they can be examined?

No, you do not have to import secret keys before examining them. GPG provides several command-line options that allow you to inspect the contents and properties of a key file directly, without adding it to your keyring.

This is a useful practice for security reasons, as it allows you to verify a key’s details before committing it to your system.

How to examine a key file without importing

gpg --show-keys

This is the standard command for inspecting a key file. It displays a summary of the key’s information, including its fingerprint, user ID, and capabilities.

gpg --show-keys my-secret-key.asc

To also see the full fingerprint of any subkeys, you can add the --with-fingerprint option.

gpg --show-keys --with-fingerprint my-secret-key.asc

gpg --list-packets

For more technical users, this command provides a detailed, packet-level view of the key’s data. This is useful for debugging but is not intended for easy parsing.

gpg --list-packets my-secret-key.asc

gpg --dry-run --import

You can run an “import” in a simulated mode to see what GPG would do without actually changing your keyring. This is particularly useful for scripting key verification.

gpg --dry-run --import my-secret-key.asc

Distinguishing a secret key from a public key file

When examining a key file, the output will tell you whether it contains a secret key (sec) or just a public key (pub).

Secret key output: The first line will start with sec (secret) and be followed by the algorithm, creation date, and capabilities.
Public key output: The first line will start with pub (public), followed by similar details.

Using a temporary keyring

If you need to perform more advanced operations on a key without affecting your main keyring, you can use a temporary GnuPG home directory or keyring. Example using a temporary keyring

gpg --primary-keyring temporary.gpg --import my-secret-key.asc
gpg --primary-keyring temporary.gpg --list-secret-keys
rm temporary.gpg

does a gpg key have to be imported before using it to decrypt

Yes, a secret GPG key must be imported into a GnuPG keyring before it can be used to decrypt a message. The gpg command requires that the private key be present in a keyring it can access to find the correct key for decryption.

While you cannot use a key file directly for decryption without importing it, there are workarounds if you do not want the key in your permanent keyring.

Why a secret key must be imported

GPG uses a keyring to manage all your keys. When a message is encrypted, it includes the public key ID of the recipient. When you run the decryption command, GPG uses this ID to automatically search your keyrings for the corresponding secret key. If the secret key isn’t in a keyring, GPG won’t be able to find and use it.

Workarounds for using a key without permanent import

If you only need to use a key temporarily without importing it into your default keyring, you can use a temporary GnuPG home directory or keyring.

Option 1: Temporary GnuPG home directory

This is the most isolated and secure method, as it completely separates the operation from your main keyring.

Create a temporary directory to serve as the GPG home:
```
TEMP_HOMEDIR=$(mktemp -d)
```

Import the secret key into this temporary home directory:

gpg --homedir "$TEMP_HOMEDIR" --import my-secret-key.asc

Decrypt the file using the temporary home directory:

gpg --homedir "$TEMP_HOMEDIR" --output decrypted_file.txt --decrypt encrypted_file.gpg

Remove the temporary directory and its contents:
```
rm -r "$TEMP_HOMEDIR"
```

Option 2: Temporary keyring file

This method is simpler for GnuPG versions that support it (though the old --secret-keyring option is obsolete since GnuPG 2.1).

Create a new, temporary keyring and import your secret key into it:

gpg --no-default-keyring --secret-keyring temp.gpg --import my-secret-key.asc

Use the temporary keyring to decrypt the message:

gpg --no-default-keyring --secret-keyring temp.gpg --decrypt encrypted_file.gpg

Delete the temporary keyring file when you are done.

if i don’t want to use a gpg secret key, which has been imported. does it or its keyring still works even i have deleted it

If you delete a GPG secret key from your keyring, it no longer works for decryption or signing because GnuPG can no longer access the private cryptographic material. Deleting the key is a permanent action, and the keyring is updated to reflect its removal.

How deleting a key affects your system

Decryption stops working: Any messages encrypted with the corresponding public key become unreadable, unless you have a backup of the secret key to re-import.
Signing fails: You will no longer be able to use the deleted key to sign files or commits.
Keyring functionality: Your GnuPG keyring itself remains functional for all other keys it contains. The deletion only affects the specific key you removed.
Deleting public key separately: Deleting a secret key does not automatically delete the corresponding public key. This can be useful for verifying old signatures, but to fully remove a key pair, you must delete both.

Recommendations before deleting a secret key

Before deleting a secret key, you should take these steps to avoid issues:

Create a backup: Export the secret key to an encrypted file with the command gpg --export-secret-keys --armor <key_id> > backup.asc. This is the only way to recover the key later.
Generate and publish a revocation certificate: If you published the public key to a keyserver, it’s a best practice to revoke it first. A revocation certificate informs others that the key is no longer valid. This is important if you believe the key was compromised. You must do this before deleting the secret key.
Delete the public key: If you intend to fully remove all traces of the key, delete the public key from your keyring as well. GnuPG will warn you if you try to delete the public key before its corresponding secret key.
Confirm the deletion: After running gpg --delete-secret-key, verify that it is gone by listing your secret keys again with gpg --list-secret-keys.

when using `gpg --encrypt`, how to use specific secret key id instead of `--recipient`

In GPG, the --encrypt command uses a public key to encrypt a file for a recipient, not a secret key. A secret key cannot be used directly for encryption in the same way. The correct way to encrypt for yourself with a specific key is to use the --recipient option with your own public key’s ID.

If you need to encrypt a file for yourself, you must use your public key as the recipient. Since you already have both the public and private parts of your key in your keyring, GPG can perform the encryption and decryption for you.

Encrypt for yourself with your public key

Find your key ID: If you don’t know your key ID, you can find it by listing your keys. For the most reliable identifier, you should use the full fingerprint or the long key ID.
```
gpg --list-secret-keys --keyid-format=long
```
The output will show a line that looks something like this:
```
sec rsa4096 2024-09-05 [SC] F123456789ABCDEF123456789ABCDEF123456789
```
The long hexadecimal string is your key ID/fingerprint.
Encrypt the file using your public key ID: Use the --recipient or -r option with your key ID.
```
gpg --encrypt --recipient <KEY_ID> file.txt
```
Replace <KEY_ID> with your key ID (the hexadecimal string from the previous step) and file.txt with the name of the file you want to encrypt.
Decrypt the file: GPG will automatically use the corresponding secret key in your keyring to decrypt the message when you run the decrypt command.
```
gpg --output file.txt --decrypt file.txt.gpg
```

Alternative methods

Using a specific subkey

If you have multiple subkeys (e.g., separate keys for signing and encryption) and want to use a specific encryption subkey, append an exclamation mark ! to the key ID.

gpg --encrypt --recipient <SUBKEY_ID>! file.txt

The `--encrypt-to` option

For automatically encrypting to yourself whenever you encrypt for others, you can configure the encrypt-to option in your gpg.conf file.

Add this line to your ~/.gnupg/gpg.conf file:

encrypt-to <KEY_ID>

Now, when you encrypt for a recipient, GPG will automatically include your public key in the encryption process, so you can decrypt the file yourself later.

Symmetric encryption

For a simpler approach that does not involve public/private key pairs, you can use symmetric encryption with a passphrase.

gpg --symmetric file.txt

This will prompt you for a passphrase to encrypt the file. To decrypt it, you will need to provide the same passphrase.