? PGP Guide ?

[Mutt]

PGP In Plain English: A Simple Man's Guide To Using PGP/GPG Like A Pro

The model of public key cryptography relies on one crucial, and fallible assumption: The owner of the key has not given access to a third party, and is the sole person in control of the private key. In other words, Bob does not have access to Alice's private key and/or passphrase.

If a key is compromised, it's game over. Protect your private key and passphrase, back them up, and do not solely rely on PGP to keep you safe.

Now that we've got that out of the way, let's get started.

Terminology
First and foremost, there are two different common forms of asymmetric encryption on the deep web that is mentioned; PGP, and GPG. both are more or less the same thing.

PGP stands for Pretty Good Privacy.

GPG refers to the more trusted GnuPG, which stands for GNU Privacy Guard.
As stated earlier, the two are considered very similar to one another, differing mainly in development and trust. This guide recommends the use of GnuPG, and will be using it.

A keypair is the combination of public and private keys that form your ability to securely send messages. Your keypair will consist of your public key; the one you share with everyone else, and your private key; the one you keep to yourself and never distribute.

ASCII Armor is the use of ASCII characters to display the encrypted data instead of using a .gpg file. This is desirable when sending messages using PM systems.

Installation
This guide will be using GnuPG. TAILS, along with most Linux distributions, come with GnuPG installed.

If you are using an OS that does not come with you, it can be downloaded from here.

The application comes with GUI applications, and you are welcome to install them, but throughout this guide we will be using the terminal/command line instead.
You can test to ensure the installation was successful by opening a terminal/cmdPrompt and typing the following command:

gpg --help

A large amount of text including command arguments should display itself on the console, this indicates the installation was successful.

PGP Guide Table of Contents
Generating a Keypair
Exporting and Importing Keys
Encrypting and Decrypting Messages
Signatures and Verification
Editing Keys
Useful Commands

Generating a Keypair ??
Before we can encrypt a message, we are going to need to generate a keypair. To do this, enter the following command:

gpg --gen-key

The following text will then be prompted:

gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1

The main difference between RSA & DSA and Elgamal is the underlying mathematical principles, for this guide we'll be using RSA. Enter 1 and hit enter. Next prompt:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096

Use of 4096 for the added security. Next prompt:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y

In the world of privacy, permanent anything is usually looked down upon, so I would recommend setting some length of time. For this tutorial my key will last for 1 year. To do this I enter 1y. Next prompt:

Key expires at 04/20/21
Is this correct? (y/N) y

I entered y, as it was the correct amount of time. The next prompt will ask for each of the following one at a time. The only field you actually need to fill out is real name. In that category put whatever you want. The Email address and comment are optional.

GnuPG needs to construct a user ID to identify your key.

Real name: WhatEverNameYouWant
Email address:
Comment:
You selected this USER-ID:
    "WhatEverNameYouWant"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Modification options are given, but I'm satisfied with my entry, so I entered O to progress further. You will then be presented with a prompt to enter a passphrase. Pick a good one and move on. You will then be presented with the following message:

We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
gpg: key CA637B79 marked as ultimately trusted
public and secret key created and signed.

Basically hit a bunch of keys on your keyboard, and click around a bit until it finishes generating random information. Once done, you should receive some form of confirmation, and return to the console. At this point you will have successfully generated a keypair that can be used to encrypt and decrypt messages.

Exporting and Importing Keys ?
At this stage you now have your own keypair, the next step is to retrieve your public key so you can distribute it for others to use when messaging you. In this tutorial, we created a user under the ID of WhatEverNameYouWant. This is the ID which I shall use. To print the key, enter the following command:

gpg --armor --export WhatEverNameYouWant

where WhatEverNameYouWant is the ID or Email picked when creating the keypair. This will print the public key to the console screen:

-----BEGIN PGP PUBLIC KEY BLOCK-----
......
-----END PGP PUBLIC KEY BLOCK-----

If you want it instead to save it to a file the following command can instead be entered:

gpg --armor --output myPubKey.asc --export WhatEverNameYouWant

Where myPubKey.asc is the name and directory path of the file to save it to. This can be opened with a text editor, and the public key can be copied. Alternatively, you can use a single bracket redirect character to funnel the output of a command into a file:

gpg --armor -export WhatEverNameYouWant > myPubKey.asc

The result is the same. *LINUX TIP* The ">" character redirects stdout (standard out-- what would normally be printed on the screen), and overwrites the file placed to the right of the character. If no such file exists, it is created. If the file does exist, it will be overwritten, and the previous information that it contained will be lost. To export your private key, you will enter the following command:

gpg --armor --export-secret-keys WhatEverNameYouWant

This will print an output to the console resembling this: '

-----BEGIN PGP PRIVATE KEY BLOCK-----
....
-----END PGP PRIVATE KEY BLOCK-----

To export to a file, use either the "--output" or the ">" character methods outlined above. As a reminder, do not EVER share your private key with anyone. The only time you should be exporting your private key is when creating a back up.

Importing a Key
To encrypt a message for someone, you're going to need to import their public key. For this tutorial I will be importing the public key provided on Agora's help and info page. You are more than welcome to import the public key displayed earlier. . . IMPORTANT: When importing a new key for the first time, make sure to verify that the key is accurate before importing. Ie: If you are importing a vendor's key from a market, check that the key text matches what you see for the same vendor on other markets. Sites like Recon can be very useful for this purpose. Failing to verify the vendor's key on another site before importing it leaves you vulnerable to third parties listening in on your conversation in the event the market you're using has been compromised. . . To import a key from a file:

gpg --import path/to/pubkey.asc

where pubkey.asc is the file where you saved the public key you want to import. Here's the output you should receive:

gpg: key (Expunged): public key "Agora One" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

And that's it, you can now write messages using the key imported. The Fileless Method To import a key directly, without the use of a file, you can use either the "cat" command, or "echo" along with a pipe character "|". Using "cat":

cat pubkey.asc | gpg --import

The output is the same as the other methods:

gpg: key 0B701872: public key "Mun Mun Mun " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

*LINUX TIP* The "echo" command allows the user to input a string, which is then sent to stdout. Just like in the cat example, the pipe character turns the output from the "echo" command on the left into and input for the "gpg" command on the right.

Encrypting a Message
Once you have imported someone else's public key, you can encrypt a message. For this tutorial, I will use the text Hello World! and place it into file myMessage.txt .
Now that we have a file with a message in it, enter the following command:

gpg --armor --output encMessage.asc --encrypt myMessage.txt

where myMessage.txt is the name of the file you are encrypting. Throughout this tutorial, there has been use of other parameters before encrypting the message. Let's take a minute and examine the parameters set forth. Notice that we use --encrypt and then the file name to specify the file to encrypt, but there are a few other parameters not fully described. --armor tells the program to use ASCII armor, this makes GnuPG encrypt the data in the file so it can be copied and pasted via text characters. --output enables the user to specify a name and location of the output file, where encMessage.asc is the desired name of the output file. So once that command is input, the user will be prompted to enter a recipient. As seen earlier, the user ID for Agora was Agora One. So that is what I entered. Alternatively, the user's email can also be entered. After that, I simply hit enter to confirm no other recipients. This is what the console looked like:

You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: Agora One
gpg: (Expunged): There is no assurance this key belongs to the named user

pub  (Expunged)/(Expunged) Agora One
Primary key fingerprint: (Expunged)
      Subkey fingerprint: (Expunged)

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

Current recipients:
(Expunged)/(Expunged) "Agora One"

Enter the user ID.  End with an empty line:

I just added this key from agora, so I am well aware that it is the actual user ID, therefore I can trust it, and input y and preceded on. Needing no other recipients, I simply hit enter and let the program compile an encrypted message. Upon completion, the file encMessage.asc was generated. When opened with a text editor, the PGP message was shown. This is the message which I would send to the recipient, in this case it would be the Agora staff.

*LINUX TIP* Note that all of the longhand flags preceded by a double dash "--" (--encrypt, --armor, --recipient) can be shortened to single character flags preceded by a single dash "-" (-e, -a, -r). These single character flags can then be combined into one flag representing a combination of single character flags, -ear. Most commands have both short and longhand flags, which can be found using "[command] --help" or by pulling up the command manual with "man [command]" Be aware though, some programs have strict enforcement over the order of flags delivered. Check the help or manual pages for whatever program you are using for more information. Using echo:

echo "Hello world" | gpg -ear Mun

Note that when using echo, you can use "SHIFT+ENTER" to jump to a new line. You might opt to type your messages in a more user-friendly text editor, and then paste them into the console if formatting is a concern. ===Decrypting a message=== So at this stage you can now generate your own keys, and send messages to others using their keys. The only thing left is to decrypt a message when a user messages you. This is the text Hello World! when encrypted using the WhatEverNameYouWant public key:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2


hQIMA0O56MNiiHV5AQ//WLFKdMBF0a5vuW9EoNbWvS656cPBvKHiEBT7ygtvHLfM
DS7hDzp+F7gqImm3Ql3be5o+7QNHDIRWdEiZ2SR3NopHyRYHEA9k3G+d33qV/Ykz
su8qqxUm7Y3UKtf2nKpY3jRPml5Stm8QtwaznARH6tPqzHCh69f7Uz40pwpbl53v
kpTOKcjYAwI5rC/k4GNgGj3luhEgzha13j7VXDl9zaXK78NaBQCBqUUJbtPG3jmv
vZRLvvgMPxbSuyyYPNbXoNkvImNfP4UdD4KSBRHq2LiSDkkyJqXZJ2ZrP7j3gE/4
rJ2hiUeJLQpDE51CEpGY0lfJIFz7JbIv+V3CNqkJOR/2TtqZhjkp4gLFgVPNpolf
mVoTG0eOZjieP9d56cPVEW3uEpc4CvtqDHIRQeEBMgPVQeKTL+iTk8Zq02Bg6C0l
8ITh/ekhiweD5jBbC0to7PCHFMH4TJklnRrmzl2ykNzcB6RR1QJgk9EceE/vxYEB
Y2FFqTUcbzZRi4hpCbfqgDZDgG9SbUgkDmWLV0OuQ/iGZJiu7wyI4KiXl9BSoY7q
NrMjhvOBUNFIn7FoquxH9c+ETUFnchm9y9Cu3+RzA8eqqJF+sCrCXokLE/J6aRrW
zq0FlK4lzpFMHSYWpt7CDJh5uIe6zxyzPDN2vUAbGAzW8mLaA5IEKLH2yHJehcrS
VAHd/9l3vKzweZdugQVAloTBMdX06YZBlhuBQl19br1SGiFTk+TeiyykQCqrWHYt
bDoXB1S9BX8ux8RRSi53Y9xVN0/EA5pYJpzx8geJ0NikFeAFSQ==
=gL3V
-----END PGP MESSAGE-----

Decrypting Messages
Decrypting this is a relatively painless and simple process. First I saved the message to a text file titled myEncMessage.asc. Once there I entered the following command:

gpg --decrypt myEncMessage.asc

where myEncMessage.asc is the name of the file with the message in it. This command will have it output the message into the console, if you want it to be placed into a file instead, use the following command:

gpg --output myDecMessage.txt --decrypt myEncMessage.asc

Where myDecMessage.txt is the name of the file to export the message to. Alternatively, you can direct the output by using a ">" character:

gpg --decrypt myEncMessage.asc > myDecMessage.txt

The decryption process requires accessing the private key; for this reason, you must provide the password you created when generating the keypair. During the process a prompt will appear, fill in the password and it will decrypt. Here is the output of the command with no output file specified:

You need a passphrase to unlock the secret key for
user: "WhatEverNameYouWant"
4096-bit RSA key, ID , created 2014-12-12 (main key ID)


gpg: encrypted with 4096-bit RSA key, ID , created 2014-12-12
      "WhatEverNameYouWant"
Hello World!

Notice how a recipient is never specified, this is because the ciphertext can be linked to a key automatically. If the user has a message and the appropriate key to decipher it, GnuPG will find it on it's own. To decrypt a message without saving the ciphertext to a file, use the "cat" or "echo" methods outlined above:

cat <<END | gpg -d
> PASTE CIPHERTEXT HERE
> END

OR

echo "PASTE CIHPER TEXT HERE" | gpg -d

You may notice that I used the shorthand "-d" in place of --decrypt.

Signatures and Verification
When sending a message to someone, you know that only the person in control of that key will be able to read it, because they should be the only one with with the private key associated with the public key you encrypted to, and therefore are the only one able to decrypt the message. So how do we verify that a specific party wrote, sent, or posted a message? This is where signatures come in.

Signing messages is way for the originator of a message to prove that the message was created by them, assuming that they are in control of their key. They generate a signature hash around a message that can be verified by anyone with their public key.

There are three common scenarios for the use of clearsigning:
Establishing PGP key lineage. When your current key is set to expire, you might sign a message containing your new key with your old key.
Important announcements from administrators, developers, or vendors.
Proving account ownership.

Clearsigning ?

Here are a few examples from opie_ on clearsigning messages, keys, and verifying keys using the "cat" command. The same can be done using the "echo" method, or by saving text to files and reading or writing from the file.

cat <<END | gpg --clearsign
> Hey! Ho! What's goodie?
> Swiggity Swootie, I'm coming for that booty!
> END

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
.....
-----BEGIN PGP SIGNATURE-----
.....
-----END PGP SIGNATURE-----

You can also nest piped commands to clearsign and then encrypt a message or vise versa (just switch the placement of the two gpg commands to first encrypt and then sign):

cat <<END | gpg --clearsign | gpg -a -r opie_ -e
> This message will be clearsigned and then encrypted.
> Second line just because.
> END

-----BEGIN PGP MESSAGE-----
....
-----END PGP MESSAGE-----

Similarly one could also export and sign their public key with one fell swoop:

gpg -a --export opie_ | gpg --clearsign

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
...
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-------END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----

Verifying Signatures
What good are signatures if we can't verify them?

cat <<END | gpg --verify
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> ...
> -----BEGIN PGP SIGNATURE-----
> ....
> -----END PGP SIGNATURE-----
> END

Output:

gpg: Signature made Mon 03 Dec 2018 02:59:46 PM EST
gpg:                using RSA key 04744DF4701F67517F2010993016D369781721A8
gpg: Good signature from "opie_ <opie@tt3j2x4k5ycaa5zt.onion>" [ultimate]

Note that if any of the text in the message is changed after the signature is made, it will NOT verify as a "good" signature.

cat <<END | gpg --verify
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hey! Ho! What's goodie?
> Swiggity Swootie, I'm coming for that booty!
>
> Make sure to send your bitcoins to: <BAD ADDRESS HERE>
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEBHRN9HAfZ1F/IBCZMBbTaXgXIagFAlwFizIACgkQMBbTaXgX
> IaiWCBAAmq4vnbHex+6JTuFHYyuhZeoyOQNamBUP1IJqiu1tDYrjAsWPrQdjoZdw
> kDNE4asN//Y4lnxlbOwKeBFLM+NdIQui2/3ppbWENp9igGXTk8H7ZCOzH/OHgLTi
> rjZgtVdSVMrWQJKjqeiU7Kr/RvmBk3Gbdy7kUysW9LkfQ1Tu+Bg2NODvMbQoZ2cN
> SCHs+6rskRNbbKzq/TE2EQCYOubuAwj7tgssVH9ZNlIlDr4z8bxAy1iYF+lzJXG3
> UFQldoDZ4d8fqagEVh5PEfHbEy3Wn4ldXgmDcTTDLu1MEnkO7Jy/sxRklMff+lFZ
> SvKyNnYf/9kyo9KR56KxwmESQPru4cxrXl9KDLly/OyrWFQ27fZRyNg8dZMNuZi2
> 46pmDFqoCJ/sAp2K97aJKU1PctLy2pnbc4CIIrN0eDhWkV5zOtuLBOtIdgG/ug57
> IOG/yTKpUvedOil7J954RI4QEGBgVRufsCLabV3H1S8R1X9UfEWjEnpBZ3tlbY15
> KGUptCZ5wjtv8IJPcX25REYBq6xCI7XNiup7YOXDhNpmlKCJMTXDP9A9zn/Q2Vjh
> Meztnx5P9K51tkhCrj0f43CMyeGV561GuaHBKuXNC9DxO5XPBURcHhIxWE3fJyCP
> B8rC+4gqItY0bvgqcyYRYDy2+qMirEiUl+mlxgJWFQsPRWLgsvM=
> =eSMz
> -----END PGP SIGNATURE-----
> END

Output:

gpg: Signature made Mon 03 Dec 2018 02:59:46 PM EST
gpg:                using RSA key 04744DF4701F67517F2010993016D369781721A8
gpg: BAD signature from "opie_ <opie@tt3j2x4k5ycaa5zt.onion>" [ultimate]

Editing Keys ?
If you want to edit any key attributes, run the following command:

gpg --edit-key WhatEverNameYouWant

The following will then appear:

gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/(Expunged) created: 2014-12-25  expires: 2015-12-25  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/(Expunged) created: 2014-12-25  expires: 2015-12-25  usage: E
[ultimate] (1). WhatEverNameYouWant

gpg>

You can obtain a list of editing options by running the command "help"

As an example, I'll show you how to edit the trust of a key. Start by running the "trust" command:

gpg> trust

Here is the output:

pub  4096R/(Expunged) created: 2021-04-21  expires: 2021-04-21  usage: SC
                     trust: marginally validity: marginally
sub  4096R/(Expunged) created: 2021-04-21  expires: 2021-04-21  usage: E
[ultimate] (1). WhatEverNameYouWant

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5

I created the key, so there's no reason other than to trust it to its fullest extent, therefore I selected 5.

Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/(Expunged)  created: 2014-12-12  expires: 2015-12-12  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/(Expunged)  created: 2014-12-12  expires: 2015-12-12  usage: E
[ultimate] (1). WhatEverNameYouWant

Useful Commands ?
Here is a list of the most useful commands that the GNU Privacy Guard provides, IMO. All commands will start with "gpg" followed by a space. Remember that shorthand flags start with a single dash "-" and can be combined into one flag (ex. -ear, which is parsed to -e -a -r). Longhand flags start with a double dash "--" and need to be separated by at least a space.

Commands:
--clearsign [file] make a clear text signature
-e, --encrypt encrypt data
-d, --decrypt decrypt data (default)
--verify verify a signature
-k, --list-keys list keys
--fingerprint list keys and fingerprints
-K, --list-secret-keys list secret keys
--gen-key generate a new key pair
--delete-keys remove keys from the public keyring
--delete-secret-keys remove keys from the secret keyring
--sign-key sign a key
--edit-key sign or edit a key
--gen-revoke generate a revocation certificate
--export export keys
--import import/merge keys

Options:
-a, --armor create ascii armored output
-r, --recipient NAME encrypt for NAME
-o, --output use as output file

Read this guide. It's good for you if you are dealing with people on darknet markets and some darknet markets ask you for your public because they need them.

NEVER GIVE ANYONE YOUR PRIVATE KEY.