How To Use GPG on the Command Line

Introduction

I use GPG (also known as GnuPG) software for encrypting files that contain sensitive information (mostly passwords).  As a systems engineer, I do most of my work on remote servers, accessible via command line interface.  Naturally, I find it easier to use the command line version of GPG to directly encrypt and decrypt documents.GnuPG-Logo.svg

GPG (GNU Privacy Guard) is a free open source version of PGP (Pretty Good Privacy) encryption software.  Conceptually, both use the same approach to cryptography (i.e. encryption and decryption).  However, each is uniquely different in its implementation.

What follows is a quick primer on how to install the GPG command line tools, as well as a list of basic commands you are most likely to need.

Installing GPG

GPG can be installed in a number of different ways.  The instructions here will install the core GPG command line tools, which are intended to be used in a terminal.

If, on the other hand, you prefer a graphical user interface (or GUI) for accessing GPG functionality (e.g. encrypting email communications, or encrypting documents in a GUI text editor), refer to the links at the end of this article.

Red Hat / CentOS

yum install gnupg

Ubuntu / Debian

apt-get install gnupg

Mac OS X

The easiest way to install the GPG command line tools on your Mac is to first install Homebrew, a package management system that makes thousands of software packages available for install on your Mac.

Open a Terminal window (Applications > Utilities menu), then enter the following command.

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
When that’s complete, install the GPG software package with the following command.
brew install gnupg

GPG Quick How To

What follows is a very brief introduction to command line usage of GPG.  Think of it as a “quick reference” or a “cheat sheet.”  You should certainly learn more about GPG than what is explained within this post.  It is intended only to get you started.  If you expect to use GPG more extensively, I strongly advise you to read more documentation (see the Links section below).

GPG is powerful encryption software, but it can also be easy to learn — once you understand some basics.  GPG uses a method of encryption known as public key cryptography, which provides a number of advantages and benefits.  However, to obtain these advantages, a minimal level of complexity is required to make it all work.  For an overview of how public key cryptography works, read the Introduction to Cryptography (link at the bottom of this post).

Typographical conventions used in commands:

In all examples below, text that you will need to replace with your own values (e.g. usernames, email addresses, filenames) is shown in “gray italic”.  Text that you will type literally (unchanged) is indicated with “black constant width”.

"gray italic"
"black constant width"

Create your GPG key:

To get started with GPG, you first need to generate your key pair.  That is, you will generate both a private and a public key with a single command.  Enter your name and email address at the prompts, but accept the default options otherwise.

gpg --gen-key

The first key is your private (or secret) key.  You must keep this private key safe at all times, and you must not share it with anyone.  The private key is protected with a password.  Try to make the password as long as possible, but something you will not forget.  If you forget the password, there’s no way to recover it.  For the same reason, you should also make a backup copy of your private key.  (Consider using Time Machine for backups on Mac OS X.)

The second key is your public key, which you can safely share with other people.

The relationship of the private and public key is actually very simple.  Anything that is encrypted using the public key can only be decrypted with the related private key.  Therefore, you will provide your public key to another person, and they will provide you with their public key.  Anything encrypted to your public key can only be decrypted by you.  Anything encrypted to the other person’s public key can only be decrypted by the other person.

Export your public key:

The next step is to export your public key and share it with another person.  That person should do the same, and export their public key.

gpg --export --armor youremail@example.com > mypubkey.asc

Import another person’s public key:

When you import a public key, you are placing it into what is commonly referred to as your GPG “keyring.”

gpg --import theirpubkey.asc

List the public keys in your keyring:

You can now view a list of public keys in your keyring, as well as the name and email address associated with each key.

gpg --list-keys

List private keys in your keyring:

The following command will list the private keys in your keyring.  This will show your own private key, which you created earlier.

gpg --list-secret-keys

Trust a public key:

Once you have imported the other person’s public key, you must now set the trust level of the key.  This prevents GPG from warning you every time you encrypt something with that public key.

Specify the other person’s name or email in the command.

gpg --edit-key glenn

trust (invoke trust subcommand on the key)
5 (ultimate trust)
y (if prompted)
quit

Useful GPG Commands

GPG has many options, most of which you will never need.  Here’s a quick list of the most useful commands you are likely to need.

Encrypt a file:

To encrypt a file named filename.txt for a single individual, specify that individual as a recipient.

gpg --encrypt --recipient glenn filename.txt

This will create a new encrypted file named filename.txt.gpg.

If you want to encrypt a file so that only you yourself can decrypt it, then specify yourself as the recipient.

gpg --encrypt --recipient 'my_name' filename.txt

If you want to encrypt a file so that both you and another person can decrypt the file, specify both you and the other person as recipients.

gpg --encrypt --recipient glenn --recipient 'my_name' filename.txt

If you want to encrypt a file for a group of people, define the group in your gpg.conf file (see section below), and then specify the group as a recipient.

gpg --encrypt --recipient journalists filename.txt

After a while, you’ll want to be more concise and use the short version of the command line options.  Here’s the same command.

 gpg -e -r journalists filename.txt

Decrypt a file to terminal (standard output):

The first version of this command will display the content of a file within the terminal window itself.

gpg --decrypt filename.txt.gpg

Use the –decrypt option only if the file is an ASCII text file.  If it’s a binary file, then omit the –decrypt option, which will write the decrypted file to disk.  At that point, you can open the binary file in whatever application is used to view the file.

Decrypt a file to disk:

Whether the file is ASCII or binary, if you want to make changes to the content of an encrypted file, you must first decrypt it, make your changes, then re-encrypt the file.  As I mentioned in the previous paragraph, you write the decrypted version of a file to disk, by omitting the –decrypt option from the command.

gpg filename.txt.gpg

If the encrypted file was named filename.txt.gpg, the above command will create a decrypted version named filename.txt (with the .gpg extension removed).

Create Groups of People in Your GPG Configuration File

For convenience, you can pre-define a group of people in your GPG configuration file.  This has the benefit of allowing you to encrypt a file to every member of the group by specifying only the group name as the recipient, rather than tediously specifying every individual member of the group.

Your GPG software configuration is stored in your home directory within the ~/.gnupg/gpg.conf file.  Edit this file using your favorite command line text editor (vim, nano, pico, emacs, etc).  While there are numerous settings available in the configuration file, go to the section pertinent to defining groups.

When defining a group, you list the members of the group.  Each member is referenced by some attribute of their public key found in your GPG keyring — typically a person’s name (or partial name, such as first or last name) or an email address (or partial email address).

If you are a member of the group, remember to include yourself in the group!  If you do not list yourself in the group, you won’t be able to decrypt any files you encrypt to the group.

Here’s an example of a group named “journalists”, listing the first name of each person.

group  journalists  =  glenn  laura  ewan  barton

Where To Go From Here

I encourage you to learn more about GPG.  See the Links below.

You may also want to learn about secure methods to erase files from your computer hard drive.  Mac OS X has the “Secure Empty Trash” option within Finder.  There are also numerous third-party tools you can install.

Since we’re on the theme of learning how to use GPG in the command line, you may want to try “bcwipe” — a program to securely erase files within the command line.

On Mac OS X, you can install bcwipe via Homebrew.

brew install bcwipe

Links

General

GUI Tools

 

On the Nature of DevOps

yin_yangLike the Tao Te Ching, those who seek DevOps often come up empty-handed.  Both the Tao and DevOps are elusive.  (Recruiters find it particularly so.)  And yet, if they open their minds, there it will be, right in front of them.

The DevOps that can be spoken is not the eternal DevOps.
The name that can be named is not the eternal name.
The nameless is the origin of Development and Operations.

Today, DevOps is a buzz word.  The term has as many different meanings as the number of people you ask to define it.  Many people today are captivated by the word, but they fail to see beyond, to the essence of what it means.  They seek to find practitioners of DevOps, but are disappointed when they can’t find any.

Officially, I began my career as a systems administrator in 2001.  At that company, the high-level view of the technical organization was as follows.  I worked within the Technical Operations group.

 
                        +-------------+
                        | Software    |
                        | Development |
                        +-------------+
                          /          \
                        /              \
                      /                  \
            +------------+             +-------------+
            | Technical  | ----------- | Release     |
            | Operations |             | Engineering |
            +------------+             +-------------+

From the beginning, I had begun to apply many of the principles that would later become tenets of the DevOps movement.

  • Automation of our operating system installs (Kickstart and Jumpstart).
  • Lots of scripting (Perl, Bash, Python).
  • Configuration management of servers (CFEngine).
  • A central management server, with password-less SSH access to all the other servers.
  • A whole lot of monitoring tools (too many to list here).
  • Code and configurations were in a revision control system.
  • As a company, we also automated our code builds and deployments
    (done by our Release Engineering team).
  • Technical Operations met weekly with our colleagues in both Software Development and Release Engineering — to discuss upcoming releases, the potential impacts of new features to our infrastructure, how best to design those features so that they were scalable, how best to monitor the new services and features so we could identify problems early, as well as planning for additional infrastructure capacity.
  • We also communicated with each other though IRC chat.

That was nearly a decade before the term DevOps was eventually coined in 2009.  We were already doing these things, not because it was cool, but because it was common sense.  We saw the value of investing our time and efforts into doing these things.  We were highly productive at what we did.  We were able to manage a large installation of thousands of servers and storage nodes with a surprisingly small number of people.  We were early adopters of DevOps principles, years before it became fashionable to do so.

Another important point worth mentioning.  The company I worked for invested time and money into training and developing the employees within the Technical Operations department.  As “ops” people, we were encouraged to learn scripting and coding.  In essence, the company developed the people it needed to accomplish the work that needed to be done.  It was a mutually beneficial arrangement.  There was very little employee turnover within the Technical Operations group.  I worked at that company for 8 years, and many of my colleagues had similar tenures there.

So, the next time you find yourself looking for those elusive DevOps engineers that you can’t seem to find, you should think about what you are really looking for.  Ask yourself whether you are really looking for the right things in the right places.  For most of you, I suspect you are not.

The Fed’s Latest Round of Quantitative Easing

I read the following in last weekend’s Wall Street Journal, “Heard on the Street”, p. B16, October 9-10, 2010 …

Being a bear with a capital “B” is tough when the Federal Reserve is juicing markets. The prospect of more extraordinary easing measures Friday pushed the Dow back above 11,000.

But that hasn’t deterred David Rosenberg, Gluskin Sheff’s chief economist.  While the National Bureau of Economic Research (NBER) has said the recession ended in June 2009, Mr. Rosenberg insists we are still in a depression.

That view is based on a less-technical measure of downturns than that used by the NBER.  Mr. Rosenberg says a recession is when government tries “to stimulate the private sector.” A depression is when government tries “to sustain the private sector.” The latter, he argues is very much the case today.

And for those who question the absence of 1930s-style bread lines, Mr. Rosenberg counters that today, thanks to food stamps and other government-assistance programs, “the soup and bread lines are in the mail.”

He makes a good point.  Due to the recession, 1 in 8 Americans now receives food stamps.  If you were to count all those who are eligible, but for whatever reason do not collect, the number is something like 1 in 5 Americans.

Let’s see whether the Fed is successful in stimulating the economy with lower long-term interest rates.  It might work, but it might not.  Personally, I’m not convinced it will.  The Fed is trying to pull a rabbit out of a hat.

Amongst other things, the Fed is also trying to juice housing prices, and I think the juice will help prices to bounce somewhat.  But a dead cat will bounce only so many times.  Eventually, a dead cat is a dead cat.  Don’t get me wrong … Housing will eventually recover, but don’t hold your breath waiting.  It might be a very long time.

And as for the economy, it too will recover, but only when the fundamentals allow it to recover.  Until then, there’s a fair amount of debt that needs to be flushed out of the financial system before that happens.  In the meantime, and to that end, mortgage refinancing might be in order.

Google Chrome Protects Against Malware

Weeks ago, I posted about the many reasons why I enjoy web browsing with Google Chrome.  Today, I just added another reason to like Google Chrome.  Malware protection.

I was clicking on links of search results from www.google.com, when I got the following message: “Warning: Visiting this site may harm your computer!”

I don’t think Chrome is unique with this feature, as many modern web browsers offer some form of this functionality.  Nonetheless, it is the first time I can recall ever being presented with such a warning.

While I did not investigate the exact nature of this particular malware site, it does look to me like Chrome is checking all the content and links on a page.  In this case, it found advertising which contained content from (or a link to) the malware site identified in the warning.  Nice catch.

Because advertising on the web today is often sourced from third party advertising networks, there’s no guarantee that an otherwise respectable web site will not inadvertently display such malware ads.  This form of malware attack recently made its way onto the Star Tribune, just as it has to other popular and well-known web sites (e.g. New York Times).

Having been using the Internet for almost 20 years, I’m pretty “street smart” about viruses, phishing, spyware, scareware, malware, and all the likes.  And as such, I’ve been able to steer clear of these maladies.  Nonetheless, this warning came as a surprise to me, because it was generated by a Top-5 link in the Google search engine results.

Unfortunately, the Internet is still a kind of wild-wild-west, where criminals roam freely.  These unscrupulous types are increasingly using ever-more sophisticated techniques to infect computers, which then give them access to credit card numbers, user passwords, and the means to launch distributed-denial-of-service (DDOS) attacks against web sites.  Many times, a web browser is the vector of such infections.  Thankfully, Google Chrome has been designed with an increased attention toward security.

Gone are the days when visiting seedy web sites might get your computer infected.  Today, you can be infected by the advertising displayed on a seemingly-safe and familiar website.

Links:

Reasons Why I Like Google Chrome

I’ve been using Mac OS X since February 2009, and I have been very happy with the adoption.  Nonetheless, when switching to a different operating system, there’s the inevitable transition period — finding, downloading, trying, and settling in with new applications to get the job done.  I was particularly interested in finding a suitable web browser.

On my quest, I went through a number of browsers on the Mac.  At first, I used Safari, but I was not won-over.  I then dabbled with Opera for a little bit, but I just couldn’t stomach the way it rendered many pages.  Having been a Firefox user on Windows, I settled on using Firefox on the Mac for the subsequent 10 months, because it was nearly identical on Mac and Windows.

Now, it should be noted that I have a diverse set of interests, so I tend to have lots of web browser windows open at the same time, and I’ll often have my web browser open for weeks at a time.  And that’s where Firefox began to lose its luster for me.  Firefox on the Mac, like its Windows variant, gets slow, if left running for any length of time.  It eventually consumes a great deal of memory and CPU on the computer, causing everything to get slow.  I have found this to be the case with nearly every web browser I have tried in recent years.  Sure, the problem may have more to do with bad programming in the the JavaScript and Flash elements on the various web pages, but why settle for that?  I wanted a new, smarter, more-efficient web browser!

Having using Google Chrome on Windows (and liking it), I had been anticipating Chrome on Mac for many months.  Finally, on December 8, 2009, my new browser had arrived.  I switched almost exclusively to Google Chrome (beta) on Mac, from that day forward.  Like many other Google offerings, the “beta” product was already feature-rich and very stable.  (Well, I did have to wait a while for  the Bookmark Manager to be implemented on the Mac version, but eventually, it was.)

There are so many good things I can write about Google Chrome:

  • automatic sync of your bookmarks, seamlessly across all your computers running Chrome,
  • the Task Manager’s visibility into memory and CPU consumed by each open web page,
  • each web page runs as its own process, giving you the ability to kill individual pages (or plugins) that aren’t playing nicely, without affecting the other pages,
  • automatic re-opening of previously-open pages, when I re-launch Chrome (after I close it intentionally, or rarely, when it crashes),
  • the design ideas that make it a really great browser, performance-wise and security-wise,
  • its compatibility with all the web sites I use regularly,
  • availability of a large variety of extensions (i.e. plugins),
  • cross-platform support: same browsing experience on Mac and Windows.

It’s a very fast, snappy, and responsive browser.  And (very important to me), it doesn’t appear to suffer from the same performance problems that plague other web browsers, when they have been running for some time.

Apparently, many other people are also taking notice of Google Chrome.  Here’s a recent article that graphs the market share of the most popular web browsers, as of April 2010.  It is remarkable that in just 16 months, Google Chrome has gone from a 2% up to a 7% market share.

Links: