GnuPG Part 1 – Introduction
GNU Privacy Guard (GnuPG) is the free-software/open source implementation of the OpenPGP encryption standard, most commonly known for email encryption but also used for many general encryption/decryption and signing functions. GnuPG is part of the GNU Project and the alternative to the proprietary PGP cryptographic software suite.
Why Learn GnuPG?
Aside from email encryption, GnuPG is an important piece of software that underpins many critical parts of GNU/Linux and the free-software ecosystem. It is used to encrypt and sign files, software packages, Git code commits, etc. Whether you are a developer, sysadmin, or just a Linux enthusiast, you are likely to encounter it. Learning and tinkering with GnuPG will also provide you with a deep, functional understanding of public key cryptography; and this base knowledge will help you fundamentally understand all other forms of encryption, from SSL/TLS to hardware tokens such as Yubikey and Nitrokey.
Pretty Good Privacy (PGP) was originally developed by Phil Zimmermann in 1991 and has an interesting history. The official PGP software has changed ownership several times and currently exists as proprietary software owned and developed by Symantec (which is now owned by Broadcom). In 1997, PGP Inc. worked with the IETF to create the OpenPGP standard. This standard was used by the Free Software Foundation (FSF) to create GnuPG as part of the GNU Project. The original developer and principal author of GnuPG is Werner Koch.
For these guides I will focus on Linux, although GnuPG is supported across most popular operating systems. Fortunately most GNU/Linux distros come with GnuPG already installed, so I won’t spend time detailing installation instructions here. I also assume anyone looking to learn such software is fully capable of figuring out the installation part ;). Downloads can be found on the official site: GnuPG – Download.
Tutorials and Linux packages may reference gpg1 vs gpg2, referring respectively to the “classic” GnuPG 1.4 and “modern” GnuPG 2.x. In older Linux versions, GnuPG 1 was installed by default and called with the
gpg command. GnuPG 2 had to be installed separately and was called with the
In current releases this is reversed. The gnupg and gpg packages install GnuPG 2, and it is now called with the default
gpg command. If needed, the “classic” gnupg1 package can also be installed and is now called with the
gpg1 command. For these guides I will assume use of GnuPG 2.
GnuPG 1.4, currently provided by the gnupg1 package, is the “classic” standalone, non-modularized version. According to the package description, it is provided mainly for people with the need to use archaic cryptographic objects, such PGPv3 keys to access archived messages. It does not support more recent cryptographic primitives such as ECDSA or EdDSA. It is also sometimes used for embedded and server usage, as it brings fewer dependencies and smaller binaries.
The modern redesign of GnuPG. This has a modular internal design to allow for more flexibility and added functionality. It also provides numerous new features, such as elliptic curve cryptography (ECDSA) with GnuPG 2.2. For practical command line use there is little difference. One functional change to note came with GnuPG 2.1, which stopped storing keys in the pubring.gpg and secring.gpg files. I will detail how keys are currently stored in the next article on creating and managing keys.
The GnuPG software consists of several components used to accomplish various functions. Although it primarily exists as an OpenPGP implementation, it also has components for managing X.509 certificates. GnuPG’s component structure since version 2.1 is illustrated below.
|gpg||The OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool to provide digital encryption and signing services using the OpenPGP standard.|
|gpgsm||A tool similar to gpg to provide digital encryption and signing services on X.509 certificates and the Cryptographic Message Syntax (CMS) protocol. It is mainly used as a back-end for S/MIME mail processing, and includes full-featured certificate management.|
|gpg-agent||The daemon to manage secret (private) keys independently from any protocol. It is used as a back-end for gpg and gpgsm as well as some other utilities.|
|scdaemon||The daemon to manage smartcards. It is usually invoked by gpg-agent and is generally not used directly.|
|dirmngr||A server for managing and downloading certificate revocation lists (CRLs) for X.509 certificates and for downloading the certificates themselves. Dirmngr also handles OCSP requests as an alternative to CRLs. Dirmngr is either invoked internally by gpgsm (from GnuPG 2) or run as a system daemon by the dirmngr-client tool.|
|dirmngr-client||A simple tool to contact a running dirmngr instance and test whether a certificate has been revoked — either by being listed in the corresponding CRL or by running the OCSP protocol.|
Installed components can be displayed using the
gpgconf --list-components command:
GnuPG is an arcane and expansive piece of software that I cannot hope to cover every part of. The aim of these guides is to cover the core aspects and provide base knowledge that will allow you to easily branch out to whatever features your use cases require.