Content

 

Overview

A GPG key a cryptographic toolkit that embodies a digital identity, which GnuPG (GNU Privacy Guard) GPG is a software package that enables secure communication and data authentication. GPG is the OpenPGP An open standard is a free and widely used implementation based on the principles of asymmetric (public key) cryptography.

Each GPG key actually consists of a key pair: a from public key, which can be freely given to anyone, and a from a private (or secret) key (private key), which its owner must guard with the utmost care. This duality enables GPG's two fundamental functions: data encryption (when others use our public key to encrypt messages intended for us) and digital signature (when we use our own private key to verify our identity and the integrity of the data).

Creating, managing, and using GPG keys is most often done from the command line, using gpg using the command. GPG keys are therefore not just technical tools, but the cornerstones of digital trust and security, essential for secure emailing, verifying the authenticity of software packages, and verifying work in version control systems.

 

 

Historical overview

The history of GPG dates back to the early 90s and is inseparable from the original PGP (Pretty Good Privacy) from the software creator, Phil zimmermannIn 1991, Zimmermann created PGP with the goal of making military-grade, strong encryption available to anyone, emphasizing that privacy is a fundamental human right. The software allowed average users to protect their emails and files from prying eyes.

The emergence of PGP coincided with the so-called "crypto wars" (crypto wars) During the 1990s, the US government classified strong cryptographic tools as war materials and strictly restricted their export, citing national security concerns. Because Zimmermann made PGP available on the Internet, allowing it to spread globally, the government investigated him on charges of "illegal arms export." Although the charges were eventually dropped, the case highlighted the political and legal tensions surrounding open-source encryption.

The popularity of PGP and the emergence of different, not always compatible versions made it necessary to create an open standard. IETF (Internet Engineering Task Force) The OpenPGP working group developed the OpenPGP standard, which describes the encryption methods, key formats, and protocols used by PGP-compatible software. This standardization has enabled programs written by different developers to communicate securely with each other.

Building on this open standard, in 1997 Werner Koch launched the GnuPG (GNU Privacy Guard) project within the GNU project. GnuPG's goal was to provide a completely free software alternative to PGP, free from patent and licensing restrictions. Today, GPG has become the de facto reference implementation of the OpenPGP standard and is a core part of most Linux distributions.

 

Structure of a GPG key

A GPG key is not a single, monolithic entity, but a carefully structured collection of multiple cryptographically linked components. Together, these elements form our digital identity. The most important components of a GPG key are:

Key pair (public and private key)

The basis for the operation of GPG is asymmetric cryptography, which is based on a mathematically assigned key pair. This pair consists of two parts:

• Public Key: As the name suggests, this key is public. We can share it with others, post it on our website, or upload it to key servers. The public key can be compared to an open padlock: anyone who wants to send us a secure message can use this "padlock" to lock (encrypt) it.
• Private Key: This is the secret half of the key pair, which We must keep ourselves safe under all circumstances., and we can never give it to anyone else. The private key is the unique key to our lock: only it can open (decrypt) messages encrypted with our public key. We also use the private key to create digital signatures, which prove that a message or file really came from us.

Main key and subkeys

To maximize security, modern GPG keys are hierarchically structured. Instead of using a single key pair for everything, the system uses a from master key and the one assigned to it from subkeys stands

• Primary key: It is the root and most important element of our digital identity. Its primary function is Certification (C), i.e. signing subkeys and user identifiers (UIDs), thus proving their validity. According to best security practice, the private part of the master key should be stored offline in a secure location (e.g. on a separate data medium) and only retrieved when the key structure needs to be modified (e.g. to create a new subkey or revoke an old one).
• Subkeys: These are the "working" keys that we use to perform everyday tasks. Each subkey can have a specific role:
  • Signing subkey (Signing - S): Emails, documents, software packages or Go used to digitally sign commits.
  • Encryption subkey (Encryption - E): We use it to decrypt the data sent to us.
  • Authentication subkey (Authentication - A): It can be used to log in to certain systems, such as SSH connections.
  The huge advantage of this structure is that if a subkey in daily use (e.g. the signing key stored on the laptop) falls into unauthorized hands, we can simply revoke it using the secure master key without having to destroy our entire digital identity.

User ID (UID)

A user ID the component that links the cryptographic key to a real person or entity. A typical UID contains the following information: Valódi Név (Megjegyzés) . A single GPG key can have multiple UIDs, for example if someone uses multiple email addresses. Each UID is digitally signed by the master key, proving that the given identifier really belongs to the owner of the key.

Fingerprint

Public keys are quite long, making manual comparison of them practically impossible. To solve this problem, fingerprint. This is a shortened string of characters (a cryptographic hash) formed from the public part of the key and used as a unique identifier. When you receive a public key from someone, the most reliable way to verify its authenticity is to match the fingerprint with the owner over a secure second channel (e.g., over the phone, in person). This step protects against "man-in-the-middle" attacks, where an attacker tries to pass off their own fake key as yours.

Revocation certificate

A revocation certificate a pre-generated "emergency stop" for our GPG key. This is a special digital signature that irrevocably invalidates the key for the public. It is needed if the private part of the key is lost or falls into unauthorized hands. Since the private key is not required to use the certificate, it is critically important to generate one immediately after creating the key, and store it in a secure location separate from the private key (e.g. printed out or on another encrypted medium).

 

 

How it works in practice

Now that we understand the structure of a GPG key, let's look at how these many components work together to perform the two most important cryptographic operations: encryption and digital signature. In the examples, we will use two characters: Anna and Béla.

encryption

The purpose of encryption is to make a message or file unreadable to anyone except the recipient.

1. Preparation: Anna wants to send a secret message to Béla. To do this, she must first ask Béla public key. Bob can securely email this to her, or Anna can download it from a public key server.
2. The operation: Anna writes the message and then uses GPG software to encrypt it with Bob's public key. GPG creates an unreadable, encrypted block of data (called a ciphertext(for).
3. Sending: Anna sends this encrypted data to Béla. Since the message is encrypted, it doesn't matter how secure the communication channel is; even if someone intercepts the message, they won't be able to read it.
4. The decryption: Béla receives the encrypted message. His own, kept secret with its private key decrypt it using the GPG software and get the original, readable message (the plain text(it).

Key note: What was encrypted with a public key, exclusively can be decrypted with the associated private key. This guarantees that the message can only be read by the intended recipient.

Digital signature

The purpose of a digital signature is not to hide the message, but to verify the identity of the sender (credibility) and proving that the message has not been changed since it was sent (integrity).

1. Preparation: Anna wants to send an important message to Béla, and she wants Béla to be sure that the message really came from her and was not modified in transit.
2. The operation: Anna on her own with its private key digitally signs the message. The GPG software then creates a hash(a unique, mathematical fingerprint) of the message content, then encrypts this hash with Anna's private key. The result is digitalis aláírás, which is attached to the message.
3. Sending: Anna sends the (unencrypted) message and the attached digital signature to Béla.
4. The check: Béla receives the message and the signature. Anna needs to verify it. public keyThe GPG software performs the following steps:
   • He decrypts the digital signature with Anna's public key and gets the original hash that Anna generated.
   • The software also generates a hash from the content of the message received.
   • The two hashes are compared. If the two match, the signature is valid.

A valid signature proves two things: authenticity, since only Anna's private key could create the signature that her public key could validate; and integrity, because if the message had changed by even a single letter, the hashes would not match.

 

Areas of application

The versatility of GPG keys allows them to be used in many areas of digital security. Below we will discuss the most common uses.

Protect emails and files

This is the most classic use of GPG. With the help of add-ons integrated into email programs (e.g. Thunderbird), we can:

• To encrypt emails: Ensuring that only the recipient can read the contents of the letter.
• To digitally sign emails: Confirming the sender's identity and the integrity of the letter.

Similarly, the gpg command can be used to encrypt or sign any file or document before sending or archiving it. This is especially useful for securely storing sensitive data, such as contracts or personal notes.

Software package authentication

One of the cornerstones of security in Linux distributions is GPG-based authentication. The distribution's maintainers digitally sign software packages (e.g., .deb vagy .rpm files) and package repository metadata. When the user uses a package manager (such as apt or the dnf) installs or updates software, the system automatically checks these signatures against the developers' previously imported public keys. If a signature is invalid or missing, the package manager will issue a warning or may even refuse to install it. This process guarantees that the software you install is indeed from the official source and has not been modified along the way.

Git, GitHub, and GitLab

Ensuring the authenticity and integrity of code is critical in software development. The Go version control system allows developers to digitally sign their code with their GPG key ctheir changes (the changes made to the code) and the tag-s (markers of a particular version). When a developer signs a commit, they use their private key to verify that the changes were actually made by them. This signature can be verified by anyone using the developer's public key.

Code repository platforms such as GitHub or the GitLab, they also visually display this layer of security. When a user uploads their GPG public key to their profile, the platform displays a "Verified" label next to signed commits. This little green tick significantly increases trust in the project and its contributors, as it clearly verifies the origin of the code.

Password management and other applications

Other software builds on GPG's robust encryption capabilities:

• Password management: A pass (Password Store) is a popular command-line password manager that follows the UNIX philosophy. It stores passwords in plain text files, but encrypts each file with the user's GPG key. This provides a highly secure and transparent solution for storing passwords.
• SSH authentication: A special subkey with authentication capabilities can be created for GPG keys. The gpg-agent With proper configuration, this subkey can be used to replace SSH keys, allowing us to handle our encryption, signing, and login tasks with a single, well-protected GPG key.

 

 

Web of Trust

One of the most interesting and defining concepts of GPG is the Web of TrustThis model answers the fundamental question of how we know that a given public key really belongs to the person it claims to belong to. GPG's approach is fundamentally different from the key signatures used in web browsers. SSL / TLS from a hierarchical, centralized model of certificates.

While in SSL/TLS systems, central Certificate Authorities (CA) prove ownership of a domain name, while GPG is a decentralized trust model is built. There are no central entities that trust everyone. Trust is built between users themselves, by mutual signing of keys.

This process creates a web of trust. Let's say you trust Anna and you signed her key. Anna trusts Bob and he signed her key. If you set up your own GPG software to trust Anna to carefully verify the identities of others, then your system will also consider Bob's key valid because there is a chain of trust: You → Anna → Bob.

The GPG software calculates the validity of a key based on how many and what people you trust have signed it. A key is considered fully trusted on your system if it has either been signed by you ("ultimate trust") or verified by a sufficient number of people you trust marginally ("marginally trusted") or fully ("fully trusted").

The construction of this decentralized network is served by key-signing party-s (key signing parties), where community members meet in person, verify each other's identities and key fingerprints, and then mutually sign each other's GPG keys, thereby strengthening and expanding the shared web of trust.