Week 3b: Encryption, Decryption & Digital Signatures

Goal

Master practical GPG operations: understanding your keyring, encrypting files for yourself and others, and creating digital signatures that prove authorship and integrity.

Prerequisites: Week 3a (GPG Introduction & Key Generation)

This is Part 2 of 4 - Covers keyring management, encryption operations, and signatures.

1. Understanding Your GPG Keyring

List All Keys

# List public keys
gpg --list-keys

# Output:
pub   rsa4096 2025-10-14 [SC] [expires: 2027-10-14]
      ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234
uid           [ultimate] Alice Cypherpunk <[email protected]>
sub   rsa4096 2025-10-14 [E] [expires: 2027-10-14]

Key anatomy:

Primary key - Master key for signing and certifying
Subkey - Encryption key (can be revoked separately)
uid - User identity
[ultimate] - Trust level (you ultimately trust your own key)

View Key Fingerprint

# Show fingerprint (unique key identifier)
gpg --fingerprint [email protected]

# Output:
pub   rsa4096 2025-10-14 [SC] [expires: 2027-10-14]
      ABCD 1234 ABCD 1234 ABCD 1234 ABCD 1234 ABCD 1234
uid           [ultimate] Alice Cypherpunk <[email protected]>
sub   rsa4096 2025-10-14 [E] [expires: 2027-10-14]

Why fingerprints matter:

Unique identifier for your key
Used to verify you have the correct key
Share this when publishing public key
Others verify fingerprint before trusting your key

Fingerprint verification best practices:

Publish fingerprint on multiple channels (website, social media, business card)
Meet in person to verify fingerprints (key signing party)
Use voice call to read fingerprint (voice biometric verification)
Video call (visual + audio verification)

NEVER just trust a key from email without verification!

List Private Keys

# List secret (private) keys
gpg --list-secret-keys

# Output:
sec   rsa4096 2025-10-14 [SC] [expires: 2027-10-14]
      ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234
uid           [ultimate] Alice Cypherpunk <[email protected]>
ssb   rsa4096 2025-10-14 [E] [expires: 2027-10-14]

Notation:

sec - Secret primary key
ssb - Secret subkey

2. Hands-On: Encryption and Decryption

Encrypting a File to Yourself

# Create test message
echo "Privacy is a human right, not a privilege." > manifesto.txt

# Encrypt to yourself
gpg --encrypt --recipient [email protected] manifesto.txt

# Creates: manifesto.txt.gpg (binary format)

What happened:

GPG found your public key
Encrypted file with your public key
Only your private key can decrypt it

Decrypt the File

# Decrypt (will prompt for passphrase)
gpg --decrypt manifesto.txt.gpg

# Output: Privacy is a human right, not a privilege.

# Decrypt to file
gpg --decrypt --output decrypted.txt manifesto.txt.gpg

ASCII-Armored Encryption (Text-Friendly)

Binary .gpg files don’t work well in emails or text systems. Use ASCII armor:

# Encrypt with ASCII armor
gpg --encrypt --armor --recipient [email protected] manifesto.txt

# Creates: manifesto.txt.asc (text format)
cat manifesto.txt.asc

Output:

-----BEGIN PGP MESSAGE-----

hQIMA9Kj3xK8sF9kAQ//eXampleEncryptedDataGoesHere
RandomBase64EncodedCiphertext...
=abcd
-----END PGP MESSAGE-----

When to use armor:

Sending encrypted messages via email
Posting in forums or chat
Any text-only medium

When to use binary:

Encrypting files locally
Smaller file size (20-30% smaller)
Faster to process

Encrypting for Multiple Recipients

# Encrypt so both Alice and Bob can decrypt
gpg --encrypt --armor \
  --recipient [email protected] \
  --recipient [email protected] \
  shared-document.txt

How this works:

GPG encrypts file once with random symmetric key
Encrypts that symmetric key with each recipient’s public key
Each recipient uses their private key to get symmetric key
Symmetric key decrypts the file

Result: File is only encrypted once, but multiple people can decrypt.

3. Digital Signatures: Proving Authorship

Why Sign Files?

Digital signatures prove:

Authenticity - File was created by you
Integrity - File hasn’t been modified
Non-repudiation - You can’t deny signing it

Real-world uses:

Software releases (verify it’s from real developer)
Git commits (prove you wrote the code)
Legal documents (digital notarization)
Encrypted emails (prove sender identity)

Sign a File (Cleartext Signature)

# Create cleartext signature (original text + signature)
gpg --clearsign announcement.txt

# Creates: announcement.txt.asc

Output format:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is the original message text.
Anyone can read this, but the signature proves I wrote it.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE... [signature data]
=Xy9z
-----END PGP SIGNATURE-----

Cleartext signature:

Message readable without GPG
Signature attached
Good for announcements, emails

Detached Signature

# Create separate signature file
gpg --detach-sign --armor software-release.tar.gz

# Creates: software-release.tar.gz.asc

When to use:

Software releases (distribute file + signature separately)
Large files (signature is small, can verify without re-downloading)
Standard practice for open source distributions

Verify a Signature

# Verify cleartext signature
gpg --verify announcement.txt.asc

# Output:
gpg: Signature made Mon 14 Oct 2025 03:14:15 PM EDT
gpg:                using RSA key ABCD1234...
gpg: Good signature from "Alice Cypherpunk <[email protected]>"

Verify detached signature:

# Verify file against separate signature
gpg --verify software-release.tar.gz.asc software-release.tar.gz

# Good signature = File authentic and unmodified
# BAD signature = File tampered with or signature forged

Sign and Encrypt (Combined)

# Sign AND encrypt in one operation
gpg --sign --encrypt --armor \
  --recipient [email protected] \
  secret-message.txt

This provides:

Confidentiality (encryption) - Only Bob can read
Authentication (signature) - Bob knows it’s from you
Integrity (signature) - Detects tampering

Best practice for sensitive communications.

Up Next

Week 3c covers public key distribution, keyservers, and the Web of Trust for decentralized identity verification.

Key Takeaways

Keyring stores your public and private keys with trust levels
Fingerprints uniquely identify keys and should be verified out-of-band
ASCII armor makes encrypted files text-safe for email/chat
Multiple recipients can decrypt the same encrypted file
Signatures prove authenticity, integrity, and non-repudiation
Sign + Encrypt combined is best practice for sensitive communications

Goal#

1. Understanding Your GPG Keyring#

List All Keys#

View Key Fingerprint#

List Private Keys#

2. Hands-On: Encryption and Decryption#

Encrypting a File to Yourself#

Decrypt the File#

ASCII-Armored Encryption (Text-Friendly)#

Encrypting for Multiple Recipients#

3. Digital Signatures: Proving Authorship#

Why Sign Files?#

Sign a File (Cleartext Signature)#

Detached Signature#

Verify a Signature#

Sign and Encrypt (Combined)#

Up Next#

Key Takeaways#