Or Alice and Bob need an ansible.
The GNU Privacy Guard is an open source implementation of the OpenPGP
standard providing public-key encryption and digital signatures.
In order to use public-key encryption, you first generate a keypair with
which to sign and encrypt messages. A keypair consists of a public key
and a private key: the sender encrypts a message with the receiver's
public key, and only the matching private key can decrypt it. The public
key is the part you hand out; the private key stays on your machine,
protected by a passphrase. For the highest level of security, 4096-bit
RSA is recommended at the time of writing. Note that plain gpg --gen-key
in GnuPG 2.1 and later picks the defaults without asking; use
gpg --full-gen-key if you want to choose the algorithm and key size
yourself.
$ gpg --gen-key
Key generation needs a fair amount of randomness. If it stalls waiting
for entropy, start the following as root in another terminal.
# pacman -S rng-tools
# rngd -r /dev/urandom
Be aware of what this does: feeding /dev/urandom back into the kernel
pool only stops GnuPG from blocking on /dev/random, it adds no real
entropy. Prefer a hardware source (rngd's default, /dev/hwrng) where one
exists. On Linux 5.6 and later /dev/random no longer blocks once the
pool is initialised, and this step is unnecessary.
Upon creating the keypair, it is highly recommended to generate a
revocation certificate. The revocation certificate is published in the
event that the private key is compromised or the passphrase is
forgotten, to notify correspondents that the key is no longer valid or
secure. Keep it somewhere safe and offline: anyone who holds it can
revoke your key. (GnuPG 2.1 and later already write one to
~/.gnupg/openpgp-revocs.d/ during key generation; the command below
creates one explicitly.)
$ gpg -o ~/.gnupg/revoke.asc --gen-revoke alice@example.com
In order to exchange secured messages, the sender must encrypt the
message with the receiver's public key, so the receiver first has to
hand out that public key. Public keys may be exported either as binary
(the default) or as ASCII-armored text using the --armor option; armored
output is safe to paste into e-mail or a web page (by convention it gets
a .asc extension, although GnuPG does not care about the name). The
following command creates the public key file, alice.gpg, that a sender
needs in order to encrypt messages to Alice.
$ gpg -o ~/.gnupg/alice.gpg --armor --export alice@example.com
Importing a public key and assigning trust involves verifying and then
signing it. Here, Alice imports Bob's public key.
$ gpg --import bob.gpg
Importing only adds the key to the keyring; it says nothing about
whether the key really belongs to Bob. It is strongly recommended to
verify the public key fingerprint with the owner over a separate channel
(in person, by phone, or against a copy printed somewhere you already
trust)
$ gpg --fingerprint bob@example.com
before signing over trust. A key can also be fetched from a keyserver by
key ID or fingerprint (use --search-keys to look one up by e-mail
address), but a keyserver only proves that somebody uploaded a key under
that name, so the fingerprint check is still required. pgp.mit.edu and
the other SKS pool servers are largely unmaintained today; GnuPG 2.2.17
and later default to keys.openpgp.org.
$ gpg --keyserver pgp.mit.edu --recv-key KEYID
Once the fingerprints match, sign Bob's key. The signature may then be
published along with Bob's key, and Bob fetches Alice's key the same
way.
$ gpg --sign-key bob@example.com
$ gpg --keyserver pgp.mit.edu --send-key bob@example.com
or, interactively, display the fingerprint and sign from within
--edit-key:
$ gpg --edit-key bob@example.com
> fpr
> sign
If you do not intend to publish your certification, use --lsign-key (or
the lsign subcommand) instead, which makes a local, non-exportable
signature.
Finally, Alice can send and receive encrypted messages to and from
Bob. Add --armor to produce ASCII output that can be pasted into an
e-mail body, and note that Alice cannot decrypt her own outgoing copy
unless she also lists herself as a recipient (or sets encrypt-to in
gpg.conf).
$ gpg -o MESSAGE.gpg -r bob@example.com --encrypt MESSAGE
$ gpg -o MESSAGE --decrypt MESSAGE.gpg
In addition to public-key encryption, GnuPG supports digital
signatures. A digital signature is computed over the message with the
sender's private key and checked with the sender's public key; a valid
signature certifies that the message was signed by the holder of that
private key and has not been modified since. Signing does not hide the
message: use --encrypt as well when confidentiality is needed.
GnuPG provides three commands for creating digital signatures.
The --sign command wraps the file and its signature together in a
compressed, binary file; add --encrypt to sign and encrypt in one step.
$ gpg -o FILE.gpg --sign [--encrypt] FILE
The --clearsign command makes a clear text signature: the original text
stays readable, with the signature appended in an armored block.
$ gpg --clearsign FILE
The --detach-sign command makes a detached signature, stored separately
from the data, which is useful for attachments and for signing binary
data (add --armor to get an ASCII FILE.asc instead of the binary
FILE.sig).
$ gpg -o FILE.sig --detach-sign FILE
The sender's public key is then used to verify digitally-signed
messages. A detached signature is verified against the file it was made
over:
$ gpg --verify FILE.sig FILE
A file produced by --sign or --clearsign is verified by passing only
that file to --verify, and --decrypt recovers the original content from
a --sign file. A "Good signature" result only means the signature was
made by the key shown; it is meaningful only if that key's fingerprint
was verified and signed as described above, otherwise GnuPG warns that
the key is not certified.
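The whole Alice-and-Bob procedure above, run end to end, as an added example that is not part of the original page. It assumes GnuPG 2.1 or later (for --quick-sign-key and unattended key generation) and uses two throw-away key rings under a temporary directory so it never touches ~/.gnupg. The names, addresses and message text are constructed for the demo, and 2048-bit RSA with %transient-key keeps key generation fast here; a real key should follow the page's 4096-bit advice. Besides the happy path, it shows the fingerprint comparison gating the key signature and a detached signature failing on a tampered file.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): Alice and Bob generate keys,
# exchange and verify them, encrypt/decrypt a message, and sign/verify a
# file, all inside throw-away key rings. Names, addresses and the message
# are constructed for the demo.
set -euo pipefail

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
ALICE="$WORK/alice"
BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"

# Stop the per-keyring agents and remove the key rings when the script exits.
cleanup() {
    for d in "$ALICE" "$BOB"; do
        GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gen_key HOMEDIR NAME EMAIL: unattended equivalent of 'gpg --gen-key'.
# %transient-key trades RNG strength for speed; demo keys only.
gen_key() {
    gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
%transient-key
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# key_fpr HOMEDIR USERID: primary-key fingerprint, the value to compare with
# the owner out of band before signing the key.
key_fpr() {
    gpg --homedir "$1" --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sig_ok HOMEDIR SIGFILE DATAFILE: succeeds if the detached signature verifies.
sig_ok() {
    gpg --homedir "$1" --batch --verify "$2" "$3" >/dev/null 2>&1
}

gen_key "$ALICE" Alice alice@example.com
gen_key "$BOB"   Bob   bob@example.com

# Exchange public keys in ASCII-armored form and import them.
gpg --homedir "$ALICE" --armor --export alice@example.com > "$WORK/alice.asc"
gpg --homedir "$BOB"   --armor --export bob@example.com   > "$WORK/bob.asc"
gpg --homedir "$ALICE" --batch --quiet --import "$WORK/bob.asc"   2>/dev/null
gpg --homedir "$BOB"   --batch --quiet --import "$WORK/alice.asc" 2>/dev/null

# Fingerprint check: what Alice sees for Bob's imported key must equal what
# Bob reads off his own key (a variable here; a phone call in real life).
BOB_FPR=$(key_fpr "$BOB" bob@example.com)
ALICE_FPR=$(key_fpr "$ALICE" alice@example.com)
[ "$(key_fpr "$ALICE" bob@example.com)" = "$BOB_FPR" ]     || { echo "fingerprint mismatch for Bob" >&2; exit 1; }
[ "$(key_fpr "$BOB" alice@example.com)" = "$ALICE_FPR" ] || { echo "fingerprint mismatch for Alice" >&2; exit 1; }

# Only after the check: certify the keys. --quick-sign-key takes the
# fingerprint, so a mistyped address cannot sign the wrong key. Without this
# step 'gpg --batch' refuses to encrypt to a key it cannot validate.
gpg --homedir "$ALICE" --batch --quiet --quick-sign-key "$BOB_FPR"   2>/dev/null
gpg --homedir "$BOB"   --batch --quiet --quick-sign-key "$ALICE_FPR" 2>/dev/null

MESSAGE='Meet at the usual place at 09:00.'
printf '%s\n' "$MESSAGE" > "$WORK/msg.txt"

# Alice encrypts to Bob's public key; Bob decrypts with his private key.
gpg --homedir "$ALICE" --batch --quiet --yes -r bob@example.com \
    -o "$WORK/msg.gpg" --encrypt "$WORK/msg.txt" 2>/dev/null
RECOVERED=$(gpg --homedir "$BOB" --batch --quiet --decrypt "$WORK/msg.gpg" 2>/dev/null)

# Alice makes a detached signature; Bob verifies it with Alice's public key.
# Appending a single byte to the data makes verification fail.
gpg --homedir "$ALICE" --batch --quiet --yes \
    -o "$WORK/msg.sig" --detach-sign "$WORK/msg.txt" 2>/dev/null
cp "$WORK/msg.txt" "$WORK/tampered.txt"
printf 'x' >> "$WORK/tampered.txt"

echo "decrypted by Bob      : $RECOVERED"
sig_ok "$BOB" "$WORK/msg.sig" "$WORK/msg.txt"      && echo "signature on original : good"
sig_ok "$BOB" "$WORK/msg.sig" "$WORK/tampered.txt" || echo "signature on tampered : bad (as expected)"
```

The stderr redirects keep the output short; drop them to see GnuPG's own messages, including the "not certified with a trusted signature" warning you would get if the --quick-sign-key step were skipped.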