Disclaimer: I know enough about security to know that I know next to nothing about security.

Today is my last day as an employee at SparkFun Electronics, and while trying to wrap up a few loose ends, I found myself needing a secure way to send Tyler a private key so he could access a few AWS instances. Luckily, he has a link to his GPG key on his site, so I decided to give that a try. I’ve used GPG in the past, but I was only messing around with it, and never had a legitimate use. This, I’m sad to say, would be my first real use of GPG. Here’s how to send someone an encrypted file using GPG.

Get a copy of the recipient’s public GPG key. In this example, I’m using Tyler’s.

$ curl -O https://tylercipriani.com/tylercipriani.gpg.txt

Import the key.

$ gpg --import tylercipriani.gpg.txt
gpg: key 018FAC02: public key "Tyler Cipriani <tyler@tylercipriani.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Now, tell gpg that you trust the key. You should verify the key’s fingerprint with the owner and other sources before trusting it.

$ gpg --edit-key tyler@tylercipriani.com
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  4096R/018FAC02  created: 2014-02-19  expires: never       usage: SC  
                     trust: unknown       validity: unknown
sub  4096R/EE737D83  created: 2014-02-19  expires: never       usage: E   
[ unknown] (1). Tyler Cipriani <tyler@tylercipriani.com>

gpg> trust
pub  4096R/018FAC02  created: 2014-02-19  expires: never       usage: SC  
                     trust: unknown       validity: unknown
sub  4096R/EE737D83  created: 2014-02-19  expires: never       usage: E   
[ unknown] (1). Tyler Cipriani <tyler@tylercipriani.com>

Please decide how far you trust this user to correctly verify other users keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I do not know or will not say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
                                                             
pub  4096R/018FAC02  created: 2014-02-19  expires: never       usage: SC  
                     trust: ultimate      validity: unknown
sub  4096R/EE737D83  created: 2014-02-19  expires: never       usage: E   
[ unknown] (1). Tyler Cipriani <tyler@tylercipriani.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit

The final step is encrypting the file I wish to send to Tyler (super_secret.txt).

$ gpg --output encrypted.gpg --encrypt --recipient tyler@tylercipriani.com super_secret.txt
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2024-12-08

That’s it. Now I can send encrypted.gpg to Tyler, and he can decrypt it using his private GPG key.
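The fingerprint check recommended before the trust step can be scripted so that encryption refuses to run on a mismatch. This is an added example, not part of the original post: the function names are hypothetical, the expected fingerprint is a placeholder you obtain from the key owner out of band, and it assumes the key has already been imported and trusted as shown above.

```shell
#!/bin/sh
# Added example: compare the imported key's fingerprint with one obtained
# out of band, and encrypt only if they match. Function names are hypothetical.

# Print the primary key fingerprint from `gpg --with-colons` output on stdin.
# In that format the fingerprint is field 10 of the first "fpr" record.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Strip whitespace and upper-case, so "ab12 cd34" compares equal to "AB12CD34".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same full 40-hex-digit fingerprint.
# Short key IDs such as the 8-digit ones gpg prints are rejected, because
# they are too short to identify a key uniquely.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    case "$a" in *[!0-9A-F]*|"") return 1 ;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# encrypt_verified RECIPIENT EXPECTED_FPR INFILE OUTFILE
encrypt_verified() {
    actual=$(gpg --with-colons --fingerprint "$1" | fpr_from_colons)
    if ! fpr_matches "$2" "$actual"; then
        echo "fingerprint mismatch for $1: keyring has '$actual'" >&2
        return 1
    fi
    # Address the key by the verified fingerprint, not by e-mail address.
    gpg --output "$4" --encrypt --recipient "$(normalize_fpr "$2")" "$3"
}

# Usage (EXPECTED_FPR is a placeholder for the value the owner gave you):
#   encrypt_verified tyler@tylercipriani.com "$EXPECTED_FPR" \
#       super_secret.txt encrypted.gpg
```
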