GPG exposes encryption operations to a user. This can be very confusing and overwhelming at the start – and security trainers generally advise against suggesting it to regular activists – but learning this skill is of paramount importance to serious militants, as it allows you to take full control over encryption and do things for yourself without relying on some app that tries to hide everything from you and depends upon server infrastructure (or having a phone) that could go down in an emergency (or not be trusted). GPG can also be used to prove the authenticity of message (whether or not you choose to encrypt it), certifying that it came from you.By knowing how to use GPG for yourself you will be able to encrypt and decrypt messages between parties without relying on the internet or a specific messaging app, and you will be able to add cryptographic signatures that can build webs of trust.
The core concept of GPG is the idea of public keys and private keys. These keys always come together in pairs. A public key is necessary to encrypt and a private key is necessary to decrypt. You can think of a public key as a lockbox that you put a letter into, and a private key is the corresponding key that can open the lockbox.
When someone has a public key (lockbox) for you, they can encrypt a message into an encrypted file or stream of text, and then no one who doesn’t have your corresponding private key can open it.
You can also use your private key to sign other people’s keys, cryptographically proving to anyone that has your public key that you have signed a given key. This can be used to certify to other people who already have your public key that the public key they’ve gotten for Dave actually is Dave’s public key.
“Asymmetric encryption” depends on the existence of one-way functions in mathematics that make it easy to do a math operation one way and very hard to reverse it. The intuitive example given as an explanation is multiplying two prime numbers (numbers that are not divisible by anything besides themselves and 1) it would be easier to multiply them together than to take the result and figure out what numbers can be multiplied together to get it. You may be able to multiply 7759 by 6563 on paper by hand, but if you were handed the result, 50922317 and asked what are the only numbers that multiply together to get it, you wouldn’t know where to begin looking and would have to do a lot more work. Modern asymmetric encryption uses much harder and highly tested and studied mathematical problems that are beyond our discussion here, but all modern economies and much of our technology depends entirely upon it. Such mathematical asymmetries in how hard computation can be is part of what enables resistance to centralized systems. No matter how powerful a supercomputer might be, there are things it can’t feasibly do.
Signal, Tor, even the little padlock in the corner of your browser when you visit an HTTPS website all use asymmetric encryption too, they just hide what’s happening.
GPG exposes more of the core operation of asymmetric encryption so you can use it for yourself in novel situations and have more control over things. Like any DIY operation, there’s potential to do things wrong, but learning how to use GPG is a great skill that can prepare one for situations where encryption is needed but user-friendly apps like Signal and Tor are not available or don’t solve the problem.
GPG is automatically preinstalled on most linux distributions.
To install on Windows, etc, go to https://www.gnupg.org/download/
GPG can be used within a graphic interface using Mozilla Thunderbird and OpenPGP Manager. (PGP and GPG are functionally the same thing, the difference is that GPG is the open source version). Many websites like Tutanota or Protonmail run a version of GPG over email in the background, where key exchange between eg Protonmail email accounts happens silently, but there are dangers to trusting a single email provider. And there are use cases for GPG encryption and signing that do not involve email.
Another graphical interface for GPG is available in the form of Kleopatra (https://apps.kde.org/kleopatra/)
This guide will explain how to run GPG in a terminal window. Being casually familiar with a terminal interface on windows, mac or linux is of vital importance to militants, but there are other guides or introductions to be found a short list of commands to navigate a linux terminal is appended at the end.
In terminal the first term denotes the program being called (gpg) and the terms that follow it are options or ‘flags’ (eg –list-keys). Sometimes an option will take an input (eg –sign-key alexander@riseup.net ).
(Note that if you choose to create and save a key while using Tails OS, GPG will not by default save it to encrypted persistent storage, so after a restart all your keys will be lost. You can enable persistent storage for GPG within Tails or you can manually export your public and private keys to a different USB and re-import them each time you run Tails; please make sure your private key is encrypted.)
The directory in which the following commands are run should be the same directory where given files exist or are intended to be created.
Once GPG is installed you can create a public/private key pair by typing:
gpg –full-generate-key
You will be prompted with a series of options where you will be asked to type responses, an example of choices you could make is:
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: emma
Email address: emma@gmail.com
Comment: nothing
You selected this USER-ID:
“emma (nothing) <emma@gmail.com>”
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You will also be prompted to enter a password to access the private key. Choose a long passphrase (five random dictionary words is standard). You will be asked to enter this password whenever you do something with your private key.
Congratulations! You now have a private key and corresponding public key. You can view each of them by
Listing public keys:
gpg –list-keys
And listing all secret keys:
gpg –list-secret-keys
To be able to encrypt messages to other people, you will want to import the public keys of specific comrades that you wish to communicate with in the future. This can hopefully be done IN PERSON in advance of any situation where you need encrypted coms, in order to be clear that the public key you have for them is, in fact, the corresponding public key to their actual private key.
(Otherwise a government agent could create a public-private key pair merely titled with your comrade’s name and relay to you the public key. Then when you encrypted messages to “their” public key it would really only be readable by the government agent instead. This agent could decide to then relay the message on to your comrade, encrypting it to their actual public key so your comrade will be none the wiser. The agent could even alter the message along the way. Without you and your comrade confirming with one another the other person’s key signature, this is a serious potential risk in high repression scenarios.)
In these examples a key id saved for different keys will be email addresses like “emma@gmail.com” but a key id for a key can be whatever you set them to be.
Export a public key (to be shared):
gpg —armor –export emma@gmail.com > emma_public_key.asc
Import a public key file from someone else to your computer’s gpg keyring:
gpg –import alexander_public.key
Get a fingerprint for a given key file:
gpg –fingerprint alexander_public.key
You can also get a fingerprint for a key you’ve imported into GPG from the key name rather than its file name:
gpg –fingerprint alexander@riseup.net
The fingerprint returned will be something like
7B93 1107 1BCB 3006 8350 7755 E020 C457 BFF2 83CA
This is a unique identifier. If both you and another person are in the same room with your devices and you can directly view the fingerprint both of your computers have fot a given key you can verify that they are the same and thus you have the correct key and not an impostor key that was replaced at some point. This is the only way to truly trust a key, because it could otherwise be replaced automatically along its transit across the internet to your computer by an impostor key.
If you have verified in person with someone that the public key you have for them is correct, you should “sign it” on your gpg installation.
Sign a key locally (within your GPG installation):
gpg –sign-key alexander@riseup.net
Encrypting a file to a public key (and signing it):
gpg –encrypt –sign –armor
–recipient alexander@riseup.net document.txt –output encrypteddoc.txt.asc
Decrypting a file encrypted to your public key:
gpg –decrypt encrypteddoc.txt.asc –output plain.txt
The decrypt option will also attempt to verify the signature.
If it has no signature, it will just decrypt the file.
If it has a signature, but you don’t have the public key, it will decrypt the file but it will fail to verify the signature.
If it has a signature and you have the public key, it will decrypt and verify.
You might want to save your private key(s) in encrypted file containers (eg using another program like VeraCrypt) on a USB. You might also want to distribute your public key to friends.
Export single secret key (to back it up privately):
gpg —armor –export-secret-key emma@gmail.com > emma_secret_key.asc
Export all public keys:
gpg —armor –export > public-all.asc
gpg –export outputs binary data. This cannot directly be displayed as text and so it must be transferred as a file.
gpg –export –armor outputs base64 encoded data, alongside a plaintext header + footer. This can be read and communicated as raw text, so for example it can be passed over other communication channels or pasted directly into an email body. So long as the text isn’t broken up and spaces or paragraphing isn’t added. In the case of say exporting a public key in this “armor” text format, the resulting text can look something like:
—–BEGIN PGP PUBLIC KEY BLOCK—–
9T6cSwE9PGVUwxYRFvrOVfEdtW2rGpQf46blrSRtTrc=
—–END PGP PUBLIC KEY BLOCK—–
All of the above examples use the –armor approach, but you can exclude it and return files in raw binary if you want.
Sign a cleartext document in the same directory you’re in (this wraps it in a signature but leaves it unencrypted) so everyone can read it and anyone who has your public key knows you signed it (will create a different file with both the text and the signature):
gpg —clearsign public_communique.txt
Signing like this can be used in a pinch to sign other people’s keys and distribute that signature on those keys. If we’re friends with Emma and Peter, and have exchanged and certified public keys with both, but Emma and Peter have not verified each other’s keys in person, we can (hopefully with permission!) pass Emma’s public key to Peter and sign Emma’s public key using our own private key. Peter’s copy of our public key will enable him to certify that only someone with our private key could sign the contents, thus allowing us to prove to him that we certify that key is Emma’s public key.
gpg —clearsign emma_public_key.asc
We can also do all this signing in binary, creating files that can’t be read as a stream of seemingly random text (the ‘- – output’ option allows you to specify the name of the file to be created, while the ‘- – sign’ option indicates what file is to be taken as input).
gpg --output public_communique.text.sig --sign public_communique.text
To verify a signature on a doc (if you’ve already imported the signer’s public key into your gpg), you can type
gpg —verify public_communique.txt.sig
When you want to encrypt or decrypt a message back and forth with anyone you’ve gotten a public key from, checked the fingerprint you have matches the same fingerprint they have for their key, you can do it pretty simply.
If you have multiple private keys saved on your computer’s GPG key ring, when you do anything the first one generated will automatically be selected as the key you wish to use.
This will change which UID is the primary one you’re using by default:
gpg –edit-key emma@gmail.com
gpg>list
gpg>uid [new one]
gpg>primary
gpg>save
gpg>quit
GPG makes explicit a web of verification. Never sign someone’s public key unless you’ve verified that said public key is in fact their key. If you haven’t checked Michel’s key and verified it from Michel a state agent could hand you a public key ostensibly for Michel (either as an undercover agent OR by intercepting a message from Michel to you over the internet and replacing Michel’s actual key with a compromised key).
Applications like Tor or Signal hide the choices for trusting public keys being made in the network, or they centralize them. To be certain, both apps are run by solid radicals who work very hard to make this less dangerous to you in various ways, and they’re checked on by other radicals since their work is open source, but while the centralization of both apps makes them simpler to use, it also makes them easier for a state to block or shut down.
Understanding GPG and using it, generating keys, distributing public keys, and signing public keys to relay them is a good exercise in not just preparation for situations where we can’t rely on things like Signal, but it also helps strengthen our understanding of trust networks.
Anarchists are used to understanding that networks, from informal friends to organized cells, must always consciously navigate networks of trust where there are different types of trust. You may trust Michel to always do what she says she’ll do in a meeting, but you may not trust her to show up on time or find a meeting in the woods. You may trust Peter to sign someone’s key only when he’s verified it in person with them, but you may not trust what Peter tells you in a message, encrypted or not.
On the other hand, you may not trust that Eric will only sign public keys he’s actually verified or you may not entirely trust that he isn’t a devious agent. So when Eric signs the public key of someone new and relays it to you, you have to take into account your level of trust in Eric in trusting that key.
To help with verification, if you both meet without your devices, you can print your key fingerprint on slips of paper and pass them to one another in these in-person meetings to then check later at home with your device. In a real pinch can also print public keys or signatures and put them on wheatpasted posters for other people to scan and import. A public key found just on a poster isn’t that trustworthy, but you could at least note if any future communiques you find ostensibly by that crew are signed with a different key (and thus beware)!
For decades in the animal liberation movement many communiques have been signed with GPG keys to enable certification that a single cell or organization was the origin of the communique and actually responsible for the action. A devious agent could not generate a valid signature of a false communique that matches the same public key of prior communiques without actually possessing the private key.
Remember that plugging a USB from someone else into your computer could compromise your computer. It can be necessary in some contexts where there’s no other way to relay files, but a devious adversary could insert a virus on a USB and use that virus to infect each relay point in a DIY sneaker net (where folks pass files and messages around by hand). It’s vital when running a sneaker net to only use devices that aren’t being used for anything else, so someone can’t pass around a USB with a virus and get your emails or use your computer to connect to the internet and snitch on you.
In Syria during the uprising the Assad regime would infect radicals devices and forward infected files to their entire contacts list on Skype that would then compromise more radicals and forward again. This enabled them to abduct, torture and murder thousands.
In Egypt during the uprising the internet was cut off, but some radicals managed to get signal out at limited points very sneaky tricks, and folks would pass USBs and information around to great effect. Graffiti artists helped in very rapidly spreading information and helping the network reach folks.
When anarchists have needed to go underground, they often abruptly lose contact with many comrades because they do not have a safe way to continue communicating. They may lose any device with Signal and the phone number it was attached to. Having keys already generated and public keys signed in a network with their close friends can enable bootstrapping communications and support when alone in a foreign country and/or on the run. It’s very hard to make a new life from scratch, get new contacts or coordinate secret money transfers, or even get a new Signal account trusted, when the enemy controls much of the internet and is actively hunting you.
Keeping private keys safe, encrypted, and their public keys known and verified is critical to any communications network. Just as it is critical, behind the scenes, to keeping Tor and Signal secure.
One downside of GPG is that the same key-pair is used on multiple messages and if the secret private key is ever compromised in the future anyone with it could both generate new signatures and decrypt all messages encrypted with the corresponding public key. This zine is not meant to push GPG a replacement for Signal in its daily use cases for anarchists (eg helping schedule a meeting without phones), but as a guide for how to better understand encryption and prepare to have better options for DIYing communications in severe situations.
There are a great many other options and functionalities in GPG that you can look up online. The above is intended as a cheat sheet for when the internet isn’t accessible. In an absolute pinch, when the internet isn’t available you can type “man gpg” in a linux terminal to access the manual to GPG and see lists of options.