Generate key pairs, encrypt and decrypt files, import trusted keys, and digitally sign documents — all through a simulated terminal environment.
Public key: Share with anyone who needs to send you encrypted messages or verify your signatures. Safe to publish on keyservers.
Private key: Never shared. Protected by a passphrase. Used to decrypt messages encrypted with your public key and to sign documents.
Run the key generation command: gpg --full-generate-key for the interactive wizard, or the shorthand gpg --gen-key. Either form is accepted, and the simulator will walk you through the full process.
Key type RSA: the most widely supported algorithm, and a safe choice for interoperability.
Key size 4096: double the minimum. Computationally expensive to brute-force; the NSA considers 2048 adequate through 2030, so 4096 gives you a generous margin.
Expiration: setting an expiry date forces you to rotate keys periodically. A leaked key that has no expiry remains valid indefinitely unless you revoke it.
Your passphrase is the last line of defence if your private key file is stolen. Use a minimum of 20 characters — a short random sentence works well. GPG uses a key-derivation function (KDF) with the passphrase, so brute-force attacks are slow — but a weak passphrase still falls quickly.
Try both commands. List first, then export:
gpg --list-keys to see all keys on your public keyring
gpg --export -a "student@hexworth" to produce the ASCII block
gpg --list-keys
gpg --export -a "student@hexworth" > public.key
(The -a flag produces ASCII armor: readable text instead of binary.)
pub = master public key. Flags: [SC] means Sign + Certify.
uid = user identity (name + email).
sub = subkey. Flag: [E] means Encrypt.
GPG uses subkeys so that your master secret key (which never needs to leave your machine) stays safe while the encryption subkey does the day-to-day work.
GPG does not rely on certificate authorities. Instead, you manually verify someone's fingerprint (over a phone call, in person, or via a signed email) and then sign their key. The more respected people have signed a key, the more trustworthy it is considered. This is the web of trust model: decentralised and resilient, but it requires active participation.
professor.key). Before you can encrypt messages for them, you
must import the key and verify the fingerprint out-of-band to confirm it
has not been tampered with.
gpg --import professor.key
gpg --fingerprint professor@hexworth
After importing, GPG assigns unknown trust by default. You can set trust with gpg --edit-key professor@hexworth and then the trust command. Levels: unknown → undefined → marginal → full → ultimate. You only assign ultimate to your own keys.
A man-in-the-middle could send you a fake public key with the professor's name on it. Without fingerprint verification, you would encrypt to the attacker's key thinking it belongs to the professor. Always verify fingerprints out-of-band — via a voice call, an in-person meeting, or a separate signed channel.
secret.txt) to the professor. Encrypt it with their public
key so that only the professor's private key can decrypt it.
Encrypt secret.txt for the professor using --encrypt --recipient:
gpg --encrypt --recipient professor@hexworth secret.txt
gpg -e -r professor@hexworth secret.txt
Add --armor (-a) to produce a readable ASCII .asc file instead of binary .gpg.
GPG does not directly encrypt your file with RSA — RSA is too slow for
large data. Instead GPG generates a random 256-bit session key,
encrypts your file with AES-256 using that session key, then encrypts the
session key itself with the recipient's RSA public key. The .gpg
file contains both the encrypted session key and the AES ciphertext. Only the
private key holder can recover the session key and therefore decrypt the file.
message.gpg. It was encrypted with your public key. Only your
private key — protected by your passphrase — can open it.
gpg --decrypt message.gpg
gpg -d message.gpg
gpg --output plain.txt --decrypt message.gpg
The file's session key was locked with your public key. Your private key — which never left your machine — is the only mathematical inverse that can unlock it. Even the professor who encrypted it cannot decrypt it without your private key.
Your private key is stored encrypted on disk. The passphrase decrypts it into memory at the moment of use, then clears it. An attacker with your key file but not your passphrase still cannot decrypt anything.
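The Go program below is an added example, not part of the lab or of GnuPG's own code. It ties together three steps described above: the out-of-band fingerprint check before trusting an imported key, the hybrid encryption structure (random 256-bit session key, symmetric encryption of the file, session key wrapped with the recipient's RSA public key), and decryption by the private-key holder. Assumptions: the fingerprint is a SHA-256 over the DER-encoded public key, a stand-in for OpenPGP's fingerprint format; AES-256-GCM and RSA-OAEP stand in for GPG's AES-256 and PKCS#1 wrapping; the "phoned" fingerprint, the attacker's look-alike key and the file contents are constructed inside the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"io"
)

// NewKeyPair generates an RSA key pair (2048 bits keeps the example fast;
// the lab recommends 4096 for real keys).
func NewKeyPair() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// Fingerprint hashes the DER-encoded public key with SHA-256.
// Assumption: a stand-in for the OpenPGP fingerprint, which hashes the key
// packet instead; the role is the same, a short hash-derived key identity.
func Fingerprint(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// VerifyFingerprint is the out-of-band check: expected is the value the
// professor read out over a voice call, not something that arrived with the key.
func VerifyFingerprint(pub *rsa.PublicKey, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(Fingerprint(pub)), []byte(expected)) == 1
}

// Envelope mirrors what a .gpg file carries: the session key wrapped with the
// recipient's RSA public key, plus the symmetric ciphertext of the file.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a random 256-bit session key, encrypts the data with
// AES-256-GCM, and wraps the session key with RSA-OAEP under the recipient key.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	session := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, session); err != nil {
		return nil, err
	}
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, session, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt unwraps the session key with the private key, then opens the data.
// A wrong private key fails at the unwrap; a modified ciphertext fails the GCM tag.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	professor := NewKeyPair()
	attacker := NewKeyPair()                    // constructed: a second key carrying the professor's name
	phoned := Fingerprint(&professor.PublicKey) // constructed: the value read out over a call
	fmt.Println("professor's key matches phoned fingerprint:", VerifyFingerprint(&professor.PublicKey, phoned))
	fmt.Println("attacker's key matches phoned fingerprint: ", VerifyFingerprint(&attacker.PublicKey, phoned))

	env, err := Encrypt(&professor.PublicKey, []byte("constructed contents of secret.txt"))
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(professor, env)
	fmt.Printf("professor decrypts: %q (err=%v)\n", plain, err)
	_, err = Decrypt(attacker, env)
	fmt.Println("attacker decrypts: err =", err)
}
```

The attacker's key fails the fingerprint check even though it carries the same name, and the same key also fails to unwrap the session key of a message encrypted to the professor, which is the property the lab describes: only the matching private key recovers the session key.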
gpg-agent runs in the background and caches your passphrase for
a configurable TTL (default 10 minutes). This is why you are not prompted on
every single GPG operation in a session. You can configure the TTL in
~/.gnupg/gpg-agent.conf with
default-cache-ttl 600 (seconds).
advisory.txt) and prove it genuinely came from you. You will
sign it with your private key. Anyone with your public key can verify the
signature — and detect if the document was tampered with after signing.
Sign advisory.txt with gpg --sign advisory.txt, then check it with gpg --verify advisory.txt.gpg:
gpg --sign advisory.txt
gpg --verify advisory.txt.gpg
simulate tamper (special command)
gpg --clearsign advisory.txt
A digital signature provides non-repudiation: once you sign a document with your private key, you cannot credibly deny having signed it. This is the legal and technical basis for code-signing, software release announcements, and email authentication (OpenPGP). If your private key is compromised and you did not revoke it, a forged signature becomes possible — which is why key revocation certificates matter.
Sign only: Anyone can read the document, but they can
verify it came from you and was not changed.
Encrypt only: Only the recipient can read it, but they
cannot prove who sent it.
Sign then encrypt: Best of both — private and
authenticated. Use gpg --sign --encrypt -r recipient@host file.
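The Go program below is an added example, not part of the lab or of GnuPG's own code. It shows the sign-and-verify exercise above in working code: the document is hashed and the digest signed with the private key, verification with the public key succeeds on the original, and it fails both on a tampered copy (the lab's "simulate tamper" step) and on a signature checked against someone else's key. Assumptions: RSA-PSS over SHA-256 is used as a stand-in and the OpenPGP signature packet that gpg --sign writes is not reproduced; the advisory text and the impostor's key are constructed inside the program.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewSigningKey generates the signer's RSA key pair (2048 bits to keep the example quick).
func NewSigningKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// Sign hashes the document with SHA-256 and signs the digest with the private key.
// Assumption: RSA-PSS is a stand-in here; OpenPGP's signature format is not reproduced.
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest over the document as received and checks the
// signature with the signer's public key. Any change to the document, or a
// signature made by a different key, makes this return false.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Tamper flips a single bit in a copy of the document, standing in for the
// lab's "simulate tamper" command.
func Tamper(doc []byte) []byte {
	out := append([]byte(nil), doc...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	student := NewSigningKey()
	impostor := NewSigningKey() // constructed: someone else's key
	advisory := []byte("constructed contents of advisory.txt")

	sig, err := Sign(student, advisory)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies with student's key: ", Verify(&student.PublicKey, advisory, sig))
	fmt.Println("tampered copy verifies:               ", Verify(&student.PublicKey, Tamper(advisory), sig))
	fmt.Println("original verifies with impostor's key:", Verify(&impostor.PublicKey, advisory, sig))
}
```

Because the signature covers a hash of the whole document, a one-bit change anywhere in it is enough for verification to fail; and because only the student's public key verifies the signature, a reader who has that key (and has checked its fingerprint) knows both who signed and that nothing changed afterwards.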
Generate a revocation certificate immediately after creating a key pair:
gpg --gen-revoke student@hexworth > student-revoke.asc.
Store it offline. If your private key is ever lost or compromised, publish
the revocation certificate to notify the world that your key should no longer
be trusted.
Complete all six exercises to unlock lab completion credit.