In the past I created a couple of GPG keys on a different machine that I now want to use on my new Kali Linux machine, allowing me to encrypt and decrypt messages. So how can we properly transfer the keys?

I transferred the keys to Windows in the past and remember that working with GPG/PGP on Windows is horrible. Nevertheless, I saved both of them in a directory called gnupg. To transfer the keys to the new machine, I simply copied the directory onto an external hard drive and pasted it into the file system on the new machine. Then we have to add the keys to our GPG keyring.

First let us check whether GPG is installed, which should be the case by default. You can check with:

gpg --version

In my case I have version 2.240. I had in fact created one key pair under the old version 2.0 and one key pair under the then-new version 2.1. Back then, in 2015, the difference was mainly in how the keys were saved, which confused me at the time. Now, however, the versions have been merged, so old keys are saved in the modern way.

Although there are multiple ways to import keys, I will show what I did. The easiest way to import public keys is to download them from a key server, for example with this command:

gpg --keyserver pgp.mit.edu --recv-keys DEADBEEF

Here DEADBEEF is the short key ID, consisting of the final eight hexadecimal digits of the key's fingerprint. I imported both of the keys. A different way, however, is to run the following command in the gnupg directory for the key created with GPG 2.0:

gpg --import pubring.gpg

You may then also import the public keys of other people you used to encrypt messages for. After all, public keys are free to share with everyone, and you don't need any passphrase or secret key to encrypt messages for someone else. To import the secret key, you can enter one of the following commands: either import the corresponding secring.gpg or, if you have the private key saved in an armored file ending in .asc, import that file:

gpg --import secring.gpg

gpg --import secret-key-DEADBEEF.asc

Note that when you import from an armored file, you must enter your passphrase. If you forgot your password, you will not be able to decrypt the file. Now we also need to import the key created with version 2.1, whose keys were saved in the subdirectory private-keys-v1.d. In my case, despite having one key, I have two files ending in .key. We can, however, easily import them by copying them from within that subdirectory to the local gnupg directory:

cp * ~/.gnupg/private-keys-v1.d

Then enter the following commands to check whether the keys have been successfully added and are at your disposal:

gpg --list-keys

gpg --list-secret-keys
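
The check above can also be scripted. The following is an added example, not part of the original post: it reads the machine-readable listings produced with --with-colons and reports public keys whose secret key did not come across, plus short key IDs shared by more than one key. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a keyring after a transfer, using the output of
#   gpg --list-keys --with-colons   and   gpg --list-secret-keys --with-colons
# Field 1 is the record type; field 10 of an "fpr" record is the fingerprint.
# The fpr record right after pub/sec belongs to the primary key.

# Print primary public keys in listing $1 with no secret key in listing $2.
missing_secret() {
    awk -F: '
        $1 == "pub" || $1 == "sec"   { kind = $1; next }
        $1 == "sub" || $1 == "ssb"   { kind = "";  next }
        $1 == "fpr" && kind == "sec" { have[$10] = 1; kind = ""; next }
        $1 == "fpr" && kind == "pub" { pubs[++n] = $10; kind = "" }
        END { for (i = 1; i <= n; i++) if (!(pubs[i] in have)) print pubs[i] }
    ' "$2" "$1"
}

# Print short key IDs (last 8 hex digits) shared by several primary keys.
ambiguous_short_ids() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "sub"         { want = 0; next }
        $1 == "fpr" && want { seen[substr($10, length($10) - 7)]++; want = 0 }
        END { for (id in seen) if (seen[id] > 1) print id }
    ' "$1" | sort
}

# Constructed sample listings (not real keys): two public keys that share
# the short ID DEADBEEF, but only the first one has its secret key.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/pub.txt" <<'EOF'
pub:u:4096:1:AAAA0000DEADBEEF:1430000000:::u:::scESC:
fpr:::::::::AAAA0000AAAA0000AAAA0000AAAA0000DEADBEEF:
uid:u::::1430000000::::Example User <user@example.org>:
sub:u:4096:1:CCCC2222CCCC2222:1430000000::::::e:
fpr:::::::::CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222:
pub:u:4096:1:BBBB1111DEADBEEF:1440000000:::u:::scESC:
fpr:::::::::BBBB1111BBBB1111BBBB1111BBBB1111DEADBEEF:
uid:u::::1440000000::::Example User <user@example.org>:
EOF
cat > "$demo/sec.txt" <<'EOF'
sec:u:4096:1:AAAA0000DEADBEEF:1430000000:::u:::scESC:
fpr:::::::::AAAA0000AAAA0000AAAA0000AAAA0000DEADBEEF:
ssb:u:4096:1:CCCC2222CCCC2222:1430000000::::::e:
fpr:::::::::CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222:
EOF
echo "no secret key for: $(missing_secret "$demo/pub.txt" "$demo/sec.txt")"
echo "ambiguous short IDs: $(ambiguous_short_ids "$demo/pub.txt")"
```

When a short ID is reported as ambiguous, select the key by its full fingerprint instead.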

Now let us test it out. Create a new file called example1.txt, either the old-fashioned way or with this command in a directory of your choice:

echo "hello world" > example1.txt

Then encrypt the file using the following command to test that your keys work:

gpg -e -a -u 0xDEADBEEF -r 0xDEADBEEF -o example1enc.txt.asc example1.txt

  • -e is short for --encrypt, which you use to tell GPG that you want to encrypt a file
  • -a allows you to armor the file, making it human-readable
  • -u lets you select which key to use to encrypt. You can use the user ID or the short key ID. In my case I have to use the short key ID because both of my keys have the same user ID
  • -r lets you select the recipient of the message, who is able to decrypt it using their private key. Important: Unless you put yourself as a (co-)recipient, you will not be able to decrypt the file!
  • -o lets you specify an output file
  • Finally, example1.txt is the file to encrypt at hand and must be placed last in the command. The file will not disappear or be overwritten unless specified otherwise.

Then, a file called example1enc.txt.asc should appear in your directory. Now let us decrypt the file using the following command:

gpg -d -o example1dec.txt example1enc.txt.asc

  • -d is short for --decrypt
  • -o lets you specify an output file
  • example1enc.txt.asc is the file you want to decrypt

When you hit enter, GPG will first check if you have the right key in your keyring to decrypt the file and if so, it will prompt you to enter your passphrase. After doing so, the file example1dec.txt should appear in your directory. Now check if you can open the file:

cat example1dec.txt

If it says “hello world” then congratulations, you have successfully imported your key pair and tested it. Now you can properly participate in the world of cryptography and send encrypted messages to other people, as well as decrypt any received encrypted messages meant for you.