GPG Walk Through Noobs - Ubuntu Containers

From CompleteNoobs
Revision as of 21:28, 9 July 2025 by AwesomO
LICENCE: More information about the cc0 licence can be found here:
https://creativecommons.org/share-your-work/public-domain/cc0

The person who associated a work with this deed has dedicated the work to the public domain by waiving all of his or her rights to the work worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.

You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.


This is a quick walk-through of the basics of GPG.

  • IMPORTANT NOTE: In the LXC containers, sudo is required for gpg (not 100% sure why); it is not required on a normal host (not a container).

Step 1 - Creating containers and logging in

  • Create 2 ubuntu 24.04 containers foo and bar
lxc launch ubuntu:24.04 foo
lxc exec foo bash
su - ubuntu

lxc launch ubuntu:24.04 bar
lxc exec bar bash
su - ubuntu

Have two terminals open, one logged into each container as user ubuntu.

Step 2 - update container and install GPG

  • Update and install gnupg2 in both containers
  • gnupg2 installs the `gnupg` package, which includes the `gpg` command.

sudo apt update && sudo apt upgrade -y && sudo apt install gnupg2 -y

  • Verify installation

gpg --version

Step 3 - Creating KeyPairs

  • IMPORTANT NOTE: In the LXC containers, sudo is required for gpg (not 100% sure why); it is not required on a normal host (not a container).

Create Key Pair for Container Foo

  • Generate new GPG key pair

sudo gpg --full-generate-key

  • Follow prompts:
  1. Choose key type: (9) ECC (default)
  2. Curve: (1) Curve 25519 (default). The key-size prompt (1024 to 4096 bits, 3072 default) only appears for RSA keys.
  3. Key expiration: 0 = key does not expire
  4. Real name: foo
  5. Email: foo@foo.com
  6. Comment: i am foo
  7. Passphrase: choose a secure passphrase


Output of sudo gpg --full-generate-key:

ubuntu@foo:~$ sudo gpg --full-generate-key
gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection? 
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection? 
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: foo
Email address: foo@foo.com
Comment: i am foo
You selected this USER-ID:
    "foo (i am foo) <foo@foo.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/107B0222408951691EF6C91B4D9C986B00A60CFE.rev'
public and secret key created and signed.

pub   ed25519 2025-07-08 [SC]
      107B0222408951691EF6C91B4D9C986B00A60CFE
uid                      foo (i am foo) <foo@foo.com>
sub   cv25519 2025-07-08 [E]

Create Key Pair for Container Bar

  • Generate new GPG key pair

sudo gpg --full-generate-key

  • Follow prompts:
  1. Choose key type: (1) RSA
  2. Key size: 1024 to 4096 bits (3072 default)
  3. Key expiration: 0 = key does not expire
  4. Real name: bar
  5. Email: bar@bar.com
  6. Comment: i am bar
  7. Passphrase: choose a secure passphrase

Output of sudo gpg --full-generate-key:

ubuntu@bar:~$ sudo gpg --full-generate-key
gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: bar
Email address: bar@bar.com
Comment: i am bar
You selected this USER-ID:
    "bar (i am bar) <bar@bar.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/56107DF2FB1A226BDFED3CC362C74C327D5EB42B.rev'
public and secret key created and signed.

pub   rsa3072 2025-07-09 [SC]
      56107DF2FB1A226BDFED3CC362C74C327D5EB42B
uid                      bar (i am bar) <bar@bar.com>
sub   rsa3072 2025-07-09 [E]
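The same two keys can be generated unattended, which is handy for reproducible container setup and shows which answer each interactive prompt above corresponds to. The script below is an added example, not part of the original page: it builds a GnuPG parameter file for `gpg --batch --generate-key` and creates the key in a scratch `--homedir` so the real keyring (under `/root/.gnupg` when run with sudo, as the page's output shows) is untouched. The function names are made up for this example; the parameter names are GnuPG's documented unattended-generation parameters, and gpg is only needed for `generate_key_unattended`.

```shell
#!/bin/sh
# Added example (not from the original page): the two keys the page creates
# interactively, generated unattended from a GnuPG parameter file with
# `gpg --batch --generate-key`, in a scratch keyring so the real one is untouched.
# Each parameter corresponds to one of the page's interactive prompts.

GPG="${GPG:-gpg}"   # set GPG="sudo gpg" inside the LXC containers, as the page does

# keygen_params KIND NAME COMMENT EMAIL: print the parameter file on stdout.
#   ecc -> Curve 25519 signing key + cv25519 encryption subkey (the page's foo key)
#   rsa -> 3072-bit RSA signing key + 3072-bit RSA encryption subkey (the page's bar key)
# Expire-Date 0 = key does not expire, the page's choice at the expiry prompt.
keygen_params() {
    case "$1" in
        ecc) printf 'Key-Type: eddsa\nKey-Curve: ed25519\nKey-Usage: sign\n'
             printf 'Subkey-Type: ecdh\nSubkey-Curve: cv25519\nSubkey-Usage: encrypt\n' ;;
        rsa) printf 'Key-Type: RSA\nKey-Length: 3072\nKey-Usage: sign\n'
             printf 'Subkey-Type: RSA\nSubkey-Length: 3072\nSubkey-Usage: encrypt\n' ;;
        *)   echo "keygen_params: unknown key kind '$1' (use ecc or rsa)" >&2; return 1 ;;
    esac
    printf 'Name-Real: %s\nName-Comment: %s\nName-Email: %s\nExpire-Date: 0\n' "$2" "$3" "$4"
    # The passphrase comes from the PASSPHRASE environment variable so it is never
    # typed on a command line; if it is unset the parameter is omitted and gpg
    # asks for one interactively.
    if [ -n "${PASSPHRASE:-}" ]; then printf 'Passphrase: %s\n' "$PASSPHRASE"; fi
    printf '%%commit\n'
}

# primary_fingerprint: read `gpg --with-colons --list-keys` output on stdin and
# print field 10 of the first fpr record, i.e. the primary key fingerprint.
primary_fingerprint() {
    while IFS= read -r line; do
        case "$line" in
            fpr:*) printf '%s\n' "$line" | cut -d: -f10; return 0 ;;
        esac
    done
    return 1
}

# generate_key_unattended HOMEDIR KIND NAME COMMENT EMAIL: create the key in
# HOMEDIR (needs gpg) and print the new primary fingerprint, the value the page
# shows under "pub" after generation.
generate_key_unattended() {
    home=$1; shift
    mkdir -p "$home" && chmod 700 "$home"
    keygen_params "$@" | $GPG --homedir "$home" --batch --generate-key || return 1
    $GPG --homedir "$home" --with-colons --list-keys | primary_fingerprint
}

# Offline: show the parameter files (no gpg needed).
echo "--- parameters for Foo's key ---"; keygen_params ecc foo "i am foo" foo@foo.com
echo "--- parameters for Bar's key ---"; keygen_params rsa bar "i am bar" bar@bar.com
# To really create Foo's key in a scratch keyring under /tmp (needs gpg):
#   PASSPHRASE='choose a secure passphrase' generate_key_unattended /tmp/foo-gnupg ecc foo "i am foo" foo@foo.com
```

Key-Usage and Subkey-Usage are set explicitly so the result matches the page's `[SC]` primary and `[E]` subkey layout; without them gpg may give an RSA primary key encryption capability as well.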

Exchanging Keys

  • List Keys

sudo gpg --list-keys

ubuntu@bar:~$ sudo gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa3072 2025-07-09 [SC]
      56107DF2FB1A226BDFED3CC362C74C327D5EB42B
uid           [ultimate] bar (i am bar) <bar@bar.com>
sub   rsa3072 2025-07-09 [E]

Export Public Key

  • Container Bar

sudo gpg --armor --export bar@bar.com > me_bar_pub_key.asc

cat me_bar_pub_key.asc output:

ubuntu@bar:~$ cat me_bar_pub_key.asc 
-----BEGIN PGP PUBLIC KEY BLOCK-----
[armored key data elided]
=sRdV
-----END PGP PUBLIC KEY BLOCK-----

  • Container Foo

sudo gpg --armor --export foo@foo.com > me_foo_pub_key.asc

cat me_foo_pub_key.asc output:

ubuntu@foo:~$ cat me_foo_pub_key.asc 
-----BEGIN PGP PUBLIC KEY BLOCK-----
[armored key data elided]
=aMeG
-----END PGP PUBLIC KEY BLOCK-----

Import Public Key

Swap the public keys between the containers, either by copy and paste or by lxc file pull/push:

  • Option 1 - Copy and Paste

cat me_foo_pub_key.asc

Copy the content and paste it into a file in the bar container (for example bar-pub.asc), and vice versa.

  • Note: the file containing the public key can be called anything; it does not need the .asc extension as long as you know what it is.
  • Option 2 - Push and Pull

Optional: Create a Dir for the swap on host:

noob@noob-ThinkPad-T470:~$ mkdir keyswap
noob@noob-ThinkPad-T470:~$ cd keyswap/
noob@noob-ThinkPad-T470:~/keyswap$ lxc file pull bar/home/ubuntu/me_bar_pub_key.asc .
noob@noob-ThinkPad-T470:~/keyswap$ lxc file pull foo/home/ubuntu/me_foo_pub_key.asc .
noob@noob-ThinkPad-T470:~/keyswap$ ls
me_bar_pub_key.asc  me_foo_pub_key.asc
noob@noob-ThinkPad-T470:~/keyswap$ lxc file push me_bar_pub_key.asc foo/home/ubuntu/
noob@noob-ThinkPad-T470:~/keyswap$ lxc file push me_foo_pub_key.asc bar/home/ubuntu/

  • In Container Foo we are going to import the public key for Bar

sudo gpg --import me_bar_pub_key.asc

Output:

ubuntu@foo:~$ sudo gpg --import me_bar_pub_key.asc 
gpg: key 62C74C327D5EB42B: public key "bar (i am bar) <bar@bar.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

  • Verify import

sudo gpg --list-keys
Output:

ubuntu@foo:~$ sudo gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
pub   ed25519 2025-07-08 [SC]
      107B0222408951691EF6C91B4D9C986B00A60CFE
uid           [ultimate] foo (i am foo) <foo@foo.com>
sub   cv25519 2025-07-08 [E]

pub   rsa3072 2025-07-09 [SC]
      56107DF2FB1A226BDFED3CC362C74C327D5EB42B
uid           [ unknown] bar (i am bar) <bar@bar.com>
sub   rsa3072 2025-07-09 [E]

  • Do the same in the other container (import Foo's public key in Bar).

Trust Level for Imported Key

  • Only do this in one container for now.

In container Foo

  • Edit Bar's key to set trust

sudo gpg --edit-key bar@bar.com

  • At gpg prompt, type:

trust

  • Choose option 5 (ultimate trust)

quit
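Before answering 5 at the trust prompt, the check a practitioner wants is that the key in the keyring really is the other party's: compare its fingerprint with the value the owner gave you out of band (the page prints the fingerprints under "pub" after generation). The script below is an added example, not part of the original page. It reads `gpg --with-colons --fingerprint` output, whose `fpr` records carry the fingerprint in field 10, and only on a match records ultimate ownertrust with `gpg --import-ownertrust` (ownertrust code 6 in that file format), which has the same effect as `trust` followed by 5 in the `--edit-key` menu. The function names are made up for this example; the sample listing is constructed from the page's own key ID and fingerprint for Bar with made-up timestamps and subkey fingerprint, so the offline part runs without gpg.

```shell
#!/bin/sh
# Added example (not from the original page): check an imported key's fingerprint
# against the value its owner gave you out of band BEFORE marking it trusted.
# In `gpg --with-colons --fingerprint` output the "fpr" record that follows a
# "pub" record is the primary key fingerprint (field 10); the fpr after a "sub"
# record is a subkey fingerprint and is skipped.

GPG="${GPG:-gpg}"   # set GPG="sudo gpg" inside the LXC containers, as the page does

# Constructed sample of `gpg --with-colons --fingerprint bar@bar.com` as seen from
# container Foo. Key ID and primary fingerprint are the page's; timestamps, uid
# hash and subkey fingerprint are made up.
SAMPLE_LISTING='pub:-:3072:1:62C74C327D5EB42B:1752051600:::-:::scESC::::::23::0:
fpr:::::::::56107DF2FB1A226BDFED3CC362C74C327D5EB42B:
uid:-::::1752051600::0000000000000000000000000000000000000000::bar (i am bar) <bar@bar.com>::::::::::0:
sub:-:3072:1:8E2E95AB835CF051:1752051600::::::e::::::23:
fpr:::::::::0000000000000000000000008E2E95AB835CF051:'

# primary_fingerprints: colon-format listing on stdin, one primary fingerprint per line.
primary_fingerprints() {
    want=0
    while IFS= read -r line; do
        case "$line" in
            pub:*) want=1 ;;
            sub:*) want=0 ;;
            fpr:*)
                if [ "$want" -eq 1 ]; then
                    printf '%s\n' "$line" | cut -d: -f10
                    want=0
                fi
                ;;
        esac
    done
}

# normalise_fpr: accept the spaced form gpg prints for humans ("5610 7DF2 ...")
# or lower-case hex, return compact upper-case hex.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# fingerprint_matches LISTING EXPECTED: succeed only if EXPECTED is a primary
# fingerprint in LISTING (whole-line, fixed-string comparison).
fingerprint_matches() {
    printf '%s\n' "$1" | primary_fingerprints | grep -qxF "$(normalise_fpr "$2")"
}

# trust_after_check EMAIL EXPECTED_FPR: query the real keyring (needs gpg), and
# set ultimate ownertrust only when the fingerprint matches. "6" is the
# ownertrust-file code for ultimate, the same result as "trust -> 5" in --edit-key.
trust_after_check() {
    listing=$($GPG --with-colons --fingerprint "$1" 2>/dev/null) || return 2
    if fingerprint_matches "$listing" "$2"; then
        printf '%s:6:\n' "$(normalise_fpr "$2")" | $GPG --import-ownertrust
    else
        printf 'fingerprint mismatch for %s - NOT trusting this key\n' "$1" >&2
        return 1
    fi
}

# Offline demonstration on the constructed listing (no gpg needed).
if fingerprint_matches "$SAMPLE_LISTING" "5610 7DF2 FB1A 226B DFED 3CC3 62C7 4C32 7D5E B42B"; then
    echo "sample: fingerprint matches what Bar told us - safe to set trust"
fi
if ! fingerprint_matches "$SAMPLE_LISTING" "107B 0222 4089 5169 1EF6 C91B 4D9C 986B 00A6 0CFE"; then
    echo "sample: Foo's fingerprint is not this key's - would refuse to trust"
fi
# Real use inside container Foo:  GPG="sudo gpg" trust_after_check bar@bar.com "5610 7DF2 ... B42B"
```

Comparing whole fingerprints rather than the short 16-hex key ID matters: the key ID is just the tail of the fingerprint and is what gpg prints in the "There is no assurance this key belongs to the named user" prompt, so it is the fingerprint, not the ID, that should be confirmed with the other party.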

Example of not trusting a public key:

  • Bar did not mark Foo's public key as trusted, so gpg asked for confirmation when encrypting to that recipient's public key:

ubuntu@bar:~$ sudo gpg --armor --encrypt --recipient foo@foo.com test.txt
gpg: 50307AF320586962: There is no assurance this key belongs to the named user

sub  cv25519/50307AF320586962 2025-07-08 foo (i am foo) <foo@foo.com>
 Primary key fingerprint: 107B 0222 4089 5169 1EF6  C91B 4D9C 986B 00A6 0CFE
      Subkey fingerprint: 4A5D 347A EA1A 88D6 A69C  51CA 5030 7AF3 2058 6962

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

Encrypt file from Foo to Bar

  • Create super secret file:

echo "This is a secret message from Foo to Bar!" > secret.txt

  • Encrypt for Bar

sudo gpg --armor --encrypt --recipient bar@bar.com secret.txt

  • This creates secret.txt.asc, the file encrypted to Bar's public key, with an .asc extension.
  • Send this file to Bar.

File Contents:

ubuntu@foo:~$ cat secret.txt.asc 
-----BEGIN PGP MESSAGE-----
[armored message data elided]
=Vdc9
-----END PGP MESSAGE-----

Decrypting file

  • In container Bar

sudo gpg --decrypt secret.txt.asc > decrypted_secret.txt

  • You will be prompted for your passphrase. Then check the contents:

cat decrypted_secret.txt

This is a secret message from Foo to Bar!

Encrypting an Image

  • Encrypting an image is the same as encrypting any other file

sudo gpg --armor --encrypt --recipient bar@bar.com test_image.jpg

  • This produces a file with the .asc extension: test_image.jpg.asc

Decrypt Image

sudo gpg --decrypt test_image.jpg.asc > decrypted_image.jpg

Encrypting a Directory

  • To encrypt a directory, archive it first and then encrypt the archive

tar -czf secret_folder.tar.gz secret_folder/

  • And Encrypt the Archive

sudo gpg --armor --encrypt --recipient bar@bar.com secret_folder.tar.gz

  • secret_folder.tar.gz.asc is now encrypted and safe to send over the network.

Decrypt Directory

  • Decrypt the archive

sudo gpg --decrypt secret_folder.tar.gz.asc > decrypted_folder.tar.gz

  • Extract the archive

tar -xzf decrypted_folder.tar.gz

Symmetric Encryption (Password-based)

  • You will be prompted for a passphrase; this is the password required to decrypt.

sudo gpg --armor --symmetric msg.txt

  • A file with the .asc extension will be created.

msg.txt.asc

Decrypt Symmetric Encryption

  • Will be prompted for password

sudo gpg --decrypt msg.txt.asc

  • The above command prints the decrypted text on the terminal; to store the decrypted content in a file instead:

sudo gpg --decrypt msg.txt.asc > decrypted-file.txt

Signing and Verifying Files

  • IMPORTANT NOTE: In the LXC Containers sudo is required for signing and verifying due to the same issue as key generation (likely missing /run/user/<uid> directory). This is not typically required on a normal host.

Signing and Encrypting a File (Foo to Bar)

  • In container Foo, create a file to sign and encrypt:

echo "This is a signed and encrypted message from Foo to Bar!" > secret_signed.txt

  • Sign and encrypt the file for Bar's public key:

sudo gpg --armor --sign --encrypt --recipient bar@bar.com secret_signed.txt

  • This creates secret_signed.txt.asc, which is signed by Foo's private key and encrypted for Bar's public key.

cat secret_signed.txt.asc output:

ubuntu@foo:~$ cat secret_signed.txt.asc
-----BEGIN PGP MESSAGE-----

hQGMA44ulauDXPBRAQv/U/tg2p/YuYCA5KLrmRDSLEULp7P7rlQyCWSdCW3N4uL8
vZSDioA7PX/ferpIZWJgh4ulvLG0rWWRWSuzN15C8CCnaFNXd2wzMileMEey6I7b
m+kNO6z6CHWc8K+NU2tFZLr/41s71dNiq2zh9gF4D+MOeGHnVXJWOJoG8bVLI1Db
jGZiwD23rwzzJR+fuIyufO9g/dLkvBzrTbQVgo7o/BLQrzb9osfoQTOeNa+zGYGe
d4728qBmL+vx99yNqA1npw3DpwQSodbMWDTP6VINRzuKFFbNYcz6EqTAyrPInYyi
Rko3qPOAadHWeggdnDse3eKS/Kn5omt7uo5gMrl9G6uX7/xUMQ8yicv3By5RrVS1
O8/4R+ZN2Q8kpsyCRY+NiYisBx+Ekx5+EQHws5L5Ez/YR3hlJEc3hJC9/VhvcPR1
rT3RnHoGo2j+fcOLs41XPezAXSd2DtSxVl/m2O7zg4FIx2DMiVAEGCmPw6eKkDQB
Xo2SjiG5kcs0bvZTAlv71MBDAQkCEADDE0u8CdcQgc6kW/OU8/bHnws1M2qeZjPQ
5pRgWpH49BKBi4eT4TR0Iq7uMjJuInnzEO+CTims+7CC3T6kXv7GOL3EDwbQ0VjJ
mmP4VGvGYu0FaNeJOVkLrMKXepwIFaqjoYWsHDl79h0NdLTdIM6E1BGcDA+A5jJc
ydWR3TEQQE+xC/Rt2hem+OKZE5PZpvAXoIz9rVpE/SHi0+2WrHdw9YjQlcE1Tp1M
/ZFeuX14pnS0dAmpYWXdm9b1uq4aCPSbyMgAUz1NTRLRD79Ya3qL7DqeLUBUY2vN
4WVCmdV22FhbpGniGxld2zhoyjn2LMiuBPF6eUtRPnvcLt6n4Q==
=nKdq
-----END PGP MESSAGE-----

  • Send secret_signed.txt.asc to Bar (e.g., via lxc file push or copy-paste).

Checking the Signer (Encrypted File)

  • In container Bar we did not trust Foo's public key
  • Decrypt and verify the signed file:

sudo gpg --decrypt secret_signed.txt.asc > decrypted_signed.txt

  • GPG will decrypt the file using Bar's private key and verify the signature using Foo's public key. You will be prompted for Bar's passphrase.

Output of sudo gpg --decrypt secret_signed.txt.asc > decrypted_signed.txt:

ubuntu@bar:~$ sudo gpg --decrypt secret_signed.txt.asc > decrypted_signed.txt
gpg: encrypted with rsa3072 key, ID 8E2E95AB835CF051, created 2025-07-09
      "bar (i am bar) <bar@bar.com>"
gpg: Signature made Wed Jul  9 21:00:20 2025 UTC
gpg:                using EDDSA key 107B0222408951691EF6C91B4D9C986B00A60CFE
gpg: Good signature from "foo (i am foo) <foo@foo.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 107B 0222 4089 5169 1EF6  C91B 4D9C 986B 00A6 0CFE

  • The output shows the file was signed by foo (i am foo) <foo@foo.com>. "Good signature" confirms the signature is valid (the file is authentic and unaltered).
  • The line WARNING: This key is not certified with a trusted signature! shows that you did not mark foo's key as trusted in Bar's keyring.
  • Check the decrypted content:

cat decrypted_signed.txt

This is a signed and encrypted message from Foo to Bar!

Signing Without Encryption

  • In container Foo, sign a file without encrypting it:

echo "This is a signed but not encrypted message from Foo!" > public_signed.txt
sudo gpg --armor --sign public_signed.txt

  • This creates public_signed.txt.asc, signed by Foo's private key but readable by anyone.
  • Although the content of public_signed.txt.asc looks encrypted, it is not: no passphrase is required to make it readable.

cat public_signed.txt.asc output:

ubuntu@bar:~$ cat public_signed.txt.asc 
-----BEGIN PGP MESSAGE-----

owEBEwLs/ZANAwAKAWLHTDJ9XrQrAaxMYhFwdWJsaWNfc2lnbmVkLnR4dGhu2+RU
aGlzIGlzIGEgc2lnbmVkIGJ1dCBub3QgZW5jcnlwdGVkIG1lc3NhZ2UgZnJvbSBG
b28hCokBswQAAQoAHRYhBFYQffL7GiJr3+08w2LHTDJ9XrQrBQJobtvkAAoJEGLH
TDJ9XrQrtQIL/3xU9S/YekqNt+dx5axx8/elK7gm4CMBvrkxugILdb7H1s2XS/d1
hxBDcRf955vFhiJM3rlC1EpVLEOkrFDIEvIu0NH5A6D6TDNT6ThS+Mcch+35HtFo
dAgZv5nBia4Z9uV2PXSS3JhHxZitFmWNX/YCpPaDaMSPCGZHWSq6Li2gBZ74FvzJ
A91NVSst2cPXdHbuNyScpHl4E/FegLjQlfUwTq/oGvJ8PWW4Ny5zkzpo+QsNO7O7
DU6vcRrry66AzASanUV8NS6fAjuvxWOaRDRaIn3MctzlEXsQPa6rsS9l3/eNcXT2
qYf7xfF5bMOHk4/c2zxM1+vhooPYg5423OGprvU74T4taSaYvbEm08ul+C9L805c
Kk/Z41EDgsDfxGjwf0c3ZfdxkCdVE2xnGxhypxyHan0qTscT+kEnEd67vSGWOXJF
B2Y6JvDj6K4ToUDd27gYZtO29jyIA7Ggj+6GpmqbNYgr8nHpaR7xeixLiLz2snuu
nBrQq8ixE+Z67Q==
=I0Gt
-----END PGP MESSAGE-----

Make Signed Content Readable

  • This command takes the signed content, writes the readable output to a file called decrypted-file.txt, and gpg verifies the signer.

sudo gpg --output decrypted-file.txt --decrypt public_signed.txt.asc

  • Note: bar imported and trusted foo's public key

ubuntu@bar:~$ sudo gpg --output decrypted-file.txt --decrypt public_signed.txt.asc
gpg: Signature made Wed Jul  9 21:15:16 2025 UTC
gpg:                using RSA key 56107DF2FB1A226BDFED3CC362C74C327D5EB42B
gpg: Good signature from "bar (i am bar) <bar@bar.com>" [ultimate]
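The two verification outputs above differ only in the bracketed trust word ([unknown] with the certification WARNING versus [ultimate]), and a script should not decide by eyeballing that text. The following is an added example, not part of the original page, for both the "Checking the Signer (Encrypted File)" and "Make Signed Content Readable" steps: it has gpg emit its machine-readable status lines (`--status-fd`) and accepts the plaintext only when the signature is good AND the signer's key is trusted, failing closed otherwise. The status tokens (GOODSIG, BADSIG, ERRSIG, TRUST_*, DECRYPTION_*) are GnuPG's documented status vocabulary; the function names and the sample status lines are constructed for this example, with the page's own key IDs and fingerprints and made-up timestamps, so the classifier runs offline without gpg.

```shell
#!/bin/sh
# Added example (not from the original page): decrypt and verify using gpg's
# status-fd lines instead of parsing "Good signature ... [unknown]" text, and
# fail closed unless the signature is good AND the signer's key is trusted.

GPG="${GPG:-gpg}"   # set GPG="sudo gpg" inside the LXC containers, as the page does

# Constructed status output for the page's scenario: Bar decrypts
# secret_signed.txt.asc, Foo's signature is good, but Foo's key is not
# certified/trusted in Bar's keyring. Key IDs/fingerprints are the page's.
STATUS_UNTRUSTED='[GNUPG:] ENC_TO 8E2E95AB835CF051 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1752094820 secret_signed.txt
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4D9C986B00A60CFE foo (i am foo) <foo@foo.com>
[GNUPG:] VALIDSIG 107B0222408951691EF6C91B4D9C986B00A60CFE 2025-07-09 1752094820 0 4 0 22 8 00 107B0222408951691EF6C91B4D9C986B00A60CFE
[GNUPG:] TRUST_UNDEFINED 0 pgp
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'

# Constructed status for an encrypted-but-unsigned message (the page's
# secret.txt.asc): it decrypts fine, but nothing authenticates the sender.
STATUS_UNSIGNED='[GNUPG:] ENC_TO 8E2E95AB835CF051 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1752094820 secret.txt
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'

# classify_status: status lines on stdin, one verdict on stdout:
#   decryption-failed | bad-signature | unverifiable-signature |
#   expired-or-revoked-key | decrypted-unsigned | good-untrusted | good-trusted
classify_status() {
    sig=none; trust=insufficient; decryption=none
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] DECRYPTION_OKAY"*)   decryption=ok ;;
            "[GNUPG:] DECRYPTION_FAILED"*) decryption=failed ;;
            "[GNUPG:] GOODSIG "*) if [ "$sig" = none ]; then sig=good; fi ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) sig=stale ;;
            "[GNUPG:] BADSIG "*) sig=bad ;;
            "[GNUPG:] ERRSIG "*) sig=error ;;   # e.g. signer's public key not in keyring
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trust=ok ;;
            "[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_NEVER"*|"[GNUPG:] TRUST_MARGINAL"*) trust=insufficient ;;
        esac
    done
    if   [ "$decryption" = failed ]; then echo decryption-failed
    elif [ "$sig" = bad ];   then echo bad-signature
    elif [ "$sig" = error ]; then echo unverifiable-signature
    elif [ "$sig" = stale ]; then echo expired-or-revoked-key
    elif [ "$sig" = none ];  then echo decrypted-unsigned
    elif [ "$trust" = ok ];  then echo good-trusted
    else echo good-untrusted
    fi
}

# decrypt_verify IN OUT (needs gpg): status lines come back on stdout via
# --status-fd 1, the plaintext goes to OUT, and OUT is removed unless the
# verdict is good-trusted. gpg-agent still prompts for the passphrase.
decrypt_verify() {
    status=$($GPG --status-fd 1 --output "$2" --decrypt "$1" 2>/dev/null) || true
    verdict=$(printf '%s\n' "$status" | classify_status)
    if [ "$verdict" = good-trusted ]; then
        printf '%s: %s\n' "$1" "$verdict"
        return 0
    fi
    rm -f "$2"
    printf 'refusing %s: %s\n' "$1" "$verdict" >&2
    return 1
}

# Offline demonstration on the constructed status lines (no gpg needed).
printf 'page scenario, Foo untrusted in Bar: %s\n' "$(printf '%s\n' "$STATUS_UNTRUSTED" | classify_status)"
printf 'same after trust -> 5 on Foo key:   %s\n' "$(printf '%s\n' "$STATUS_UNTRUSTED" | sed 's/TRUST_UNDEFINED/TRUST_ULTIMATE/' | classify_status)"
printf 'encrypted only, no signature:       %s\n' "$(printf '%s\n' "$STATUS_UNSIGNED" | classify_status)"
# Real use in container Bar:  GPG="sudo gpg" decrypt_verify secret_signed.txt.asc decrypted_signed.txt
```

A signed-only message such as public_signed.txt.asc produces no DECRYPTION_* lines but the same GOODSIG/TRUST_* pair, so the same classifier covers it; "decrypted-unsigned" is the verdict for the page's plain `--encrypt` files, where the content is confidential but the sender is not authenticated.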