GnuPG
From Computer Science Community
How do I go about getting a GnuPG key?
Install GnuPG
If GnuPG is already installed (as it should be on the default Ubuntu install) go ahead and skip this step.
For Ubuntu:
sudo apt-get install gnupg
For Gentoo:
sudo emerge -av gnupg
For Mac OS X: Download .DMG here.
Generate a GnuPG Key Pair
In a terminal, execute:
$ gpg --gen-key
GPG will reply with something similar to:
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?
The default selection is fine for most people. After selecting your key type, GPG will ask you for a key length.
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
The default is generally fine for most, although if you're more paranoid you may want to opt for a longer key. GPG will then ask you to set the length the key is valid for.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
My current key is set to never expire, though some people prefer to have a key expire after a few years. After you confirm the length your key is valid for, GPG will ask you for your real name, email address, and a comment (which is optional).
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Real Name
Email address: real@domain.org
Comment:
GPG will then ask you to double check the information you entered. You can modify your input if you need at this point.
You selected this USER-ID:
"Real Name <real@domain.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Now you need to decide on a passphrase. Pick a good passphrase. A combination of letters, numbers and punctuation with a length of 12 or greater should be sufficient. It should be hard to guess and not consist of words found in a dictionary.
Enter passphrase:
After entering your passphrase, GPG will need to generate some random data to create your key. Move your mouse, access your disk and give it some time.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
After this finishes, your keys have been successfully created!
gpg: /home/real/.gnupg/trustdb.gpg: trustdb created
gpg: key F0915361 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/F0915361 2007-12-01
Key fingerprint = 5B7D 77B7 FCB9 E09A 222F 917A 16DD 2894 F091 5361
uid Real Name <real@domain.org>
sub 4096g/64799B76 2007-12-01
Post Key Creation
The following steps are optional but encouraged; generating a revocation certificate in particular is strongly encouraged.
Generate a Revocation Certificate
A revocation certificate will allow you to revoke your public key in case it becomes compromised. First you need to determine the id of the key you want to generate the revocation certificate for.
real@domain ~ $ gpg --list-keys
/home/real/.gnupg/pubring.gpg
-------------------------------
pub   1024D/F0915361 2007-12-01
uid                  Real Name <real@domain.org>
sub   4096g/64799B76 2007-12-01
In this example, the key we want to generate the revocation certificate for is `F0915361'. To generate the certificate execute:
real@domain ~ $ gpg --output revcert.asc --gen-revoke F0915361
GPG will then confirm that you really want to generate a revocation certificate.
sec  1024D/F0915361 2007-12-01 jimmy john <jimmy@john.com>

Create a revocation certificate for this key? (y/N)
Input the reason for revoking the key, followed by an optional description. Finally, confirm your decision.
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
>
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y
GPG then will ask you for your passphrase. If you enter the correct passphrase, GPG will spit out a revocation certificate and some good advice.
You need a passphrase to unlock the secret key for
user: "Real Name <real@domain.org>"
1024-bit DSA key, ID F0915361, created 2007-12-01

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
Uploading Your Key to a Keyserver
Sending your key to a keyserver allows people easy access to your public key.
The first step is to determine the ID of the key to be sent to the server.
real@domain ~ $ gpg --list-keys
/home/real/.gnupg/pubring.gpg
-------------------------------
pub   1024D/F0915361 2007-12-01
uid                  Real Name <real@domain.org>
sub   4096g/64799B76 2007-12-01
The key we're going to send to the server is `F0915361'.
gpg --keyserver pgp.mit.edu --send-key F0915361
And that's all there is to it.
Obtaining a key from a keyserver
To obtain another person's public key from a keyserver the following command is used:
gpg --keyserver <keyserver> --search-keys <email>
So if I want to get johndoe@asdf.com's public key off of the MIT keyserver the command would look like:
gpg --keyserver pgp.mit.edu --search-keys johndoe@asdf.com
Signing a trusted person's key
The signing of keys allows people to verify keys and their owners.
To sign a trusted person's key, you must first import their key into your keyring using the above section. Next, run
$ gpg --list-keys
to determine the ID of the key you'd like to sign.
Now, you must verify the key you're about to sign actually belongs to the person you think it does. If you don't know the person, verifying an ID is a good way to authenticate their identity. After you've verified the person's identity, ask them for the fingerprint to their key. It should match the output of:
gpg --fingerprint <KeyID>
If it doesn't you should NOT sign the key. If it does you can go ahead and sign the key now using the command:
gpg --sign-key <KeyID>
GnuPG will ask you a few questions about the key you're about to sign. After you've signed the key, you can either return the signed key to its owner or, if you retrieved the key from a keyserver, upload it back to the server with the command:
gpg --keyserver <keyserver> --send-key <KeyID>
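The fingerprint comparison described above, as an added shell example (not part of the original page): it extracts the full fingerprint from `gpg --with-colons --fingerprint` output, compares it with the value the owner gave you out of band, and only then runs `gpg --sign-key`. The sample listing is constructed from the fingerprint shown on this page; only `verify_then_sign` needs a gpg binary.

```shell
#!/bin/sh
# Added example, not from the original page: check a key's full fingerprint
# against the value its owner gave you out of band before running --sign-key.
# Only verify_then_sign needs a gpg binary; everything else is plain sh/awk.

# Constructed sample of `gpg --with-colons --fingerprint F0915361` output,
# built from the fingerprint shown on this page (not captured from a real run).
SAMPLE_LISTING='pub:u:1024:17:16DD2894F0915361:2007-12-01::u:::scESC:
fpr:::::::::5B7D77B7FCB9E09A222F917A16DD2894F0915361:
uid:u::::::::Real Name <real@domain.org>:'

# Normalise a fingerprint as people read it out: drop spaces/colons, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Extract the 40-hex-digit fingerprint from --with-colons output
# (the "fpr" record, field 10). Reads stdin, prints the fingerprint.
parse_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if both values are well-formed 40-hex fingerprints and equal.
# The full fingerprint, not the 8-character key ID, is what identifies a key;
# two different keys can share a short ID.
fpr_match() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
    case "$a" in ""|*[!0-9A-F]*) return 1;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Offline walk-through on the constructed listing: returns 0 when the stated
# fingerprint matches and a short-ID-only "fingerprint" is rejected.
demo_check() {
    have=$(printf '%s\n' "$SAMPLE_LISTING" | parse_fpr)
    fpr_match "5b7d 77b7 fcb9 e09a 222f 917a 16dd 2894 f091 5361" "$have" &&
      ! fpr_match "F0915361" "$have"
}

# Live use: verify_then_sign F0915361 "5B7D 77B7 FCB9 E09A 222F 917A 16DD 2894 F091 5361"
verify_then_sign() {
    keyid=$1; stated=$2
    have=$(gpg --with-colons --fingerprint "$keyid" | parse_fpr) || return 1
    if fpr_match "$stated" "$have"; then
        gpg --sign-key "$keyid"
    else
        echo "fingerprint mismatch for $keyid: NOT signing" >&2; return 1
    fi
}
```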
What else can I do with my GPG key?
Sign/Encrypt Documents
To sign a document
$ gpg --output signed_file.gpg --sign file_to_sign
To encrypt a document
$ gpg --output encrypted_file.gpg --encrypt --recipient recip@their.domain.com file_to_encrypt
To sign and encrypt a document
$ gpg --output signed_and_encrypted.gpg --sign --encrypt --recipient recip@their.domain.com file_sign_and_encrypt
Decrypting an encrypted document
This will decrypt the document and verify the signature if the document has been signed.
gpg --output document_decrypted --decrypt encrypted_doc.gpg
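An encrypted file with no signature, or one signed by a key you do not hold, decrypts just as cleanly as a properly signed one; only gpg's machine-readable status lines (`--status-fd`) tell the cases apart. The following added shell example (not from the original page) checks those lines and refuses plaintext that lacks a valid signature from an expected fingerprint. The status output embedded below is constructed from the key on this page, not captured from a real run; only `decrypt_verified` needs a gpg binary.

```shell
#!/bin/sh
# Added example, not from the original page: decrypt and insist on a good
# signature from an expected key, rather than assuming that --decrypt alone
# "verifies the signature". Unsigned or unknown-key data decrypts without
# error; the [GNUPG:] status lines are what distinguish the cases.

# Constructed --status-fd output for a file signed with the key on this page
# (not captured from a real run).
GOOD_STATUS='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 16DD2894F0915361 Real Name <real@domain.org>
[GNUPG:] VALIDSIG 5B7D77B7FCB9E09A222F917A16DD2894F0915361 2007-12-01 1196467200 0 4 0 17 2 00 5B7D77B7FCB9E09A222F917A16DD2894F0915361'
# Constructed status output for an encrypted but unsigned file.
UNSIGNED_STATUS='[GNUPG:] DECRYPTION_OKAY'

# Read status lines on stdin; succeed only if decryption succeeded AND a
# VALIDSIG line names the expected fingerprint ($1). BADSIG, ERRSIG or
# NO_PUBKEY anywhere in the stream fails the check.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "DECRYPTION_OKAY" { dec = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = 1 }
        $2 == "VALIDSIG" && $3 == want { sig = 1 }
        END { if (dec && sig && !bad) exit 0; exit 1 }'
}

# Offline walk-through: signed-by-expected-key passes, unsigned is refused.
demo_check() {
    printf '%s\n' "$GOOD_STATUS" | check_status 5B7D77B7FCB9E09A222F917A16DD2894F0915361 &&
      ! printf '%s\n' "$UNSIGNED_STATUS" | check_status 5B7D77B7FCB9E09A222F917A16DD2894F0915361
}

# Live use (needs gpg): decrypt_verified encrypted_doc.gpg document_decrypted <fingerprint>
# Plaintext goes to the output file, status lines to stdout, human messages to stderr.
decrypt_verified() {
    in=$1; out=$2; fpr=$3
    if gpg --status-fd 1 --output "$out" --decrypt "$in" | check_status "$fpr"; then
        return 0
    fi
    rm -f "$out"   # do not leave unverified plaintext behind
    echo "no valid signature from $fpr on $in" >&2
    return 1
}
```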
Revoking your public key
In the event that you lose control of your private key or it becomes compromised, you can revoke your public key by importing your revocation certificate that you generated when you created your key and then uploading your key to the keyserver:
gpg --import <revocation.asc>
gpg --keyserver <keyserver> --send-key <KeyID>

