Using GPG
Please Note: Be sure not to store your secret key on a time-sharing host such as shell.uoregon.edu. It is considered best practice to not store keys on hosts with untrusted accounts. If such a host stores your secret key and becomes compromised, you will have to revoke your key.
Creating a new key with GPG
Generating a revocation certificate
Building your web of trust
A word on keyservers
Sending your key to the keyservers
Retrieving a key from a keyserver
Signing a key
Publishing a key
Resources
Creating A New Key With GPG
To create a new key, you will have to make some initial decisions:
- What kind of key? The default, which we recommend, is to use DSA and ElGamal.
- How large of a key? The default key size is 1024 bits; however, 2048 bits is a good choice.
- Be sure to use a strong passphrase and keep it in a safe place!
- It is good practice to generate a revocation certificate in case you forget your passphrase or if your private key is compromised or lost. (See below)
Code
|
[jersmith@host ~]$ gpg --gen-key
gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: failed to create temporary file `/home/jersmith/.gnupg/.#lk0x9a48868.host.uoregon.edu.1322':
No such file or directory
gpg: /home/jersmith/.gnupg: directory created
gpg: new configuration file `/home/jersmith/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/jersmith/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/jersmith/.gnupg/secring.gpg' created
gpg: keyring `/home/jersmith/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Jerry Smith "
Real name: Jerry Smith
Email address: jersmith@host.uoregon.edu
Comment: Test ... to be destroyed
You selected this USER-ID:
"Jerry Smith (Test ... to be destroyed) <jersmith@host.uoregon.edu>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
Enter passphrase:
Repeat passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++.+++++.+++++++++++++++.++++++++++.+++++..++++++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++..+++++.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
gpg: /home/jersmith/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.
pub 1024D/795B3078 2007-10-18 Jerry Smith (Test ... to be destroyed)
Key fingerprint = 6407 43AA 9C96 C3E3 4EEC 33AC D851 FCB9 35D2 304D
sub 1024g/795B3078 2007-10-18
|
Revoking Your Old Key
If you already have an old PGP/GPG key that you need to revoke, you will need to create a revocation certificate. Depending on which version of PGP was used to create the key, use one of the commands below and follow the instructions:
1. Old PGP style
2. New GPG Style
|
[jersmith@host ~]$ gpg --gen-revoke 795B3078
sec 1024D/795B3078 2007-10-18 Jerry Smith (Test ... to be destroyed)
Create a revocation certificate for this key?
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? <3>
Enter an optional description; end it with an empty line:
> I forgot my pass-phrase and had to generate a new key
>
Reason for revocation: Key is no longer used
I forgot my pass-phrase and had to generate a new key
Is this okay?
You need a passphrase to unlock the secret key for
user: "Jerry Smith (Test ... to be destroyed) <jersmith@host.uoregon.edu>"
1024-bit DSA key, ID 795B3078, created 2007-10-18
Enter passphrase:
ASCII armored output forced.
Revocation certificate created.
|
Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: The print system of your machine might store the data and make it available to others!
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: A revocation certificate should follow
iH4EIBECAD4FAkcXvsE3HQNJIGZvcmdvdCBteSBwYXNzLXBocmFzZSBhbmQgaGFk
IHRvIGdlbmVyYXRlIGEgbmV3IGtleQAKCRDYUfy5NdIwTSa0AJ9fJorIbExIE9sX
BfaYg3qtutuOuQCfYZHP60VdLjqoHjSLSUts5rkAFyY=
=+oL4
-----END PGP PUBLIC KEY BLOCK-----
|
Once you have the revocation certificate, you can print it for archival purposes. If you ever need to revoke your key, you will need to submit the certificate to the keyservers. You can do this by going directly to the keyserver webpage and submitting the armored revocation certificate.
Building your Web of Trust
A Word On Keyservers
- There are several servers where you may publish your key. It is recommended that you publish your key to either http://pgp.mit.edu or http://keyserver.net. These keyservers mirror their keys to many other keyservers on the internet.
- Your pass-phrase is extremely important. Make a note of it in a safe place.
- You will want to generate a revocation certificate for this key and keep it in a safe place, just in case you forget your pass-phrase or need to revoke the key. See the instructions above.
Sending Your Key to the Keyservers
You will want to send your key to the global keyservers so people can easily find it.
Building Your Web Of Trust
Now that you have generated your PGP key and submitted it to the global keyserver, you are ready to start building your web of trust. The following sections deal with this process. Another option is to participate in PGP Signing Parties. Whichever way you decide to do it, you need to be very careful with which and whose keys you sign.
Retrieving A Key From A Keyserver
If you do not know the keyid of the user's key you are searching for, you can search for the user's key using a username or email address. This is done using the --search-keys option.
|
[jersmith@host ~]$ gpg --keyserver pgp.mit.edu --search-keys jersmith@uoregon.edu
gpg: searching for "jersmith@uoregon.edu" from hkp server pgp.mit.edu
(1) Jerry Smith
Jerry Smith (This is not a comment)
1024 bit DSA key 795B3078, created: 2004-03-04
Enter number(s), N)ext, or Q)uit >
|
At the prompt, you can enter the number of the key to import, hit N to page through results, or Q to quit and do nothing.
Alternatively, you can use the --recv-keys option. Here is an example:
|
[jersmith@host ~]$ gpg --keyserver pgp.mit.edu --recv-keys 795B3078
gpg: requesting key 795B3078 from hkp server pgp.mit.edu
gpg: key 795B3078: "Jerry Smith " 6 new signatures
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 2 signed: 15 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 15 signed: 5 trust: 3-, 0q, 0n, 12m, 0f, 0u
gpg: Total number processed: 1
gpg: new signatures: 6
|
Signing A Key
First, verify that you have the correct key. This should be done using the PGP fingerprint:
|
[jersmith@host ~]$ gpg --fingerprint jersmith@uoregon.edu
pub 1024D/795B3078 2004-03-04
Key fingerprint = 3EFB 33B7 051C 16B4 03BD 85F3 32FE 7E8D A852 499F
uid Jerry Smith
uid Jerry Smith (This is not a comment)
sub 2048g/795B3078 2004-03-04
|
Take the fingerprint and confirm with the person whose key you wish to sign that you have the correct key.
Once you have confirmed you have the correct key, you can then sign their key. This is done with the --sign-key option.
|
[jersmith@host ~]$ gpg --sign-key 67FCABE5
pub 1024D/795B3078 created: 2003-05-29 expires: never usage: CSA
trust: unknown validity: unknown
sub 2048g/795B3078 created: 2003-05-29 expires: never usage: E
[ unknown] (1). Hans A. Smith
pub 1024D/795B3078 created: 2003-05-29 expires: never usage: CSA
trust: unknown validity: unknown
Primary key fingerprint: 8D66 51A8 E120 B781 C298 2C38 031A BFB5 67FC ABE5
Hans A. Smith
Are you sure that you want to sign this key with your
key "Jerry Smith " (A852499F)
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "Jerry Smith "
1024-bit DSA key, ID 795B3078, created 2004-03-04
Enter passphrase:
|
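The fingerprint confirmation step above can be scripted. This is an added example, not part of the original page: it compares the full fingerprint in `gpg --with-colons --fingerprint` output against the one received from the key owner, and refuses a short key ID as proof. The function names and the sample listing are assumptions constructed for illustration; only the fingerprint is taken from the listing on this page.

```shell
#!/bin/sh
# Added example: compare a key's full fingerprint with one obtained out-of-band.

# Constructed sample of `gpg --with-colons --fingerprint` output. Only the
# fingerprint is taken from the listing on this page; the rest is made up.
SAMPLE_LISTING='pub:-:1024:17:32FE7E8DA852499F:2004-03-04:::-:Jerry Smith::scESC:
fpr:::::::::3EFB33B7051C16B403BD85F332FE7E8DA852499F:
sub:-:2048:16:0000000000000000:2004-03-04::::::e:'

# Remove whitespace and upper-case the hex digits so that
# "3efb 33b7 ..." and "3EFB33B7..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read a colon listing on stdin and print field 10 of the first "fpr"
# record, which is the primary key's fingerprint.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_fpr LISTING EXPECTED
#   0 = full fingerprint matches, 1 = mismatch,
#   2 = EXPECTED is not a 40-hex-digit fingerprint (for example a short key ID)
check_fpr() {
    have=$(printf '%s\n' "$1" | primary_fpr)
    want=$(normalize_fpr "$2")
    case "$want" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Demo on the constructed listing.
if check_fpr "$SAMPLE_LISTING" "3EFB 33B7 051C 16B4 03BD 85F3 32FE 7E8D A852 499F"; then
    echo "fingerprint matches: safe to continue to --sign-key"
else
    echo "fingerprint does NOT match: do not sign"
fi
```

Against a real keyring, pass `"$(gpg --with-colons --fingerprint KEYID)"` as the first argument and the fingerprint the key owner gave you as the second.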
Publishing A Key
After signing a person's public key, you should publish that key to the keyservers. This is done with the --send-keys option.
|
[jersmith@host ~]$ gpg --keyserver pgp.mit.edu --send-keys 795B3078
gpg: sending key 795B3078 to hkp server pgp.mit.edu
|
Resources
http://www.gnupg.org/
http://www.gnupg.org/gph/en/manual.html