About GPG | University of Oregon: Information Security

Using GPG

Please Note: Be sure not to store your secret key on a time-sharing host such as shell.uoregon.edu. It is considered best practice to not store keys on hosts with untrusted accounts. If such a host stores your secret key and becomes compromised, you will have to revoke your key.

Creating a new key with GPG
Generating a revocation certificate
Building your web of trust
A word on keyservers
Sending your key to the keyservers
Retrieving a key from a keyserver
Signing a key
Publishing a key
Resources


Creating A New Key With GPG

To create a new key you will have to make some initial decisions:

  • What kind of key? The default, which we recommend, is to use DSA and ElGamal
  • How large of a key? The default key size is 1024 bits; 2048 bits is a good choice
  • Be sure to use a strong passphrase and keep it in a safe place!
  • It is good practice to generate a revocation certificate in case you forget your passphrase or if your private key is compromised or lost. (See below)

[jersmith@host ~]$ gpg --gen-key
gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: failed to create temporary file `/home/jersmith/.gnupg/.#lk0x9a48868.uoregon.edu.1322': No such file or directory
gpg: /home/jersmith/.gnupg: directory created
gpg: new configuration file `/home/jersmith/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/jersmith/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/jersmith/.gnupg/secring.gpg' created
gpg: keyring `/home/jersmith/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Jerry Smith <jersmith@uoregon.edu>"

Real name: Jerry Smith
Email address: jersmith@uoregon.edu
Comment: Test ... to be destroyed
You selected this USER-ID:
    "Jerry Smith (Test ... to be destroyed) <jersmith@uoregon.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase:
Repeat passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++.+++++.+++++++++++++++.++++++++++.+++++..++++++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++..+++++.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
gpg: /home/jersmith/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.

pub  1024D/795B3078 2007-10-18 Jerry Smith (Test ... to be destroyed) <jersmith@uoregon.edu>
     Key fingerprint = 6407 43AA 9C96 C3E3 4EEC 33AC D851 FCB9 35D2 304D
sub  1024g/795B3078 2007-10-18


Revoking Your Old Key

If you already have an old PGP/GPG key that you need to revoke, you will need to create a revocation certificate. Depending on the version of PGP that was used to create the key, use one of the commands below and follow the instructions:

1. Old PGP style

% pgp -kd

2. New GPG style

[jersmith@host ~]$ gpg --gen-revoke 795B3078

sec  1024D/795B3078 2007-10-18   Jerry Smith (Test ... to be destroyed) <jersmith@uoregon.edu>

Create a revocation certificate for this key?
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> I forgot my pass-phrase and had to generate a new key
>
Reason for revocation: Key is no longer used
I forgot my pass-phrase and had to generate a new key
Is this okay?

You need a passphrase to unlock the secret key for
user: "Jerry Smith (Test ... to be destroyed) <jersmith@uoregon.edu>"
1024-bit DSA key, ID 795B3078, created 2007-10-18

Enter passphrase:
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: The print system of your machine might store the data and make it available to others!

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: A revocation certificate should follow

iH4EIBECAD4FAkcXvsE3HQNJIGZvcmdvdCBteSBwYXNzLXBocmFzZSBhbmQgaGFk
IHRvIGdlbmVyYXRlIGEgbmV3IGtleQAKCRDYUfy5NdIwTSa0AJ9fJorIbExIE9sX
BfaYg3qtutuOuQCfYZHP60VdLjqoHjSLSUts5rkAFyY=
=+oL4
-----END PGP PUBLIC KEY BLOCK-----

Once you have the revocation certificate, you can print it for archival purposes, and if you ever need to revoke your key you will need to submit the certificate to the keyservers. You can do this by going directly to the keyserver web page and submitting the armored revocation certificate.
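Because the page recommends printing the revocation certificate as a backup, it is worth being able to check that a copy typed back in from paper (or recovered from aging media) is still intact before you rely on it. The armored block ends with a "=xxxx" line carrying a CRC-24 over the decoded payload (RFC 4880, section 6.1), and that checksum is exactly what catches a mistyped character. The following is an added example, not code from the University of Oregon page or from GnuPG; the sample payload and the "constructed sample" armor header are made up for the demonstration, and the tampered copy flips one base64 character the way a transcription error would. You can paste the certificate block above into armor_is_intact() in the same way.

```python
"""Check the CRC-24 on an ASCII-armored OpenPGP block (RFC 4880, section 6.1).

Constructed example; it is not code from the University of Oregon page.
"""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24, bit-serial form taken from RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def parse_armor(text: str) -> dict:
    """Split an armored block into its type, armor headers, binary payload and stored CRC.

    Raises ValueError on a structurally broken block (missing BEGIN/END line,
    mismatched block type, missing CRC line, invalid base64).
    """
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty input")
    begin = re.fullmatch(r"-----BEGIN (PGP [A-Z ]+)-----", lines[0])
    if not begin:
        raise ValueError("missing BEGIN line")
    block_type = begin.group(1)
    if lines[-1] != f"-----END {block_type}-----":
        raise ValueError("END line does not match BEGIN line")
    body = lines[1:-1]
    headers = {}
    i = 0
    while i < len(body) and body[i] != "":  # armor headers end at the first blank line
        key, _, value = body[i].partition(": ")
        headers[key] = value
        i += 1
    data_lines = [line for line in body[i + 1:] if line]
    if not data_lines or not data_lines[-1].startswith("="):
        raise ValueError("missing CRC line")
    crc_line = data_lines.pop()
    payload = base64.b64decode("".join(data_lines), validate=True)
    stored_crc = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    return {"type": block_type, "headers": headers, "data": payload, "stored_crc": stored_crc}


def armor_is_intact(text: str) -> bool:
    """True when the payload's CRC-24 matches the '=xxxx' line at the end of the block."""
    parsed = parse_armor(text)
    return crc24(parsed["data"]) == parsed["stored_crc"]


def armor(data: bytes, block_type: str = "PGP PUBLIC KEY BLOCK", headers=None) -> str:
    """Produce an armored block for data, 64 characters per line, with the CRC line."""
    b64 = base64.b64encode(data).decode("ascii")
    out = [f"-----BEGIN {block_type}-----"]
    out += [f"{k}: {v}" for k, v in (headers or {}).items()]
    out.append("")
    out += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    out.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    out.append(f"-----END {block_type}-----")
    return "\n".join(out) + "\n"


# Constructed sample payload (not a real revocation signature): 128 arbitrary bytes.
SAMPLE_PAYLOAD = bytes(range(128))
SAMPLE_BLOCK = armor(SAMPLE_PAYLOAD, headers={"Comment": "constructed sample, not a real certificate"})
# One base64 character changed in the body, as a typo when retyping from paper would produce.
TAMPERED_BLOCK = SAMPLE_BLOCK.replace("AAEC", "AQEC", 1)

if __name__ == "__main__":
    print("sample intact:", armor_is_intact(SAMPLE_BLOCK))      # True
    print("tampered intact:", armor_is_intact(TAMPERED_BLOCK))  # False
```

A single changed base64 character alters at most six consecutive bits of the payload, which a 24-bit CRC always detects, so a copy that passes this check decodes to the bytes GnuPG originally wrote; it says nothing about whether those bytes are a valid revocation signature, which only gpg --import can tell you.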




A Word On Keyservers

  • There are several servers where you may publish your key. It is recommended that you publish your key to either http://pgp.mit.edu/ or http://www.keyserver.net/. These keyservers mirror their keys to many other keyservers on the internet.
  • Your pass-phrase is extremely important. Make a note of it in a safe place.
  • You will want to generate a revocation certificate for this key and keep it in a safe place, just in case you do forget your pass-phrase or need to revoke the key. See the instructions above.


Sending Your Key to the Keyservers

You will want to send your key to the global keyservers so people can easily find it.

gpg --keyserver www.keyserver.net --send-keys 795B3078
gpg: sending key 795B3078 to hkpserver www.keyserver.net


Building Your Web Of Trust

Now that you have generated your PGP key and submitted it to the global keyserver, you are ready to start building your web of trust. The following sections deal with this process. Another option is to participate in PGP Signing Parties. Whichever way you decide to do it, you need to be very careful with which and whose keys you sign.


Retrieving A Key From A Keyserver

If you do not know the keyid of the user's key you are searching for, you can search for it using a username or email address. This is done using the --search-keys option.

[jersmith@host ~]$ gpg --keyserver pgp.mit.edu --search-keys jersmith@uoregon.edu
gpg: searching for "jersmith@uoregon.edu" from hkp server pgp.mit.edu
(1)     Jerry Smith <jersmith@uoregon.edu>
        Jerry Smith (This is not a comment) <jersmith@uoregon.edu>
          1024 bit DSA key 795B3078, created: 2004-03-04
Enter number(s), N)ext, or Q)uit >

At the prompt, you can enter the number of the key to import, hit N to page through results, or Q to quit and do nothing.

Alternatively, if you already know the keyid, you can use the --recv-keys option. Here is an example:

[jersmith@host ~]$ gpg --keyserver pgp.mit.edu --recv-keys 795B3078
gpg: requesting key 795B3078 from hkp server pgp.mit.edu
gpg: key 795B3078: "Jerry Smith <jersmith@uoregon.edu>" 6 new signatures
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   2  signed:  15  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:  15  signed:   5  trust: 3-, 0q, 0n, 12m, 0f, 0u
gpg: Total number processed: 1
gpg:         new signatures: 6
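The "3 marginal(s) needed, 1 complete(s) needed, classic trust model" line in the output above is gpg recomputing which keys on your ring are valid. The rule, as the GNU Privacy Handbook linked under Resources states it, is that a key is valid if it is signed by your own key, by one fully trusted valid key, or by three marginally trusted valid keys, with a signing path of at most five steps back to your own key. The following added example (not code from the University of Oregon page or from GnuPG) implements that rule over a small constructed key ring so you can see why some keys end up valid at depth 1 or 2 and others never do; the key IDs and names are placeholders, and the owner-trust values are what you would have assigned with gpg --edit-key.

```python
"""Classic OpenPGP trust-model calculation on a constructed key ring.

Added illustration, not code from the University of Oregon page or GnuPG.
It follows the rule from the GNU Privacy Handbook: a key is valid if it is
signed by your own key, by one fully trusted valid key, or by three
marginally trusted valid keys, within five signing steps of your own key.
The defaults match gpg's "3 marginal(s) needed, 1 complete(s) needed".
"""
from dataclasses import dataclass, field

UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"


@dataclass
class Key:
    keyid: str
    owner_trust: str = UNKNOWN                      # how far you trust the owner to certify others
    signed_by: set = field(default_factory=set)     # key IDs whose signatures this key carries


def compute_validity(keys, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return {keyid: depth} for every key the classic model treats as valid."""
    # Your own (ultimately trusted) keys are valid by definition, at depth 0.
    valid = {k.keyid: 0 for k in keys.values() if k.owner_trust == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly_valid = {}
        for key in keys.values():
            if key.keyid in valid:
                continue
            full = marginal = 0
            for signer_id in key.signed_by:
                signer = keys.get(signer_id)
                # Only signatures made by keys that are themselves already valid count,
                # and only if you assigned the signer's owner some trust.
                if signer is None or signer.keyid not in valid:
                    continue
                if signer.owner_trust in (FULL, ULTIMATE):
                    full += 1
                elif signer.owner_trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid[key.keyid] = depth
        if not newly_valid:
            break           # no progress: remaining keys stay invalid
        valid.update(newly_valid)
    return valid


# Constructed key ring; IDs are placeholders, not real keys.
RING = {
    "ME000001": Key("ME000001", ULTIMATE),
    # Keys I signed myself, with the owner trust I assigned to each person.
    "ALICE001": Key("ALICE001", MARGINAL, {"ME000001"}),
    "BOB00002": Key("BOB00002", MARGINAL, {"ME000001"}),
    "CAROL003": Key("CAROL003", MARGINAL, {"ME000001"}),
    "ERIN0005": Key("ERIN0005", FULL, {"ME000001"}),
    # Keys I never signed; their validity has to come through the web.
    "TARGET06": Key("TARGET06", UNKNOWN, {"ALICE001", "BOB00002", "CAROL003"}),  # three marginals: valid
    "OTHER007": Key("OTHER007", UNKNOWN, {"ALICE001", "BOB00002"}),              # only two: not valid
    "FRANK008": Key("FRANK008", UNKNOWN, {"ERIN0005"}),                          # one full: valid
    "GRACE009": Key("GRACE009", UNKNOWN, {"FRANK008"}),   # signer valid but owner trust unknown: not valid
    "DAVE0004": Key("DAVE0004", MARGINAL, {"OTHER007"}),  # signer itself not valid: not valid
}

if __name__ == "__main__":
    for keyid, depth in sorted(compute_validity(RING).items(), key=lambda kv: kv[1]):
        print(f"depth {depth}: {keyid} ({RING[keyid].owner_trust} owner trust)")
```

Note the two different questions the model keeps apart: a signature on a key makes the key valid (you believe it belongs to the named person), while owner trust is your separate judgement of how carefully that person signs other keys. Signing a key you have not verified, as the page warns, feeds a bad answer to the first question into everyone who trusts you on the second.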


Signing A Key

First, verify that you have the correct key. This should be done using the PGP fingerprint:

[jersmith@host ~]$ gpg --fingerprint jersmith@uoregon.edu
pub   1024D/795B3078 2004-03-04
      Key fingerprint = 3EFB 33B7 051C 16B4 03BD 85F3 32FE 7E8D A852 499F
uid                  Jerry Smith <jersmith@uoregon.edu>
uid                  Jerry Smith (This is not a comment) <jersmith@uoregon.edu>
sub   2048g/795B3078 2004-03-04

Take the fingerprint and confirm with the person whose key you wish to sign that you have the correct key.
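When you confirm a fingerprint with its owner, compare all forty hex digits, not the eight-digit key ID gpg prints next to "pub": the key ID is just the tail of the fingerprint, and two different keys can share one. The helpers below are an added example, not code from the University of Oregon page or GnuPG. They normalize whatever form the fingerprint was read back in (lower case, colons, a 0x prefix), derive the short and long key IDs from it, and flag a pair of fingerprints that agree only on the key ID. The fingerprint is the one from the page's gpg --fingerprint output; the lookalike fingerprint and the sample gpg output are constructed.

```python
"""Fingerprint comparison helpers for the confirmation step.

Added example, not code from the University of Oregon page. The only real
value is the fingerprint from the page's `gpg --fingerprint` output; the
lookalike fingerprint and SAMPLE_OUTPUT are constructed for the demonstration.
"""
import re

FINGERPRINT_LINE = re.compile(r"Key fingerprint = ([0-9A-Fa-f ]+)")


def normalize_fingerprint(text: str) -> str:
    """Canonical 40-hex-digit form: spaces, colons and a 0x prefix removed, upper case.

    Accepts the fingerprint however it was read over the phone or copied from a card.
    Raises ValueError for anything that is not a full v4 fingerprint, e.g. a bare key ID.
    """
    cleaned = text.strip().upper().replace(" ", "").replace(":", "")
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {text!r}")
    return cleaned


def key_ids(fingerprint: str) -> dict:
    """Key IDs of a v4 key: the long ID is the last 16 hex digits of the fingerprint, the short ID the last 8."""
    fp = normalize_fingerprint(fingerprint)
    return {"long": fp[-16:], "short": fp[-8:]}


def fingerprints_match(seen: str, confirmed: str) -> bool:
    """Compare the full fingerprints, never just the key IDs."""
    return normalize_fingerprint(seen) == normalize_fingerprint(confirmed)


def same_short_id_only(a: str, b: str) -> bool:
    """True when two different fingerprints share a short key ID, i.e. the ID alone would confuse them."""
    return key_ids(a)["short"] == key_ids(b)["short"] and not fingerprints_match(a, b)


def parse_fingerprint_output(output: str) -> list:
    """Pull every fingerprint out of `gpg --fingerprint` text, normalized."""
    return [normalize_fingerprint(m.group(1)) for m in FINGERPRINT_LINE.finditer(output)]


# Fingerprint from the page's `gpg --fingerprint` output.
PAGE_FINGERPRINT = "3EFB 33B7 051C 16B4 03BD 85F3 32FE 7E8D A852 499F"
# Constructed lookalike: a different fingerprint with the same last eight hex digits.
LOOKALIKE = "0123 4567 89AB CDEF 0123 4567 89AB CDEF A852 499F"
# Constructed gpg output in the layout the page shows.
SAMPLE_OUTPUT = """\
pub   1024D/A852499F 2004-03-04
      Key fingerprint = 3EFB 33B7 051C 16B4 03BD 85F3 32FE 7E8D A852 499F
uid                  Jerry Smith <jersmith@uoregon.edu>
"""

if __name__ == "__main__":
    local = parse_fingerprint_output(SAMPLE_OUTPUT)[0]
    print("key IDs:", key_ids(local))
    print("matches what the owner read out:", fingerprints_match(local, "3efb33b7051c16b403bd85f332fe7e8da852499f"))
    print("lookalike shares only the short ID:", same_short_id_only(local, LOOKALIKE))
```

Because normalize_fingerprint() rejects anything shorter than forty hex digits, a check that was accidentally fed a key ID fails loudly instead of silently passing.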

Once you have confirmed you have the correct key, you can then sign their key. This is done with the --sign-key option.

[jersmith@host ~]$ gpg --sign-key 67FCABE5

pub  1024D/795B3078  created: 2003-05-29  expires: never       usage: CSA
                     trust: unknown       validity: unknown
sub  2048g/795B3078  created: 2003-05-29  expires: never       usage: E
[ unknown] (1). Hans A. Smith

pub  1024D/795B3078  created: 2003-05-29  expires: never       usage: CSA
                     trust: unknown       validity: unknown
 Primary key fingerprint: 8D66 51A8 E120 B781 C298 2C38 031A BFB5 67FC ABE5

     Hans A. Smith

Are you sure that you want to sign this key with your
key "Jerry Smith <jersmith@uoregon.edu>" (A852499F)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Jerry Smith <jersmith@uoregon.edu>"
1024-bit DSA key, ID 795B3078, created 2004-03-04

Enter passphrase:


Publishing A Key

After signing a person's public key, you should publish that key to the keyservers. This is done with the --send-keys option.

[jersmith@host ~]$ gpg --keyserver pgp.mit.edu --send-keys 795B3078
gpg: sending key 795B3078 to hkp server pgp.mit.edu


Resources

http://www.gnupg.org/
http://www.gnupg.org/gph/en/manual.html