- Install GnuPG
- Generate public and private keys
- Set GPGKEY environment variable in .bashrc
- Configure GnuPG with ~/.gnupg/gpg.conf
- Export ASCII-armored version of your public key
- Publish your key to key severs, website, etc.
- Get your key signed so you are in the "strongly connected set"
- Export revocation key
- Back up your keys
- Setting up your keys on a different computer
- Adding a secondary user ID to your key
- Using gpg-agent in daemon mode
- Revoke and unrevoke keys
- Note on the difference and relation between gnupg and gnupg2
- References
Install GnuPG
Macports
$ sudo port install gnupg
<snip>
$ which gpg
/opt/local/bin/gpg
There is also a gnupg2
which provides S/MIME
support and gpg-agent
and extended smartcard
support.
$ sudo port install gnupg2
Homebrew
$ brew install gnupg
$ brew install gnupg2
Generate public and private keys
$ gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Foo Bar
Email address: foo@bar.com
Comment:
You selected this USER-ID:
"Foo Bar <foo@bar.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..........+++++
..+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
................+++++
...+++++
gpg: /home/usr1/foo/.gnupg/trustdb.gpg: trustdb created
gpg: key 306807EF marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/306807EF 2011-06-05
Key fingerprint = 4D7E 594E 626D A51E 87C7 0419 704A 04B0 3068 07EF
uid Foo Bar <foo@bar.com>
sub 2048R/A793EF59 2011-06-05
$
Set GPGKEY environment variable in .bashrc
Add export GPGKEY=306807EF to ~/.bashrc
.
Restart the gpg-agent
and source
.bashrc
to activate the GPGKEY
:
$ killall -9 gpg-agent
$ eval $(gpg-agent --daemon)
gpg-agent[48390]: directory `/Users/foobaruser/.gnupg' created
gpg-agent[48390]: directory `/Users/foobaruser/.gnupg/private-keys-v1.d' created
gpg-agent[48391]: gpg-agent (GnuPG) 2.0.17 started
$ source ~/.bashrc
Configure GnuPG with ~/.gnupg/gpg.conf
Adding key servers
keyserver hkp://keys.gnupg.net
keyserver hkp://pool.sks-keyservers.net
# C.f. http://en.wikipedia.org/wiki/Key_server_(cryptographic) for a list of key servers
keyserver hkp://subkeys.pgp.net
keyserver hkp://pgp.mit.edu
#keyserver hkp://keys.nayr.net
Export ASCII-armored version of your public key
$ gpg --armor --output fooatbardotcom_public_key.asc --export foo@bar.com
$ ls
fooatbardotcom_public_key.asc
Put the fooatbardotcom_public_key.asc
on your
website, in your Dropbox, or send it to other people.
Publish your key to key severs, website, etc.
To your homepage
- display ASCII-armored version of your PGP public key
- give link to trust path and statistics
http://pgp.cs.uu.nl/stats/XXX.html
where XXX is your key ID
To a key server via command line
$ gpg --send-keys --keyserver hkp://subkeys.pgp.net $GPGKEY
gpg: sending key 306807EF to hkp server subkeys.pgp.net
gpg: keyserver timed out
gpg: keyserver send failed: keyserver error
Key servers: http://pgp.surfnet.nl:11371/ hkp://subkeys.pgp.net hkp://pgp.mit.edu http://keys.gnupg.net
To a key server via web browser
- Visit
http://keys.gnupg.net/
in a browser. - Paste the content of
fooatbardotcom_public_key.asc
into the text field in "Submit a key" section of the page, and click "Submit this key to the keyserver!"
Get your key signed so you are in the "strongly connected set"
-
visit
http://www.biglumber.com/
-
add your public key to the server
-
request a login token, it will be encrypted and sent to the email associated with the public key.
-
Check email from
spider@biglumber.com
; Download it. It is just a file callednoname
. You can view it withmore
or a text editor. It looks likehQEMA3TQ0Htyb4f8AQf/dGI5l8akLVAccu3zTTurEkoqVvZo3iWa7uAeZ+OsUuW9 Ev0XKnTFKrEUd0sI1LebZfuQv13no/3FweppVuqYAInRxdc2U4fANhNkEpmTNjI2 ...
-
Decrypt it
$ gpg --decrypt ./noname You need a passphrase to unlock the secret key for user: "Foo Bar <barfoo@gmail.com>" 2048-bit RSA key, ID XXXXXXXX, created 2011-06-04 (main key ID XXXXXXXX) gpg: encrypted with 2048-bit RSA key, ID XXXXXXXX, created 2011-06-04 "Foo Bar <barfoo@gmail.com>" Someone (hopefully you) has just requested that we email a login token for bigbarmber.com to the owner of this key: Name: Foo Bar Fingerprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Email: barfoo@gmail.com You can now login to the site and add, edit, or delete listings by visiting the URL below and entering your password: http://bigbarmber.com/x/web?enter=1 Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX If you did NOT make this request, then somebody is abusing the system and we would like to know about it. This is the information we have about the request: IP: XXX.XXX.XXX.XXX HOST: 221.205.177.140.in-addr.arpa domain name pointer proxy3.bar.com. BROWSER: Mozilla/5.0 (Macintosh; Intel macOS 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24 TIME: Sat Jun 4 22:59:10 2011 (GMT) Please email abuse@bigbarmber.com if this is the case. Otherwise, email us at help@bigbarmber.com with any questions or problems. You can also use the feedback link at the site instead of the emails above, if you wish. Please sign any correspondance (clearsign preferred) to verify yourself as owner of the key. Thanks and enjoy, bigbarmber.com
-
Use the password and URL to login and add your listing (name, country, city, URL). After that you should have a listing page
http://bigbarmber.com/x/web?sn=Foo+Bar
-
Find someone close to sign keys. Physically meet the person, verify his/her identity, then sign his/her public key. See Ubuntu Documentation: GnuPrivacyGuardHowto.
Export revocation key
$ gpg --output fooatbardotcom_revoke_key.asc --gen-revoke $GPGKEY
sec 2048R/306807EF 2011-06-05 Foo Bar <foo@bar.com>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "Foo Bar <foo@bar.com>"
2048-bit RSA key, ID 306807EF, created 2011-06-05
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
$
Back up your keys
$ gpg --list-keys
$ gpg -ao fooatbardotcom_public_key.asc --export $GPGKEY
$ gpg --list-secret-keys
$ gpg -ao fooatbardotcom_private_key.asc --export-secret-keys $GPGKEY
$ gpg -ao fooatbardotcom_revoke_key.asc --gen-revoke $GPGKEY
$ gpg --export-ownertrust > ownertrust
If your environment variable GPGKEY
isn't defined
in .bashrc
, look for the line that starts something
like "sec 1024D/" from gpg --list-keys
command. The
part after key type (such as 1024D
or
2048R
) is the key ID.
Store securely the files
fooatbardotcom_public_key.asc
,
fooatbardotcom_private_key.asc
, and
foobaratdotcom_revoke_key.asc
. For example store it in
a password protected archive file on a USB drive, and keep the USB
drive safe.
Setting up your keys on a different computer
Copy the public and private keys to other computers.
Import keys
gpg --import fooatbardotcom_public_key.asc
gpg --import fooatbardotcom_private_key.asc
Restore trust data:
gpg --import-ownertrust XXXownertrustfile
Adding a secondary user ID to your key
$ gpg --edit-key $GPGKEY
<snip>
gpg> adduid
Real name: Foo Bar
Email address: foobar@hotmail.com
Comment: secondary email
You selected this USER-ID:
"Foo Bar (second user id) <foobar@hotmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a passphrase to unlock the secret key for
user: "Foo Bar <foobar@gmail.com>"
2048-bit RSA key, ID XXXXXXXX, created 2011-06-04
pub 2048R/XXXXXXXX created: 2011-06-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/XXXXXXXX created: 2011-06-04 expires: never usage: E
[ultimate] (1) Foo Bar <foobar@gmail.com>
[ unknown] (2). Foo Bar (secondary email) <foobar@hotmail.com>
gpg> uid foobar@hotmail.com
pub 2048R/XXXXXXXX created: 2011-06-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/XXXXXXXX created: 2011-06-04 expires: never usage: E
[ultimate] (1) Foo Bar <foobar@gmail.com>
[ unknown] (2). Foo Bar (secondary email) <foobar@hotmail.com>
gpg> trust
...
gpg> 5
...
gpg> save
Using gpg-agent in daemon mode
See "Invoking GPG-AGENT." The GNU Privacy Guard Manual.
Revoke and unrevoke keys
If your private key is lost or compromised, your encryption is not safe. And your key pair is no longer useful for encyrpting data. You probably want to revoke the key pair in that situation:
$ gpg --import revoke.asc
$ gpg --keyserver keyserver.ubuntu.com --send-key $GPGKEY
At the unlikely event where you need to unrevoke keys, follow instructions at Ubuntu Documentation: GnuPrivacyGuardHowto
Note on the difference and relation between gnupg
and gnupg2
On superuser.com, there's a discussion about the difference and relation between GnuPG and GnuPG2. Here is an excerpt:
Source: http://superuser.com/questions/655246/are-gnupg-and-gnupg2-compatible-with-each-other/
gpg2 is a redesigned version of gpg -- but changes are mostly on internal level. The newer version is split into multiple modules, for example there are also modules for X.509 (used by S/MIME).
From man gpg2:
In contrast to the standalone version gpg, which is more suited for server and embedded platforms, this version is commonly installed under the name gpg2 and more targeted to the desktop as it requires several other modules to be installed.
gpg will stay for embedded and server usage, as it brings less dependencies and smaller binaries.
From man gpg:
This is the standalone version of gpg. For desktop use you should consider using gpg2.
To directly answer your question:
Should I install both, or just one is enough? Does it matter which one I install first matter at all?
Just install both. They don't interfere anyway. Install gpg (if not installed anyway) for other applications that access it (like package managers, mail clients, ...), and gpg2 for "direct use" on the command line.
If I installed both, are both compatible with each other?
Both implement the OpenPGP protocol, so they're compatible to each other regarding data shared among them. Additionally, they're (mostly) using the same commands and options, so most of the time you could switch between them arbitrarily.