Bookmark and Share

Install GnuPG

Macports

$ sudo port install gnupg
<snip>
$ which gpg
/opt/local/bin/gpg

There is also a gnupg2 which provides S/MIME support and gpg-agent and extended smartcard support.

$ sudo port install gnupg2

Homebrew

$ brew install gnupg
$ brew install gnupg2

Generate public and private keys

$ gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Foo Bar
Email address: foo@bar.com
Comment: 
You selected this USER-ID:
    "Foo Bar <foo@bar.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..........+++++
..+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
................+++++
...+++++
gpg: /home/usr1/foo/.gnupg/trustdb.gpg: trustdb created
gpg: key 306807EF marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/306807EF 2011-06-05
      Key fingerprint = 4D7E 594E 626D A51E 87C7  0419 704A 04B0 3068 07EF
uid                  Foo Bar <foo@bar.com>
sub   2048R/A793EF59 2011-06-05

$

Set GPGKEY environment variable in .bashrc

Add export GPGKEY=306807EF to ~/.bashrc.

Restart the gpg-agent and source .bashrc to activate the GPGKEY:

$ killall -9 gpg-agent
$ eval $(gpg-agent --daemon)
gpg-agent[48390]: directory `/Users/foobaruser/.gnupg' created
gpg-agent[48390]: directory `/Users/foobaruser/.gnupg/private-keys-v1.d' created
gpg-agent[48391]: gpg-agent (GnuPG) 2.0.17 started
$ source ~/.bashrc

Configure GnuPG with ~/.gnupg/gpg.conf

Adding key servers

keyserver hkp://keys.gnupg.net
keyserver hkp://pool.sks-keyservers.net

# C.f. http://en.wikipedia.org/wiki/Key_server_(cryptographic) for a list of key servers
keyserver hkp://subkeys.pgp.net
keyserver hkp://pgp.mit.edu
#keyserver hkp://keys.nayr.net

Export ASCII-armored version of your public key

$ gpg --armor --output fooatbardotcom_public_key.asc --export foo@bar.com
$ ls 
fooatbardotcom_public_key.asc

Put the fooatbardotcom_public_key.asc on your website, in your Dropbox, or send it to other people.

Publish your key to key severs, website, etc.

To your homepage

  • display ASCII-armored version of your PGP public key
  • give link to trust path and statistics http://pgp.cs.uu.nl/stats/XXX.html where XXX is your key ID

To a key server via command line

$ gpg --send-keys --keyserver hkp://subkeys.pgp.net $GPGKEY
gpg: sending key 306807EF to hkp server subkeys.pgp.net
gpg: keyserver timed out
gpg: keyserver send failed: keyserver error

Key servers: http://pgp.surfnet.nl:11371/ hkp://subkeys.pgp.net hkp://pgp.mit.edu http://keys.gnupg.net

To a key server via web browser

  • Visit http://keys.gnupg.net/ in a browser.
  • Paste the content of fooatbardotcom_public_key.asc into the text field in "Submit a key" section of the page, and click "Submit this key to the keyserver!"

Get your key signed so you are in the "strongly connected set"

  • visit http://www.biglumber.com/

  • add your public key to the server

  • request a login token, it will be encrypted and sent to the email associated with the public key.

  • Check email from spider@biglumber.com; Download it. It is just a file called noname. You can view it with more or a text editor. It looks like

      hQEMA3TQ0Htyb4f8AQf/dGI5l8akLVAccu3zTTurEkoqVvZo3iWa7uAeZ+OsUuW9
      Ev0XKnTFKrEUd0sI1LebZfuQv13no/3FweppVuqYAInRxdc2U4fANhNkEpmTNjI2
      ...
    
  • Decrypt it

      $ gpg --decrypt ./noname
      You need a passphrase to unlock the secret key for
      user: "Foo Bar <barfoo@gmail.com>"
      2048-bit RSA key, ID XXXXXXXX, created 2011-06-04 (main key ID XXXXXXXX)
    
      gpg: encrypted with 2048-bit RSA key, ID XXXXXXXX, created 2011-06-04
            "Foo Bar <barfoo@gmail.com>"
    
      Someone (hopefully you) has just requested that we email a 
      login token for bigbarmber.com to the owner of this key:
    
      Name: Foo Bar
      Fingerprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      Email: barfoo@gmail.com
    
      You can now login to the site and add, edit, or delete listings 
      by visiting the URL below and entering your password:
    
      http://bigbarmber.com/x/web?enter=1
    
      Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
      If you did NOT make this request, then somebody is abusing the 
      system and we would like to know about it. This is the 
      information we have about the request:
    
      IP: XXX.XXX.XXX.XXX
      HOST: 221.205.177.140.in-addr.arpa domain name pointer proxy3.bar.com.
      BROWSER: Mozilla/5.0 (Macintosh; Intel macOS 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24
      TIME: Sat Jun  4 22:59:10 2011 (GMT)
    
      Please email abuse@bigbarmber.com if this is the case. Otherwise, 
      email us at help@bigbarmber.com with any questions or problems. 
      You can also use the feedback link at the site instead of the
      emails above, if you wish. Please sign any correspondance 
      (clearsign preferred) to verify yourself as owner of the key.
    
      Thanks and enjoy,
      bigbarmber.com
    
  • Use the password and URL to login and add your listing (name, country, city, URL). After that you should have a listing page http://bigbarmber.com/x/web?sn=Foo+Bar

  • Find someone close to sign keys. Physically meet the person, verify his/her identity, then sign his/her public key. See Ubuntu Documentation: GnuPrivacyGuardHowto.

Export revocation key

$ gpg --output fooatbardotcom_revoke_key.asc --gen-revoke $GPGKEY

sec  2048R/306807EF 2011-06-05 Foo Bar <foo@bar.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> 
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Foo Bar <foo@bar.com>"
2048-bit RSA key, ID 306807EF, created 2011-06-05

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
$ 

Back up your keys

$ gpg --list-keys
$ gpg -ao fooatbardotcom_public_key.asc --export $GPGKEY
$ gpg --list-secret-keys
$ gpg -ao fooatbardotcom_private_key.asc --export-secret-keys $GPGKEY
$ gpg -ao fooatbardotcom_revoke_key.asc --gen-revoke $GPGKEY
$ gpg --export-ownertrust > ownertrust

If your environment variable GPGKEY isn't defined in .bashrc, look for the line that starts something like "sec 1024D/" from gpg --list-keys command. The part after key type (such as 1024D or 2048R) is the key ID.

Store securely the files fooatbardotcom_public_key.asc, fooatbardotcom_private_key.asc, and foobaratdotcom_revoke_key.asc. For example store it in a password protected archive file on a USB drive, and keep the USB drive safe.

Setting up your keys on a different computer

Copy the public and private keys to other computers.

Import keys

gpg --import fooatbardotcom_public_key.asc
gpg --import fooatbardotcom_private_key.asc

Restore trust data:

gpg --import-ownertrust XXXownertrustfile

Adding a secondary user ID to your key

$ gpg --edit-key $GPGKEY
<snip>
gpg> adduid
Real name: Foo Bar
Email address: foobar@hotmail.com
Comment: secondary email
You selected this USER-ID:
    "Foo Bar (second user id) <foobar@hotmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a passphrase to unlock the secret key for
user: "Foo Bar <foobar@gmail.com>"
2048-bit RSA key, ID XXXXXXXX, created 2011-06-04


pub  2048R/XXXXXXXX  created: 2011-06-04  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/XXXXXXXX  created: 2011-06-04  expires: never       usage: E   
[ultimate] (1)  Foo Bar <foobar@gmail.com>
[ unknown] (2). Foo Bar (secondary email) <foobar@hotmail.com>

gpg> uid foobar@hotmail.com

pub  2048R/XXXXXXXX  created: 2011-06-04  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/XXXXXXXX  created: 2011-06-04  expires: never       usage: E   
[ultimate] (1)  Foo Bar <foobar@gmail.com>
[ unknown] (2). Foo Bar (secondary email) <foobar@hotmail.com>

gpg> trust
...

gpg> 5
...

gpg> save

Using gpg-agent in daemon mode

See "Invoking GPG-AGENT." The GNU Privacy Guard Manual.

Revoke and unrevoke keys

If your private key is lost or compromised, your encryption is not safe. And your key pair is no longer useful for encyrpting data. You probably want to revoke the key pair in that situation:

$ gpg --import revoke.asc
$ gpg --keyserver keyserver.ubuntu.com --send-key $GPGKEY

At the unlikely event where you need to unrevoke keys, follow instructions at Ubuntu Documentation: GnuPrivacyGuardHowto

Note on the difference and relation between gnupg and gnupg2

On superuser.com, there's a discussion about the difference and relation between GnuPG and GnuPG2. Here is an excerpt:

Source: http://superuser.com/questions/655246/are-gnupg-and-gnupg2-compatible-with-each-other/

gpg2 is a redesigned version of gpg -- but changes are mostly on internal level. The newer version is split into multiple modules, for example there are also modules for X.509 (used by S/MIME).

From man gpg2:

In contrast to the standalone version gpg, which is more suited for server and embedded platforms, this version is commonly installed under the name gpg2 and more targeted to the desktop as it requires several other modules to be installed.

gpg will stay for embedded and server usage, as it brings less dependencies and smaller binaries.

From man gpg:

This is the standalone version of gpg. For desktop use you should consider using gpg2.

To directly answer your question:

Should I install both, or just one is enough? Does it matter which one I install first matter at all?

Just install both. They don't interfere anyway. Install gpg (if not installed anyway) for other applications that access it (like package managers, mail clients, ...), and gpg2 for "direct use" on the command line.

If I installed both, are both compatible with each other?

Both implement the OpenPGP protocol, so they're compatible to each other regarding data shared among them. Additionally, they're (mostly) using the same commands and options, so most of the time you could switch between them arbitrarily.

References

blog comments powered by Disqus