Use GnuPG to Protect Your Data
Sandro Tosi, 26 November 2005
Following a nice guide that appeared on Linux Journal, available in Part 1, Part 2 and Part 3, I will show how I created my personal encryption key pair. I don't try to substitute for those articles, but only to provide a fast guide to creating the keys and publishing the public one.
1. GnuPG installation

On a Debian system this task is as easy as typing:

# apt-get install gnupg gnupg-doc

in a root terminal (you can decide not to install the documentation package, but it's often a good thing to have the docs at hand).
2. Key Generation

It's time to generate the pair of keys (the data you need to type in is shown after each prompt: the key type, the key size, the validity period, your name and email, and the passphrase):

$ gpg --gen-key
gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: directory `/home/morph/.gnupg' created
gpg: new configuration file `/home/morph/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/morph/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/morph/.gnupg/secring.gpg' created
gpg: keyring `/home/morph/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) Y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Sandro Tosi
Email address: matrixhasu@gmail.com
Comment: [Enter]
You selected this USER-ID:
    "Sandro Tosi <matrixhasu@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter passphrase: [A passphrase]
Repeat passphrase: [The same passphrase]

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.++++++++++++++++++++.++++++++++++++++++++.++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++.++++++++++++++++++++>.+++++............
.................................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++..++++++++++..+++++....++++++++++++++++++++...++++++++
+++++++++++++++++..++++++++++++++++++++.+++++.++++++++++++++++++++..+++++++++++
++++>+++++.....+++++>..+++++...+++++^^^
gpg: /home/morph/.gnupg/trustdb.gpg: trustdb created
gpg: key 17102227 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/17102227 2005-11-26
      Key fingerprint = 56A8 942A 6AD5 0937 36D9 4E3C 86E5 6153 1710 2227
uid                  Sandro Tosi <matrixhasu@gmail.com>
sub   2048g/B5F0F46D 2005-11-26
3. Send the key to a keyserver

This way, your key will be spread across other keyservers, and other people can download it from them instead of from your website or receiving it directly from you (many times impossible):

$ gpg --keyserver pgp.mit.edu --send-key 17102227
gpg: sending key 17102227 to hkp server pgp.mit.edu

so that it can be retrieved this way:

$ gpg --keyserver pgp.mit.edu --recv-key 17102227
gpg: requesting key 17102227 from hkp server pgp.mit.edu
gpg: key 17102227: "Sandro Tosi <matrixhasu@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

It's listed as unchanged since that key is already in my keyring (it's mine...).
4. Share your key

You've generated your key pair and you've uploaded the public key to a public server everyone can connect to, so you're only left with spreading the coordinates needed to obtain the key.

First, you can publish your key fingerprint (mine is CE33 53BB 501F 1150 39D0 DC24 02E9 3057 444D D950) or the key ID, the last 8 hex digits of the fingerprint (444DD950).

If you sent the key to a keyserver, you can publish the keyserver name and the key ID.

Or you can create an ASCII-armored version of the key

$ gpg --export --armor -o ~/a/place/my-public-key.asc

to be imported by the recipient with

$ gpg --import my-public-key.asc
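A keyserver only stores keys, it does not vouch for who owns them, so whoever fetches your key (sections 3 and 4) should compare its fingerprint with the one you published by another channel before trusting it. The helpers below are an added example, not part of the original article: the pure-text functions run without GnuPG, while fetch_and_verify and export_public assume gpg is on PATH, and the server name and output path are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example: fingerprint handling around the keyserver steps above.

# Normalise a fingerprint as gpg prints it ("56A8 942A ...") to 40 upper-case hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Long (16-digit) key ID from a fingerprint. The article publishes the short
# 8-digit form; prefer the long one, since short IDs are easy to collide.
fpr_to_keyid() {
    f=$(norm_fpr "$1")
    [ ${#f} -eq 40 ] || return 1
    printf '%s' "$f" | tail -c 16
}

# Compare two fingerprints obtained through different channels
# (e.g. the keyserver copy vs. the one printed on a business card).
same_fpr() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Fetch a key from a keyserver and accept it only if its fingerprint
# matches the one you already have out of band.  Usage:
#   fetch_and_verify pgp.mit.edu 'CE33 53BB 501F 1150 39D0 DC24 02E9 3057 444D D950'
fetch_and_verify() {
    server=$1; expected=$2
    keyid=$(fpr_to_keyid "$expected") || return 1
    gpg --keyserver "$server" --recv-key "$keyid" >/dev/null 2>&1 || return 1
    # --with-colons gives machine-readable output; field 10 of the "fpr" record is the fingerprint
    got=$(gpg --with-colons --fingerprint "$keyid" | awk -F: '$1 == "fpr" { print $10; exit }')
    same_fpr "$got" "$expected"
}

# Export only the named key: a bare "gpg --export" writes every public key in
# the keyring into the file, not just yours.  Usage: export_public KEYID out.asc
export_public() {
    gpg --export --armor -o "$2" "$1"
}
```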
5. Revoke the key

Many things can force you to remove your key: someone read your .gnupg directory, or you no longer feel confident that the private key is secure.

The first thing to do, every time you generate a key, is to generate its revocation certificate:

$ gpg --gen-revoke KEYID > revoke.asc

Now, to really revoke the key, type

$ gpg --import revoke.asc
$ gpg --keyserver <server> --send-key KEYID

And your key is revoked.
6. Conclusion

You've seen how to create and publish a GnuPG key. Take a look at the articles mentioned above for a deeper review of the tool, or surf to the homepage of the GnuPG project.