Use GnuPG to Protect Your Data

Sandro Tosi, 26 November 2005

Following a nice guide that appeared on Linux Journal, available in Part 1, Part 2 and Part 3, I will show how I created my personal encryption key pair. I don't try to replace those articles, but only to provide a quick guide to creating the keys and publishing the public one.

1. GnuPG installation

On a Debian system this task is as easy as typing:

# apt-get install gnupg gnupg-doc

in a root terminal (you can decide not to install the documentation package, but it's often a good thing to have the docs at hand).

2. Key Generation

It's time to generate the key pair (the values typed at each prompt are shown after the prompt; bracketed items stand for your own input):

$ gpg --gen-key
gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: directory `/home/morph/.gnupg' created
gpg: new configuration file `/home/morph/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/morph/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/morph/.gnupg/secring.gpg' created
gpg: keyring `/home/morph/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) Y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Sandro Tosi
Email address: matrixhasu@gmail.com
Comment: [Enter]
You selected this USER-ID:
    "Sandro Tosi <matrixhasu@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter passphrase: [A passphrase]
Repeat passphrase: [The same passphrase]

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.++++++++++++++++++++.++++++++++++++++++++.++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++.++++++++++++++++++++>.+++++............
.................................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++..++++++++++..+++++....++++++++++++++++++++...++++++++
+++++++++++++++++..++++++++++++++++++++.+++++.++++++++++++++++++++..+++++++++++
++++>+++++.....+++++>..+++++...+++++^^^
gpg: /home/morph/.gnupg/trustdb.gpg: trustdb created
gpg: key 17102227 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/17102227 2005-11-26
      Key fingerprint = 56A8 942A 6AD5 0937 36D9  4E3C 86E5 6153 1710 2227
uid                  Sandro Tosi <matrixhasu@gmail.com>
sub   2048g/B5F0F46D 2005-11-26

3. Send the key to a keyserver

This way your key will be spread across the other keyservers, and other people can download it from them instead of from your website or receiving it directly from you (which is often impossible):

$ gpg --keyserver pgp.mit.edu --send-key 17102227
gpg: sending key 17102227 to hkp server pgp.mit.edu

so that it can be retrieved this way:

$ gpg --keyserver pgp.mit.edu --recv-key 17102227
gpg: requesting key 17102227 from hkp server pgp.mit.edu
gpg: key 17102227: "Sandro Tosi <matrixhasu@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

It's listed as unchanged since that key is already in my keyring (it's mine...).

4. Share your key

You've generated your key pair and uploaded the public key to a public server everyone can connect to, so all that's left is to spread the coordinates needed to obtain the key.

First, you can publish your key fingerprint (mine is CE33 53BB 501F 1150 39D0  DC24 02E9 3057 444D D950) or the key ID, which is the last 8 hex digits of the fingerprint (444DD950).

If you sent the key to a keyserver, you can publish the keyserver name and the key ID.

Or you can create an ASCII-armored version of the key

$ gpg --export --armor -o ~/a/place/my-public-key.asc

to be imported by the recipient with

$ gpg --import my-public-key.asc
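As an added example (not from the original post), here is how a recipient can check the key fetched in step 3 against the fingerprint published in step 4, by parsing the `gpg --fingerprint` output shown in the key-generation session above. The check relies on the full fingerprint: the 8-digit key ID is only its last 32 bits and is not a safe identifier on its own.

```python
"""Verify a received GnuPG key against a fingerprint published by its owner."""
import re

# Constructed sample input: the `pub`/`uid`/`sub` block printed at the end of
# the key-generation session in the post (what `gpg --fingerprint 17102227` shows).
GPG_FINGERPRINT_OUTPUT = """\
pub   1024D/17102227 2005-11-26
      Key fingerprint = 56A8 942A 6AD5 0937 36D9  4E3C 86E5 6153 1710 2227
uid                  Sandro Tosi <matrixhasu@gmail.com>
sub   2048g/B5F0F46D 2005-11-26
"""


def normalize_fingerprint(text: str) -> str:
    """Drop the display spacing and upper-case; accept only 40 hex digits (160 bits)."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a 160-bit fingerprint: {text!r}")
    return fpr


def short_key_id(fingerprint: str) -> str:
    """The 8-digit key ID gpg prints after '1024D/' is the fingerprint's last 32 bits."""
    return normalize_fingerprint(fingerprint)[-8:]


def parse_gpg_fingerprint(output: str) -> dict:
    """Extract key ID, fingerprint and user IDs from `gpg --fingerprint` text output."""
    info = {"uids": []}
    for line in output.splitlines():
        if m := re.match(r"pub\s+\d+[A-Za-z]/([0-9A-F]{8})", line):
            info["key_id"] = m.group(1)
        elif m := re.search(r"Key fingerprint = (.+)", line):
            info["fingerprint"] = normalize_fingerprint(m.group(1))
        elif m := re.match(r"uid\s+(.+)", line):
            info["uids"].append(m.group(1).strip())
    return info


def key_matches_published(output: str, published_fingerprint: str) -> bool:
    """True only when the full 160-bit fingerprint matches what the owner published.

    A match on the 8-digit key ID alone proves little, so the key ID is checked
    merely for consistency with the fingerprint, never instead of it.
    """
    info = parse_gpg_fingerprint(output)
    expected = normalize_fingerprint(published_fingerprint)
    return info.get("fingerprint") == expected and info.get("key_id") == expected[-8:]
```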

5. Revoke the key

Many things can force you to revoke your key: someone read your .gnupg directory, or you no longer feel confident that the private key is secure.

The first thing to do, every time you generate a key, is to generate its revocation certificate:

$ gpg --gen-revoke KEYID > revoke.asc

Now, to actually revoke the key, type

$ gpg --import revoke.asc
$ gpg --keyserver <server> --send-key KEYID

And your key is revoked.

6. Conclusion

You've seen how to create and publish a GnuPG key. Take a look at the articles mentioned above for a deeper review of the tool, or visit the homepage of the GnuPG project.