Differences between version 64 and predecessor to the previous major change of GPG/PGPNotes.

Newer page: version 64 Last edited on Sunday, May 14, 2006 1:39:51 pm by CraigBox
Older page: version 63 Last edited on Sunday, May 14, 2006 1:29:37 pm by CraigBox
@@ -1,5 +1,5 @@
-PGP stands for "Pretty Good Privacy". An open-source version (that is compatible with PGP) is called GPG, for "[GNU] Privacy Guard". You can [get GnuPG from its webpage|http://www.gnupg.org]; Debian/Ubuntu users can type <tt>apt-get install gnupg</tt>. 
+tands for "Pretty Good Privacy". An open-source version (that is compatible with PGP) is called GPG, for "[GNU] Privacy Guard". You can [get GnuPG from its webpage|http://www.gnupg.org]; Debian/Ubuntu users can type <tt>apt-get install gnupg</tt>. 
  
 Below, we give examples of how to set up GPG ready for use on your system. 
  
 !!! __Creating And Managing Keys__ 
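Review bot: The replacement first line starts with "tands for" where the removed line read "PGP stands for", so the characters "PGP s" were lost and the page now opens mid-word without naming PGP. Nothing else on the line differs, which makes this look like an accidental deletion; restore the opening as it was in version 63.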
@@ -7,82 +7,76 @@
 !! Graphical programs to help out 
  
 ! SeaHorse 
  
-There is a graphical interface to key management called [Seahorse|http://seahorse.sourceforge.net/]. It makes it easy to see who has signed whose keys, and you can edit/create keys as well as sign and encrypt/decrypt messages. It is still in development, and does not use protected memory (ie it is not setuid), so don't type your passphrase into it if others have access to your machine (and you are paranoid). There is an official debian package (apt-get install seahorse). 
+There is a graphical interface to key management called [Seahorse|http://seahorse.sourceforge.net/]. It makes it easy to see who has signed whose keys, and you can edit/create keys as well as sign and encrypt/decrypt messages. It is still in development, and does not use protected memory (ie it is not setuid), so don't type your passphrase into it if others have access to your machine (and you are paranoid). There is an official Debian package (<tt> apt-get install seahorse</tt> ). 
  
 !GNU Privacy Assistant 
-This is another front-end to [GPG], which is more complete and polished than SeaHorse. Debian users can simply " apt-get install gpa", although I'm not sure about Debian 3 (Woody). Currently, version .6 uses [GTK2] in testing and unstable
+This is another front-end to [GPG], which is more complete and polished than SeaHorse. Debian users can simply <tt> apt-get install gpa</tt>
  
 ---- 
 !Notes about keys 
+  
 * Keys have at least two parts -- a public key and a private key. Only the key creator should have access to the private key - often it is protected by a "passphrase" so that you need to know the pass phrase to unscamble the private key. This is used for example on a machine that other people might have access to. 
  
 * There are different types of keys, using different algorithms. [DSA] can only be used for signing. ElGamal is used for encrypting. [RSA] is another encryption algorithm, and can be used for signing or for encrypting. Usually a GPG key will have the main public/private key for signing/verifying, and another pair as a sub-key for encryption/decryption. You are asked what type you want when you create a key (see below). The default is to create DSA and ElGamal keys so you can both sign and encrypt messages. If you create a sign-only key and later want to add another key so you can encrypt, you can do this interactively: 
- $ gpg --edit-key <keyid-or-email>  
- ...  
- Secret key is available.  
- ...  
- Command> addkey  
- Key is protected.  
- Enter passphrase:  
- Please select what kind of key you want:  
- ...  
- Command> save 
+<pre>  
+ $ gpg --edit-key <keyid-or-email>  
+...  
+Secret key is available.  
+...  
+Command> addkey  
+Key is protected.  
+Enter passphrase:  
+Please select what kind of key you want:  
+...  
+Command> save  
+</pre>  
+  
 Don't forget to upload your key to a KeyServer again so everyone else can see this! 
  
 * A 10 byte [MD5] check-sum of the public key is called a "fingerprint" and is used to uniquely identify keys (in hexadecimal). You can refer to all the parts of a key with this ID. The last 4 bytes of the fingerprint can be used as a key ID in most places. 
  
 Here is an example: 
- $ gpg --list-keys --fingerprint jrm21  
- pub 1024D/D3F9478C 2002-09-17 John R. ! McPherson <jrm21@cs.waikato.ac.nz>  
- Key fingerprint = EAC5 0592 EA7C 6F22 0548 CE09 83B7 E09C D3F9 478C  
- sub 1024g/148FC512 2002-09-17 
+<pre>  
+ $ gpg --list-keys --fingerprint jrm21  
+pub 1024D/D3F9478C 2002-09-17 John R. ~ McPherson <jrm21@cs.waikato.ac.nz>  
+ Key fingerprint = EAC5 0592 EA7C 6F22 0548 CE09 83B7 E09C D3F9 478C  
+sub 1024g/148FC512 2002-09-17  
+</pre>  
  
 # The command lists all keys matching the string "jrm21", and prints out the keys' fingerprints. 
 # The public key is using 1024 bit DSA. (Remember that DSA is used for signing). This key's ID is the last 4 bytes of the fingerprint, D3F9478C. 
 # This key has a subkey, which uses 1024-bit ElGamal. This key is used for encrypting and decrypting. However, to encrypt something for this user, you can use the "main" key's ID - you do not need to refer to the subkey's ID when encrypting. 
  
 ---- 
 !!Creating a Key 
  
-Under linux , you must first create a public key/private key pair. Assuming you have GPG installed, you can use the command  
- $ gpg --gen-key  
- to create a pair - you will have to answer a few easy questions. 
+Under Linux , you must first create a public key/private key pair. Assuming you have GPG installed, you can use the command <tt> gpg --gen-key</tt> to create a pair - you will have to answer a few easy questions. 
  
-__Note__: If you're generating your key on a remote FreeBSD box, it may not have enough entropy to generate the required amount of random data. To get around it add:  
- rand_irqs="14"  
- to your /etc/rc.conf and reboot, or:  
- rndcontrol -q -s 14 ''This is not persistent however''  
+__Note__: If you're generating your key on a remote FreeBSD box, it may not have enough entropy to generate the required amount of random data. To get around it add: <tt> rand_irqs="14"</tt> to your /etc/rc.conf and reboot, or: <tt> rndcontrol -q -s 14</tt>, which is not persistent.  
  
 This allows the system to get entropy from IRQ 14 which will be your IDE controller, so access your disk and you'll get enough entropy 
  
-Then you can find your key ID:  
- $ gpg --list-keys 
+Then you can find your key ID: <tt> gpg --list-keys</tt>  
  
-And submit it to a GPG KeyServer:  
- $ gpg --send-key --keyserver the.earth.li <your public key ID> 
+And submit it to a GPG KeyServer: <tt> $gpg --send-key --keyserver the.earth.li <your public key ID></tt
  
-Go register yourself as being someone where people can come and sign your key: http://www.biglumber.com/index.html 
+If you like, you can now register yourself as being interested in having other people come and sign your key at [biglumber| http://www.biglumber.com/index.html].  
  
 ---- 
 !!Finding Other Keys 
  
-To get a key by it's keyid you can use:  
- $ gpg --recv-key ''keyid'' 
+To get a key by it's keyid you can use <tt> gpg --recv-key ''keyid''</tt>.  
  
-You will need to tell gpg which keyserver to use. You can either add " --keyserver <domain name>" to every command, or add a line like  
- keyserver wwwkeys.pgp.net  
- to the $HOME /.gnupg/gpg.conf file (create it if it doesn't exist). 
+You will need to tell gpg which keyserver to use. You can either add <tt> --keyserver <domain name></tt> to every command, or add a line like <tt> keyserver wwwkeys.pgp.net</tt> to the ''~ /.gnupg/gpg.conf'' file (create it if it doesn't exist). 
  
-To get a key by email address you need to either use the web interfaces on the key servers (http://the.earth.li/) or if you are running a recent version of gpg(1) (more recent than the one in Debian 3.) you can use:  
- gpg --search-key ''email@address'' 
+To get a key by email address you need to either use the web interfaces on the key servers (http://the.earth.li/) or if you are running a recent version of gpg(1) (more recent than the one in Debian 3.) you can use <tt> gpg --search-key ''email@address''</tt>.  
  
-Also for recent versions of gpg(1) (1.2.1 and later) you can also do:  
- gpg --refresh-keys  
- to download any new signatures for all of the keys in your keyring. 
+Also for recent versions of gpg(1) (1.2.1 and later) you can also do <tt> gpg --refresh-keys</tt> to download any new signatures for all of the keys in your keyring. 
  
 For example, quoted from PerryLorier: 
+  
 ''Perry's gpg-id is'' 
  ''pub 1024D/2F33F144 2000-09-23 Perry Lorier (Local network) <perry@coders.tla>'' 
  ''Key fingerprint = 0A5F E3C9 8CF7 7FB7 378D 3C1C 7008 11A7 2F33 F144'' 
  
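Review bot: The closing tag on the new KeyServer line is cut off: "<tt> $gpg --send-key --keyserver the.earth.li <your public key ID></tt" ends without its ">", so the tag is never closed, and the prompt is now fused with the command as "$gpg". Close the tag and either write "$ gpg" or drop the prompt, as the other inline commands in this revision do. Two smaller points in the same hunk: the GNU Privacy Assistant sentence now ends at "apt-get install gpa</tt>" with no full stop, and the config path is written as "~ /.gnupg/gpg.conf" with a space after the tilde, which a reader cannot paste; "~/.gnupg/gpg.conf" is what is meant.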
@@ -106,69 +100,65 @@
  gpg --import key.asc 
 For example, you can find Red Hat's public key at [http://www.redhat.com/solutions/security/news/publickey.html] 
  
 Here is what a full key looks like. ''Disclaimer: do __NOT__ import this key off this page, as it may have been tampered with (being a public wiki)'': 
- Type bits/keyID Date User ID  
- pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc. (security@redhat.com)  
- sub 2048g/961630A2 1999-09-23 
+<pre>  
+ Type bits/keyID Date User ID  
+pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc. (security@redhat.com)  
+sub 2048g/961630A2 1999-09-23 
  
- -----BEGIN PGP PUBLIC KEY BLOCK-----  
- Version: GnuPG v1..0 (GNU/Linux)  
- Comment: For info see http://www.gnupg.org 
+-----BEGIN PGP PUBLIC KEY BLOCK-----  
+Version: GnuPG v1..0 (GNU/Linux)  
+Comment: For info see http://www.gnupg.org 
  
- mQGiBDfqVDgRBADBKr3Bl6PO8BQ0H8sJoD6p9U7Yyl7pjtZqioviPwXP+DCWd4u8  
- HQzcxAZ57m8ssA1LK1Fx93coJhDzM130+p5BG9mYSWShLabR3N1KXdXQYYcowTOM  
- GxdwYRGr1Spw8QydLhjVfU1VSl4xt6bupPbWJbyjkg5Z3P7BlUOUJmrx3wCgobNV  
- EDGaWYJcch5z5B1of/41G8kEAKii6q7Gu/vhXXnLS6m15oNnPVybyngiw/23dKjS  
- ZVG7rKANEK2mxg1VB+vc/uUc4k49UxJJfCZg1gu1sPFV3GSa+Y/7jsiLktQvCiLP  
- lncQt1dV+ENmHR5BdIDPWDzKBVbgWnSDnqQ6KrZ7T6AlZ74VMpjGxxkWU6vV2xsW  
- XCLPA/9P/vtImA8CZN3jxGgtK5GGtDNJ/cMhhuv5tnfwFg4b/VGo2Jr8mhLUqoIb  
- E6zeGAmZbUpdckDco8D5fiFmqTf5+++pCEpJLJkkzel/32N2w4qzPrcRMCiBURES  
- PjCLd4Y5rPoU8E4kOHc/4BuHN903tiCsCPloCrWsQZ7UdxfQ5LQiUmVkIEhhdCwg  
- SW5jIDxzZWN1cml0eUByZWRoYXQuY29tPohVBBMRAgAVBQI36lQ4AwsKAwMVAwID  
- FgIBAheAAAoJECGRgM3bQqYOsBQAnRVtg7B25Hm11PHcpa8FpeddKiq2AJ9aO8sB  
- XmLDmPOEFI75mpTrKYHF6rkCDQQ36lRyEAgAokgI2xJ+3bZsk8jRA8ORIX8DH05U  
- lMH27qFYzLbT6npXwXYIOtVn0K2/iMDj+oEB1Aa2au4OnddYaLWp06v3d+XyS0t+  
- 5ab2ZfIQzdh7wCwxqRkzR+/H5TLYbMG+hvtTdylfqIX0WEfoOXMtWEGSVwyUsnM3  
- Jy3LOi48rQQSCKtCAUdV20FoIGWhwnb/gHU1BnmES6UdQujFBE6EANqPhp0coYoI  
- hHJ2oIO8ujQItvvNaU88j/s/izQv5e7MXOgVSjKe/WX3s2JtB/tW7utpy12wh1J+  
- JsFdbLV/t8CozUTpJgx5mVA3RKlxjTA+On+1IEUWioB+iVfT7Ov/0kcAzwADBQf9  
- E4SKCWRand8K0XloMYgmipxMhJNnWDMLkokvbMNTUoNpSfRoQJ9EheXDxwMpTPwK  
- ti/PYrrL2J11P2ed0x7zm8v3gLrY0cue1iSba+8glY+p31ZPOr5ogaJw7ZARgoS8  
- BwjyRymXQp+8Dete0TELKOL2/itDOPGHW07SsVWOR6cmX4VlRRcWB5KejaNvdrE5  
- 4XFtOd04NMgWI63uqZc4zkRa+kwEZtmbz3tHSdRCCE+Y7YVP6IUf/w6YPQFQriWY  
- FiA6fD10eB+BlIUqIw80VgjsBKmCwvKkn4jg8kibXgj4/TzQSx77uYokw1EqQ2wk  
- OZoaEtcubsNMquuLCMWijYhGBBgRAgAGBQI36lRyAAoJECGRgM3bQqYOhyYAnj7h  
- VDY/FJAGqmtZpwVp9IlitW5tAJ4xQApr/jNFZCTksnI+4O1765F7tA==  
- =3AHZ  
- -----END PGP PUBLIC KEY BLOCK----- 
+mQGiBDfqVDgRBADBKr3Bl6PO8BQ0H8sJoD6p9U7Yyl7pjtZqioviPwXP+DCWd4u8  
+HQzcxAZ57m8ssA1LK1Fx93coJhDzM130+p5BG9mYSWShLabR3N1KXdXQYYcowTOM  
+GxdwYRGr1Spw8QydLhjVfU1VSl4xt6bupPbWJbyjkg5Z3P7BlUOUJmrx3wCgobNV  
+EDGaWYJcch5z5B1of/41G8kEAKii6q7Gu/vhXXnLS6m15oNnPVybyngiw/23dKjS  
+ZVG7rKANEK2mxg1VB+vc/uUc4k49UxJJfCZg1gu1sPFV3GSa+Y/7jsiLktQvCiLP  
+lncQt1dV+ENmHR5BdIDPWDzKBVbgWnSDnqQ6KrZ7T6AlZ74VMpjGxxkWU6vV2xsW  
+XCLPA/9P/vtImA8CZN3jxGgtK5GGtDNJ/cMhhuv5tnfwFg4b/VGo2Jr8mhLUqoIb  
+E6zeGAmZbUpdckDco8D5fiFmqTf5+++pCEpJLJkkzel/32N2w4qzPrcRMCiBURES  
+PjCLd4Y5rPoU8E4kOHc/4BuHN903tiCsCPloCrWsQZ7UdxfQ5LQiUmVkIEhhdCwg  
+SW5jIDxzZWN1cml0eUByZWRoYXQuY29tPohVBBMRAgAVBQI36lQ4AwsKAwMVAwID  
+FgIBAheAAAoJECGRgM3bQqYOsBQAnRVtg7B25Hm11PHcpa8FpeddKiq2AJ9aO8sB  
+XmLDmPOEFI75mpTrKYHF6rkCDQQ36lRyEAgAokgI2xJ+3bZsk8jRA8ORIX8DH05U  
+lMH27qFYzLbT6npXwXYIOtVn0K2/iMDj+oEB1Aa2au4OnddYaLWp06v3d+XyS0t+  
+5ab2ZfIQzdh7wCwxqRkzR+/H5TLYbMG+hvtTdylfqIX0WEfoOXMtWEGSVwyUsnM3  
+Jy3LOi48rQQSCKtCAUdV20FoIGWhwnb/gHU1BnmES6UdQujFBE6EANqPhp0coYoI  
+hHJ2oIO8ujQItvvNaU88j/s/izQv5e7MXOgVSjKe/WX3s2JtB/tW7utpy12wh1J+  
+JsFdbLV/t8CozUTpJgx5mVA3RKlxjTA+On+1IEUWioB+iVfT7Ov/0kcAzwADBQf9  
+E4SKCWRand8K0XloMYgmipxMhJNnWDMLkokvbMNTUoNpSfRoQJ9EheXDxwMpTPwK  
+ti/PYrrL2J11P2ed0x7zm8v3gLrY0cue1iSba+8glY+p31ZPOr5ogaJw7ZARgoS8  
+BwjyRymXQp+8Dete0TELKOL2/itDOPGHW07SsVWOR6cmX4VlRRcWB5KejaNvdrE5  
+4XFtOd04NMgWI63uqZc4zkRa+kwEZtmbz3tHSdRCCE+Y7YVP6IUf/w6YPQFQriWY  
+FiA6fD10eB+BlIUqIw80VgjsBKmCwvKkn4jg8kibXgj4/TzQSx77uYokw1EqQ2wk  
+OZoaEtcubsNMquuLCMWijYhGBBgRAgAGBQI36lRyAAoJECGRgM3bQqYOhyYAnj7h  
+VDY/FJAGqmtZpwVp9IlitW5tAJ4xQApr/jNFZCTksnI+4O1765F7tA==  
+=3AHZ  
+-----END PGP PUBLIC KEY BLOCK-----  
+</pre>  
  
-''Of course, if you are using the WebOfTrust, you can import it off the website and it doesn't matter if someone has tampered with it because any tampering will get cause the CryptographicHash not to match and so it won't be trusted anyway.'' --- StuartYeates  
+If you are using the WebOfTrust, you can import it off the website and it doesn't matter if someone has tampered with it because any tampering will get cause the CryptographicHash not to match and so it won't be trusted anyway. 
  
 ---- 
  
 !!!General Notes 
  
-! How do I delete/cancel a key? 
+; How do I delete/cancel a key? : <tt>gpg --gen-revoke <key-id></tt>. Copy the text from this output somewhere very safe, because anyone can use this to revoke your PGP key.  
  
- gpg --gen- revoke <key-id> 
+; How do I ''use'' a revocation cert once you've generated one? : <tt> gpg --import revoke.asc</tt><br/><tt>gpg --send-key <key-id></tt
  
-Copy the text from this output somewhere very safe , because anyone can use this to revoke your PGP key. 
+; How do you change your primary uid? : In 1..7+ there is a "primary" command when you use --edit-key which makes the __currently selected__ uid your primary uid. So , to change your UID, you do:  
+<pre>  
+gpg --edit- key ''your@email .address''  
+> list  
+''the uid number you want eg:''  
+> 1  
+> primary  
+> save  
+</pre>  
  
-!How do I ''use'' a revocation cert once you've generated one?  
-  
- gpg --import revoke.asc  
- gpg --send-key <key-id>  
-  
-!How do you change your primary uid?  
-  
-In 1.0.7+ there is a "primary" command when you use --edit-key which makes the __currently selected__ uid your primary uid. So to change your uid you do:  
- gpg --edit-key ''your@email.address''  
- > list  
- ''the uid number you want eg:''  
- > 1  
- > primary  
- > save  
 I spent ages trying to figure out what the parameter to "primary" was, when in fact it has none. Doh! 
  
 This is the same for deleting a uid with "deluid". You don't say 
  > deluid 2 
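Review bot: The primary-uid answer was damaged in the move to a definition list: the version now reads "1..7+" where the removed text had "1.0.7+", and the command inside the new <pre> is "gpg --edit- key ''your@email .address''", with a space splitting the option and another inside the address. Restore "1.0.7+" and "gpg --edit-key ''your@email.address''". The revocation answer also ends in an unclosed "</tt". Separately, the WebOfTrust sentence lost both its italics and its "--- StuartYeates" signature, so one contributor's comment now reads as the page's own advice directly under the disclaimer telling readers not to import the key from this page; keep the attribution, or reword the sentence so it does not contradict the disclaimer, and fix "will get cause" while there.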
@@ -177,21 +167,20 @@
  > deluid 
  
 !!Periodic Maintenance 
  
- gpg --rebuild-keydb-caches  
-  
- increases the speed of many operations for existing keyrings 
+<tt> gpg --rebuild-keydb-caches</tt> increases the speed of many operations for existing keyrings.  
  
 !!How to get all the keys of people who have signed your key 
-  
+<pre>  
 sig 21100060 2005-02-05 [[User ID not found] 
+</pre>  
  
 So, who are all these numbers that have signed my key? 
  
- gpg --with-colons --list-sigs <your-key-id> | \  
- cut -f 5 -d':' | xargs gpg --recv-key  
- 
+<pre> gpg --with-colons --list-sigs <your-key-id> | \  
+cut -f 5 -d':' | xargs gpg --recv-key  
+</pre>  
  
 ---- 
 !!!How to verify files with gpg/pgp 
 (2003). After the famous ftp.gnu.org compromise, the [FSF] changed their policy - instead of uploading package [MD5] checksum to the ftp server, package maintainers now GPG-sign the packages. This makes it impossible for a cracker to modify a package without anyone noticing, since the cracker can't generate the signature (unless they managed to compromise or steal the person's private key). 
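Review bot: Style point on the signer-fetch command: "<pre> gpg --with-colons --list-sigs <your-key-id> | \" puts the first command line on the same line as the opening tag, while the other <pre> blocks added in this revision give the tag a line of its own; do the same here so the two lines of the pipeline are laid out alike. The sample line "sig 21100060 2005-02-05 [[User ID not found]" is now a block of its own directly under the heading with nothing saying which command printed it, so a one-line lead-in naming the command would make the section readable without the rest of the page.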
@@ -201,45 +190,41 @@
 this creates a .asc file to go with the tar.bz2. When you receive a file, and it's .asc file, you do 
  gpg --verify foo.tar.bz2.asc foo.tar.bz2 
 which should say something like "Good signature from ''someone''". Your web of trust should be large enough to verify this key (if it's not you need to find more people who have keys to sign). You should also verify "someone" is someone you trust to release this tarball. 
  
-See Also WhySignEmail 
+See also WhySignEmail.  
  
 ---- 
 !!!"There is no indication that this key really belongs to the owner" 
  
 This error is the result of a breakdown of trust. There can be several issues: 
 It can occur on your own keys if the trust database is deleted. The solution is to use: 
-  
+<pre>  
  gpg --edit 0x012345678 
  ... 
  trust 
-  
+</pre>  
 and tell [GPG] that you trust yourself. It can also occur if you are trying to send encrypted email to someone whose key you haven't signed, the solution is to sign their key or use --trusted-key for this operation. 
 ---- 
 !!!Recover a public key from the corresponding secret key 
-  
+<pre>  
  gpg --export-secret-key 0x12345678 | gpgsplit --no-split --secret-to-public | gpg --import 
-  
+</pre>  
 ---- 
 !!!Extend the lifetime of, or "unexpire", a key 
  
-Generating keys with expiry dates is good because it allows the keys to be flushed from keyservers and keyrings aftre a fixed length of time and limits the period revocation certificates have to be circulated. However, often it is advisable to extend the life of a key which is embedded in the web of trust. This can be done using the command:  
+Generating keys with expiry dates is good because it allows the keys to be flushed from keyservers and keyrings aftre a fixed length of time and limits the period revocation certificates have to be circulated. However, often it is advisable to extend the life of a key which is embedded in the web of trust. 
  
- gpg --edit 0x12345678  
-  
- and then the "expire" option. Some signatures have expiry dates within them which co-incide with the expiry date of the key. There is no way to extend these, except to get the signer to sign the updated key. 
+This can be done using the command <tt> gpg --edit 0x12345678</tt>, and then the "expire" option. Some signatures have expiry dates within them which co-incide with the expiry date of the key. There is no way to extend these, except to get the signer to sign the updated key. 
  
 ---- 
 !!!Ensuring compatibility with old versions of [PGP]/[GnuPG]: 
  
-There is a comprehensive table of what algorithms are supported by every version:  
-  
- https://netfiles.uiuc.edu/ehowes/www/pgp-summ.htm 
+[A comprehensive table of what algorithms are supported by every version of PGP/GnuPG| https://netfiles.uiuc.edu/ehowes/www/pgp-summ.htm] is available.  
  
 !!!See also 
  
 * [GnuPG Keysigning Party HOWTO | http://www.cryptnet.net/fdp/crypto/gpg-party.html] 
 * [GPGMailClients], for integrating encryption into your favourite email client. 
 * [KeySigningScripts] 
 ---- 
 Part of CategoryCryptography
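Review bot: The rewritten expiry paragraph keeps the misspelling "aftre" in "keyrings aftre a fixed length of time" and "co-incide" in the following sentence even though both lines were touched; fix them while the paragraph is being reflowed. The inline command is still "gpg --edit 0x12345678", whereas the key-editing examples earlier on the page use "--edit-key"; spelling the option out would keep the page consistent. In the trust example the new <pre> wraps "gpg --edit 0x012345678", whose key ID has nine hex digits where the other examples use eight ("0x12345678"), so the placeholder is worth correcting at the same time.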