Difference between revisions of "GnuPG"

From Hack Sphere Labs Wiki
Revision as of 10:27, 30 October 2011

Info

PGP encryption of email and files. Since PGP is not free software, GnuPG comes to the rescue.

Quote:

GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG allows you to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.

More information: http://www.gnupg.org/

Installation

Archlinux

pacman -Sv gnupg gnupg2 pinentry

You should use gpg-agent to manage the interactions between GnuPG and your other software:

gpg-agent is mostly used as a daemon to request and cache the passphrase for the keychain. This is useful if GnuPG is used from an external program like a mail client. It can be activated by adding the following line to ~/.gnupg/gpg.conf:

use-agent

This tells GnuPG to use the agent whenever it needs the passphrase. However, the agent must already be running. To autostart it, create the following file as /etc/profile.d/gpg-agent.sh and make it executable:

sudo chmod 0755 /etc/profile.d/gpg-agent.sh
sh /etc/profile.d/gpg-agent.sh
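The wiki's own gpg-agent.sh did not survive the page rendering, so here is an added example of what such a profile.d starter looks like. It is not the wiki's script: it targets the GnuPG 1.4 / 2.0-era agent that announces itself through GPG_AGENT_INFO and can persist that value with --write-env-file, and the env-file path and helper names are this example's choices. It reuses a still-running agent instead of spawning a new one per login, and it checks that the pid in a saved env file is actually alive, because a stale env file silently points every gpg call at a dead socket.

```shell
#!/bin/sh
# Added example (not the wiki's own script): a profile.d-style starter for the
# GnuPG 1.4 / 2.0-era gpg-agent, which advertises itself through GPG_AGENT_INFO
# and can persist that value with --write-env-file. GnuPG 2.1 and later start
# the agent on demand and ignore GPG_AGENT_INFO, so none of this is needed there.
# The env-file location and the helper names are this example's assumptions.

envfile="${GPG_AGENT_ENVFILE:-$HOME/.gnupg/gpg-agent.env}"

# agent_info_pid FILE: print the pid embedded in FILE's GPG_AGENT_INFO line
# (format: GPG_AGENT_INFO=<socket path>:<pid>:<protocol version>).
agent_info_pid() {
    [ -r "$1" ] || return 1
    sed -n 's/^GPG_AGENT_INFO=[^:]*:\([0-9][0-9]*\):.*/\1/p' "$1" | head -n 1
}

# agent_alive FILE: succeed only if FILE names an agent whose process still exists.
agent_alive() {
    pid=$(agent_info_pid "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# start_agent: reuse a live agent recorded in the env file, otherwise start a
# fresh one, then export GPG_AGENT_INFO so gpg (with use-agent set) finds it.
start_agent() {
    if ! agent_alive "$envfile"; then
        command -v gpg-agent >/dev/null 2>&1 || return 1
        gpg-agent --daemon --write-env-file "$envfile" >/dev/null || return 1
    fi
    . "$envfile"
    export GPG_AGENT_INFO
}

start_agent || :   # never abort the login shell if the agent cannot be started
```

Because the script is sourced by every login shell, it must not fail loudly; a missing gpg-agent simply leaves GPG_AGENT_INFO unset and gpg falls back to asking for the passphrase itself.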

Generate a Key

gpg --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)

Select (1) to both sign and encrypt

What keysize do you want? (2048)

I select 4096 because why not? If it had 1 million, you should select it too :p

Key is valid for? (0)

I put forever because I will revoke when I need to. If you want forward secrecy (only physical) then you may want to define a time limit so however many years from now people are not sending you emails or whatever with old keys. It will expire and you will have to create a new one with a better key size. I just like the control. You can figure out the other reasons to make them expire.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Dennis Kaarsemaker
Email address: dennis@kaarsemaker.net
Comment: Tutorial key
You selected this USER-ID:
    "Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>"
You need a Passphrase to protect your secret key.

You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn't easy to guess can be used. Make it something long that you can still remember, for example the first letter of each word in a sentence. You may be asked to type on the keyboard, move the mouse, or do the things you normally do so that the system can gather randomness. This gives the key generation entropy from human input; the resulting private key is then protected by the passphrase entered above.

Note: Forgetting your passphrase will result in your key being useless. Carefully memorize your passphrase.

After you are done:

gpg: key D8FC66D2 marked as ultimately trusted
public and secret key created and signed.

pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
sub   2048g/389AA63E 2005-09-08

The key in this example is D8FC66D2.

For keysigning parties you will need the key fingerprint. Although PGP keys are generally used with personal computers for Internet-related applications, key signing parties themselves generally do not involve computers, since that would give adversaries increased opportunities for subterfuge. Rather, participants write down a string of letters and numbers, called a public key fingerprint, which represents their key.
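The key ID D8FC66D2 printed above is not a separate identifier: for a V4 key the fingerprint is 160 bits (40 hex digits), the "long" key ID is its last 16 hex digits and the "short" one gpg shows is its last 8. The following added example (not part of the wiki page) makes that relationship checkable, so that a key ID someone quotes can be compared against the fingerprint you wrote down at a keysigning party; the sample listing is the one shown above, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): relate the key ID gpg prints to the full
# fingerprint. Helper names are this example's assumptions.

# fpr_normalize FPR: drop the spaces gpg inserts and upper-case the hex digits.
fpr_normalize() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# fpr_keyid FPR N: print the trailing N hex digits (8 = short, 16 = long) of FPR.
fpr_keyid() {
    fpr=$(fpr_normalize "$1")
    [ "${#fpr}" -eq 40 ] || return 1      # a V4 fingerprint is exactly 40 hex digits
    printf '%s\n' "$fpr" | cut -c "$((41 - $2))-40"
}

# fpr_matches_keyid FPR ID: succeed if ID (with or without a 0x prefix) is the
# short or long key ID of FPR. Anything of another length is rejected outright.
fpr_matches_keyid() {
    id=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF')
    case "${#id}" in
        8|16) [ "$(fpr_keyid "$1" "${#id}")" = "$id" ] ;;
        *) return 1 ;;
    esac
}

# fpr_from_listing: pull the fingerprint out of `gpg --fingerprint` output on stdin.
fpr_from_listing() {
    sed -n 's/^ *Key fingerprint = //p' | head -n 1
}

# Constructed sample: the listing shown on this page.
SAMPLE_LISTING='pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
sub   2048g/389AA63E 2005-09-08'

fpr=$(printf '%s\n' "$SAMPLE_LISTING" | fpr_from_listing)
echo "short key ID: $(fpr_keyid "$fpr" 8)"    # D8FC66D2
echo "long key ID:  $(fpr_keyid "$fpr" 16)"   # 0F6E4CA6D8FC66D2
```

A short key ID is only 32 bits, so two different keys can share one; it is a convenience for typing, not an identity. When fetching or trusting a key, compare the whole fingerprint, and pass the full fingerprint rather than the short ID to commands such as --recv-keys.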

You should set your key as the default key by editing ~/.bashrc and adding

export GPGKEY=D8FC66D2
killall -q gpg-agent
eval $(gpg-agent --daemon)

and then reloading it:

source ~/.bashrc

GPGKEY is only a shell variable that the commands below refer to; gpg itself chooses its default signing key from the default-key option in ~/.gnupg/gpg.conf.

Creating Revocation Certificate

A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way. It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.

gpg --output revoke.asc --gen-revoke $GPGKEY

Note: Anybody having access to your revocation certificate can revoke your key, rendering it useless.

Making an ASCII Armored Version of Your Public Key

gpg --output mykey.asc --export -a $GPGKEY

Uploading Your Key to Key Servers

Some servers seem to accept HTTP submissions and LDAP submissions. The pgp.com server seems to only work with LDAP. You can submit the armoured version of your key via most of these sites' HTTP interfaces. I am going to submit my key to a decent number of key servers to test. I will also post the results here.

I am going to try http first, then ldap, and post the results that way.

http:

gpg --send-keys --keyserver the.server.name $GPGKEY

keyserver.ubuntu.com
pgp.mit.edu
keys.kfwebs.net

ldap:

gpg --send-keys --keyserver ldap://keyserver.pgp.com $GPGKEY

keyserver.pgp.com
Note: stinkfoot.org, wwwkeys.stinkfoot.us.pgp.net and subkeys.pgp.net are the same: submitting via ldap://keyserver.pgp.com listed me on them.

So far, through my submissions, pgp.mit.edu updates fast. The others I am still waiting on.

Searching a Server For Your Key

gpg --keyserver pgp.mit.edu --search-keys webdawg
gpg --keyserver pgp.mit.edu --search-keys webdawg@gmail.com
gpg --keyserver pgp.mit.edu --search-keys K3Y1D01
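Rather than searching each server by hand to see where the key has propagated, the upload and search steps above can be combined into one check. The following is an added example, not the wiki's own procedure: it asks each server for the key with --recv-keys into a throwaway GNUPGHOME, so nothing a server returns lands in the real keyring. The GPG variable, the scratch directory and the helper names are this example's choices.

```shell
#!/bin/sh
# Added example (not from the wiki): after --send-keys, poll each keyserver with
# --recv-keys to see where the key has shown up, since propagation is uneven.
# GPG lets a caller substitute the gpg command; SCRATCH_HOME and the helper
# names are this example's assumptions.

# keyserver_has_key SERVER KEY: succeed if SERVER returns KEY. The scratch
# homedir keeps whatever the server sends out of your real keyring. Anyone can
# upload a key bearing your name and address, so a hit here only means some key
# with that ID exists on the server; only the full fingerprint, compared against
# one you hold, says it is really yours.
keyserver_has_key() {
    home=${SCRATCH_HOME:-/tmp/gpg-scratch.$$}
    mkdir -p -m 700 "$home"
    ${GPG:-gpg} --batch --quiet --homedir "$home" \
        --keyserver "$1" --recv-keys "$2" >/dev/null 2>&1
}

# check_propagation KEY SERVER...: report per server and a final count.
check_propagation() {
    key=$1; shift
    found=0
    for ks in "$@"; do
        if keyserver_has_key "$ks" "$key"; then
            echo "$ks: has $key"
            found=$((found + 1))
        else
            echo "$ks: not yet"
        fi
    done
    echo "$found of $# servers have the key"
}

# Servers from this page; GPGKEY is the shell variable set earlier in the tutorial.
if [ -n "$GPGKEY" ]; then
    check_propagation "$GPGKEY" keyserver.ubuntu.com pgp.mit.edu keys.kfwebs.net ldap://keyserver.pgp.com
fi
```

Use the full fingerprint as KEY where the server supports it; with a short ID the server may legitimately return several different keys, and the check above cannot tell them apart.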