Difference between revisions of "GnuPG"
(→Uploading Your Key to Key Servers) |
(→Uploading Your Key to Key Servers) |
||
Line 132: | Line 132: | ||
keyserver.pgp.com | keyserver.pgp.com | ||
− | {{Note| stinkfoot.org, wwwkeys.stinkfoot.us.pgp.net, subkeys.pgp.net same - submitting via ldap://keyserver.pgp.com listed me @ | + | {{Note| stinkfoot.org, wwwkeys.stinkfoot.us.pgp.net, subkeys.pgp.net same - submitting via ldap://keyserver.pgp.com listed me @ them}} |
So far through my submissions pgp.mit.edu updates fast. The others I am still waiting on. | So far through my submissions pgp.mit.edu updates fast. The others I am still waiting on. |
Revision as of 10:27, 30 October 2011
Contents
Info
PGP encryption of email and files. Since PGP is not free GnuPG comes to the rescue.
Quote:
GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880 . GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.
More information: http://www.gnupg.org/
Installation
Archlinux
pacman -Sv gnupg gnupg2 pinentry
You should use gpg-agent to manage the interactions between your software:
gpg-agent is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. It can be activated by adding following line in ~/.gnupg/gpg.conf:
use-agent
This tells GnuPG to use the agent whenever it needs the password. However, the agent needs to run already. To autostart it, create the following file and make it executable:
sudo chmod 0755 /etc/profile.d/gpg-agent.sh sh /etc/profile.d/gpg-agent.sh
Generate a Key
gpg --gen-key
Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only)
Select (1) to both sign and encrypt
What keysize do you want? (2048)
I select 4096 because why not? If it had 1 million. You should select it too :p
Key is valid for? (0)
I put forever because I will revoke when I need to. If you want forward secrecy (only physical) then you may want to define a time limit so however many years from now people are not sending you emails or whatever with old keys. It will expire and you will have to create a new one with a better key size. I just like the control. You can figure out the other reasons to make them expire.
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Dennis Kaarsemaker Email address: dennis@kaarsemaker.net Comment: Tutorial key You selected this USER-ID: "Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>"
You need a Passphrase to protect your secret key.
You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn't easy to guess can be used. Make it something you can remember and long. The first letter of each word in a sentence, etc. You would be asked to tap on the keyboard or do any of the things you normally do in order for randomization to take place. This is done so that the encryption algorithm has more human-entered elements, which, combined with the passphrase entered above, will result in the user's private key.
After you are done:
gpg: key D8FC66D2 marked as ultimately trusted public and secret key created and signed. pub 1024D/D8FC66D2 2005-09-08 Key fingerprint = 95BD 8377 2644 DD4F 28B5 2C37 0F6E 4CA6 D8FC 66D2 uid Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net> sub 2048g/389AA63E 2005-09-08
The key in this example is D8FC66D2.
For keysigning parties you will need the key fingerprint. Although PGP keys are generally used with personal computers for Internet-related applications, key signing parties themselves generally do not involve computers, since that would give adversaries increased opportunities for subterfuge. Rather, participants write down a string of letters and numbers, called a public key fingerprint, which represents their key.
You should set your key as the default key by editing ./bashrc and adding
export GPGKEY=D8FC66D2
killall -q gpg-agent eval $(gpg-agent --daemon) source ~/.bashrc
Creating Revocation Certificate
A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way. It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.
gpg --output revoke.asc --gen-revoke $GPGKEY
Making an ASCII Armored Version of Your Public Key
gpg --output mykey.asc --export -a $GPGKEY
Uploading Your Key to Key Servers
Some servers seem to accept http sends and ldap sends. The pgp seems to only work with ldap. You can submit the armoured version of your key via most of these sites http interfaces. I am going to submit my key to a decent amount of key servers to test. I will also post the results here.
I am going to try http first, then ldap, and post the results that way.
http:
gpg --send-keys --keyserver the.server.name $GPGKEY
keyserver.ubuntu.com pgp.mit.edu keys.kfwebs.net
ldap:
gpg --send-keys --keyserver ldap://keyserver.pgp.com $GPGKEY
keyserver.pgp.com
So far through my submissions pgp.mit.edu updates fast. The others I am still waiting on.
Searching a Server For Your Key
gpg --keyserver pgp.mit.edu --search-keys webdawg gpg --keyserver pgp.mit.edu --search-keys webdawg@gmail.com gpg --keyserver pgp.mit.edu --search-keys K3Y1D01