GPG keys
From UMaine Supercomputer
The quick way - Follow this first, then come back if you want more detail
The document on this page is fairly in-depth and provides screen-dumps of every command you have to type in. If you just want to get things done quick, go here GPG Keys -- The Fast Method
Why?
GPG keys are essential for secure communication over the Internet. Not only do they ensure that your correspondence can only be read by the intended recipients, but they also provide a means for the recipients to be sure that you are, in fact, the real sender. The benefit herein should be obvious.
Getting the Packages
We will be using the GNU Privacy Guard (GnuPG) package, a free, open-source implementation of OpenPGP. The project's website can be found at GnuPG. From there you can get packages Linux, OS X, FreeBSD, and Windows. We leave the initial installation documentation to their own excellent references.
Creating a Key
We must first generate a public/private key-pair.
cluster_user@tempest ~ $ gpg --gen-key gpg (GnuPG) 1.4.2.2; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details.
If this is the first time you have run gpg, some directories will be created:
gpg: directory `/home/cluster_user/.gnupg' created gpg: new configuration file `/home/cluster_user/.gnupg/gpg.conf' created gpg: WARNING: options in `/home/cluster_user/.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/home/cluster_user/.gnupg/secring.gpg' created gpg: keyring `/home/cluster_user/.gnupg/pubring.gpg' created
We select the default DSA and Elgamal key type. 1024 bits is secure enough for most email, and the default ELG-E of 2048 bits is fine as well.
Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits
You may choose any of the following expiration lengths. Longer is obviously easier, however shorter is more secure. We will be generating a revocation certificate later on, so an infinite period is ok.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Now we enter our personal information that will be attached to this key pair:
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Cluster User Email address: cluster_user@maine.edu Comment: You selected this USER-ID: "Cluster User <cluster_user@maine.edu>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
Finally, we get to enter a passphrase to which, essentially, is what you will use to encrypt/decrypt/sign electronic messages. This passphrase should be the most secure password you have ever used. While easy to memorize, it should be very long. Should someone gain knowledge of your passphrase, they will essentially be able to become you online. Once you have entered and confirmed your strong passphrase, follow the printed advice and wiggle your mouse a bit, check your email, browse to slashdot, etc.
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++..++++++++++++++++++++++++++++++.+++++.+++++.+++++.++++++++++++++++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++++++++++++++++++++++.+++++.+++++++++++++++++++++++++.+++++...+++++++++++++++.+++++..
gpg: /home/cluster_user/.gnupg/trustdb.gpg: trustdb created
gpg: key 1A4DAE57 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/1A4DAE57 2006-07-03
Key fingerprint = AD85 400C 396F CD1C 80E5 518A 2910 82E8 1A4D AE57
uid Cluster User <cluster_user@maine.edu>
sub 2048g/9C9BA43E 2006-07-03
If everything has worked according to plan, your key should have been imported into your keyring.
cluster_user@tempest ~ $ gpg --list-keys /home/cluster_user/.gnupg/pubring.gpg --------------------------------- pub 1024D/CE3047CC 2006-07-03 uid Cluster User <cluster_user@maine.edu> sub 2048g/2DDB4E44 2006-07-03
Creating a Revocation Certificate
IMPORTANT: This must be preformed NOW. Should your private key become compromised or if you forget your passphrase, this is the only way to let the world know that your public key is no longer valid. You should store this certificate in a very safe place.
cluster_user@sibyl ~ $ gpg --output ~/.gnupg/revoke.asc --gen-revoke 1A4DAE57 sec 1024D/1A4DAE57 2006-07-03 Cluster User <cluster_user@maine.edu> Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision? 1 Enter an optional description; end it with an empty line: > Reason for revocation: Key has been compromised (No description given) Is this okay? (y/N) y You need a passphrase to unlock the secret key for user: "Cluster User <cluster_user@maine.edu>" 1024-bit DSA key, ID 1A4DAE57, created 2006-07-03 ASCII armored output forced. Revocation certificate created. Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: The print system of your machine might store the data and make it available to others!
That's it, we're ready to begin encrypting, decrypting and signing documents.
Adding Another Email Address
We've created a keypair that is associated with cluster_user@maine.edu. However, there may exist other email addresses that we would also like to use securely. One could go through the entire process of creating a new keypair for this separate address, but that is only confusing and requires more work. The easiest way it to just add another email to our current keypair.
cluster_user@sibyl ~ $ gpg --edit-key 1A4DAE57
gpg (GnuPG) 1.4.2.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Secret key is available.
pub 1024D/1A4DAE57 created: 2006-07-03 expires: never usage: CS
trust: ultimate validity: ultimate
sub 2048g/9C9BA43E created: 2006-07-03 expires: never usage: E
[ultimate] (1). Cluster User <cluster_user@maine.edu>
Command> adduid
Real name: Cluster User
Email address: cluster_user@umit.maine.edu
Comment:
You selected this USER-ID:
"Cluster User <cluster_user@umit.maine.edu>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "Cluster User <cluster_user@maine.edu>"
1024-bit DSA key, ID 1A4DAE57, created 2006-07-03
pub 1024D/1A4DAE57 created: 2006-07-03 expires: never usage: CS
trust: ultimate validity: ultimate
sub 2048g/9C9BA43E created: 2006-07-03 expires: never usage: E
[ultimate] (1) Cluster User <cluster_user@maine.edu>
[ unknown] (2). Cluster User <cluster_user@umit.maine.edu>
Command> quit
Save changes? (y/N) y
It's as easy as that. Let's just check and make sure everything worked.
cluster_user@sibyl ~ $ gpg --list-keys gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u /home/cluster_user/.gnupg/pubring.gpg ------------------------------------- pub 1024D/1A4DAE57 2006-07-03 uid Cluster User <cluster_user@umit.maine.edu> uid Cluster User <cluster_user@maine.edu> sub 2048g/9C9BA43E 2006-07-03
Once we submit our public keys to a keyserver, anyone will be able to search for us by our real name, or either email account and securely communicate with us.
Sending the Public Key to Others
The public key has been generated, yet it is not ready to be sent to anyone else quite yet. Currently, the ~/.gnupg/pubring.gpg file is just binary data. We need to convert this to ASCII text in order for it to be nice and portable. The --armor flag tells gpg to export the key as an ASCII file. The file will be saved in your working directory as "public_key", and we again refer to ourselves by the Key ID, 1A4DAE57.
cluster_user@sibyl ~ $ gpg --armor --output public_key --export 1A4DAE57 cluster_user@sibyl ~ $ cat public_key -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2.2 (GNU/Linux) mQGiBESpXLURBAC/EdQQjDY2+wu8u2GABm/+jaliEDbhDk9A2n3G+hGLHh/yaQHw tkUqv+mbjqe6WlXb6TWwB0XpT+YqX76D620TcCke+ZG2sPuqsmgxePUzm4sxbpMP oL/FLmk+snw+duIW4SgNupTpP7kAwTh2XJxN/UeH9DsAxCRbaHUOWdrcLwCggMrC WVAJUgUdhRsN48rNAV76OU0EALiHsiXP8XyH155MPRLRh4yMzWVShlDDtBM+cFLG pKcbOVkVq2juLLNLHM5CFBlnWOhwA5/TsI2FSsozv9KcIoFTMo4CVstB4x1LgO30 Rcs1MPLyvNWhBMmi0x9Ni0f5rKI1cbJT7lirHgVZhHA/GxIv9kjtrsnvz8AwXUdn nWQGA/9nn3AYwyyU+aM1RvrRWTDbID08r7pTHUMWTZLLSoJvV1NaWCaMPx1u0P+W d2WGyWH4dYsQ7FqThUDA6OcdPNUHSvF2/xTfaw/u/YfiaZvsBD8hv5HbBJKOCeUq AczgmUhC6OX53lDqB6Auewg1JLdGxQg/BBNY4C3whC0ofzl8KLQlQ2x1c3RlciBV c2VyIDxjbHVzdGVyX3VzZXJAbWFpbmUuZWR1PohgBBMRAgAgBQJEqVy1AhsDBgsJ CAcDAgQVAggDBBYCAwECHgECF4AACgkQKRCC6BpNrlfr/gCfeZ0gL2XSPUCRP1lj HLVSJeUwufMAnjE221tpkW5kUQWj73bVPyEwILR2tCpDbHVzdGVyIFVzZXIgPGNs dXN0ZXJfdXNlckB1bWl0Lm1haW5lLmVkdT6IYAQTEQIAIAUCRKlebgIbAwYLCQgH AwIEFQIIAwQWAgMBAh4BAheAAAoJECkQgugaTa5XK7gAn1IQ39gC8Yhsf6L1CQPZ leWY5LuKAJ91ppvCYOYpLu79b0JEpXz2oDVXybkCDQREqVy5EAgAuYNoREfWE/i/ nhCLNn58bRnxeRSs+NVmEcC18Ufh7iEQ7nNklSzkhjA+LIzIYVfYtOfyBHj/Ycde dSyTU6u8D86lmtQcDga41i1Ydo1pmF/1eoL+dYqywMV7qzKK0qMClAByhSuzdyM1 JOigDuNYZEP4Gqcrg0FlpVThUx3ru5AlDkuTGkUjXrZLom1Q5GkYqpRstnbAUuJH 0aoFrgZxPxyyMlPe6wUgPQUZzTyWpjgQVwC9n5d6aMYPlD7Th+oXrGXCgaaNxenm V9+ls7n6OnwMAXzkgp+9Wt8dbDunff/qBf2Zp7PrRt+VeT7kfISF2faFLYgGAbuY bX4dzfaefwADBQf+I1Sj94keQN3FyqTk7v2EnPqEKpw2LnieGluYGY4Ob68zspQI NYTR0GwDk+pAt67xoaTKLXb3xOvNpEGUpjaJyFZdIDBenVaDmyy/33VB+14CKXAO KncyDci8wJrpyDQ+yVPPZtJW/XcqWSWU2pxTi/SJQsL/+knPcDyrXJ8QoPrTH4sT O8E/dgxX4bWsvnY6yJK/y8M5JhfAOs7ZOQhzhBYyFJX628zcUCcSpRwan/CqhXB8 CRRCRKH2YArgHRKMC0U+oRtcqN4L+CpbugW/WVGTT+h506hFjaO0bDcQDt28HNlq FKlEaIxQeBjJkhQJGgz/DWYBQ56gx4aHnF36BIhJBBgRAgAJBQJEqVy5AhsMAAoJ ECkQgugaTa5X6GsAn1Vs3Wt7JtsdsCZkwkKSYTu9CN13AJ9engCu8cwoTIICMUoF F0s6QNkeag== =5ou0 -----END PGP PUBLIC KEY BLOCK----- cluster_user@sibyl ~ $
The above public_key file is what we would ask you to send to us in order to begin the process of getting an account on the clusters (in-message-body ascii text please). However, now that you've come this far, you may as well finish the task and allow the world to search for you public key. We will keep both the key you send us on file, and utilize the public keyservers pgp.mit.edu and subkeys.pgp.net to check for any updated keys. Life is easier for everyone if you keep your keys up to date on the keyservers. The following command sends your public key to pgp.mit.edu:
cluster_user@sibyl ~ $ gpg --keyserver pgp.mit.edu --send-key 1A4DAE57 gpg: sending key 1A4DAE57 to hkp server pgp.mit.edu
That's it. If you like you may send to other keyservers as well. However this is not necessary as the major keyservers sync with each other regularly. If you experience any problems, such as a long delay before failure, you probably need to open TCP/UDP port 11371.
Searching for Keys
You've submitted your key to the keyserver so that everyone can search for you. It'd probably be nice if you knew how to search as well. If you'd like to send an encrypted message to your friend Fred, who has already been through the above steps, you'll first need to import his public key to your keychain.
cluster_user@sibyl ~ $ gpg --keyserver pgp.mit.edu --search fred@maine.edu gpg: searching for "fred@maine.edu" from hkp server pgp.mit.edu (1) Fred <fred@maine.edu> 1024 bit DSA key CE3047CF, created: 2006-07-03 (2) Fred <fred@maine.edu> 1024 bit DSA key 44AFA61F, created: 2005-03-15 (revoked) Enter number(s), N)ext, or Q)uit > 1 gpg: requesting key CE3047CCF from hkp server pgp.mit.edu gpg: key CE3047CF: public key "Fred <fred@maine.edu>" imported gpg: Total number processed: 1 gpg: imported: 1
As you can see, Fred was very responsible and created a revocation certificate when he made his first key. Later, Fred had some reason to revoke his first key and created another one, the one you selected to import to your keychain. We know everything was successful because we also issued the command:
cluster_user@sibyl ~ $ gpg --list-keys /home/cluster_user/.gnupg/pubring.gpg ------------------------------------- pub 1024D/1A4DAE57 2006-07-03 uid Cluster User <cluster_user@umit.maine.edu> uid Cluster User <cluster_user@maine.edu> sub 2048g/9C9BA43E 2006-07-03 pub 1024D/CE3047CF 2006-07-03 uid Fred <fred@maine.edu> sub 2048g/2DDB4E44 2006-07-03
Now that that you have Fred's public key from the keyserver, it would be responsible to give Fred a call, or meet him in person to check his key's fingerprint.
cluster_user@sibyl ~ $ gpg --edit-key fred@maine.edu
gpg (GnuPG) 1.4.2.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/CE3047CF created: 2006-07-03 expires: never usage: CS
trust: unknown validity: unknown
sub 2048g/2DDB4E44 created: 2006-07-03 expires: never usage: E
[ unknown] (1). Fred <fred@maine.edu>
Command> fpr
pub 1024D/CE3047CF 2006-07-03 Fred <fred@maine.edu>
Primary key fingerprint: 2D28 0169 E63C 8ED2 7547 62FF 64BB 0187 CE30 47CF
Once you've checked the fingerprint, you can sign Fred's key, indicating that you are sure it is him.
cluster_user@sibyl ~ $ gpg --edit-key fred@maine.edu
gpg (GnuPG) 1.4.2.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/CE3047CC created: 2006-07-03 expires: never usage: CS
trust: unknown validity: unknown
sub 2048g/2DDB4E44 created: 2006-07-03 expires: never usage: E
[ unknown] (1). Fred <fred@maine.edu>
Command> sign
Really sign all user IDs? (y/N) y
pub 1024D/CE3047CF created: 2006-07-03 expires: never usage: CS
trust: unknown validity: unknown
Primary key fingerprint: 2D28 0169 E63C 8ED2 7547 62FF 64BB 0187 CE30 47CF
Fred <fred@maine.edu>
Are you sure that you want to sign this key with your
key "Cluster User <cluster_user@umit.maine.edu>" (1A4DAE57)
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "Cluster User <cluster_user@umit.maine.edu>"
1024-bit DSA key, ID 1A4DAE57, created 2006-07-03
Command> check
uid Fred <fred@maine.edu>
sig!3 CE3047CF 2006-07-03 [self-signature]
sig! 1A4DAE57 2006-07-03 Cluster User <cluster_user@umit.maine.edu>
Command>
Encrypting and Decrypting
While there exist GnuPG plugins for nearly every major email client, discussing each is far beyond the scope of this document, so we'll stick to the command line and assume you just send the data as an attachment to a normal email. First, let's prepare the file "secure_docs" to be sent to Fred. Again we use --armor to get armored ASCII output.
cluster_user@sibyl ~ $ gpg --armor --output secure_docs.gpg --recipient fred@maine.edu --encrypt secure_docs
You may also want to sign the document so that Fred knows it was from you, this can be done by simply addding --sign. Of course you have to enter your passphrase now.
cluster_user@sibyl ~ $ gpg --armor --output secure_docs.gpg --recipient fred@maine.edu --sign --encrypt secure_docs You need a passphrase to unlock the secret key for user: "Cluster User <cluster_user@umit.maine.edu>" 1024-bit DSA key, ID 1A4DAE57, created 2006-07-03
If Fred sent you an encrypted and signed document and you had his public key in your keyring, you could decrypt and validate the signature of the file just as easily:
cluster_user@sibyl ~ $ gpg --output file_from_fred --decrypt file_from_fred.gpg
I forgot my passphrase!
This is exactly why we made the revocation certificate. First you'll want to import the certificate into your own keychain. Assuming you saved it as ~/.gnupg/revoke.asc:
cluster_user@sibyl ~ $ gpg --import .gnupg/revoke.asc gpg: key 1A4DAE57: "Cluster User <cluster_user@umit.maine.edu>" revocation certificate imported gpg: Total number processed: 1 gpg: new key revocations: 1 gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
Then you need to let a few keyservers know:
cluster_user@sibyl ~ $ gpg --keyserver pgp.mit.edu --send-key 1A4DAE57 gpg: sending key 1A4DAE57 to hkp server pgp.mit.edu
Keeping Keys up to Date
GnuPG has a nice command to sync your keychain with a keyserver.
cluster_user@sibyl ~ $ gpg --refresh-keys gpg: refreshing 2 keys from hkp://subkeys.pgp.net gpg: requesting key 1A4DAE57 from hkp server subkeys.pgp.net gpg: requesting key CE3047CF from hkp server subkeys.pgp.net
You should probably run this every now and then to make sure your keys are current.
