Just Enough gpg...

You are going to attend a Key Signing Party. The voice in your head says: Great, just what do I wear?? That part is simple, wear something comfortable. However, you will have a better time if you arrive prepared and that is the object of this short tutorial: just enough gpg to participate in the party.

Before you arrive

Fast gpg key setup

Preparation

A good write up can be found in the original LinuxGazette.

This work will be done from the command line, so fire up your console tool of choice--eterm, xterm, konsole or TTY. To make sure gpg is installed, just call it asking for version information. Use this command line recipe; it works. Some of the GUI helpers aren't helpful due to install quirks and assumptions. There isn't much typing involved--really. Most of the length of this page is a display of actual output you will see. It is provided to impart a warm fuzzy feeling of familiarity.

[pea@oak pea]$ gpg --version

gpg (GnuPG) 1.2.0
Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160
Compress: Uncompressed, ZIP, ZLIB

If you did not get a response, go back and install gpg.

$ gpg --gen-key

Use defaults, answer four questions.

GENERATE A KEY

Issue the command gpg --gen-key. Take the default choices, fill in a couple of lines and you've generated your key. Read through gpg's output below for a bit of explanation on some of the questions.

[pead@oak pead]$ gpg --gen-key

gpg (GnuPG) 1.2.0; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: keyring `/home/pead/.gnupg/secring.gpg' created

We will use the default settings for this initial key set generation.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      [n]  = key expires in n days
      [n]w = key expires in n weeks
      [n]m = key expires in n months
      [n]y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y

Now enter your identity information. Enter your real name. Then enter the email address you want this key associated with. Since this is your first key, use your regular, real email address. There is an additional comment field that can be used for a title or company name. This is useful later when you generate additional keys for work addresses. For this run you can safely leave this blank.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Paul Demo Ahlquist
Email address: pead@ahlquist.org
Comment: --this is optional--
You selected this USER-ID:
    "Paul Demo Ahlquist (--this is optional--) <pead@ahlquist.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

Next, gpg asks for your passphrase. This is a passphrase, not a password. A passphrase is just that, a phrase: longer than a password and, hopefully, something you can remember. There are many opinions on what makes an optimal passphrase and how to create one. Some prefer long strings of random characters, digits and punctuation. Myself, I lean toward long phrases with a bit of creative miz'pellin' and misplaced punctuation. The important thing is that you remember your passphrase. Some examples:

A passphrase is just that, a phrase

That last example was a bit much, but the point is to get some length in there and break up dictionary attacks.

You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.++++++++++++++++++++++++++++++++++++++++.++++++++++++++++++++++++
++++++++++++++++.++++++++++++++++++++++++++++++++++++++++.+++++.+++++..
....................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.++++++++++++++++++++++++++++++.++++++++++.+++++++++++++++.+++++.+++++
.+++++.+++++++++++++++++++++++++++++++++++..++++++++++.+++++.++++++++++
....................>+++++........+++++................+++++^^^
gpg: /home/pead/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.

pub  1024D/F6F1B31C 2005-02-14 Paul Demo Ahlquist (--this is optional--)
                                    <pead@ahlquist.org>
     Key fingerprint = 4F01 CA12 0B76 8756 C4E1  2828 7036 DA9E F6F1 B31C
sub  1024g/6F6987AC 2005-02-14

Your key is complete.

If your session fails with something like what is shown below, just rerun gpg --gen-key. Some older versions of gpg needed two passes to initially set up all of the config files and keyrings.

[pead@oak pead]$ gpg --gen-key

gpg (GnuPG) 1.2.0; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: /home/pead/.gnupg: directory created
gpg: new configuration file `/home/pead/.gnupg/gpg.conf' created
gpg: keyblock resource `/home/pead/.gnupg/secring.gpg': file open error
gpg: keyring `/home/pead/.gnupg/pubring.gpg' created
	:
	:
...... during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++..++++++++++.+++++.+++++++++++++++++++++++++++++++++++.++
+++++++++.+++++........+++++^^^^^^^^^^^^^
gpg: no writable secret keyring found: eof
Key generation failed: eof

Some terms

key-id

A key specifier, either the key ID of your primary keypair or any part of a user ID that identifies your keypair.

The last eight digits of your key fingerprint are commonly used as a key-id. Your email address, also, can be used as a key-id.

For more, man gpg and search on "How to specify a user ID"

Fingerprint

You have no doubt seen the long hex string that appears in my mail sig. That is my key fingerprint. The key fingerprint can be used as a quick way to verify a key. The last eight digits are commonly used as a key specifier or identifier.

[pead@oak pead]$ gpg --fingerprint pead@ahl

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
pub  1024D/F6F1B31C 2005-02-14 Paul Demo Ahlquist (--this is optional--)
                               <pead@ahlquist.org>
     Key fingerprint = 4F01 CA12 0B76 8756 C4E1  2828 7036 DA9E F6F1 B31C
sub  1024g/6F6987AC 2005-02-14

For the Key Signing Party you will need your key fingerprint and your email address. You might want to print some small slips with this information to exchange with others. Copy the output of "gpg --fingerprint [keyID]", paste it many times into a text editor and print this sheet. You have the info you need for the Key Signing Party!
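
The fingerprint check and the slip sheet described above, as an added example (not part of the original tutorial). It parses the gpg 1.2.0 listing layout shown on this page, derives the key-id from the last eight digits, and accepts a slip only when the full 40-digit fingerprint matches; the function names are made up for this sketch.

```sh
# Constructed sample: the `gpg --fingerprint` listing shown on this page.
LISTING='pub  1024D/F6F1B31C 2005-02-14 Paul Demo Ahlquist (--this is optional--)
                               <pead@ahlquist.org>
     Key fingerprint = 4F01 CA12 0B76 8756 C4E1  2828 7036 DA9E F6F1 B31C
sub  1024g/6F6987AC 2005-02-14'

# Keep only hex digits and uppercase them, so spacing and case do not matter.
normalize_fpr() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Read a listing on stdin and print its fingerprint as 40 hex digits.
fpr_from_listing() {
    normalize_fpr "$(sed -n 's/^ *Key fingerprint = //p' | head -n 1)"
}

# The eight-digit key-id is the tail of the fingerprint.
keyid_from_fpr() {
    printf '%s' "$1" | tail -c 8
}

# $1 = fingerprint digits as written on a slip, $2 = listing of the fetched key.
# Succeeds only for a complete fingerprint; a bare key-id is rejected.
slip_matches_key() {
    slip=$(normalize_fpr "$1")
    key=$(printf '%s\n' "$2" | fpr_from_listing)
    [ "${#slip}" -eq 40 ] && [ "$slip" = "$key" ]
}

# Print $1 copies of listing $2 separated by cut lines, ready to print.
make_slips() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s\n- - - - - - - - cut here - - - - - - - -\n' "$2"
        i=$((i + 1))
    done
}

fpr=$(printf '%s\n' "$LISTING" | fpr_from_listing)
echo "fingerprint: $fpr  key-id: $(keyid_from_fpr "$fpr")"
```

With a real keyring, pipe the output of gpg --fingerprint [keyID] into fpr_from_listing, or pass it to make_slips, in place of the sample listing.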

Publish Your Key

Now you will want to publish your keys on a public keyserver. This is so others can obtain your public key. Why? If someone wishes to encrypt information to you, they will need your public key to do so. This step is quick and easy.

[pead@oak pead]$ gpg --keyserver pgp.mit.edu --send-key  'F6F1B31C'

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: success sending to `pgp.mit.edu' (status=200)

You may have read that there are many keyservers. You do not have to post to all of them. Similar to the magic of DNS, keyservers share among themselves; in a short while your key will make its way to the other keyservers.

Create a Revocation Certificate

Next, create a Revocation Certificate, which is used to cancel or invalidate your key from the keyserver network. This step is not strictly necessary at this point; however, this is a good time to do this-- before your key is compromised. Store the revocation cert in a separate place-- on a floppy, then place it in a safety box. You may even print a copy to place in your safe box.

The "F6F1B31C" at the end of the command line below is a key specifier for the example key. It is the last eight digits of the key fingerprint. The email address for this key, "pead@ahlquist.org", could have been used instead.

[pead@oak pead]$ gpg --output revoke.asc --gen-revoke 'F6F1B31C'

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

sec  1024D/F6F1B31C 2005-02-14   Paul Demo Ahlquist (--this is optional--)
                                 <pead@ahlquist.org>

Create a revocation certificate for this key? yes
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> use in an emergency
>
Reason for revocation: Key has been compromised
use in an emergency
Is this okay? y

You need a passphrase to unlock the secret key for
user: "Paul Demo Ahlquist (--this is optional--) <pead@ahlquist.org>"
1024-bit DSA key, ID F6F1B31C, created 2005-02-14

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

"The certificate should not be stored where others can access it since anybody can publish the revocation certificate and render the corresponding public key useless."


TTFN

How to sign, encrypt and return a key to its owner is the next step after the meeting.


[22:35:10] <paulv> you should mention that it uses a special port...11371
[22:35:31] <paulv> "hkp" according to services,
                   tcp/udp "OpenPGP HTTP Keyserver"
[22:39:14] <pea>   that shouldn't (??) i'll footnote that, as
                   most folks shouldn't have trouble there...
                   home firewalls should conntrack the outgoing
[22:40:32] <paulv> yeah