GPG (GnuPG) notes
Setting PGP keys
This is just a fast howto for myself (and who is interested) in setting up PGP keys and sign others keys.
I used to follow "GPG: the Best Free Crypto You Aren't Using, Part II of lI", but it is a lot outdated (2001!), even GnuPG_ options are different from the current version of GnuPG.
GPG: the Best Free Crypto You Aren't Using, Part II of II
So, after talking with some guys in IRC, I decided to make this simple guide for myself and for who is interested. I'm using GnuPG 1.4.10 to setup and manage the keys.
Generating the keys
With GnuPG (which main command-line tool is
gpg), let's create the keys
by executing the following command::
$ gpg --gen-key
Then, we are going to answer the following questions:
1. *Kind of key.* I actually don't know the answer. Maybe it is a good idea to stick to the defaults?
I thought that alternative (1) RSA and RSA (default), is stronger, but I heard that the best alternative is (2) DGA and Elgamal. Anybody know the answer? For DSA + Elgamal, select 2.
2. *What keysize do you want?* Usually, stick with the defaults is a good idea, but you can chose a bigger number to make the cryptography stronger (and slower).
3. *How long the key should be valid?* You want it to expire? Or prefer to make it last forever?
4. *Is this correct?* I hope so...
5. *Your real name.*
6. *Your e-mail address.*
8. *Everything is Ok?*
9. *Enter a passphrase*
At the moment of generating the key, GnuPG will ask you to insert entropy in the system, by using the computer. Pressing the keyboard, moving the mouse, accessing the disk and so on.
After that, your keys are created.
Upload the public key to a keyserver
After creating the key, you should upload it to a keyserver. Before that, retrieve your key id::
$ gpg --fingerprint
Get you id (the line that starts with "pub", the hex number after the slash), and use it in the next command (in the place of the "<id>" string)::
$ gpg --keyserver pgp.mit.edu --send-keys <id>
*Note*: A friend of mine said that it doesn't matter what server you put your key (pgp.mit.edu, keys.gnupg.net etc.), because servers sync frequently. Is it right?
Importing and signing other's keys
Another person can give you her/his key id. You should import and sign her/his key in order to build the "Web of Trust::
$ gpg --recv-keys <id> $ gpg --sign-keys <id> $ gpg --keyserver pgp.mit.edu --send-keys <id>
Web of Trust
People have to make the same thing with your key, in order to add you to the "Web of Trust".
Publishing your public key
You key id should be enough to make someone download your public key from a PGP server. But if you want to let a public key somewhere, export it::
$ gpg -a --export your@email > pgp.asc
Encrypting a file
Just use the
--encrypt flag) and
$ gpg -e -r email@example.com myfile
It will create a file called
myfile.gpg with your public key. The
option will create the same file, but with an ASCII output.
Decrypting a file
The command is::
$ gpg -d -o output input.gpg
This will decrypt your file using your private key. If you don't use
it will output to the standard output.