

GPG (GnuPG) notes

Setting up PGP keys

Introduction

This is just a fast howto for myself (and anyone interested) on setting up PGP keys and signing other people's keys.

I used to follow GPG: the Best Free Crypto You Aren't Using, Part II of II, but it is very outdated (2001!); even the GnuPG options differ from those of the current version of GnuPG.

So, after talking with some people on IRC, I decided to make this simple guide for myself and for anyone interested. I'm using GnuPG 1.4.10 to set up and manage the keys.

Generating the keys

With GnuPG (whose main command-line tool is gpg), let's create the keys by executing the following command:

$ gpg --gen-key

Then, we are going to answer the following questions:

1. Kind of key. I actually don't know the answer. Maybe it is a good idea to stick to the defaults?

Note

I thought that alternative (1) RSA and RSA (default) is stronger, but I heard that the best alternative is (2) DSA and Elgamal. Does anybody know the answer? For DSA + Elgamal, select 2.

2. What keysize do you want? Usually, sticking with the defaults is a good idea, but you can choose a bigger number to make the cryptography stronger (and slower).

3. How long should the key be valid? Do you want it to expire, or would you prefer it to last forever?

4. Is this correct? I hope so...

5. Your real name.

6. Your e-mail address.

7. Comment.

8. Is everything OK?

9. Enter a passphrase.

While generating the key, GnuPG will ask you to feed entropy into the system by using the computer: pressing keys, moving the mouse, accessing the disk and so on.

After that, your keys are created.

Upload the public key to a keyserver

After creating the key, you should upload it to a keyserver. Before that, retrieve your key id:

$ gpg --fingerprint

Get your id (on the line that starts with "pub", the hex number after the slash), and use it in the next command (in place of the "<id>" string):

$ gpg --keyserver pgp.mit.edu --send-keys <id>

Note

A friend of mine said that it doesn't matter which server you upload your key to (pgp.mit.edu, keys.gnupg.net etc.), because the servers sync frequently. Is that right?

Importing and signing others' keys

Another person can give you her/his key id. You should import and sign her/his key in order to build the Web of Trust:

$ gpg --recv-keys <id>
$ gpg --sign-keys <id>
$ gpg --keyserver pgp.mit.edu --send-keys <id>

People have to do the same with your key in order to add you to the Web of Trust.

Publishing your public key

Your key id should be enough for someone to download your public key from a PGP server. But if you want to leave a public key somewhere, export it:

$ gpg -a --export your@email > pgp.asc

Basic usage

Encrypting a file

Just use the -e (--encrypt) and -r (--recipient) flags:

$ gpg -e -r foo@bar.com myfile

It will create a file called myfile.gpg, encrypted to the public key of the recipient given with -r. The -a (--armor) option does the same, but writes ASCII-armored output.

Decrypting a file

The command is:

$ gpg -d -o output input.gpg

This will decrypt the file using your private key. If you don't use -o, it writes to standard output.
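The whole workflow above (generate, export, encrypt, decrypt) as an added example that is not part of the original notes: it runs in a throwaway keyring so nothing touches ~/.gnupg, answers the key-generation questions from a batch parameter file, and checks that the decrypted file matches the original. It assumes GnuPG 2.1 or later (for %no-protection) and uses a constructed identity, demo@example.invalid.

```sh
#!/bin/sh
# Added example, not from the original notes. Assumes GnuPG >= 2.1;
# the identity and file names are constructed for the demo.
set -eu

gpg_roundtrip() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # Answers to the "Generating the keys" questions, given in batch form.
    cat >"$GNUPGHOME/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo User
Name-Email: demo@example.invalid
Expire-Date: 1y
%commit
EOF
    gpg --batch --quiet --gen-key "$GNUPGHOME/params"

    # The "pub" line carries a short key id; short ids are only 32 bits and
    # can collide, so compare the full 40-hex-digit fingerprint with the owner.
    fpr=$(gpg --batch --with-colons --fingerprint demo@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "${#fpr}" -eq 40 ] || return 1

    # "Publishing your public key": ASCII-armored export.
    gpg --batch -a --export demo@example.invalid >"$GNUPGHOME/pgp.asc"
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$GNUPGHOME/pgp.asc" || return 1

    # "Encrypting a file" / "Decrypting a file": same -e/-r and -d/-o
    # flags as on the page, on a constructed input file.
    printf 'secret note\n' >"$GNUPGHOME/myfile"
    gpg --batch --trust-model always -e -r demo@example.invalid \
        "$GNUPGHOME/myfile"
    gpg --batch --quiet -d -o "$GNUPGHOME/output" "$GNUPGHOME/myfile.gpg"
    if cmp -s "$GNUPGHOME/myfile" "$GNUPGHOME/output"; then
        status=0
    else
        status=1
    fi

    # Clean up the throwaway keyring and its agent.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    return "$status"
}
```

Run it with `gpg_roundtrip && echo roundtrip ok` after sourcing the file; on a real key you would omit %no-protection and pick a passphrase as in step 9.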