GnuPrivacyGuardHowto
This page describes how to use gpg to create a keypair, sign other keys and data, and use a keyserver.
Installing the necessary packages
There are several useful gpg packages:
- gnupg
- gpg-agent, pinentry-gtk2
- gpa
gnupg is the core package; it is installed by default on Ubuntu systems. gpg-agent and pinentry-gtk2 are packages that save you from having to enter the password for your key every time you want to use it. gpa is a graphical interface to gpg.
pinentry-gtk2 is not available in hoary, a backported breezy package can be found on http://seveas.ubuntulinux.nl/
Configuration
Run gpg once:
gpg < /dev/null
This command will fail, but that's ok. It created an initial configuration in ~/.gnupg/. Open ~/.gnupg/gpg.conf in your favorite editor, browse through it and change what you like. A few useful things to change are:
- keyserver-options auto-key-retrieve
- use-agent
The former makes gpg automatically retrieve gpg keys when verifying signatures. The latter makes you use gpg-agent, which is very useful if you use gpg a lot but don't like typing your password all the time.
Now create the file ~/.gnupg/gpg-agent.conf with the following content:
{{{
pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 86400
max-cache-ttl 86400
}}}
This will make gpg-agent use pinentry-gtk2 and it will remember your password for 24 hours.
Generating a key
Both gpg and gpa can generate a new key for you.
gpg
Run the command
gpg --gen-key
It will ask what kind of key you want. The default choice (1) is preferred, since the others cannot be used for encryption. A keysize (question 2) of 2048 (which is the default) is also a good choice.
Most people make their keys valid until infinity (question 3). If you do this, don't forget to revoke the key when you no longer use it (see later).
It will then ask you for your name and e-mail address. Make sure that the name on the key matches the name in your passport! You can add extra e-mail addresses to the key later.
It will now ask you for a password twice. Remember this password carefully; there is no way to recover it when it's lost.
A complete session looks like this:
{{{
dennis@mirage ~ $ gpg --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Dennis Kaarsemaker
Email address: dennis@kaarsemaker.net
Comment: Tutorial key
You selected this USER-ID:
    "Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..++++++++++++++++++++.++++++++++.+++++.+++++.+++++.+++++++++++++++.++++++++++..+++++>+++++..............>+++++.............+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++++++++++++.++++++++++..+++++.+++++++++++++++..+++++.+++++.+++++++++++++++.+++++++++++++++++++++++++++++++++++++++++++++..++++++++++++++++++++++++++++++>+++++.......................................................................>+++++....<.+++++.>.+++++.<+++++.............................>.+++++......<+++++..>+++++..+++++^
gpg: key D8FC66D2 marked as ultimately trusted
public and secret key created and signed.

pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5 2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
sub   2048g/389AA63E 2005-09-08
}}}
gpa
Start gpa, and in its menu choose Keys -> New Key. This opens a new window where you can fill in the required information. See the previous section for recommendations.
gpg.conf
Now that you have created a key, open gpg.conf again and set the key ID of this new key as default-key. Another useful trick is to add this line to your .bashrc:
export GPGKEY=B52A7216
(Use your key id instead of B52A7216 of course)
Now restart the gpg-agent and source your .bashrc again:
{{{
killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc
}}}
Uploading the key
After creating the key, you can upload it to the keyserver so that other people can download your key. You do this with the following command:
gpg --send-keys $GPGKEY
Getting your key signed
The whole point of all this GPG business is to create a web of trust. By signing someone's key, you state that you have checked that the person who uses a certain key is who he says he is and really is in control of the private key. This way a complete network of people who trust each other can be created.
This network is called the Strongly connected set and information about it can be found at http://www.cs.uu.nl/people/henkp/henkp/pgp/pathfinder/
How do you properly sign a key?
Since a signature means that you checked and verified that a certain public key belongs to a certain person who is in control of the accompanying private key, you need to follow these guidelines when signing peoples keys:
- Keysigning is always done after meeting in person
During this meeting you hand each other your key fingerprint and at least one government-issued identification paper with a photograph. These fingerprints are usually distributed as fingerprint slips, created by a script such as gpgkey2ps (package: signing-party).
- You check whether the name on the key corresponds with the name on the passport and whether the person in front of you is indeed who he says he is.
Having done these two checks, you only need to check whether this person is in control of the private key. You do this by sending the signed public key back to him/her, encrypted with his/her public key. The caff program makes this part very easy. You need to create a file named .caffrc in your home directory (only once) with the following content:
{{{
$CONFIG{owner} = q{Your full name here};
$CONFIG{email} = q{The emailaddress used in your key here};
$CONFIG{keyid} = [ qw{last 16 characters of your key fingerprint here} ];
}}}
Now you can simply run the following command:
caff key_id_of_other_persons_key
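As an added example (not part of this howto), a small shell helper that refuses to hand a key to caff until the fingerprint written on the slip matches, digit for digit, the fingerprint gpg reports for the key already in your keyring. The helper names are my own; it assumes gpg is installed and relies on gpg's machine-readable --with-colons output. The sample fingerprint in the comments is the tutorial key's from the session above.

```shell
#!/bin/sh
# Added example, not from the original howto: compare a fingerprint slip
# against the local keyring before signing with caff.

# Normalise a fingerprint as people write it on slips: drop spaces, colons
# and newlines, strip a leading "0x", uppercase the hex digits.
# e.g. "95BD 8377 2644 DD4F 28B5 2C37 0F6E 4CA6 D8FC 66D2"
#   -> "95BD83772644DD4F28B52C370F6E4CA6D8FC66D2"
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeed only when the slip value is a full 40-hex-digit fingerprint and is
# identical to the second value. A short key id (such as D8FC66D2) is
# deliberately rejected: key ids can collide, full fingerprints do not.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Primary-key fingerprint of a key in the local keyring (hypothetical helper).
# The first fpr: record in --with-colons output belongs to the primary key;
# field 10 carries the fingerprint.
local_fpr() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: check_slip "<fingerprint copied from the slip>" <key id>
# Prints the caff command to run on success; fails loudly on any mismatch.
check_slip() {
    slip=$1
    keyid=$2
    have=$(local_fpr "$keyid")
    if fpr_matches "$slip" "$have"; then
        echo "fingerprint matches: caff $(normalize_fpr "$slip")"
    else
        echo "MISMATCH or key not in keyring: slip=$(normalize_fpr "$slip") local=${have:-none}" >&2
        return 1
    fi
}
```

Passing the full fingerprint, rather than the 8-character id printed on the slip, to caff avoids signing a different key that happens to share a short id.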
When you receive signed keys from others, you get them as attachments. Save these attachments and import them with gpg. You can then send this signature to the keyservers so other people can know about it.
{{{
gpg --import filename_of_saved_signature
gpg --send-keys $GPGKEY
}}}
Signing data
When you've set up GPG and have a key in the strong set, it is time to sign the Ubuntu Code of Conduct if you want to become an Ubuntu member. Signing is done in 3 easy steps:
Download the code of conduct from https://launchpad.net/codeofconduct/1.0
Run the command
gpg --clearsign UbuntuCodeofConduct-1.0.txt
Upload the contents of UbuntuCodeofConduct-1.0.txt.asc at https://launchpad.net/codeofconduct/1.0/+sign
Note: You can also sign keys and files with the GPA GUI. A howto will be written shortly.