GnuPG stands for GNU Privacy Guard.
GnuPG is an open-source implementation of the OpenPGP standard (OpenPGP is the standardized form of PGP, Pretty Good Privacy), as defined in RFC 4880. In this article we will cover the installation and the basics of generating keys using GnuPG.
This article is part of our ongoing series on Cryptography. If you are new to cryptography, refer to our earlier article on Introduction to Cryptography.
On Debian based systems, use the following command to install the GnuPG tool.
# apt-get install gnupg
The first step in using GnuPG is to create a public/private key pair. The following command is used to create the keys.
$ gpg --gen-key
The above command runs in interactive mode. The following explains the various inputs that need to be given to the gpg command.
1. Choose the algorithm to be used for key generation
gpg: directory `/home/lakshmanan/.gnupg' created
gpg: new configuration file `/home/lakshmanan/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/lakshmanan/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/lakshmanan/.gnupg/secring.gpg' created
gpg: keyring `/home/lakshmanan/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
Each algorithm has its own advantages and disadvantages. Choose the one you prefer, or use the default (RSA and RSA, which gives an RSA signing key plus an RSA encryption subkey). Press 1 or Enter.
2. Select the key size
Once the algorithm is selected, it will ask for the key size.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
In general, the bigger the key size, the more secure it is. In practice 2048 bits should be sufficient. Type your key size or press Enter to accept the default.
3. Key validity
The next input we need to provide is how long the key should be valid.
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Type 0 if you don’t want the key to expire.
It will then ask for confirmation. Press y.
Key does not expire at all
Is this correct? (y/N) y
4. Create User ID and Password
Each key is mapped to a user ID and protected by a passphrase. Now it asks for your name, e-mail address and passphrase.
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: lakshmanan
Email address: email@example.com
Comment: My test GPG keys
You selected this USER-ID:
    "lakshmanan (My test GPG keys) <email@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter Passphrase
5. Final Output Keys
In order to generate a unique key, the system needs more random bytes. So perform some operations that access the disk, network, etc., so that the system can collect enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 39 more bytes)
+++++
+++++
Once sufficient random bytes are available, the keys will be generated.
gpg: /home/lakshmanan/.gnupg/trustdb.gpg: trustdb created
gpg: key A7344E7D marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/A7344E7D 2012-10-12
      Key fingerprint = 3AE0 7948 C880 E5F7 F0A1 E16A 6EBB 3931 A734 4E7D
uid                  lakshmanan (My test GPG keys) <email@example.com>
sub   2048R/96F8EF9B 2012-10-12
Now we have generated the key pair to use with GnuPG. The above output provides some important information, such as the Key-Id (A7344E7D) and the key fingerprint (3AE0 7948 C880 E5F7 F0A1 E16A 6EBB 3931 A734 4E7D).
We will be using this Key-Id for various operations, as we will see later.
6. List the Key Pairs
You can list the keys that were generated using the --list-keys and --list-secret-keys options.
$ gpg --list-keys
/home/lakshmanan/.gnupg/pubring.gpg
-----------------------------------
pub   2048R/A7344E7D 2012-10-12
uid                  lakshmanan (My test GPG keys) <email@example.com>
sub   2048R/96F8EF9B 2012-10-12

$ gpg --list-secret-keys
/home/lakshmanan/.gnupg/secring.gpg
-----------------------------------
sec   2048R/A7344E7D 2012-10-12
uid                  lakshmanan (My test GPG keys) <email@example.com>
ssb   2048R/96F8EF9B 2012-10-12
7. Export Your Public Keys
Now we have generated a key pair. The next step is to publish your public key on the Internet (key servers), so that other people can use that public key to send encrypted messages to you.
$ gpg --armor --export --output lakshmanan_pubkey.gpg lakshmanan
Now the file ‘lakshmanan_pubkey.gpg’ contains my public key (the --armor option writes it as ASCII text instead of binary). You can also use your Key-Id or e-mail address as the argument to this command.
$ gpg --armor --export --output lakshmanan_pubkey.gpg A7344E7D

or

$ gpg --armor --export --output lakshmanan_pubkey.gpg firstname.lastname@example.org
Now you can send the file to the people you converse with.
8. Submit Keys to a Key-Server
Exporting your public key and sending it to individuals will be cumbersome if you converse with many people. In that case, you can upload your public key to a server called a “Key-Server”, so people who want your key can fetch it from there. Note that a key server does not check who uploaded a key, so people who fetch your key should still compare its fingerprint with the one you give them over another channel.
$ gpg --send-keys --keyserver keyserver.ubuntu.com A7344E7D
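The interactive walk-through in steps 1 to 8 can also be run unattended, which is how keys are usually generated on servers or in build scripts. The following is an added example (not from the original article) that uses GnuPG's documented batch parameter file; the name, e-mail, comment, key size and expiry passed in the usage section are assumptions and can be changed.

```shell
#!/bin/sh
# Added example: unattended equivalent of "gpg --gen-key" using a batch
# parameter file (GnuPG "Unattended key generation"). Same choices as the
# article: RSA primary key for signing, RSA subkey for encryption.

# Print a parameter file for gpg --batch --gen-key.
# $1 real name, $2 e-mail, $3 comment, $4 key length in bits,
# $5 expiry: 0 (never), a period such as 1y or 30d, or an ISO date like 2013-09-01.
gen_batch_params() {
    cat <<EOF
%echo Generating an RSA signing key with an RSA encryption subkey
Key-Type: RSA
Key-Length: $4
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: $4
Subkey-Usage: encrypt
Name-Real: $1
Name-Comment: $3
Name-Email: $2
Expire-Date: $5
%ask-passphrase
%commit
%echo done
EOF
}
# %ask-passphrase makes gpg prompt for the passphrase instead of reading a
# "Passphrase:" line from this file, so the secret never lands on disk in clear.

# Generate the key from a parameter file; fails cleanly when gpg is absent.
generate_key() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 1; }
    gpg --batch --gen-key "$1"
}

# Print the full fingerprint of the primary key matching an e-mail or Key-Id,
# taken from gpg's machine-readable (--with-colons) listing, field 10 of "fpr".
key_fingerprint() {
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export the public key ASCII-armored, as in step 7 of the article.
export_pubkey() {
    gpg --armor --export --output "$2" "$1"
}

# Usage (assumed values; uncomment to run):
# gen_batch_params "lakshmanan" "email@example.com" "My test GPG keys" 2048 1y > keyparams.txt
# generate_key keyparams.txt && key_fingerprint email@example.com
# export_pubkey email@example.com lakshmanan_pubkey.gpg
```

The usage lines are left commented so the functions can be sourced without generating a key; the fingerprint printed by key_fingerprint is the value to hand to correspondents for comparison.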
Now you should have a basic understanding of GnuPG. In the next article of this series, we will explain how to encrypt, decrypt and digitally sign your messages using GnuPG.
As you are generating an RSA key, I believe you have missed a step in the above instructions. I had to create a sub key for encryption (although your output already shows a sub key: sub 2048R/96F8EF9B 2012-10-12).
gpg --edit-key KEYID
follow questions etc..
Thanks for very nice and useful article…
1. Write a command line in a batch file called “1_GenerateKey.bat” to generate the PGP public key pair for yourself. Specify the following information for the key:
a. RSA key
b. Used for both signing and encrypting.
c. Key size: 2048 bits,
d. Validity until 1 September, 2013.
e. Real name is the real name of one student of the group.
f. Email address is the real email address of the same student of the group.
Can you please give me a practical example of how I can use gpg in the real world.
Waiting for your reply..
I use Kubuntu and have gpg installed as a default program.
First point. What is the difference between pgp and gpg?
I have downloaded a programme from a website and the page talks of using keys to validate the program.
Second point. Am I correct in assuming that the key must be imported into gpg before a validation can take place. Can validations be done ‘on the fly’?
I am wondering how validations can help.
Is it not possible to put a programme on a website, and place a key there that will fit, and the user (downloader) will note consistency on analysis. As for downloading keys, could someone not upload a key to a server that will show consistency on using gpg when the program itself may be problematic?
Point three. Should keys be used that are published on a website, or only those available via servers?
No doubt, I will be back
Ps. Is there a good forum for gpg discussions
Thanks for the info. It is really very helpful.
I have a question here: in GPG, is there a way to send an alert just before the public key is about to expire?