Pretty Good Privacy
30 Jan 2016Pretty Good Privacy is a cryptographic computer program used to encrypt and authenticate messages. GnuPG is the free replacement to this program. It is an implementation of the OpenPGP Message Format.
Today’s post will be about the creation of GPG keys, using them to encrypt and authenticate a message as well as the verification process.
Creating your keys
First job is to create your credentials. These keys are what people are going to use that certify that something was from you.
To generate your keys:
You’re then asked what kind of key that you want:
The default of RSA and RSA
is fine. This says that we’ll use RSA keys to sign and encrypt our messages.
Size and expiration are specified next.
In my example here, I’ve chosen a key length of 2048
and a key won’t expire. Now you’re asked for your Real Name, E-mail address and Comment. It’s a good idea to use real or correct values for Real Name and E-mail address as people will see these and use them as a visual indicator to authenticate you. In the Comment field, I normally put the key’s purpose (email/personal/office/etc).
After some generation, the key generation process will present you with your fingerprint details. The 8 HEX chars that identify your public key are significant. This is the ID that you’ll use to reference this key.
At any point you can take a look at this fingerprint information with the following:
Backup your keys
You always need a way that you can get hold of your keys. In the next steps we’re going to export your private and public keys to file.
It’s important to backup your private key in case you lose it. Your hard drive crashes, or house gets flooded. You need another copy of your secret put somewhere else. So, you can get a text copy of the key with the following.
You need to be able to freely distribute your public key to people as this certificate is what people will use to verify messages sent by you are actually send by you! It’s also what’s used in the encryption process for messages sent to you.
Sending to a keyserver
So that other people will have the opportunity to look up your public key for authentication or decryption purposes, you’ll need to send your public key to a key server.
By default, this sends the key out to keys.gnupg.net
.
You can change this behavior and send your key to another server by specifying the keyserver using the --keyserver
switch.
Certificate revocation
It’s also a good idea to generate and store away a revocation certificate so that at any time, you can revoke your generated certificate.
If you do need to execute on this, it’s just about importing this revocation certificate into the store.
To let everyone know about it, you also need to push the certificate out to the key server.
Testing it out
There are heaps of different programs that integrate with GnuPG, but for today’s purposes we’re just going to create a simple text message; sign and verify it.
So, let’s create a message:
We can use a binary format to sign and verify:
This should be pretty straight forward. The more familiar text armored messages are done using the --clearsign
switch: