@miketweaver
Last active July 6, 2017 18:49
GPG Practical Exercise

Create your master keys

  • Create gnupg folder

    $ mkdir -p ~/.gnupg/
    
  • Add extra security

    $ cat >> ~/.gnupg/gpg.conf <<EOF
    > personal-digest-preferences SHA256
    > cert-digest-algo SHA256
    > default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
    > EOF
    
  • Set correct permissions

    $ chmod -R 700 ~/.gnupg/
    
  • Generate a keypair

    $ gpg2 --full-generate-key
    or
    $ gpg2 --gen-key
    
    Select RSA.
    Keysize: 4096
    The rest is default.
    Choose a long passphrase (32+ characters).
    
  • Delete the extra subkey

    $ gpg --list-keys yourname
    $ gpg --edit-key YOURMASTERKEYID
    gpg> key 1
    gpg> delkey
    gpg> save
    
  • If a revocation certificate wasn’t generated during key creation, generate one now

    $ gpg --armor --output <your key id>.asc.revoke --gen-revoke <your key id>
    
  • Send your public key to the key server

    $ gpg --send-keys --keyserver pgp.mit.edu <your key id>
    

Create some SubKeys for daily use

  • Backup your GnuPG files

    $ umask 077; tar -cf $HOME/gnupg-backup.tar -C $HOME .gnupg
    
  • Find your key ID:

    $ gpg --list-keys yourname
    
  • Create signing subkey

    $ gpg --edit-key YOURMASTERKEYID
    gpg> addkey
    Please select what kind of key you want:
        (3) DSA (sign only)
        (4) RSA (sign only)
        (5) Elgamal (encrypt only)
        (6) RSA (encrypt only)
    Your selection? 4
    What key size do you want? 4096
    Key is valid for? 6m
    
  • Create encrypting subkey

    gpg> addkey
    Please select what kind of key you want:
        (3) DSA (sign only)
        (4) RSA (sign only)
        (5) Elgamal (encrypt only)
        (6) RSA (encrypt only)
    Your selection? 6
    What key size do you want? 4096
    Key is valid for? 6m
    
    gpg> save
    
  • Send your public subkeys to the key server

    $ gpg --send-keys --keyserver pgp.mit.edu <your key id>
    
  • If everything looks good, remove your backup.

    $ rm $HOME/gnupg-backup.tar
    

Save all your keys

  • Now you should back these up somewhere safe.

    $ umask 077; tar -cf $HOME/gnupg-ALLKEYS-backup.tar -C $HOME .gnupg
    
  • Move them to an encrypted USB.

    $ mv $HOME/gnupg-ALLKEYS-backup.tar usbdrive-location/
    
  • These keys you should keep locked up and not access unless creating new sub keys.

Remove your master private key

  • Get the keygrip of the master key (the pub line)

    $ gpg2 --with-keygrip --list-key YOURMASTERKEYID
    
  • Remove keygrip file

    $ rm $HOME/.gnupg/private-keys-v1.d/KEYGRIP.key
    
  • Verify that gpg -K shows sec# instead of just sec for your private key. The # means the secret key is not really there.

    $ gpg -K
    
  • Change the passphrase protecting the subkeys. This way, if your everyday passphrase is compromised, the private master key remains safe from someone with access to the backup: the private key material on the backup, including the private master key, is still protected by the old passphrase.

    $ gpg --edit-key YOURMASTERKEYID passwd
    
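The "sec#" check above is easy to do by eye for one key, but on a machine you want to audit regularly the machine-readable listing (`gpg --with-colons --list-secret-keys`) is the reliable source: field 15 of a sec/ssb record is `#` when only a stub is present. The following script is an added example, not part of this gist: it parses a constructed listing (key IDs, fingerprints, keygrips and dates are made up) and reports whether the keyring matches the layout this exercise builds, i.e. master key stub only, plus live signing and encryption subkeys that have an expiry. The `audit_local_keyring` helper is the only part that needs gpg installed.

```python
"""Audit a `gpg --with-colons -K` listing after the master private key was removed."""
import subprocess
import time

# Constructed sample of `gpg --with-colons --list-secret-keys` output for a
# daily-use laptop. All key IDs, fingerprints, keygrips and dates are made up.
# Field layout follows GnuPG's DETAILS document: field 1 record type, 5 key ID,
# 6 creation time, 7 expiry time, 12 capabilities, 15 '#' when the secret key
# is only a stub (the sec# shown by `gpg -K`); fpr/grp records carry their
# value in field 10.
LAPTOP_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1499300000:::u:::scESC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::0000000000000000000000000000000000000000:
uid:u::::1499300000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1499300000:1515110400:::::s::::::23:
fpr:::::::::0000000000000000000000000FEDCBA9876543210:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:4096:1:0F1E2D3C4B5A6978:1499300000:1515110400:::::e::::::23:
fpr:::::::::00000000000000000000000000F1E2D3C4B5A6978:
grp:::::::::2222222222222222222222222222222222222222:
"""
# Same keyring before the keygrip file was deleted: field 15 of the sec record is empty.
BEFORE_REMOVAL = LAPTOP_LISTING.replace("scESC:::#:", "scESC::::")


def parse_listing(text):
    """Return one dict per sec/ssb record, with its fingerprint and keygrip attached."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            current = {
                "type": f[0],
                "keyid": f[4],
                "created": int(f[5]),
                "expires": int(f[6]) if f[6] else None,
                "caps": f[11],
                "stub": f[14] == "#",
                "fpr": None,
                "grip": None,
            }
            keys.append(current)
        elif f[0] == "fpr" and current is not None:
            current["fpr"] = f[9]
        elif f[0] == "grp" and current is not None:
            current["grip"] = f[9]
    return keys


def audit(keys, now=None):
    """Return a list of findings; an empty list means the keyring has the intended
    daily-use layout: a master-key stub plus usable, expiring signing and encryption subkeys."""
    now = time.time() if now is None else now
    findings = []
    masters = [k for k in keys if k["type"] == "sec"]
    if len(masters) != 1:
        findings.append(f"expected exactly one master key, found {len(masters)}")
    elif not masters[0]["stub"]:
        findings.append(
            f"master secret key {masters[0]['keyid']} is present on this machine "
            f"(sec, not sec#); remove private-keys-v1.d/{masters[0]['grip']}.key"
        )
    subkeys = [k for k in keys if k["type"] == "ssb"]
    live_caps = "".join(k["caps"] for k in subkeys if not k["stub"])
    if "s" not in live_caps:
        findings.append("no usable signing subkey (capability 's')")
    if "e" not in live_caps:
        findings.append("no usable encryption subkey (capability 'e')")
    for k in subkeys:
        if k["expires"] is None:
            findings.append(f"subkey {k['keyid']} never expires")
        elif k["expires"] < now:
            findings.append(f"subkey {k['keyid']} expired")
    return findings


def audit_local_keyring():
    """Run the audit against the real keyring (requires gpg on PATH)."""
    out = subprocess.run(["gpg", "--with-colons", "--list-secret-keys"],
                         check=True, capture_output=True, text=True).stdout
    return audit(parse_listing(out))


if __name__ == "__main__":
    for line in audit_local_keyring() or ["OK: master key is a stub, subkeys usable"]:
        print(line)
```

Running the script on the laptop after the "Remove keygrip file" step should print the OK line; running it on the machine that still holds the full backup reports the master key as present. The expiry check is there because the subkeys were created with a six-month lifetime and will need renewing from the offline master.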

Save your subkeys

  • Now you should back these up somewhere safe.

    $ umask 077; tar -cf $HOME/gnupg-SUBKEYS-backup.tar -C $HOME .gnupg
    
  • Move them to an encrypted USB.

    $ mv $HOME/gnupg-SUBKEYS-backup.tar usbdrive-location/
    
  • These are the keys you should use and save to your daily computers.

Extra Things

  • Display your fingerprint

    $ gpg --fingerprint <your key id>
    
  • Retrieve someone else's public key from the keyserver

    $ gpg --recv-keys --keyserver pgp.mit.edu <their key id>
    
  • Verify their key's fingerprint

    $ gpg --fingerprint <their key id>
    
  • After verifying their fingerprint(s), sign their keys

    $ gpg --sign-key <their key id>
    
  • Edit the key and set your level of trust

    $ gpg --edit-key <their key id>
    gpg> trust
    Your decision? (1-5)
    gpg> quit
    
  • Export the public key(s) you signed and send them to their owners

    $ gpg --armor --output <their key id/email address>.asc --export <their key id>
    
  • Import your signed keys that you received

    $ gpg --import <filename>.asc
    
  • Compose a message (recommended: save it to a text file; you can securely delete it later with the srm/shred commands).

  • Encrypt and sign your message, and send it to the people you exchanged keys with earlier.

    $ gpg --armor --output message.asc --sign --encrypt message
    
  • Decrypt and verify the message you received

    $ gpg --output message --decrypt message.asc
    

(Optional)

  • Send your signed public key to the key server

    $ gpg --send-keys --keyserver pgp.mit.edu
    
  • View your/others' keys on the key server's web interface

    https://pgp.mit.edu
    
  • Sign an existing file (for example a PDF), and send it (and the generated signature) to someone else

    $ gpg --armor --output file.pdf.sig.asc --detach-sign file.pdf
    
  • Verify the signature and file you received

    $ gpg --verify file.pdf.sig.asc file.pdf
    

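One caveat for both the "Decrypt and verify the message" and "Verify the signature and file" steps: `gpg --verify` exits 0 for any cryptographically good signature, including one made by a key you imported but never fingerprint-checked or signed; the trust warning only goes to stderr. When a script makes the decision, read the `--status-fd` lines instead. The following is an added example, not part of this gist: it evaluates constructed status output (fingerprints, key IDs and dates are made up) and accepts a signature only if it is GOODSIG, the primary-key fingerprint on the VALIDSIG line matches the fingerprint you pinned after the exchange above, and the trust level is full or ultimate. `verify_detached` wires the same policy to a real gpg invocation.

```python
"""Decide whether a signature should be accepted from gpg's --status-fd output."""
import subprocess

# Constructed `--status-fd` output for a good signature from a fully trusted key.
# Layout follows GnuPG's DETAILS document; VALIDSIG's last field is the primary
# key fingerprint. All identifiers and dates are made up for this example.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example User <user@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000FEDCBA9876543210 2017-07-06 1499300000 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_FULLY 0 pgp
"""
# Same signature, but the signer's key was only imported, never checked and signed.
STATUS_UNTRUSTED = STATUS_GOOD.replace("TRUST_FULLY", "TRUST_UNDEFINED")
# A signature that does not match the file contents.
STATUS_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG FEDCBA9876543210 Example User <user@example.invalid>\n"
)
# Primary-key fingerprint you pinned after comparing it with the owner (constructed).
EXPECTED_PRIMARY_FPR = "0000000000000000000000000123456789ABCDEF"

# Status keywords that replace GOODSIG when something is wrong with the signature
# or the signing key. The policy here rejects all of them, expired keys included.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def evaluate_status(status_text, expected_primary_fpr):
    """Return (accepted, reason) for one signature's status lines."""
    good = False
    primary_fpr = None
    trust = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword in REJECT_KEYWORDS:
            return False, f"signature rejected: {keyword}"
        elif keyword == "VALIDSIG":
            primary_fpr = fields[-1]
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not good or primary_fpr is None:
        return False, "no GOODSIG/VALIDSIG pair"
    if primary_fpr != expected_primary_fpr:
        return False, f"signed by unexpected key {primary_fpr}"
    if trust not in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return False, f"signer key not trusted ({trust})"
    return True, f"good signature from trusted key {primary_fpr}"


def verify_detached(sig_path, file_path, expected_primary_fpr):
    """Verify a detached signature with the real gpg (must be installed) under the policy above."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return evaluate_status(proc.stdout, expected_primary_fpr)


if __name__ == "__main__":
    import sys
    ok, why = verify_detached(sys.argv[1], sys.argv[2], sys.argv[3])
    print(("ACCEPT: " if ok else "REJECT: ") + why)
    sys.exit(0 if ok else 1)
```

Pinning the primary fingerprint matters because the key that made the signature is usually a subkey; the last VALIDSIG field ties it back to the master key whose fingerprint you checked with `gpg --fingerprint`.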
## Useful Links

- http://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys