- Create gnupg folder
$ mkdir -p ~/.gnupg/
- Add extra security
$ cat >> ~/.gnupg/gpg.conf <<EOF
> personal-digest-preferences SHA256
> cert-digest-algo SHA256
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> EOF
- Set correct permissions
$ chmod -R 700 ~/.gnupg/
- Generate a keypair
$ gpg2 --full-generate-key
or
$ gpg2 --gen-key
Select RSA. Key size: 4096. Leave the rest at the defaults. Choose a long passphrase (32+ characters).
- Delete the extra subkey
$ gpg --list-keys yourname
$ gpg --edit-key YOURMASTERKEYID
gpg> key 1
gpg> delkey
gpg> save
- If the revocation certificate wasn't generated, generate a revocation certificate
$ gpg --armor --output <your key id>.asc.revoke --gen-revoke <your key id>
- Send your public key to the key server
$ gpg --send-keys --keyserver pgp.mit.edu <your key id>
- Back up your GnuPG files
$ umask 077; tar -cf $HOME/gnupg-backup.tar -C $HOME .gnupg
- Find your key ID
$ gpg --list-keys yourname
- Create signing subkey
$ gpg --edit-key YOURMASTERKEYID
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
What key size do you want? 4096
Key is valid for? 6m
- Create encrypting subkey
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 6
What key size do you want? 4096
Key is valid for? 6m
gpg> save
- Send your public subkeys to the key server
$ gpg --send-keys --keyserver pgp.mit.edu <your key id>
- If everything looks good, remove your backup
$ rm $HOME/gnupg-backup.tar
- Now back these up somewhere safe
$ umask 077; tar -cf $HOME/gnupg-ALLKEYS-backup.tar -C $HOME .gnupg
- Move them to an encrypted USB drive
$ mv $HOME/gnupg-ALLKEYS-backup.tar usbdrive-location/
- Keep these keys locked up and do not access them except to create new subkeys.
- Get the keygrip of the master key (pub)
$ gpg2 --with-keygrip --list-key YOURMASTERKEYID
- Remove the keygrip file
$ rm $HOME/.gnupg/private-keys-v1.d/KEYGRIP.key
- Verify that gpg -K shows sec# instead of just sec for your private key. That means the secret master key is no longer present; only a stub remains.
$ gpg -K
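For a scriptable version of the sec# check, here is an added shell example that is not part of the original guide: it parses the machine-readable output of gpg -K --with-colons. It assumes GnuPG 2.1 or later, where field 15 of a sec/ssb record is '#' for a stub (secret key not available) and '+' when the secret key is present; the sample records are constructed, and check_keyring is a hypothetical wrapper name.

```shell
# Added example, not from the original guide: a scriptable version of the
# "sec# instead of sec" check. It parses `gpg -K --with-colons` records.
# Assumption: GnuPG 2.1+, where field 15 of a sec/ssb record is '#' for a
# stub (secret key not available) and '+' when the secret key is present.

# Constructed sample: the keyring after the master keygrip file was removed
# (master is a stub, both subkeys' secret material is present).
SAMPLE_OFFLINE='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA:::#:::23::0:
ssb:u:4096:1:1122334455667788:1600000100:1615552100:::::s:::+:::23:
ssb:u:4096:1:99AABBCCDDEEFF00:1600000200:1615552200:::::e:::+:::23:'

# Constructed sample: the master secret key is still on this machine.
SAMPLE_ONLINE='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA:::+:::23::0:
ssb:u:4096:1:1122334455667788:1600000100:1615552100:::::s:::+:::23:'

# master_is_offline: read colon records on stdin. Exit 0 when every sec
# record is a stub and every ssb record has its secret key; otherwise print
# what is wrong and exit 1.
master_is_offline() {
    awk -F: '
        $1 == "sec" && $15 != "#" { bad = 1; print "master secret key present: " $5 }
        $1 == "ssb" && $15 != "+" { bad = 1; print "subkey secret missing: " $5 }
        END { exit (bad ? 1 : 0) }
    '
}

# check_keyring (hypothetical helper): run the check against the live keyring
# for one key id. Usage: check_keyring YOURMASTERKEYID
check_keyring() {
    gpg --batch --with-colons -K "$1" | master_is_offline
}
```

Run check_keyring on a daily-use machine after the keygrip file has been removed; a non-zero exit means the master secret key is still on that machine.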
- Change the passphrase protecting the subkeys. This way, if your everyday passphrase is compromised, the private master key remains safe from someone with access to the backup: the private key material on the backup, including the private master key, is protected by the old passphrase.
$ gpg --edit-key YOURMASTERKEYID passwd
- Now back these up somewhere safe
$ umask 077; tar -cf $HOME/gnupg-SUBKEYS-backup.tar -C $HOME .gnupg
- Move them to an encrypted USB drive
$ mv $HOME/gnupg-SUBKEYS-backup.tar usbdrive-location/
- These are the keys you should use and copy to your daily computers.
- Display your fingerprint
$ gpg --fingerprint <your key id>
- Retrieve someone else's public key from the keyserver
$ gpg --recv-keys --keyserver pgp.mit.edu <their key id>
- Verify their key's fingerprint
$ gpg --fingerprint <their key id>
- After verifying their fingerprint(s), sign their keys
$ gpg --sign-key <their key id>
- Edit the key and set your level of trust
$ gpg --edit-key <their key id>
gpg> trust
Your decision? (1-5)
gpg> quit
- Export the public key(s) you signed and send them to their owners
$ gpg --armor --output <their key id/email address>.asc --export <their key id>
- Import the signed copies of your key that you received
$ gpg --import <filename>.asc
- Compose a message (recommended: save it to a text file; you can securely delete it later with the srm/shred commands)
- Encrypt and sign your message, and send it to the people you exchanged keys with earlier
$ gpg --armor --output message.asc --sign --encrypt message
- Decrypt and verify the message you received
$ gpg --output message --decrypt message.asc
(Optional)
- Send your signed public key to the key server
$ gpg --send-keys --keyserver pgp.mit.edu <your key id>
- View your/others' keys on the key server's web interface
https://pgp.mit.edu
- Sign an existing file (for example a PDF) and send it (and the generated signature) to someone else
$ gpg --armor --output file.pdf.sig.asc --detach-sign file.pdf
- Verify the signature and file you received
$ gpg --verify file.pdf.sig.asc file.pdf
## Useful Links
- http://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys