Tuesday, September 8, 2015

How to generate a GPG keypair?

Create your own PGP keypair
After installation of GPG, the very next step is to generate your own GPG private-public key pair.

GPG is a command line tool. Using its various command line options, you can generate a key pair or perform encryption, decryption and signing. In this post I explain how to generate GPG key pairs and manage them.

How to generate a new keypair in GPG?

To generate a new key-pair, use the command line option:

# gpg --gen-key

This will ask you a couple of questions.

1. Select what kind of key you want. Here you can select DSA or RSA. Selecting RSA generates an RSA key pair that lets you both sign and encrypt.

2. Select the size of the key. The bigger the key, the stronger the encryption, and the longer encryption and decryption take. I would suggest 4096 bits; it is good enough.

3. Specify how long the key should be valid. Enter '0' if you do not want the key pair to expire. Otherwise you can specify the validity in days, weeks, months or years.

4. Give a user-id to identify the key. The user-id has the format: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

5. Give your real name.

6. Here comes the most important part: the passphrase. Choose a passphrase that is known only to you, and make it difficult and unique. This passphrase is the only thing protecting your private key. Ideally, do not use dictionary words in the passphrase.

7. Congratulations! You have generated your key pair.

How to generate a Revocation Certificate in GPG?

The next important step is to generate a revocation certificate. Once you have generated a key pair, you should immediately create its revocation certificate. If your private key is stolen or lost, the revocation certificate lets you notify others that your public key should no longer be used. A revoked public key can still be used to verify signatures that were made on documents before the revocation.

To create the revocation certificate, use the following command:

# gpg --output revoke-cert.asc --gen-revoke <user-id>

Store the revocation certificate in a different place from your master key pair.

How to list GPG keys?

PGP has the concept of a keyring. To communicate with a group of people, you need their public keys in your keyring. To list the keys in your public keyring, type the following command:

# gpg --list-keys

Initially this will list only your own keys. Once you import someone else's public key into your keyring, it will be listed too.

How to export a GPG public key?

You need to export your public key to share it with others, so that they can add it to their keyring. To export your public key to a file, use the following command:

# gpg --output public-key.asc --export <user-id>

This exports the key in binary format, which is inconvenient at times. To export the key in ASCII-armored format, use the --armor option.

# gpg --armor --output public-key.asc --export <user-id>

This writes the key as ASCII text. If you open an exported public key in ASCII-armored format, you will see printable characters, but they are only a base64 encoding of the binary key material, not anything you can read directly.

How to export a GPG private key?

You can export your private key and keep it in a safe place. Use the following command for that:

# gpg --armor --output private-key.asc --export-secret-keys <user-id>

Make sure you keep it in a safe place and never share it with anyone.

How to import someone else's GPG public key into your own keyring?

To communicate with someone, you first need to import her public key into your keyring. To import another person's public key into your keyring, type the following command:

# gpg --import pub-key-jake.asc

If you now list the keys in your keyring with the --list-keys option, the imported key is shown as well.
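The steps above (key generation, revocation certificate, export, import and listing) run as one script, as an added example that is not part of the original post. It answers the interactive prompts non-interactively: the seven key-generation questions come from a batch parameter file, and the --gen-revoke prompts are fed through --command-fd. Everything happens in throwaway keyrings created with --homedir, so the user's real ~/.gnupg is never touched. The names "Alice Example" and "Bob", the e-mail address, the file names and the unprotected demo key (%no-protection, which stands in for the passphrase the post tells you to choose) are all constructed for this example; it assumes GnuPG 2.1 or later. Private-key export (--export-secret-keys) is deliberately left out.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Requires GnuPG 2.1+ (assumption).
set -eu

# Fresh, private GNUPGHOME so the demo never touches ~/.gnupg.
make_home() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    echo "$dir"
}

# Questions 1-7 of the post, answered from a batch parameter file.
# Prints the fingerprint of the new primary key.
gen_key() {  # gen_key HOME "Real Name" email bits
    gpg --homedir "$1" --batch --quiet --gen-key >/dev/null <<EOF
Key-Type: RSA
Key-Length: $4
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: $4
Subkey-Usage: encrypt
Name-Real: $2
Name-Comment: demo key
Name-Email: $3
Expire-Date: 1y
%no-protection
%commit
EOF
    gpg --homedir "$1" --batch --with-colons --list-keys "$3" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Revocation certificate. --gen-revoke refuses --batch, so the prompts are
# answered via --command-fd 0: confirm, reason 0 (none), empty note, confirm.
gen_revoke() {  # gen_revoke HOME fingerprint outfile
    printf 'y\n0\n\ny\n' | gpg --homedir "$1" --no-tty --yes --status-fd 2 \
        --command-fd 0 --output "$3" --gen-revoke "$2"
}

# ASCII-armored public key export, as in the post.
export_pub() {  # export_pub HOME fingerprint outfile
    gpg --homedir "$1" --batch --armor --output "$3" --export "$2"
}

# Import into another keyring, then list what that keyring now holds.
import_pub() {  # import_pub HOME file
    gpg --homedir "$1" --batch --quiet --import "$2"
}
first_fingerprint() {  # first_fingerprint HOME
    gpg --homedir "$1" --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Stop the per-homedir agent and delete the throwaway keyring.
cleanup() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# Full lifecycle: Alice generates a key and a revocation certificate, exports
# her public key, Bob imports it, and his keyring now lists her fingerprint.
# Prints Alice's fingerprint on success; fails if Bob's copy does not match.
demo() {  # demo [bits]   (the post recommends 4096)
    bits=${1:-4096}
    alice=$(make_home)
    bob=$(make_home)
    fpr=$(gen_key "$alice" "Alice Example" "alice@example.invalid" "$bits")
    gen_revoke "$alice" "$fpr" "$alice/revoke-cert.asc"
    # A revocation certificate is itself an armored public key block.
    grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$alice/revoke-cert.asc"
    export_pub "$alice" "$fpr" "$alice/public-key.asc"
    import_pub "$bob" "$alice/public-key.asc"
    bob_fpr=$(first_fingerprint "$bob")
    cleanup "$alice"
    cleanup "$bob"
    [ "$fpr" = "$bob_fpr" ] && echo "$fpr"
}

demo "${KEY_BITS:-4096}"
```

Run it as `KEY_BITS=2048 bash gpg-demo.sh` for a quicker run; the output is the 40-character fingerprint that both keyrings agree on. The revocation certificate ends up in the temporary directory only because this is a demo; in real use, store it away from the key pair, as the post says.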

Happy Communication!
