GnuPG
GnuPG
Configuration
This configuration will ensure you are signed keys with SHA512 and that you are using up to date ciphering algorithms.
~/.gnupg/gpg.conf
# Suppress the initial copyright message no-greeting # Disable inclusion of the version string in ASCII armored output no-emit-version # Disable comment string in clear text signatures and ASCII armored messages no-comments # Refuse to run if GnuPG cannot get secure memory require-secmem # Long keyids are more collision-resistant than short keyids keyid-format 0xlong # List all keys along with their fingerprints with-fingerprint # Do not merge primary user ID and primary key in --with-colon # listing mode and print all timestamps as seconds since # 1970-01-01 fixed-list-mode # Show usage information for keys and subkeys in the standard key listing list-options show-usage # Show policy URLs in the --list-sigs or --check-sigs listings list-options show-policy-urls # Show all signature notations in the -list-sigs or --check-sigs listings list-options show-notations # Show any preferred keyserver URL in the --list-sigs or --check-sigs listings list-options show-keyserver-urls # Display the calculated validity of user IDs during key listings list-options show-uid-validity # Show revoked and expired user IDs in key listings list-options show-unusable-uids # Show revoked and expired subkeys in key listings list-options show-unusable-subkeys # Show signature expiration dates (if any) during --list-sigs or --check-sigs listings list-options show-sig-expire # Display any photo IDs present on the key that issued the signature verify-options show-photos # Show policy URLs in the signature being verified verify-options show-policy-urls # Show all signature notations in the signature being verified verify-options show-notations # Show any preferred keyserver URL in the signature being verified verify-options show-keyserver-urls # Display the calculated validity of the user IDs on the key that issued the signature verify-options show-uid-validity # Show revoked and expired user IDs during signature verification verify-options show-unusable-uids # Enable PKA lookups to verify sender addresses verify-options pka-lookups # Locate a key using DNS CERT, as specified in RFC4398 auto-key-locate cert # Locate a key using DNS PKA auto-key-locate pka # Locate a key using whatever keyserver is defined using the --keyserver option auto-key-locate keyserver # Use name as your keyserver keyserver http://keys.gnupg.net keyserver http://subset.pool.sks-keyservers.net # Automatically fetch keys as needed from the keyserver when verifying # signatures or when importing keys that have been revoked by a revocation # key that is not present on the keyring keyserver-options auto-key-retrieve # When searching, include keys marked as "revoked" on the keyserver keyserver-options include-revoked # If the key in question has a preferred keyserver URL, then use that preferred # keyserver to refresh the key from keyserver-options honor-keyserver-url # If auto-key-retrieve is set, and the signature being verified has a PKA # record, then use the PKA information to fetch the key keyserver-options honor-pka-record # Tell the keyserver helper program how long (in seconds) to try and perform # a keyserver action before giving up keyserver-options timeout=10 # To make use of the agent, you have to run an agent as daemon and use the option use-agent # This allows the user to safely override the algorithm chosen by the recipient # key preferences, as GPG will only select an algorithm that is usable by all recipients personal-cipher-preferences AES256 CAMELLIA256 AES192 CAMELLIA192 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 personal-compress-preferences ZLIB BZIP2 Uncompressed # This preference list is used for new keys and becomes the default for "setpref" in the edit menu default-preference-list AES256 CAMELLIA256 AES192 CAMELLIA192 SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 Uncompressed # Message digest algorithm used when signing a key cert-digest-algo SHA512 # Command line that should be run to view a photo ID photo-viewer feh --quiet --borderless --title 'GnupG KeyID 0x%K' -
~/.gnupg/gpg-agent.conf
# Set the minimal length of a passphrase min-passphrase-len 10 # Set the minimal number of digits or special characters required in a passphrase min-passphrase-nonalpha 3 # Ask the user to change the passphrase since the last change max-passphrase-days 90 # Enable the OpenSSH Agent protocol enable-ssh-support
Create keys
Considering you are using GnuPG 2.1.x
Main points here:
- Create a master key that can only certify sub keys
- Create one sub key per capabilities
- Use a short validity for subkey, you will be able to change the expiration date later
- Generate a revocation certification as soon as you can
Strong passphrase
Please use as much strong passphrase as you can, an interesting tool is pwqgen from http://www.openwall.com/passwdqc
Master key
IMPORTANT: Make sure Current allowed actions only contains Certify
$ gpg --full-gen-key --expert Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (9) ECC and ECC (10) ECC (sign only) (11) ECC (set your own capabilities) Your selection? 11 Possible actions for a ECDSA key: Sign Certify Authenticate Current allowed actions: Sign Certify (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? S Possible actions for a ECDSA key: Sign Certify Authenticate Current allowed actions: Certify (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? Q Please select which elliptic curve you want: (1) Curve 25519 (2) NIST P-256 (3) NIST P-384 (4) NIST P-521 (5) Brainpool P-256 (6) Brainpool P-384 (7) Brainpool P-512 Your selection? 1 Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 5y Key expires at Thu Aug 27 20:31:20 2020 IST Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Spank Me Email address: spank-me@example.org Comment: You selected this USER-ID: "Spank Me <spank-me@example.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key 0xDA21EEA505BCFD8C marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 2u gpg: depth: 1 valid: 2 signed: 0 trust: 1-, 0q, 0n, 0m, 1f, 0u gpg: next trustdb check due at 2016-10-01 pub ed25519/0xDA21EEA505BCFD8C 2015-08-29 [] [expires: 2020-08-27] Key fingerprint = B753 380A DF9D 4CEB 6C40 57E1 DA21 EEA5 05BC FD8C uid [ultimate] Spank Me <spank-me@example.org>
Create a signing sub key
IMPORTANT: Make sure Current allowed actions only contains Sign
$ gpg --expert --edit-key 0xDA21EEA505BCFD8C
Secret key is available.
pub ed25519/0xDA21EEA505BCFD8C
created: 2015-08-29 expires: 2020-08-27 usage: C
trust: ultimate validity: ultimate
[ultimate] (1). Spank Me <spank-me@example.org>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 11
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions: Sign
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? Q
Please select which elliptic curve you want:
(1) Curve 25519
(2) NIST P-256
(3) NIST P-384
(4) NIST P-521
(5) Brainpool P-256
(6) Brainpool P-384
(7) Brainpool P-512
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Mon Aug 28 20:35:48 2017 IST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub ed25519/0xDA21EEA505BCFD8C
created: 2015-08-29 expires: 2020-08-27 usage: C
trust: ultimate validity: ultimate
sub ed25519/0xF7AEBA108ED4B536
created: 2015-08-29 expires: 2017-08-28 usage: S
[ultimate] (1). Spank Me <spank-me@example.org>
gpg> saveCreate an encryption subkey
IMPORTANT: Make sure Current allowed actions only contains Encrypt
$ gpg --expert --edit-key 0xDA21EEA505BCFD8C
Secret key is available.
pub ed25519/0xDA21EEA505BCFD8C
created: 2015-08-29 expires: 2020-08-27 usage: C
trust: ultimate validity: ultimate
sub ed25519/0xF7AEBA108ED4B536
created: 2015-08-29 expires: 2017-08-28 usage: S
[ultimate] (1). Spank Me <spank-me@example.org>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 8
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? S
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? Q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Mon Aug 28 20:37:37 2017 IST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub ed25519/0xDA21EEA505BCFD8C
created: 2015-08-29 expires: 2020-08-27 usage: C
trust: ultimate validity: ultimate
sub ed25519/0xF7AEBA108ED4B536
created: 2015-08-29 expires: 2017-08-28 usage: S
sub rsa4096/0x1530C8C687B6B514
created: 2015-08-29 expires: 2017-08-28 usage: E
[ultimate] (1). Spank Me <spank-me@example.org>
gpg> saveCreate an authentication subkey
IMPORTANT: Make sure Current allowed actions only contains Authenticate
$ gpg --expert --edit-key 0xDA21EEA505BCFD8C
Secret key is available.
pub ed25519/0xDA21EEA505BCFD8C
created: 2015-08-29 expires: 2020-08-27 usage: C
trust: ultimate validity: ultimate
sub ed25519/0xF7AEBA108ED4B536
created: 2015-08-29 expires: 2017-08-28 usage: S
sub rsa4096/0x1530C8C687B6B514
created: 2015-08-29 expires: 2017-08-28 usage: E
[ultimate] (1). Spank Me <spank-me@example.org>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 11
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions: Sign
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? S
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions:
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? A
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? Q
Please select which elliptic curve you want:
(1) Curve 25519
(2) NIST P-256
(3) NIST P-384
(4) NIST P-521
(5) Brainpool P-256
(6) Brainpool P-384
(7) Brainpool P-512
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Mon Aug 28 20:44:55 2017 IST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub ed25519/0xDA21EEA505BCFD8C
created: 2015-08-29 expires: 2020-08-27 usage: C
trust: ultimate validity: ultimate
sub ed25519/0xF7AEBA108ED4B536
created: 2015-08-29 expires: 2017-08-28 usage: S
sub rsa4096/0x1530C8C687B6B514
created: 2015-08-29 expires: 2017-08-28 usage: E
sub ed25519/0xBD1A0E7154D62B03
created: 2015-08-29 expires: 2017-08-28 usage: A
[ultimate] (1). Spank Me <spank-me@example.org>
gpg> saveGenerate a revocation certificate
$ gpg --output GPG-0xDA21EEA505BCFD8C.asc --gen-revoke 0xDA21EEA505BCFD8C sec ed25519/0xDA21EEA505BCFD8C 2015-08-29 Spank Me <spank-me@example.org> Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision? 0 Enter an optional description; end it with an empty line: > Reason for revocation: No reason specified (No description given) Is this okay? (y/N) y ASCII armored output forced. Revocation certificate created.
IMPORTANT: Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: The print system of your machine might store the data and make it available to others!
Publish your keys
$ gpg --send-keys 0xDA21EEA505BCFD8C gpg: sending key 0xDA21EEA505BCFD8C to http server keys.gnupg.net
Get public key from another user
$ gpg --search-keys spank-you@example.org
Sign a key
First of all, you need to give a call to the person owning the key you want to sign. Ask him to give you the fingerprint and give it a manual check. An easy way for your peer to give you the fingerpint is to use the ICAO (International Civil Aviation Organization) code.
$ gpg --list-secret-keys --with-icao-spelling spank-you@example.org sec# ed25519/0xA3B5C016618D9AAA 2014-11-10 [C] [expires: 2019-11-09] Key fingerprint = D71B FE62 F66F 3C8B 1A25 A461 A3B5 C016 618D 9AAA "Delta Seven One Bravo Foxtrot Echo Six Two Foxtrot Six Six Foxtrot Three Charlie Eight Bravo One Alfa Two Five Alfa Four Six One Alfa Three Bravo Five Charlie Zero One Six Six One Eight Delta Niner Alfa Alfa Alfa"
You need to compare the given speech with your local version of the key:
$ gpg --list-public-keys --with-icao-spelling spank-you@example.org pub ed25519/0xA3B5C016618D9AAA 2014-11-10 [C] [expires: 2019-11-09] Key fingerprint = D71B FE62 F66F 3C8B 1A25 A461 A3B5 C016 618D 9AAA "Delta Seven One Bravo Foxtrot Echo Six Two Foxtrot Six Six Foxtrot Three Charlie Eight Bravo One Alfa Two Five Alfa Four Six One Alfa Three Bravo Five Charlie Zero One Six Six One Eight Delta Niner Alfa Alfa Alfa"
Once you have been able to verify the fingerprint, you can sign the key, otherwise delete the bad version of the key you have.
$ gpg --sign-key spank-you@example.org
pub ed25519/0xA3B5C016618D9AAA
created: 2014-11-10 expires: 2019-11-09 usage: C
trust: unknown validity: unknown
sub rsa4096/0x0308C025A303334F
created: 2015-08-20 expires: 2015-09-13 usage: E
[ unknown] (1). Spank You <spank-you@example.org>
pub ed25519/0xA3B5C016618D9AAA
created: 2014-11-10 expires: 2019-11-09 usage: C
trust: unknown validity: unknown
Primary key fingerprint: D71B FE62 F66F 3C8B 1A25 A461 A3B5 C016 618D 9AAA
Spank You <spank-you@example.org>
Are you sure that you want to sign this key with your
key "Spank Me <spank-me@example.org>" (0xDA21EEA505BCFD8C)
Really sign? (y/N) yThen share to the world the signature you have just made
$ gpg --send-keys spank-you@example.org gpg: sending key spank-you@example.org to http server keys.gnupg.net
Encrypt data
$ gpg --encrypt --sign --recipient spank-you@example.org --armor --output /tmp/very-secret-message.gpg /tmp/clear-text.txt