A Practical Guide to GPG – Part 1 Generate Your Keypair
This tutorial series will teach you how to use GPG in Linux terminal. I will not tell you a bunch of theory to overwhelm you. Instead, I show you quick and dirty examples to get you started, and explain the basic theory along the way.
This is part 1 of this series. At the end of this post, you should be able to generate your own public/private keypair and a revocation certificate. This certificate is used to revoke your public/private keypair when your private key is compromised or you forget the passphrase for your private key.
GPG can be used for encryption and for signing. This software is pre-installed on most Linux distributions. Currently the stable version is GPG 2.0. I’m using the modern version GPG 2.1 on archlinux. When it comes to security software, I always recommend installing the latest version.
Check Your GPG Version
First Let’s check out the version of GPG on your system and some interesting tidbits. The following is my GPG info.
[[email protected] ~]$ gpg --version gpg (GnuPG) 2.1.11 libgcrypt 1.6.4 Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2
As you can see, I’m using gpg 2.1.11 which is the latest version at the time of this writting (Feb 1, 2016). We also know that the config directory is ~/.gnupg. This directory will hold our public/private key files. The default option file is ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf. It also tells us what algorithms are supported.
If you look closely, you can see that the insecure hash algorithm SHA1 is still supported in version 2.1.11. SHA1 is obosolete and you don’t want to use it to generate signature.
Create Your Public/Private Key Pair and Revocation Certificate
Use gpg –full-gen-key command to generate your key pair.
[[email protected] ~]$ gpg --full-gen-key gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection?
It asks you what kind of key you want. Notice there’re four possiblities. The default is to create a RSA public/private key pair and also a RSA signing key. Let’s hit Enter to select the default.
RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)
Next it asks you the key length. The default is 2048 bits long. 1024 RSA key is obsolete. The longer 4096 RSA key will not provide more security than 2048 RSA key. So hit Enter to select the default.
Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0)2y
After that it asks you how long the key should be valid, 2 years is fine. You can always update the expiration time later on.
Key expires at Wed 31 Jan 2018 01:08:28 PM CST Is this correct? (y/N)y
Now it asks you if it’s correct. Notice that the default is No. So press y then Enter to confirm it’s correct.
GnuPG needs to construct a user ID to identify your key. Real name: Xiao Guoan Email address: [email protected] Comment:
And now we need to provide some user identification information for the key. This is important because this information will be included in our key. It’s one way of indicating who is owner of this key. The email address is a unique identifier for a person. You can leave Comment blank.
You selected this USER-ID: "Xiao Guoan <[email protected]>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Now it asks you to enter a passphrase to protect your private key. Enter a good and long passphrase and remember it. Because if you forget this passphrase, you won’t be able to unlock you private key.
Once you enter and confirm your passphrase. GPG will generate your keys.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
It will take a while for GPG to generate your keys. So you can now do other stuff.
It took about 4 minutes on my system to generate my key pair.
gpg: key 4F0BDACC marked as ultimately trusted gpg: directory '/home/matrix/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/matrix/.gnupg/openpgp-revocs.d/F0461D8F7F64F70A5BBED42E02C87F194F0BDACC.rev' public and secret key created and signed. gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: PGP gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2018-01-31 pub rsa2048/4F0BDACC 2016-02-01 [S] [expires: 2018-01-31] Key fingerprint = F046 1D8F 7F64 F70A 5BBE D42E 02C8 7F19 4F0B DACC uid [ultimate] Xiao Guoan <[email protected]> sub rsa2048/E02A4EED 2016-02-01  [expires: 2018-01-31]
This first line tells us that GPG created a unique identifier for public key. This unique identifier is in hex format. When someone wants to download you public key, they can refer to you public key via your email address or this hex value.
The third line tells us that GPG created a revocation certificate and its directory. Your should never share you private key with anyone. If you private key is compromised, you can use revocateion certificate to revoke your key. That means you tell the rest of the world that the old public key shall not be used any more. I recommend you to open this revocation certificate with your text editor to see what’s inside there.
Let’s look at the last three lines. They tell us the public key is 2048 bits using RSA algorithm. The public key ID 4F0BDACC matchs the last 8 bits of key fingerprint. The key fingerprint is a hash of your public key.
It also lists our user ID information: your name and your email address. And it also indicates the subkey which is 2048 bits using RSA algorithm and the unique identifier of the subkey.
Now you can find that there are two files created under ~/.gnupg/private-keys-v1.d/ directory. These two files are binary files with .key extension.
Export Your Public Key
Others need your public key to send encrypted message to you and only your private key can decrypt it. Use the following command to export your public key.
--armor option means that the output is ASCII armored. The default is to create the binary OpenPGP format.
user-id is your email address.
gpg --armor --export user-id > pubkey.asc
The exported public key is written to
Export Your Private Key
Issue the following command to export your private key.
gpg --export-secret-keys --armor user-id > privkey.asc
The exported key is written to
Protect Your Private Key and Revocation Certificate
Your private key should be kept in a safe place, like an encrypted flash drive. Treat it like your house key. Only you can have it and don’t lose it. And you must remember your passphrase, otherwise you can’t unlock your private key.
You should also protect your revocation certificate. If others have your revocation certificate, they can immediately revoke your public/private keypair and generate a fake public/priavte keypair.
In part 2 we will look at how to encrypt message with your public key and how to decrypt it with your private key. Take care!