Gpg: Difference between revisions
Line 211: | Line 211: | ||
gpg --sign-key <key_id> |
gpg --sign-key <key_id> |
||
gpg --keyserver hera.be-leu01.nxp.com --send-keys <key_id> |
gpg --keyserver hera.be-leu01.nxp.com --send-keys <key_id> |
||
</source> |
|||
== Changing primary ID (eg. new professional activity) == |
|||
<source lang=bash> |
|||
gpg --list-key # Find your key |
|||
gpg --list-key Mylastname |
|||
gpg --list-sig Mylastname |
|||
gpg --edit-key Mylastname |
|||
> help |
|||
> list |
|||
> adduid |
|||
# Real name: Myfirstname Mylastname |
|||
# Email address: myfirstname.mylastname@mycompany.com |
|||
# Comment: |
|||
# ... |
|||
> uid 1 # Select old id |
|||
> revuid |
|||
# Really revoke this used ID? (y/N) y |
|||
# ... |
|||
> uid 5 # Select new id |
|||
> primary |
|||
</source> |
</source> |
Revision as of 05:48, 10 April 2015
Cheat sheet from Hera, by Philippe Teuwen.
setting this keyserver as default
- Edit {{file:~/.gnupg/gpg.conf}:
keyserver hkp://hera.be-leu01.nxp.com
If you do so you won't need to specify the keyserver manually anymore as option in the commands given in the next sections.
- On WinPT
- "Keyserver" menu → right-click somewhere in the white area → "Add" -> HKP Keyserver, Hostname: hera.be-leu01.nxp.com, Port: 11371 → "Add" → Select your keyserver and press "Set default".
- If you've previously set a proxy, be sure it's disabled (cf "Change proxy")
encrypting (and signing) a file
gpg [[--local-user|-u <yourself@nxp.com>] --sign|-s] # if you want to sign (opt with another key than your main key)
[--armor|-a] # if you want to armor (ASCII) the output, else it's binary
--encrypt|-e
--recipient|-r <someone@nxp.com>
[--encrypt-to <second_recipient@nxp.com>] # if you want other people to be able to decrypt as well
[--encrypt-to <yourself@nxp.com>] # if you want yourself to be able to decrypt as well
[--output|-o <file.asc>]
<file>
decrypting (and verifying) a file
gpg [--decrypt|-d]
[--output|-o <file>]
<file.asc>
So, yes, without any option gpg will decrypt/verify.
searching a key on the keyserver
gpg --keyserver hera.be-leu01.nxp.com
--search <someone> # search only on full words
From here you can directly import a key by providing its numeral (1, 2, 3...)
importing a key from the keyserver
gpg --keyserver hera.be-leu01.nxp.com
--recv-keys <key_id> # key-id is the last 8 bytes of the fingerprint
exporting a key to the keyserver
gpg --keyserver hera.be-leu01.nxp.com
--send-keys <key_id> # key-id is the last 8 bytes of the fingerprint
importing a key from a file
gpg --import <pubkey.asc>
exporting your publickey to a file
gpg --armor|-a --output|-o <yourpubkey.asc> --export <yourself@nxp.com>
gpg --fingerprint <yourself>|grep -i fingerprint
printing the fingerprint of an exported keyfile
gpg --with-fingerprint <exported_keyfile>|grep -i fingerprint
signing a key (see also below)
gpg --sign-key <someone>
Then you can upload it to the keyserver
- On WinPT
When signing, don't forget to un-check the "Sign local only" box otherwise your signature cannot be exported to the server.
trusting a key owner
How far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.)
gpg --edit-key <someone>
Command> trust => Choose the proper trust level Command> quit => save changes
Remember that trust is not exported and purely local
revoking a subkey or a UID (old email address,...)
gpg --edit-key <yourself>
=> select UID(s) or subkey(s) by its numeral: 1, 2, 3... Command> uid/key <n> Command> revuid/revkey Command> quit => save changes
Then you can upload it to the keyserver
extracting a session key
If you're forced to by a decryption order...
gpg --show-session-key --output|-o /dev/null <encrypted_file>
This will give you a long string: the session key. It can be used to decrypt that file
gpg --override-session-key <9:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF> <encrypted_file>
Installing GnuPG software
- Under linux
- gnupg and many frontends are available for your favorite distribution
- quintuple-agent helps caching the passphrase
- gnupg can be configured through ~/.gnupg/gpg.conf with e.g.
keyserver hera.be-leu01.nxp.com encrypt-to <yourself>
- Under Windows
You can install everything at once via http://www.gpg4win.org Choose to install the following when prompted:
- GnuPG, of course
- WinPT, a GUI frontend offering a keyring manager and file en/decryption manager
- GPA, the Gnu Privacy Assistant, another keyring manager and file en/decryption manager
- GPGee, for integration of the gpg tools in the Windows Explorer
- Possibly GPGol or Claws if you use another MUA than Lotus Notes...
Creating keys
Creating fresh keys
Choose preferably RSA keys >= 2048 bits.
E.g. create first a RSA key for signing only then add a RSA encryption key:
gpg --expert --gen-key
# => RSA (sign only)
# => 2048 or bigger
# => validity: forever is ok
# => your name & email
# => choose a strong passphrase and be sure not to forget it!
gpg --edit-key <yourself>
# Command> addkey
# => re-type your passphrase
# => RSA (encrypt only)
# => 2048 or bigger
# => validity: forever is ok
# Command> quit
# => save changes
Importing a secret key from PGP
If you've already a PGP key you can import it into GnuPG: Under PGP, choose to export your key and ack to export also the secret key, tell where to put your ascii file, e.g. mykey.asc With GnuPG, import the ascii file with the following command:
gpg --import --allow-secret-key-import < <mykey.asc>
Recovering a public key from a secret key
In case you destroyed your public key and cannot fetch it from the keyserver, you can reconstruct it:
gpg --export-secret-key <myname> | gpgsplit --no-split --secret-to-public |gpg import
Generating a revocation certificate, just in case...
Print it and keep it safe in case your key is compromised or you definitively forgot your passphrase:
gpg --gen-revoke <yourself>
Verifying a download using signature
Reference [1]
gpg --verify signaturefilename
If you get an error message about the key not found, get the key first
# gpg: Signature made Sun 28 Jun 2009 02:20:52 BST using DSA key ID 2F9532C8
# gpg: Can't check signature: public key not found
gpg --recv-keys 2F9532C8 # If needed, EDIT ~/.gnupg/gpg.conf to add/select the correct keyserver
Otherwise, if the key is found, and signature is good you should get:
gpg: Signature made Sun 28 Jun 2009 02:20:52 BST using DSA key ID 2F9532C8 gpg: Good signature from "Guillermo Gonzalez < guillermo.gonzalez@canonical.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: CDD8 87C2 C5CE CD1A C593 8EEF 698A D97E 2F95 32C8
Then, go check the key fingerprint. If needed, adapt key trust, or sign the key.
Signing keys the right way
Signing keys involve more than a few GPG commands as it implies trust. Get the public key of someone, either via keyserver or import file
- Get the owner of the key in contact with you
- Verify his identity (authenticate the owner)
- Show him the fingerprint of his key from your computer (when you want to sign the soft will show you the fingerprint)
- He must verify his fingerprint and make sure you are about to sign *his* key (the owner authenticates his key)
- Sign the key, in an exportable way
- Send the signed key to the server
Skipping the social aspect, a signature via gpg will look like:
gpg --keyserver hera.be-leu01.nxp.com --search <someone>
# either import interactively the key or find the key_id and get it:
gpg --keyserver hera.be-leu01.nxp.com --recv-keys <key_id>
gpg --sign-key <key_id>
gpg --keyserver hera.be-leu01.nxp.com --send-keys <key_id>
Changing primary ID (eg. new professional activity)
gpg --list-key # Find your key
gpg --list-key Mylastname
gpg --list-sig Mylastname
gpg --edit-key Mylastname
> help
> list
> adduid
# Real name: Myfirstname Mylastname
# Email address: myfirstname.mylastname@mycompany.com
# Comment:
# ...
> uid 1 # Select old id
> revuid
# Really revoke this used ID? (y/N) y
# ...
> uid 5 # Select new id
> primary