GPG - Generate Public & Private Keys

[last updated: 2023-07-11]
GnuPG encryption home page
-----

This page still in development ...

  • See below for Fingerprint
    and for Revocation Certificate.
    -------------------------------------------------

  • Do you have any keys defined/installed on this computer?
    • $ gpg --list-keys --keyid-format LONG [ optional search parameter ]
      • This command lists all the public keys you've generated on, or imported into, this computer's keyring.
      • The search parameter can be the email associated with the key, the name or a substring of the comment field,
        the short or long key id, or the fingerprint ... or nothing, which lists every key.
      • Command output will be of the form:
            pub rsa3072/CF6182CBCA2B4D43 2023-07-07 [SC] [expires: 2023-07-14]
                D7CDDD102502B7E2280F8976CF6182CBCA2B4D43
            uid [ultimate] jrabe1 (GPG-1) <jayrabe1@hotmail.com>
            sub rsa3072/C30A196DFC99D170 2023-07-07 [E] [expires: 2023-07-14]
        • "pub" marks the first line as the primary public key; rsa3072 is its algorithm and size in bits.
        • The "CF6182CBCA2B4D43" following rsa3072 is the 16-hex-char "long key id."
          It is the last 16 hex chars of the fingerprint.
        • The last half of that, the 8-hex-char "CA2B4D43", is the "short key id," i.e. the last 8 hex chars of the fingerprint.
          Short ids collide easily and have been forged deliberately; identify keys by the full fingerprint (or at least the long id), never by the short id.
        • "[SC]" says the primary key is usable for Signing and Certification (certifying your user ids and subkeys, and other people's keys).
        • "uid" is a user id: the trust/validity value in brackets, then the "real name", the comment field in parentheses, and the email.
        • The "D7CDDD..." line is the 40-hex-char fingerprint of the primary key.
        • "sub" is a subkey. The 16 hex chars after rsa3072 are that subkey's own long key id (C30A196DFC99D170), not the primary key's;
          a subkey has its own fingerprint, and its id is the last 16 hex chars of that fingerprint.
        • "[E]" marks this subkey as the Encryption key.

        • An expired or revoked subkey is hidden from the listing by default, so the "sub" line disappears;
          add --list-options show-unusable-subkeys to see it. An expired primary key is still listed, with [expired: ...] in place of [expires: ...].
          Note that "sub" is not the secret key; it is the public half of the subkey.
    • $ gpg --list-secret-keys --keyid-format long
      lists only the keys for which you also hold private key material. The output has the same layout,
      except the first line is labeled "sec" instead of "pub" and the subkey line "ssb" instead of "sub".
      A "#" after sec or ssb (e.g. "sec#") means the private part is not present on this machine (only a stub is),
      and a ">" means it lives on a smartcard.
      ----------------------------
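When a script needs to read a key listing, it should use gpg's colon-separated machine format (gpg --list-keys --with-colons) rather than the human layout above, whose spacing and wording change between versions and locales. The following is an added example, not code from the page or from GnuPG: it parses such a listing, re-creates the human layout shown above from it, and checks the relationship the text describes (each long key id is the last 16 hex chars of its own fingerprint). The listing is a constructed sample modelled on the page's key; the subkey fingerprint is invented for illustration, with only its last 16 hex digits taken from the page.

```python
"""Parse gpg --list-keys --with-colons output and cross-check key ids against fingerprints.

Added example (not part of the original page or of GnuPG). Field positions follow
GnuPG's doc/DETAILS: field 1 record type, 2 validity, 3 key length, 4 algorithm,
5 key id, 6 creation, 7 expiry (seconds since epoch), 10 user id or fingerprint,
12 capabilities (lowercase = this key's own, uppercase = usable on the whole key).
"""
from datetime import datetime, timezone

# Constructed sample listing modelled on the page's key. The uid hash (field 8) and
# the first 24 hex digits of the subkey fingerprint are invented for illustration.
SAMPLE_LISTING = """\
tru::1:1688688000:1689292800:3:1:5
pub:u:3072:1:CF6182CBCA2B4D43:1688688000:1689292800::u:::scESC::::::23::0:
fpr:::::::::D7CDDD102502B7E2280F8976CF6182CBCA2B4D43:
uid:u::::1688688000::0123456789ABCDEF0123456789ABCDEF01234567::jrabe1 (GPG-1) <jayrabe1@hotmail.com>::::::::::0:
sub:u:3072:1:C30A196DFC99D170:1688688000:1689292800:::::e::::::23:
fpr:::::::::0011223344556677889900AAC30A196DFC99D170:
"""

ALGO_NAMES = {1: "rsa", 16: "elg", 17: "dsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}
TRUST = {"u": "ultimate", "f": "full", "m": "marginal", "n": "never",
         "e": "expired", "r": "revoked", "-": "unknown", "q": "undefined"}


def _date(epoch_field: str) -> str:
    """Colon-mode dates are seconds since the Unix epoch; an empty field means 'never'."""
    if not epoch_field:
        return ""
    return datetime.fromtimestamp(int(epoch_field), timezone.utc).strftime("%Y-%m-%d")


def _key_record(f: list) -> dict:
    return {"id": f[4], "validity": f[1], "length": int(f[2]), "algo": int(f[3]),
            "created": _date(f[5]), "expires": _date(f[6]), "caps": f[11], "fpr": None}


def parse_listing(text: str) -> list:
    """Return one dict per primary key, with its uids and subkeys attached."""
    keys = []
    current = None       # the pub/sec record currently being filled in
    last_key_rec = None  # the pub or sub record that the next fpr record belongs to
    for line in text.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype in ("pub", "sec"):
            current = _key_record(f)
            current.update({"uids": [], "subkeys": []})
            keys.append(current)
            last_key_rec = current
        elif rtype in ("sub", "ssb") and current is not None:
            sub = _key_record(f)
            current["subkeys"].append(sub)
            last_key_rec = sub
        elif rtype == "fpr" and last_key_rec is not None:
            last_key_rec["fpr"] = f[9]
        elif rtype == "uid" and current is not None:
            current["uids"].append({"validity": f[1], "uid": f[9]})
        # tru, grp and other record types carry nothing we need here
    return keys


def short_id(long_id: str) -> str:
    """The short key id is simply the last 8 hex chars of the long id (and of the fingerprint)."""
    return long_id[-8:]


def check_key_ids(key: dict) -> list:
    """Every key id must be the tail of its own fingerprint; anything else means a corrupt or forged listing."""
    problems = []
    for k in [key] + key["subkeys"]:
        if k["fpr"] is None or len(k["fpr"]) != 40:
            problems.append(f"{k['id']}: missing or malformed fingerprint")
        elif k["fpr"][-16:] != k["id"]:
            problems.append(f"{k['id']}: long id does not match fingerprint {k['fpr']}")
    return problems


def render_human(key: dict) -> list:
    """Re-create the gpg --list-keys --keyid-format LONG layout from the parsed records."""
    def line(label: str, k: dict) -> str:
        own_caps = "".join(c.upper() for c in k["caps"] if c.islower())  # e.g. scESC -> SC
        exp = f" [expires: {k['expires']}]" if k["expires"] else ""
        if k["validity"] == "e":
            exp = f" [expired: {k['expires']}]"
        algo = ALGO_NAMES.get(k["algo"], "algo" + str(k["algo"]))
        return f"{label} {algo}{k['length']}/{k['id']} {k['created']} [{own_caps}]{exp}"

    out = [line("pub", key), "    " + (key["fpr"] or "")]
    out += [f"uid [{TRUST.get(u['validity'], u['validity'])}] {u['uid']}" for u in key["uids"]]
    out += [line("sub", s) for s in key["subkeys"]]
    return out


if __name__ == "__main__":
    for key in parse_listing(SAMPLE_LISTING):
        print("\n".join(render_human(key)))
        print("short id:", short_id(key["id"]), "problems:", check_key_ids(key) or "none")
```

In a real script, feed `parse_listing` the output of `gpg --list-keys --with-colons` (or `--list-secret-keys --with-colons` for sec/ssb records); the same parser handles both because it only distinguishes record types.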

    • Edit details of a key with this:
        $ gpg --edit-key [ key ID ]
      This opens an interactive prompt. Commands such as expire, adduid, addkey and passwd change the key;
      nothing is written until you type save (quit discards the changes).

      -------------------------------------------------

    • Generate public and private keys - Three methods:
      See: https://itslinuxfoss.com/generate-pgp-keys-with-gpg/
      • First method (recommended):
        • This is the fully interactive method: it prompts you for every option
          (key type, key size, validity period, user id, passphrase).
              $ gpg --full-generate-key
        • Enter "1" to select the default key type, "RSA and RSA": an RSA primary key for signing and certification
          plus an RSA subkey for encryption. That is the default in GnuPG 2.2 (which produced the rsa3072 keys shown on this page);
          GnuPG 2.3 and later default to ECC (Curve25519) and number the menu differently, so read the prompt rather than typing "1" blindly.
          Press Enter to accept the default bit length (3072 in GnuPG 2.2).
          Enter how long the key should be valid:
              a plain number is a number of days (e.g. "7"),
              a number with a suffix is weeks, months or years ("1w", "6m", "2y"), as the prompt explains,
              and "0" means the key never expires. Prefer an expiry; it can be extended later with --edit-key, while a key that
              never expires stays valid forever if you lose the revocation certificate.
          Enter "y" to confirm.
          Enter your name, email and (optionally) a comment.
          Enter your desired passphrase.
            The passphrase has nothing to do with the key material itself; it only encrypts the private key while it sits on disk,
            and is what protects you if someone copies your ~/.gnupg directory or a backup of it.
            gpg accepts a short or even empty passphrase (with a warning), but treat it like any other master password: long and unique.
        • The printout from executing this command will tell you:
            gpg: key CF6182CBCA2B4D43 marked as ultimately trusted
            gpg: revocation certificate stored as '/home/jay/.gnupg/openpgp-revocs.d/D7CDDD102502B7E2280F8976CF6182CBCA2B4D43.rev'
            public and secret key created and signed.
            pub rsa3072 2023-07-07 [SC] [expires: 2023-07-14]
            D7CDDD102502B7E2280F8976CF6182CBCA2B4D43
            uid jay rabe
            The "D7CDDD1..." is the fingerprint of my public key.
            The "CF618..." is the long "key ID", the last 16 hex chars of that fingerprint.
            Note that a revocation certificate was created automatically, named after the fingerprint (see Revocation certificate below).

        -------------------------------------------------

      • Second method:
        •     $ gpg --quick-generate-key [user]
          The argument is the user id. Any name works, but "Your Name <you@example.com>" is the usual form,
          since the email is what lets other people find and select your key.
          Key type, usage and expiry take GnuPG's defaults unless you supply them as further arguments
          (the full form is --quick-generate-key USER-ID [ALGO [USAGE [EXPIRE]]]).
          Enter "Y" to confirm and proceed.
        • Enter your desired passphrase, then enter it again to confirm when prompted.
        • gpg may ask you to type random keys or move the mouse while it generates the key; this feeds the kernel's
          entropy pool it draws from. On a modern kernel the pool is normally already full and generation finishes on its own.

        -------------------------------------------------

      • Third method:
        • $ gpg --gen-key
          This command is not obsolete; in GnuPG 2.1 and later it generates a key with the default type, size and expiry
          and asks only for name, email and passphrase. The fully interactive dialog it used to offer moved to --full-generate-key.

      -------------------------------------------------

    • Revocation certificate:
      If your private key becomes known to others (or you lose the key or its passphrase), you need to disassociate the old key from your identity.
      The revocation certificate allows you to do that: import it into your keyring (gpg --import) and then publish the now-revoked public key
      to wherever people get your key (keyserver, website, or directly to your contacts). Their gpg will then show the key as [revoked]
      and refuse to encrypt to it or trust its signatures from that point on.
      GnuPG 2.1 and later create the certificate for you at key generation, as ~/.gnupg/openpgp-revocs.d/<FINGERPRINT>.rev
      (see the printout above); --gen-revoke creates one by hand for an existing key.
      The stored .rev file has a ":" inserted in front of the "-----BEGIN PGP PUBLIC KEY BLOCK-----" line so it cannot be imported by accident;
      the comment in the file tells you to remove that colon with a text editor before importing and publishing it.
      Anyone holding this file can revoke your key without knowing your passphrase. As such it is a powerful tool and must be guarded as carefully
      as the private key itself, ideally as a printed or offline copy kept separate from the key, so a stolen laptop does not hand over both.
      ----------------------------------------
      ----------------------------------------

    • Generate a Fingerprint:
      • The fingerprint is like a checksum over the public key. It is used to verify the integrity/authenticity of public keys, whether yours or someone you're communicating with.
        Every key has a fingerprint from the moment it is created; "--full-generate-key" prints it (see above), so there is nothing extra to generate.
        Give it to the people you communicate with over a channel an attacker cannot tamper with (in person, printed on a card, read over the phone),
        so they can check that the public key they downloaded under your name is really yours.
        Likewise, get the fingerprint of their public key the same way and compare it before you trust their key.

      • Here's how the fingerprint works:
        • For the version-4 keys GnuPG creates by default, the fingerprint is the SHA-1 hash of the public-key packet:
          the byte 0x99, a two-byte length, then the packet body (key version, creation time, algorithm, and the public key material).
          SHA-1 produces 160 bits = 40 hex characters, which gpg prints as 10 groups of 4 hex characters.
            eg:
            ABC4 4563 F456 56FD 6C7E 973F DD5F A33A 4FF1 04AB
          The long key id is the last 16 of those hex characters and the short key id the last 8, so both are just truncations of the fingerprint.
          (Version-5 keys, optional in GnuPG 2.3 and later, use SHA-256 instead; the principle is the same.)
        • Because the hash covers the whole public key, anyone holding a copy of your public key computes exactly the same fingerprint on their computer.
          If the fingerprint they compute matches the one you gave them out of band, they hold your unmodified key; if it differs in even one character,
          they have a different or tampered key. Two different keys with the same fingerprint would require a SHA-1 collision, whereas short key ids
          (8 hex chars) have been collided deliberately in practice, which is why a short id must never be used to identify a key.

      • There are several ways to display a fingerprint:
        •     $ gpg --fingerprint
          Lists every public key in your keyring together with its fingerprint (the same listing as --list-keys, with the fingerprint line added).
        •     $ gpg --fingerprint [ keyOwnerEmail ]
        •     $ gpg --fingerprint [ keyOwnerName ]
          Filters the listing by email, name, comment or key id, exactly like the search parameter of --list-keys.
          To check a key you received as a file before importing it, recent GnuPG versions also offer --show-keys, which prints the same
          information for a key file without touching your keyring.

        ----------------------------------------
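To make the "how the fingerprint works" explanation concrete, here is an added example that is not code from the page or from GnuPG: it builds a version-4 RSA public-key packet, computes its fingerprint exactly as RFC 4880 section 12.2 specifies (SHA-1 over 0x99, a two-octet length and the packet body), derives the long and short key ids from it, and shows that the same fingerprint comes out whether the packet was exported with a one-byte or a two-byte length header, while flipping a single bit of the key changes it. The RSA modulus is a constructed 128-bit number used only to exercise the packet layout; it is not a real or usable key.

```python
"""OpenPGP version-4 fingerprint computation, written out by hand.

Added example, not part of the original page or of GnuPG. Follows RFC 4880:
section 5.5.2 for the public-key packet body, section 4.2 for the old-format
packet header, and section 12.2 for the fingerprint and key id derivation.
"""
import hashlib
import struct

# Constructed, deliberately tiny RSA public key (NOT a real key; real moduli are 2048+ bits).
SAMPLE_N = 0xD1B2A3C4E5F60718293A4B5C6D7E8F91
SAMPLE_E = 65537
SAMPLE_CREATED = 1688688000  # 2023-07-07 00:00:00 UTC, the creation date of the page's key


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-byte bit count, then the big-endian magnitude."""
    if value == 0:
        return b"\x00\x00"
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 public-key packet: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || two-octet body length || body, as 40 upper-case hex characters.

    The 0x99 and two-octet length are part of the definition: they are hashed even if the
    packet on disk used a different header encoding.
    """
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fpr: str) -> str:
    """Low 64 bits of the fingerprint = last 16 hex characters."""
    return fpr[-16:]


def short_key_id(fpr: str) -> str:
    """Low 32 bits of the fingerprint = last 8 hex characters (too short to be trusted)."""
    return fpr[-8:]


def pretty(fpr: str) -> str:
    """The 10 groups of 4 that gpg --fingerprint prints."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def export_public_key_packet(body: bytes, length_size: int = 2) -> bytes:
    """Old-format packet header for tag 6 (public key) with a 1-, 2- or 4-byte length.

    0x99 is the common case: bits 10 (old format), tag 0110, length type 01 (two octets).
    """
    length_type = {1: 0, 2: 1, 4: 2}[length_size]
    header = bytes([0x80 | (6 << 2) | length_type]) + len(body).to_bytes(length_size, "big")
    return header + body


def first_packet_body(data: bytes) -> bytes:
    """Parse the first old-format packet, insist it is a public-key packet, and return its body."""
    tag_byte = data[0]
    if tag_byte & 0xC0 != 0x80:
        raise ValueError("not an old-format packet header")
    tag = (tag_byte >> 2) & 0x0F
    if tag != 6:
        raise ValueError(f"expected public-key packet (tag 6), got tag {tag}")
    length_size = {0: 1, 1: 2, 2: 4}.get(tag_byte & 0x03)
    if length_size is None:
        raise ValueError("indeterminate-length packets are not supported here")
    length = int.from_bytes(data[1:1 + length_size], "big")
    start = 1 + length_size
    if len(data) < start + length:
        raise ValueError("truncated packet")
    return data[start:start + length]


def fingerprint_report(export: bytes) -> dict:
    """What gpg --fingerprint would tell you about an exported public key."""
    fpr = v4_fingerprint(first_packet_body(export))
    return {"fingerprint": fpr, "pretty": pretty(fpr),
            "long_id": long_key_id(fpr), "short_id": short_key_id(fpr)}


def verify_fingerprint(export: bytes, expected: str) -> bool:
    """Compare a received key against a fingerprint obtained out of band (spaces and case ignored)."""
    return fingerprint_report(export)["fingerprint"] == expected.replace(" ", "").upper()


if __name__ == "__main__":
    export = export_public_key_packet(v4_rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E))
    report = fingerprint_report(export)
    print("fingerprint:", report["pretty"])
    print("long id:", report["long_id"], "short id:", report["short_id"])
    tampered = export[:-1] + bytes([export[-1] ^ 0x01])  # flip one bit of the public exponent
    print("tampered copy verifies:", verify_fingerprint(tampered, report["fingerprint"]))
```

`verify_fingerprint` is the check a recipient performs: the fingerprint you handed them (any spacing, any case) against the key they actually received. A one-bit change anywhere in the key material yields an unrelated fingerprint, which is exactly why the comparison must be made against a value obtained over a channel the attacker did not control.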

      -------------------------------------------------