GPG - Sharing Public Keys

[last updated: 2023-12-15]
GnuPG encryption home page
-----

This page is mostly done, just a little thin in places ...

  • Remember: Files will be encrypted such that only the intended recipient can decrypt them.
    Therefore...
  • Public keys must be shared between message sender and recipient.
    • In order to encrypt a message, you must have the public key of the recipient.
    • In order to decrypt a message, you must have the public key of the sender.
    • Bottom line: in order to share encrypted messages with a person,
      each of you must have the public key of the other person.

    ------------------------------

  • To proceed from this point, you must have already created your public and private keys.

  • Share your public key with the person you're communicating with (both sender and recipient must perform these steps):
      1: export your public key out of your gpg program into a file
      2: give your public key (file) to your communication partner,
         and get your communication partner's public key
      3: verify the validity of any key you receive
      4: (you may) sign the key you've received
      5: import the public key that you received into your own gpg program
      ------------------------------

    • 1: export your public key out of the gpg program and into a file.
      •       $ gpg --export -a -o [ outputFileName ]
      • This command will create the file name you specify. The -o option (== the --output option) instructs gpg to write/create a file in your current directory.
        The -a option (== the --armor option) instructs gpg to create an ASCII (i.e. text) file of your public key.
        The created file will have a " .key " (I think?) extension. It is now ready to be sent to whoever you're communicating with.
      • This command assumes you only have one public key defined/installed in your system.
        In this case the --export will default to your (single) public key.
          If you have more than one, you will need to further specify which one you want to export.
          • $ gpg --export -a -o [ outputFileName ] [ keyid or uid search param ]
          • The keyid or uid search parameter can be any (unique) subset of either the keyid or the uid,
            e.g. the 8- or 16-hex-char keyid, username, real name, comment, email attached to the key, etc.

      ------------------------------

    • 2: share your public key:
      Get your public key into the hands of the person you're communicating with:
      Two ways to do this:
      • Give them (email attachment or whatever) the key file you exported
      • -or- Upload your key to a key server:
        • Public keyservers:
          • Public keyservers are online sites that maintain a collection of public keys.
            They typically (I'm guessing here...) identify a key owner by their email and/or name.
          • There are many keyserver sites, but AFAIK they all synchronize with each other,
            so they all contain the same data.
          • if you want your public key to be easily accessible to other people,
            then you must export/upload your public key to your choice of keyserver.
        • Upload your public key to a server:
                $ gpg --send-keys --keyserver pgp.mit.edu [ keyID? ]

        • Download the public key of the person you're communicating with from a server:
          • you can search, find, and download their key from the keyserver.
          • For example, if you choose to use the popular keyserver at mit.edu,
            then execute this command to find their public key:
              $ gpg --keyserver pgp.mit.edu --search-keys [ theirEmail ]
                  -or-
              $ gpg --keyserver pgp.mit.edu --search-keys [ their Name ]
          • The search command may return several possible matches for your search parameters.
            They'll be returned in a numbered list.
            Enter the number of the one you want, press Enter, and it will be downloaded and imported.
            Type "1" if there is only one match.
          • verify that the name and email address returned by the import command are what you expect.
            another method:
            gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --search username@domain.com

      ------------------------------

    • 3: verify the validity of the key you've received or downloaded:

      Verify Fingerprint:

      • The procedure is:
        You calculate, using gpg on your computer, a fingerprint from the key file that you download from the keyserver.
            $ gpg --fingerprint [ theirEmail ]
        The sender similarly calculates a fingerprint using gpg on their computer,
        then sends you the fingerprint they calculate.
        You compare the two fingerprints. If they match, you've validated their public key.

      ------------------------------

    • 4: Sign the key you've received or downloaded:
      • If you don’t sign their key, you can still use it to encrypt and decrypt their messages,
        but you will be prompted to confirm every time you use it because the key is unsigned.
      • Sign it with:
            $ gpg --sign-key [ theirEmail ]

      ------------------------------

    • 5: Import a public key into your gpg program:
      After you have downloaded (or otherwise received) a public key from someone,
      you must import it into your gpg program in order to use it:
            $ gpg --import [ keyFileName.key ]
        Verify that the name and email returned with the import command match the person who sent you the key file.

      ------------------------------
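      The whole exchange (steps 1, 3 and 5 above, plus the encrypt-to-recipient goal from the top of the page) run end to end, as an added example that is not from this page: two throwaway keyrings, "alice" and "bob", stand in for the two communication partners so it runs offline. It assumes gpg 2.1 or later (for --quick-generate-key); the names, emails and message are constructed for the demo.

```shell
# Added example, not from the original page. Assumes gpg 2.1+; the uids,
# homedirs and message below are constructed for the demo.
set -u

make_key() {  # $1 = homedir, $2 = user id; demo keys only: no passphrase
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2" default default never 2>/dev/null
}

# Step 3: the 40-hex-char fingerprint of the key matching a keyid/uid search
# param, read from gpg's machine-readable (--with-colons) output.
fingerprint() {  # $1 = homedir, $2 = search param (an email here)
  gpg --homedir "$1" --with-colons --fingerprint "$2" 2>/dev/null \
    | awk -F: '/^fpr:/ { print $10; exit }'
}

cleanup() {  # stop the per-homedir agents and delete the temp keyrings
  for d in "$@"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null; rm -rf "$d"; done
}

# Alice exports her key, Bob imports it, checks it against the fingerprint
# Alice reported out-of-band, then encrypts a message only Alice can decrypt.
# Returns 0 on success, 1 on a fingerprint mismatch or a failed round trip.
share_key_demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 0; }
  alice=$(mktemp -d); bob=$(mktemp -d)
  make_key "$alice" "Alice Demo <alice@example.com>"
  make_key "$bob"   "Bob Demo <bob@example.com>"

  # Step 1: ASCII-armored export, selecting the key by the email on its uid.
  gpg --homedir "$alice" --export -a -o "$alice/alice.asc" alice@example.com 2>/dev/null
  # Step 5: Bob imports the file he was given.
  gpg --homedir "$bob" --batch --import "$alice/alice.asc" 2>/dev/null

  # Step 3: what Alice reads off her own keyring must equal what Bob computes.
  expected=$(fingerprint "$alice" alice@example.com)
  got=$(fingerprint "$bob" alice@example.com)
  if [ -z "$expected" ] || [ "$expected" != "$got" ]; then
    echo "fingerprint mismatch: do not use this key"; cleanup "$alice" "$bob"; return 1
  fi

  # Bob has not signed the key (step 4), so --batch would refuse to encrypt
  # to it; --trust-model always stands in for that signature in this demo.
  echo "hello alice" \
    | gpg --homedir "$bob" --batch --trust-model always -r alice@example.com -e 2>/dev/null \
    | gpg --homedir "$alice" --batch --quiet -d 2>/dev/null | grep -q '^hello alice$'
  rc=$?
  cleanup "$alice" "$bob"
  return "$rc"
}
```

Run it with `sh demo.sh && echo verified`; a mismatch between the two fingerprints (or a key that cannot decrypt the message) makes it return 1.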