How To Set up GPG

25 Oct 2023 - rich

It has been a while since I last set up my GPG keys. I am going through the process again so that I can ask some of my friends and co-workers to sign my keys for me. Because environments vary, I am going to skip how to install GPG, other than providing a link to some information that might get you started.
I am assuming here that you already have GPG installed.

Gnu Privacy Guard (GPG)

Installation (sorta)

Most Linux distributions already have this installed. If not, it is as simple as using your package manager to install the package gnupg (named gnupg2 on the RHEL family).

e.g. to install on Rocky/Alma/CentOS:

sudo dnf install gnupg2

For Windows, that is something more alien to me… follow the directions.

You can also check here for images and tools to download…

Installation Binaries

GnuPG binary releases

In general we do not distribute binary releases but leave that to the common Linux distributions. However, for some operating systems we list pointers to readily installable releases. We cannot guarantee that the versions offered there are current. Note also that some of them apply security patches on top of the standard versions but keep the original version number.

OS	Where	Description
Linux	download  sig	GnuPG Desktop® AppImage with the current GnuPG
Windows	Gpg4win	Full featured Windows version of GnuPG
 	download sig	Simple installer for the current GnuPG
 	download sig	Simple installer for GnuPG 1.4
OS X	Mac GPG	Installer from the gpgtools project
 	GnuPG for OS X	Installer for GnuPG
Debian	Debian site	GnuPG is part of Debian
RPM	rpmfind	RPM packages for different OS
Android	Guardian project	Provides a GnuPG framework
VMS	antinode.info	A port of GnuPG 1.4 to OpenVMS
RISC OS	home page	A port of GnuPG to RISC OS

Generate your own GPG Key

If you are just working through the setup and have only just verified or installed GPG, the next step is to generate your own GPG key…

$ gpg --full-generate-key

gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card

Your selection? 1

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (3072) 4096

Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y

Key expires at Fri 25 Oct 2024 02:02:28 PM EDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Enter Your Real Name Here
Email address: your@email-address.com

Comment:
You selected this USER-ID:
    "Your Real Name Here<you@email_address.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/<user-id>/.gnupg/trustdb.gpg: trustdb created
gpg: key XXXXXXXXXXXX marked as ultimately trusted
gpg: directory '/home/<user-id>/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/<user-id>/.gnupg/openpgp-revocs.d/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.rev'
public and secret key created and signed.

pub   rsa4096 2023-10-26 [SC] [expires: 2024-10-25]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                      Your Real Name <you@your-email-address.com>
sub   rsa4096 2023-10-26 [E] [expires: 2024-10-25]

Generate Revocation Certificate Now - Not Later

You will want to create your revocation certificate now… not later! Don’t wait until you have a problem and need to try to remember what to do or how to create your revocation certificate or where that information is.

Also, you will want to restrict access by changing the permissions on this file, and then perhaps save the file somewhere safe where only you will have access to it.

After you have created and saved your revocation certificate, if you should need it (because you want to revoke your certificate), then just use this… that is all you need to do.

$ gpg --output ./revocation___.crt --gen-revoke your-email@email-example.com


sec  rsa4096/XXXXXXXXXXXXXXXX 2023-XX-XX <your real name> <your-email@address.com>

Create a revocation certificate for this key? (y/N) y

Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 0

Enter an optional description; end it with an empty line:
> revoke my certificate 
>
Reason for revocation: No reason specified
revoke <your-email@address.com> 2023-XX-XX

Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
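
One way to apply the permission advice above, as an added example that is not part of the original post. The function names has_loose_perms and lock_down_revocs are hypothetical; the openpgp-revocs.d directory and the .rev files are the ones gpg reported creating during key generation.

```sh
#!/bin/sh
# Added example: make revocation certificates readable by their owner only.

# has_loose_perms PATH
# Succeeds when group or other hold any permission bit on PATH.
has_loose_perms() {
    # ls -ld prints a mode string such as "-rw-r--r--";
    # characters 5-10 are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# lock_down_revocs GNUPG_HOME [EXTRA_FILE...]
# Tightens GNUPG_HOME, its openpgp-revocs.d directory, every *.rev file
# in it, and any extra revocation files passed on the command line.
# Sets FIXED to the number of paths whose mode had to be changed.
lock_down_revocs() {
    home=$1; shift
    FIXED=0
    for p in "$home" "$home/openpgp-revocs.d" \
             "$home"/openpgp-revocs.d/*.rev "$@"; do
        [ -e "$p" ] || continue      # unmatched glob or missing file
        [ -L "$p" ] && continue      # do not chmod through symlinks
        if has_loose_perms "$p"; then
            if [ -d "$p" ]; then
                chmod 700 "$p"       # directories: owner only
            else
                chmod 600 "$p"       # files: owner read/write only
            fi
            echo "tightened: $p"
            FIXED=$((FIXED + 1))
        fi
    done
}

# Typical call, using the file name from the command above:
#   lock_down_revocs "${GNUPGHOME:-$HOME/.gnupg}" ./revocation___.crt
```

Running it a second time should report nothing and leave FIXED at 0, which makes it usable as a quick check before copying the certificate to offline storage.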

References