25 Oct 2023 - rich
It has been a while since I last set up my gpg keys. I am going through the process again so that I can solicit some of my friends and co-workers to sign my keys for me.
Because environments vary, I am going to skip how to install gpg, other than providing a link to some information that might get you started.
I am assuming here that you already have gpg installed.
Most Linux distributions already have it installed. If not, it is as simple as installing the gnupg package with your package manager.
e.g. to install on Rocky/Alma/CentOS (where the package is named gnupg2):
sudo dnf install gnupg2
and on Debian/Ubuntu:
sudo apt-get update
sudo apt-get install gnupg
For Windows, that is something more alien to me… follow the directions.
You can also check here for images and tools to download:
GnuPG binary releases
In general we do not distribute binary releases but leave that to the common Linux distributions. However, for some operating systems we list pointers to readily installable releases. We cannot guarantee that the versions offered there are current. Note also that some of them apply security patches on top of the standard versions but keep the original version number.
OS      | Where           | Description
Linux   | download (sig)  | GnuPG Desktop® AppImage with the current GnuPG
Windows | Gpg4win         | Full featured Windows version of GnuPG
Windows | download (sig)  | Simple installer for the current GnuPG
Windows | download (sig)  | Simple installer for GnuPG 1.4
OS X    | Mac GPG         | Installer from the gpgtools project
OS X    | GnuPG for OS X  | Installer for GnuPG
Debian  | Debian site     | GnuPG is part of Debian
RPM     | rpmfind         | RPM packages for different OS
Android | Guardian project| Provides a GnuPG framework
VMS     | antinode.info   | A port of GnuPG 1.4 to OpenVMS
RISC OS | home page       | A port of GnuPG to RISC OS
If you are just working through the setup and have only just verified or installed gpg, the next step is to generate your own gpg key:
$ gpg --full-generate-key
gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri 25 Oct 2024 02:02:28 PM EDT
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Enter Your Real Name Here
Email address: your@email-address.com
Comment:
You selected this USER-ID:
"Your Real Name Here <you@email_address.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/<user-id>/.gnupg/trustdb.gpg: trustdb created
gpg: key XXXXXXXXXXXX marked as ultimately trusted
gpg: directory '/home/<user-id>/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/<user-id>/.gnupg/openpgp-revocs.d/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.rev'
public and secret key created and signed.
pub rsa4096 2023-10-26 [SC] [expires: 2024-10-25]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid Your Real Name <you@your-email-address.com>
sub rsa4096 2023-10-26 [E] [expires: 2024-10-25]
Create your revocation certificate now, not later! Don't wait until you have a problem and then have to remember what to do, how to create the certificate, or where that information is. (As the output above shows, gpg already stored one for you under ~/.gnupg/openpgp-revocs.d/ when the key was created; the steps below create one explicitly, with a revocation reason and description of your choosing.)
Also, restrict access to this file by tightening its permissions, and then save it somewhere safe where only you will have access to it.
To create and save the revocation certificate, so that it is ready if you should ever need it (because you want to revoke your key), run the following; that is all you need to do.
$ gpg --output ./revocation_<key-id>.rev --gen-revoke <key-id>
sec rsa4096/XXXXXXXXXXXXXXXX 2023-XX-XX <your real name> <your-email@address.com>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> revoke my certificate
>
Reason for revocation: No reason specified
revoke <your-email@address.com> 2023-XX-XX
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
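As an added example (not from the original post), here is the same procedure run non-interactively in a throwaway GNUPGHOME: the key is generated with the same choices as the session above, the revocation certificate is written with the four prompts answered through --command-fd, the file is locked down to its owner, and, only when you really mean it, the certificate is imported to revoke the key. The function names and the %no-protection parameter (which keeps the demo passphrase-free) are my choices, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: the key and revocation
# certificate steps above run non-interactively in a throwaway GNUPGHOME.
set -eu

# Make the same choices as the interactive session above: RSA 4096 signing
# key, RSA 4096 encryption subkey, valid for one year.  Prints the fingerprint.
# $1 = GNUPGHOME, $2 = real name, $3 = e-mail address.
# %no-protection keeps the demo passphrase-free; drop it for a real key.
gen_key() {
    gpg --homedir "$1" --batch --generate-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%commit
EOF
    gpg --homedir "$1" --batch --with-colons --list-keys "$3" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Write an ASCII-armoured revocation certificate for fingerprint $2 to file $3.
# The four prompts seen above (create? / reason / description / okay?) are
# answered through --command-fd: y, 0 = no reason specified, empty line, y.
# --gen-revoke refuses --batch, so --no-tty is what keeps it script-safe.
gen_revocation() {
    printf 'y\n0\n\ny\n' | gpg --homedir "$1" --no-tty --command-fd 0 \
        --status-fd 2 --output "$3" --gen-revoke "$2" 2>/dev/null
    chmod 600 "$3"   # owner-only, as the post advises
}

# Importing the certificate is what actually revokes the key.  Returns 0 when
# gpg then lists the primary key with validity "r" (revoked).
revoke_and_check() {
    gpg --homedir "$1" --batch --import "$3" 2>/dev/null
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" | grep -q '^pub:r:'
}

# Run the whole flow when invoked as:  sh gen-revoke.sh "Your Real Name" you@example.com
if [ $# -eq 2 ]; then
    home=$(mktemp -d) && chmod 700 "$home"
    fpr=$(gen_key "$home" "$1" "$2")
    gen_revocation "$home" "$fpr" "$home/revocation_$fpr.rev"
    echo "key $fpr created; revocation certificate at $home/revocation_$fpr.rev"
fi
```

Keep the revocation certificate out of the key's own directory in real use; anyone who can read it can revoke your key, exactly as the gpg notice above warns.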