26 Oct 2023 - rich
There are different ways in which you get and import someone’s public key. It can be sent to you as a text file or it could have been uploaded by someone to a public key server.
Here are a few ways to import another person’s public key. If you can verify the identity of that person, you can also sign their public key. When you do this, you are certifying the identity of that person, so please use caution.
If someone has sent you their public key in a text file, import that person's key with the following command:
$ gpg --import name_of_pub_key_file
Two popular public key servers are pgp.mit.edu and keys.openpgp.org.
These sites will allow you to add your PGP key and verify that it has been added.
You can also look up other people's public keys by name, email address, or any other search term.
To search for someone using one of these public key servers, just enter a command similar to:
$ gpg --keyserver pgp.mit.edu --search-keys <search parameters>
$ gpg --keyserver keys.openpgp.org --search-keys rich@terrorgrump.com
gpg: data source: http://keys.openpgp.org:11371
(1) Rich Goldstein <rich@terrorgrump.com>
4096 bit RSA key C6D6D917A8D0CB4E, created: 2023-10-26
Keys 1-1 of 1 for "rich@terrorgrump.com". Enter number(s), N)ext, or Q)uit >
$ gpg --keyserver pgp.mit.edu --search-keys rich@terrorgrump.com
gpg: data source: http://pgp.mit.edu:11371
(1) Rich Goldstein <rich@terrorgrump.com>
4096 bit RSA key C6D6D917A8D0CB4E, created: 2023-10-26, expires: 2024-10-25
Keys 1-1 of 1 for "rich@terrorgrump.com". Enter number(s), N)ext, or Q)uit > 1
While you can freely distribute your generated public key file and people can use this to contact you in a secure way, it is important to be able to trust that the key belongs to who you think it does during the initial public key transmission.
How do you know that the person giving you the public key is who they say they are? In some cases, this may be simple. You may be sitting right next to the person with your laptops both open and exchanging keys. This should be a pretty secure way of identifying that you are receiving the correct, legitimate key.
But there are many other circumstances where such personal contact is not possible. You may not know the other party personally, or you may be separated by physical distance. If you are never willing to communicate over insecure channels, verifying the public key in the first place could be problematic.
Luckily, instead of verifying the entire public keys of both parties, you can simply compare the “fingerprint” derived from these keys. This will give you a reasonable assurance that you both are using the same public key information.
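As an added example (not code from the original post), here is what that fingerprint actually is and how to compare it safely. The fingerprint gpg prints for a version 4 key is the SHA-1 hash of the public-key packet, as defined in RFC 4880 section 12.2, and the 16-hex-digit "long key ID" shown in the search output above is just the last 16 digits of that fingerprint. The script builds a minimal v4 RSA public-key packet from constructed, non-real key values (an assumption for illustration only; a 64-bit modulus is far too small for real use), derives the fingerprint and key ID, and compares the local fingerprint against one read out over a separate channel, failing closed when only a key ID rather than the full fingerprint is supplied.

```python
import hashlib
import hmac
import struct

# Constructed, non-real key material (an assumption for this example): a 64-bit
# modulus is useless cryptographically but keeps the packet short and readable.
SAMPLE_N = 0xC0FFEE1234567891
SAMPLE_E = 65537
SAMPLE_CREATED = 1698278400  # 2023-10-26 00:00:00 UTC, matching the creation date above


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer (RFC 4880 3.2):
    a 2-octet big-endian bit count followed by the big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for an RSA key (RFC 4880 5.5.2):
    version 4, 4-octet creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-octet body length, and the body (RFC 4880 12.2).
    Returns 40 uppercase hex digits, the form gpg --fingerprint prints."""
    if len(body) > 0xFFFF:
        raise ValueError("public-key packet body too long for a 2-octet length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 16-hex-digit long key id gpg shows in search results is the low
    64 bits of the v4 fingerprint, i.e. its last 16 hex digits."""
    return fingerprint[-16:]


def display_fingerprint(fingerprint: str) -> str:
    """Group into 4-digit blocks with a double space in the middle, as gpg does."""
    groups = [fingerprint[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def normalize(text: str) -> str:
    """Strip whitespace and case so a fingerprint read out over the phone or
    copied from a business card compares equal to gpg's output."""
    return "".join(text.split()).upper()


def fingerprints_match(local: str, out_of_band: str) -> bool:
    """Compare the locally derived fingerprint with one obtained through a
    separate channel. Fails closed unless both are full 40-digit fingerprints:
    a bare 8- or 16-digit key id is not enough, because key ids are not unique."""
    a, b = normalize(local), normalize(out_of_band)
    hexdigits = set("0123456789ABCDEF")
    if len(a) != 40 or len(b) != 40 or not (set(a) <= hexdigits and set(b) <= hexdigits):
        return False
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    body = rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    fp = v4_fingerprint(body)
    print("fingerprint:", display_fingerprint(fp))
    print("long key id:", long_key_id(fp))
    # The same fingerprint as a contact might read it out (lowercase, spaced).
    print("match:", fingerprints_match(fp, display_fingerprint(fp).lower()))
    # A key id on its own must not be accepted as verification.
    print("key id only:", fingerprints_match(fp, long_key_id(fp)))
```

The point of the comparison function is that the value you check against must arrive over a channel other than the one the key itself came through (a phone call, a printed card, the person sitting next to you), and that the whole 40-digit fingerprint is compared, never just the short or long key ID that search results display.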