Introduction

"GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate." From The GNU Privacy Handbook

This page describes how to use OpenPGP keys. For a brief description of what OpenPGP is see the next section. The package gnupg (including the command gpg) is installed on all Ubuntu systems. The package description says in part: "GnuPG 1.4 is the standalone, non-modularized series. In contrast to the version 2 series, shipped with the gnupg2 package, it comes with no support for S/MIME and some other tools useful for desktop environments, but also with less dependencies." This page mainly describes how to use the gpg command.

Some Terminology

The terms "OpenPGP", "PGP", and "GnuPG / GPG" are often used interchangeably. This is a common mistake, since they are distinctly different.

Graphical Interfaces

There are several programs which provide a graphical interface to the GnuPG system.

Generating an OpenPGP Key

To generate a key:

Setting the key to be the default

It is probably a good idea to set this key as the default in your ~/.bash_profile or ~/.profile by setting the environment variable GPGKEY to your key ID; the commands on this page refer to the key through $GPGKEY. Doing this will allow applications using GPG to automatically use your key.

Adding Encryption Capabilities

Creating a revocation certificate

A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way. It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.

To create a revocation certificate, enter:

gpg --output revoke.asc --gen-revoke $GPGKEY

and follow the instructions. Note: you will need the passphrase. The revocation certificate may be printed and/or stored as a file.

Warning: Anybody having access to your revocation certificate can revoke your key, rendering it useless.

Making an ASCII armored version of your public key

Some keyservers allow you to paste an ASCII armored version of your public key in order to upload it. This method is often preferred, because the key comes directly from the user and the user can see that the key has been successfully uploaded.

To create an ASCII armored version of your public key, enter:

gpg --output mykey.asc --export --armor $GPGKEY

Using our example key (key-id = D8FC66D2), the command is:

gpg --output mykey.asc --export --armor D8FC66D2

Uploading the key to Ubuntu keyserver

This section explains how to upload your public key to a keyserver so that anyone can download it. Once you have uploaded it to one keyserver, it will propagate to the other keyservers. Eventually most of the keyservers will have a copy of your key. You can accelerate the process by uploading your key to several keyservers.

To upload the key, enter:

gpg --send-keys --keyserver keyserver.ubuntu.com $GPGKEY

Using our example key (key-id = D8FC66D2), the command is:

gpg --send-keys --keyserver keyserver.ubuntu.com D8FC66D2

To upload the key using a web browser:

Note that keyserver.ubuntu.com is only reachable via IPv4.

Reading OpenPGP E-mail

OpenPGP implementations can be used to digitally sign, encrypt, and decrypt email messages for heightened security. You can validate your keys with Launchpad, and under some situations, Launchpad will send you signed or encrypted email. You would then use OpenPGP support in your mail reader to decrypt these messages or verify a message's digital signature. Of course, you can also use the OpenPGP support in your mail reader to trade encrypted messages with your colleagues, or sign your own messages so that others can have better assurances that the email that appears to come from you actually does come from you.

The instructions below are not intended to provide you with detailed information on OpenPGP, its various implementations, or its use. These instructions simply provide links that can help you set up your mail reader to be compatible with OpenPGP signed and/or encrypted email.

We need your help to flesh out these instructions!

Linux mail readers

This section is not all inclusive. Please feel free to add additional mail clients.

Evolution

Evolution has built-in support for OpenPGP. Look under the Security tab when you edit accounts.

KMail

Kmail / Kontact has built-in support. For Gutsy and later releases, everything required is installed by default. See the Kmail GPG page for details.

Claws Mail

Claws Mail supports OpenPGP through the plugin claws-mail-pgpinline.

Thunderbird

Mutt

Miscellaneous/all platforms (web mail)

This section is in need of expansion. Please feel free to add any additional plugins for Firefox or other browsers.

Gmail

It's All Text!

Validation with Launchpad

You need to validate a key with Launchpad (that is, import it into Launchpad) in order to be able to sign the Ubuntu Code of Conduct (and thus become an Ubuntero) and to build packages using HCT.

OpenPGP keys and Launchpad

To import a key you need the key fingerprint. To list all keys and their fingerprints, enter:

gpg --fingerprint

A fingerprint will look something like this:

95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2

To import a key:

Validating using Firefox and FireGPG

Signing Data

Signing data lets a recipient verify that data which appears to come from a person really does come from that person. A typical scenario is described below.

Signing the Ubuntu Code Of Conduct

When you've generated a key and imported it, it is time to sign the Ubuntu Code Of Conduct if you want to become an Ubuntu member or Ubuntero:

  1. Download the code of conduct from https://launchpad.net/codeofconduct/2.0/+download.

  2. Enter:

    gpg --clearsign UbuntuCodeofConduct-2.0.txt
  3. Upload the contents of UbuntuCodeofConduct-2.0.txt.asc on https://launchpad.net/codeofconduct/2.0/+sign

Getting your key signed

The whole point of all this is to create a web of trust. By signing someone's public key, you state that you have checked that the person who uses a certain keypair is who they say they are and really is in control of the private key. This way a complete network of people who trust each other can be created. This network is called the Strongly connected set. Information about it can be found at http://pgp.cs.uu.nl/

In summary,

  1. Locate someone that lives near you and can meet with you to verify your ID. Sites like http://www.biglumber.com/ are useful for this purpose

  2. Arrange for a meeting. Bring at least one ID with photo and printed fingerprint of your OpenPGP key, ask the same from the person you will be meeting with.
  3. Print copies of your public key
    • get the last eight digits of your fingerprint: 0995 ECD6 3843 CBB3 C050 28CA E103 6EED 0123 4567

    • terminal: gpg --fingerprint 01234567 >> key.txt

    • print the resulting key.txt file and bring as many copies to the meeting as you expect to have people sign
  4. Meet, verify your IDs and exchange OpenPGP key fingerprints
  5. Sign the key of the person you've just met and send them the key you've just signed.
  6. Update your keys on the keyserver; the signature you've just created will be uploaded.
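The fingerprint shown earlier on this page (95BD 8377 ... D8FC 66D2) and the example key-id D8FC66D2 used in the commands are the same thing: the key-id is the last eight hex digits of the fingerprint, which is also what step 3 above asks you to extract. The following is an added example, not part of the wiki page, that does that extraction in POSIX shell and refuses input that is not a full 40-hex-digit fingerprint. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page): derive the key IDs that gpg
# prints from a full 40-hex-digit OpenPGP v4 fingerprint.

# normalize_fingerprint FINGERPRINT
# Strip spaces, upper-case, and check that exactly 40 hex digits remain
# (a v4 fingerprint is the 160-bit SHA-1 hash of the public key packet).
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$fp" in
        *[!0-9A-F]*)
            echo "not a fingerprint: contains non-hex characters" >&2
            return 1 ;;
    esac
    if [ "${#fp}" -ne 40 ]; then
        echo "not a fingerprint: expected 40 hex digits, got ${#fp}" >&2
        return 1
    fi
    printf '%s\n' "$fp"
}

# keyid_from_fingerprint FINGERPRINT [short|long]
# short = last 8 hex digits (the 32-bit "key-id" used on this page),
# long  = last 16 hex digits (the 64-bit key ID).
# Short IDs are only 32 bits and are not unique, so at a keysigning you
# compare the full fingerprint, not the ID; the ID is only a lookup handle.
keyid_from_fingerprint() {
    fp=$(normalize_fingerprint "$1") || return 1
    case "${2:-short}" in
        short) printf '%s\n' "$fp" | cut -c 33-40 ;;
        long)  printf '%s\n' "$fp" | cut -c 25-40 ;;
        *) echo "usage: keyid_from_fingerprint FINGERPRINT [short|long]" >&2
           return 2 ;;
    esac
}

# Command-line use: keyid.sh "95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2" long
if [ "$#" -gt 0 ]; then
    keyid_from_fingerprint "$@"
fi
```

Run with the page's example fingerprint and it prints D8FC66D2 (or 0F6E4CA6D8FC66D2 with the long form); pass only a partial fingerprint such as "D8FC 66D2" and it exits non-zero instead of silently returning something that looks like a key ID.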

Keysigning Guidelines

Since a signature means that you checked and verified that a certain public key belongs to a certain person who is in control of the accompanying private key, you need to follow these guidelines when signing people's keys:

During the Event

  1. Keysigning is always done after meeting in person
  2. During this meeting you hand each other your OpenPGP key fingerprint and at least one government issued ID with a photograph. These key fingerprints are usually distributed as key fingerprint slips, created by a script such as gpg-key2ps (package: signing-party)

  3. You check whether the name on the key corresponds with the name on the ID and whether the person in front of you is indeed who they say they are.

After the Event

You now have the printed public key information from the other participants.

Example key IDs for the other participants will be E4758D1D, C27659A2, and 09026E7B. Replace these IDs with the key IDs you received from the other participants.

  1. Retrieve the keys:

    gpg --recv-keys E4758D1D C27659A2 09026E7B
  2. Sign the keys:

    gpg --sign-key E4758D1D
    gpg --sign-key C27659A2
    gpg --sign-key 09026E7B
  3. Export the keys:

    gpg --armor --export E4758D1D --output E4758D1D.signed-by.01234567.asc
    gpg --armor --export C27659A2 --output C27659A2.signed-by.01234567.asc
    gpg --armor --export 09026E7B --output 09026E7B.signed-by.01234567.asc
  4. Email the key users (use the email address that was part of the key's user ID) and attach the corresponding signature file - or - send their signed key to the key server:

    gpg --send-keys --keyserver keyserver.ubuntu.com E4758D1D
  5. Once you receive your signed key from each participant, import the signatures into your keyring:

    gpg --import 01234567.signed-by.E4758D1D.asc
    gpg --import 01234567.signed-by.C27659A2.asc
    gpg --import 01234567.signed-by.09026E7B.asc
  6. You should now see the new signatures on your key:

    gpg --list-sigs 01234567
  7. Send your keys to the keyserver:

    gpg --send-keys 01234567
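Steps 1 to 4 above are the same for every key you collected at the event, and the one check the list leaves implicit is the important one: before signing, the key the keyserver handed you must have the same full fingerprint as the slip you checked against photo ID, because an eight-digit key ID can belong to more than one key. The script below is an added example, not from the wiki page, that runs those steps for a list of participants with that check in the middle. The function names, the MYID argument and the fingerprints are placeholders; the keyserver is the one used on this page and can be overridden through the KEYSERVER environment variable.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page): the "After the Event" steps
# for several participants, refusing to sign any key whose fingerprint does
# not match the paper slip.
set -eu

KEYSERVER=${KEYSERVER:-keyserver.ubuntu.com}

# fpr_from_colons: read `gpg --with-colons` output on stdin and print the
# primary key's fingerprint, which is field 10 of the first "fpr" record.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# signed_export_name THEIRID MYID
# The page's file naming convention: <their id>.signed-by.<your id>.asc
signed_export_name() {
    printf '%s.signed-by.%s.asc\n' "$1" "$2"
}

# check_fingerprint KEYID EXPECTED_FINGERPRINT
# Compare what the keyserver delivered against the slip you verified in
# person. Short key IDs are 32 bits and can collide; the 160-bit
# fingerprint is the value that actually identifies the key.
check_fingerprint() {
    got=$(gpg --with-colons --fingerprint "$1" | fpr_from_colons)
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "$got" = "$want" ]
}

# sign_one MYID THEIRID EXPECTED_FINGERPRINT
# Steps 1-3 of the list: retrieve, verify, sign (interactive prompt),
# export the signed key to the file you will mail to its owner.
sign_one() {
    myid=$1; theirid=$2; expected=$3
    gpg --keyserver "$KEYSERVER" --recv-keys "$theirid"
    if ! check_fingerprint "$theirid" "$expected"; then
        echo "fingerprint mismatch for $theirid: not signing" >&2
        return 1
    fi
    gpg --sign-key "$theirid"
    gpg --armor --output "$(signed_export_name "$theirid" "$myid")" --export "$theirid"
}

# Usage: after_event.sh MYID THEIRID "FINGERPRINT" [THEIRID "FINGERPRINT" ...]
# Nothing runs without arguments, so the file can also be sourced for its
# functions alone.
if [ "$#" -ge 3 ]; then
    myid=$1; shift
    while [ "$#" -ge 2 ]; do
        sign_one "$myid" "$1" "$2"
        shift 2
    done
fi
```

Invoked as after_event.sh 01234567 E4758D1D "<fingerprint from slip>" C27659A2 "<fingerprint from slip>", it produces the E4758D1D.signed-by.01234567.asc and C27659A2.signed-by.01234567.asc files from step 3 and stops on the first key whose fingerprint does not match. Mailing the files (step 4) is left to you; if the owner prefers the keyserver route, gpg --send-keys as shown in the list works on the same keys.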

Congrats - you have now entered a web of trust or enlarged an existing one.

Backing up and restoring your keypair

Why should you back up your keypair? If you lose your keypair:

If you lose your keypair, you should revoke your key. This cannot be done without a revocation certificate.

Backing up your public key

Backing up your private key

Restoring your keypair

To restore your keypair:

Make sure you protect these files!

Revoking a keypair

In the event your keys are lost or compromised, you should revoke your keypair. This tells other users that your key is no longer reliable.

Warning: For security purposes, there is no mechanism in place to revoke a key without a revocation certificate. As much as you might want to revoke a key, the revocation certificate prevents malicious revocations. Guard your revocation certificate with the same care you would use for your private key.

Un-revoking a keypair

If you unintentionally revoke a key, or find that your key has in fact not been lost or compromised, it is possible to un-revoke your key. First and foremost, ensure that you do not distribute the key, or send it to the keyserver.

Changing your Passphrase

To change your passphrase:

You have now changed the passphrase.

Tips and Tricks

Related Articles

Resources



GnuPrivacyGuardHowto (last edited 2022-04-27 02:00:20 by eslerm)