My scrapbook about anything which I learned or want to remember, Sometime about tech tips, thoughts and rambling. If you find anything useful don't forget to give thumbs-up :)

Breaking

Sunday, November 5, 2023

Intro to GnuPG (GPG) - Generating Keys

GnuPG aka GPG is widely use in IT word to secure communication, data encryption, digital signature and many more. It is always a first choice of security personnel to make use of GPG as it is little hard to break (considering today's computational power).  GPG make use of many cryptography concept which includes symmetric ciphers
public-key ciphers, and one-way hashing. In this p
ost, we are only going to focus to create/generate GPG key. 

        Very first thing you need is the command line tool to generate the keys which you can download from here for your operating system. I advise you to use the latest version whenever possible. 

How to generate GPG keys:

  • Open terminal
  • Considering you are using the latest version of GPG command line, run the below command to generate the GPG key (Keep in mind, it is going to ask multiple questions, answer them truthfully as much as possible) - 
    gpg --full-generate-key
    • Now, very first thing is the Algorithm to generate the GPG key, if you are generating it first time, press Enter to choose the default but if you are generating for any application, choose the algorithm which is supported by your application encryption/decryption logic. 
    • Based on the algorithm selected, it might ask for the key length, provide the maximum length for better security unless you have some specific requirement to fill. 
    • Next, To select the validity period, I advise to input "1y" for 1 year but remember you have to rotate the key when it get expire. If this seems like a hassle, choose default by pressing Enter for "No Expiration"
    • Verify, all your selections are correct
    • Provide your Name, Email ID and Description about key usage
    • Most Important - Provide a passphrase for key security, longer the better but DO NOT forget the passphrase, If you forget it, there is NO WAY you can recover, So choose, Wisely
    • If all information is accurate, provide input to generate the key. 
    • (Optional) For better entropy generation, keep moving your mouse when system is trying to generate the key. 
  • Your GPG key is generated and stored in your home directory (~/.gnupg/pubring.kbx). 
  • To list all your GPG keys, you can run below command - 
  • gpg --list-keys --keyid-format=long
  • gpg command will generated 3 things - Private and Public gpg key and Revocation certificate. Revocation certificate is required when you want to revoke your key if compromised, it is just to tell the world that this key is not valid anymore. Remember, This will only mark your key invalid, it will not block the bad actor to encrypt/decrypt the message with stolen key of yours. So It is a good idea to revoke your key when compromised that way all other user will be aware if someone trying to be you with your compromised key. 
  • Though, gpg command will generate the revocation key but in case it is not generated, you can generate the certificate via below command - 
  • gpg --gen-revoke KEYID > KEYID.revoke.asc
  • So, next, let's export the keys for safekeeping - 
    # Export Public Key 
    gpg --armor --export KEYID > KEYID.pub
    
    # Export Secret Key
    gpg --armor --export-secret-keys KEYID > KEYID.key
  • Upload Your Public key on KeyServers to let world know about your key - 
    
    # Upload Public key on keyserver/s
    gpg --keyserver hkps://
    keys.openpgp.org --send-key KEYID # or gpg --keyserver https://keyserver.ubuntu.com --send-key KEYID # or gpg --keyserver https://pgp.mit.edu --send-key KEYID   
  • Search Public Keys - 
    # Search Keys
    gpg --keyserver hkps://keys.openpgp.com --search KEYID
    # or gpg --keyserver https://keyserver.ubuntu.org --search KEYID
    # or gpg --keyserver https://pgp.mit.edu --search KEYID
     
  •  Import Public Keys - 
    # Import Keys from file
    gpg --import PUBLIC-KEY-FILE
    # Import from Keyserver gpg --keyserver https://keys.openpgp.com --recv-keys KEYID
    # or gpg --keyserver https://keyserver
    .ubuntu.org --recv-keys KEYID
    # or gpg --keyserver https://pgp.mit.edu --recv-keys KEYID
  • List keys (public) in your keyring via below command  - 
    # List Public Keys in local keyring
    gpg --list-keys
     
  • List Secret keys (private) in your keyring via below command 
    # List Secret Keys in local keyring
    gpg --list-secret-keys

In next post, We will learn about Revocation Certificate. 

Video:


Like the below page to get the update  
Facebook Page      Facebook Group      Twitter Feed      Telegram Group

No comments:

Post a Comment

Disclaimer

The postings on this site are my own and don't necessarily represent IBM's or other companies positions, strategies or opinions. All content provided on this blog is for informational purposes and knowledge sharing only.
The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of his information.