Howto setup your GnuPG (GPG) keys

I wanted to set up a working GPG configuration to be able to send encrypted and/or signed emails.
What I did

If you don't have any keys yet, you have to generate a new one. This needs some random data, so take your time (it took about 8 minutes on my netbook, which makes me think that it really waits for random data from different sources).
Open a terminal and type:
You will be asked for your identity (the name and email address you want to use). You may add more identities later, but note that every identity you associate with this key stays associated with it: revoking an identity does not remove it, it only marks it as invalid.
Now check your new key:
Your key will have a short ID; let's assume it's ABCD1234 in this example, and that your name is Trent Reznor. Let's make some backup files now by exporting your keys to text files. I don't need to say that you have to handle your private keys and your revocation certificates with care!
If you want to use your keys for your lifetime, it's a good idea to print them on paper and store them in a safe location. Do NOT share your private key or your revocation certificate.
- If you share your private key others might take your identity and read your encrypted emails.
- If you share your revocation certificate others might invalidate your keys.
    # To add more identities/mail addresses
    gpg --edit-key ABCD1234
    > adduid

    # This is the file you want to share with others!
    gpg --output pubkey_ABCD1234.Trent.Reznor.ascii --armor --export ABCD1234

    # Now create a revocation certificate.
    # The purpose of the revocation certificate is to have a safe way to
    # invalidate keys you once uploaded to any key server.
    gpg --output revocation_cert_ABCD1234.Trent.Reznor.ascii --gen-revoke ABCD1234

    # Backup of the private key (do NOT share this file)
    gpg --output privkey_ABCD1234.Trent.Reznor.ascii --armor --export-secret-keys ABCD1234
Now publish your new key to a key server.
heise.de recommended pool.sks-keyservers.net, which seems to be a distributed service.
    # Send key to a public server, in this case pool.sks-keyservers.net
    gpg --keyserver pool.sks-keyservers.net --send-key 0xABCD1234
If you made some mistakes, just remove the affected identities and run an update.
This happened to me: I had my 'primary identity' and added some email addresses of my 'secondary identity'. I uploaded my key to a key server, and now my identities (which I wanted to keep separate) will _always_ be associated with each other :(

Revoking my keys will not remove this information. It will only be invalidated but still be visible to everyone (and marked as revoked). So carefully choose the identities you want to use with your key. If unsure, create more keys for other identities.
To make changes:
    # To remove identities from the key
    # Note that your keys change then!
    gpg --edit-key ABCD1234
    > revuid

    # Then update your certs by revoking them (use your revocation certificate)
    gpg --import revocation_cert_ABCD1234.Trent.Reznor.ascii

    # And update the modified keys on the server. Note that --refresh-keys only
    # pulls the server's copy into your local keyring; --send-keys uploads your changes.
    gpg --keyserver pool.sks-keyservers.net --refresh-keys ABCD1234
    # OR
    gpg --keyserver pool.sks-keyservers.net --send-keys 0xABCD1234
Use your keys to encrypt and/or sign emails

    # Now install enigmail
    sudo apt-get install enigmail

    # Enigmail: attach public key
    # sign public key (don't forget to check fingerprint!)
    # (to display fingerprint:)
    gpg --fingerprint
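As an added example, not part of the original post, here is a small POSIX shell helper for the "check the fingerprint" step above: it pulls the fingerprint out of a `gpg --with-colons --fingerprint` listing, normalizes a fingerprint read from a business card or mail, and derives the long and short key IDs from it. The listing and the fingerprint value are constructed sample data; the short ID (the `ABCD1234` form used in this post) is just the last 8 hex digits of the fingerprint and can be shared by many keys, so compare the full 40 digits.

```sh
#!/bin/sh
# Added example, not part of the original post: helpers for the
# "check the fingerprint" step. The listing below is a CONSTRUCTED sample of
# what `gpg --with-colons --fingerprint ABCD1234` prints; gpg is not needed.
SAMPLE_LISTING='pub:u:4096:1:01234567ABCD1234:1454000000:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9801234567ABCD1234:
uid:u::::1454000000::0000000000000000000000000000000000000000::Trent Reznor <trent@example.invalid>::::::::::0:'

# fpr_from_listing LISTING: the fingerprint is field 10 of the "fpr" record.
fpr_from_listing() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# normalize_fpr FPR: drop spaces/tabs and a leading 0x, upper-case, so a
# fingerprint copied from a business card compares byte for byte.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# The key IDs are just the tail of the fingerprint: 16 hex digits (long),
# 8 hex digits (short, the "ABCD1234" form used in the post). Many keys can
# share a short ID, so a short ID is no substitute for the full fingerprint.
long_keyid()  { normalize_fpr "$1" | tail -c 16; }
short_keyid() { normalize_fpr "$1" | tail -c 8; }

# verify_fpr LISTING EXPECTED: succeed only if EXPECTED is a full 40-digit
# fingerprint and matches the key in LISTING (a bare key ID is rejected).
verify_fpr() {
    got=$(normalize_fpr "$(fpr_from_listing "$1")")
    want=$(normalize_fpr "$2")
    [ "${#want}" -eq 40 ] && [ "$got" = "$want" ]
}

# Stand-alone usage: compare against the fingerprint as it would be read aloud.
if verify_fpr "$SAMPLE_LISTING" "fedc ba98 7654 3210 fedc ba98 0123 4567 abcd 1234"; then
    echo "fingerprint OK, short ID $(short_keyid "$(fpr_from_listing "$SAMPLE_LISTING")")"
else
    echo "fingerprint MISMATCH" >&2
fi
```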
Edit 2016-02-18

Export public key as ASCII text file:

    gpg -a --output <filename/rsa_pub.ascii> --export ABCD1234

Export public key as binary file:

    gpg --output <filename/rsa_pub> --export ABCD1234

Export private key as ASCII text file (do NOT share):

    gpg -a --export-secret-keys ABCD1234 > <filename/rsa.ascii>

Export private key as binary file (do NOT share):

    gpg --export-secret-keys ABCD1234 > <filename/rsa>