Create a key pair

GnuPG Configuration

First of all, we will set some configuration options for GnuPG. As you may know, serious attacks on SHA1 have been found, and the US government chose not to rely on SHA1. We may want to go for something stronger too.

To create the default configuration file for GPG, we run:

$ gpg --list-key
gpg: directory `/home/tchetch/.gnupg' created
gpg: new configuration file `/home/tchetch/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/tchetch/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/tchetch/.gnupg/pubring.gpg' created
gpg: /home/tchetch/.gnupg/trustdb.gpg: trustdb created

The configuration file is now in ~/.gnupg/gpg.conf. As we said before, we want to move to something stronger than SHA1 and go for SHA256 or SHA512 (it is up to you to choose the best option). So we add the following lines to the file (or modify those options if they already exist):

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

The first line selects SHA256 for signing (--clearsign or --sign), so when you sign a mail, SHA256 will be used instead of the default SHA1. The second line is for key signing: when you sign a key, SHA256 will be used. The last line sets the preference order for new keys. As we don't have a key (right now), we won't need to change preferences.
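
To confirm that an existing gpg.conf really carries these three settings, the check below can be run against it. It is an added example, not part of the original page: audit_gpg_conf is a hypothetical helper name, the sample files are constructed, and it assumes algorithms are written by name (SHA256) rather than by preference code.

```sh
#!/bin/sh
# Added example: audit a gpg.conf for the three digest options discussed above.
# Prints one line per option; returns 1 if any is missing or prefers SHA1/MD5.
audit_gpg_conf() {
    awk '
        function isdigest(a) {
            return toupper(a) ~ /^(SHA1|SHA224|SHA256|SHA384|SHA512|RIPEMD160|MD5)$/
        }
        function report(opt, first) {
            first = toupper(first)
            if (first == "") { print "MISSING " opt; return 1 }
            if (first == "SHA1" || first == "MD5") {
                print "WEAK " opt " prefers " first; return 1
            }
            print "OK " opt " prefers " first; return 0
        }
        # Commented-out lines never match: their first word is not an option name.
        # If an option is repeated, the last line is the one reported here.
        $1 == "personal-digest-preferences" { pdp = $2 }
        $1 == "cert-digest-algo"            { cda = $2 }
        $1 == "default-preference-list" {
            # The list mixes ciphers, digests and compression; keep the first digest.
            dpl = ""
            for (i = 2; i <= NF; i++) if (isdigest($i)) { dpl = $i; break }
        }
        END {
            bad  = report("personal-digest-preferences", pdp)
            bad += report("cert-digest-algo", cda)
            bad += report("default-preference-list", dpl)
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed samples: the three lines from this page, then a weak variant.
demo_dir=$(mktemp -d)
printf '%s\n' 'personal-digest-preferences SHA256' 'cert-digest-algo SHA256' \
    'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' \
    > "$demo_dir/good.conf"
printf '%s\n' 'personal-digest-preferences SHA1 SHA256' '#cert-digest-algo SHA256' \
    > "$demo_dir/weak.conf"
audit_gpg_conf "$demo_dir/good.conf"
audit_gpg_conf "$demo_dir/weak.conf" || echo "weak.conf needs fixing"
rm -rf "$demo_dir"
```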

Key generation

We now generate our key. This is easy:

$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/home/tchetch/.gnupg/secring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Tchetch
Email address: tchetch@example.com
Comment: 
You selected this USER-ID:
    "Tchetch <tchetch@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.



Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 283 more bytes)

.+++++                                                 
..........+++++
gpg: key 9E24D04F marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/9E24D04F 2010-02-10
      Key fingerprint = 3052 DDB7 9715 9B32 4DB9  1711 3746 F2EA 9E24 D04F
uid                  Tchetch <tchetch@example.com>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

So now GPG asks you a lot of questions. The first one is “Please select what kind of key you want”, so you have to make a decision. I won't tell you to choose this one or that one. Maybe the default one is good; indeed, it's good enough. In this example I took the last one because it's a sign-only key. So I will need to create a subkey for encryption, which will be the next step of this document.

Then you have to give the key size. The bigger the key, the safer it is, but the more time it will take to use, and some other OpenPGP tools might not support long keys. Again, it is up to you to choose …

Then comes the duration of your key. You may want to change your key every 5 years, for example (which might be good). Here you see I've been stupid: I generated an example key and did not set “1 day”. Instead, my example key is valid forever.

The following questions are easy to answer.

Finally, it tells me that I've got a key with ID 9E24D04F (pub 2048R/9E24D04F 2010-02-10).

Revocation

You should create a revocation certificate for each reason. Indeed, you may need them when you no longer have the private key (which is needed to create a revocation certificate). So generate a certificate for each revocation reason into its own file, then concatenate all these files into one, print it 3 times and keep each printout in a different, secure place (one at your bank, one with your mother (you trust her more than your bank) and one at hand). You should put those revocation certificates into sealed envelopes.

$ gpg --output rev1.asc --gen-revoke 9E24D04F

sec  2048R/9E24D04F 2010-02-10 Tchetch <tchetch2@example.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> Default revocation for compromise
> 
Reason for revocation: Key has been compromised
Default revocation for compromise
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Tchetch <tchetch2@example.com>"
2048-bit RSA key, ID 9E24D04F, created 2010-02-10

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
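
Before printing and sealing the concatenated file, it is worth checking that every certificate in it is complete, since a truncated one is only discovered the day it is needed. The script below is an added example, not part of the original page: the function names are hypothetical, the stub certificate body is constructed, and it assumes the "PGP PUBLIC KEY BLOCK" armor lines that gpg writes around a revocation certificate.

```sh
#!/bin/sh
# Added example: refuse to bundle revocation certificates that are truncated.

# armor_complete FILE: exactly one BEGIN, one END after it, some base64 between.
armor_complete() {
    awk '
        $0 == "-----BEGIN PGP PUBLIC KEY BLOCK-----" { b++ }
        $0 == "-----END PGP PUBLIC KEY BLOCK-----"   { e++; if (e > b) bad = 1 }
        b == 1 && e == 0 && $0 ~ "^[A-Za-z0-9+/=]+$" { body++ }
        END { exit ((b == 1 && e == 1 && body > 0 && !bad) ? 0 : 1) }
    ' "$1"
}

# bundle_revocations OUT FILE...: concatenate only if every FILE is complete.
# Prints the number of certificates written; OUT is readable by the owner only.
bundle_revocations() {
    out=$1; shift
    [ "$#" -gt 0 ] || { echo "usage: bundle_revocations OUT FILE..." >&2; return 2; }
    for f in "$@"; do
        armor_complete "$f" || { echo "INCOMPLETE $f" >&2; return 1; }
    done
    ( umask 077 && cat "$@" > "$out" ) || return 1
    echo "$#"
}

# Constructed stub standing in for a file written by --gen-revoke.
make_stub() {
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        'Comment: A revocation certificate should follow' '' \
        'Q09OU1RSVUNURUQ=' '=AAAA' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$1"
}

d=$(mktemp -d)
for r in 1 2 3; do make_stub "$d/rev$r.asc"; done
bundle_revocations "$d/all.asc" "$d/rev1.asc" "$d/rev2.asc" "$d/rev3.asc"
head -n 4 "$d/rev1.asc" > "$d/cut.asc"      # simulate a truncated copy
bundle_revocations "$d/bad.asc" "$d/rev2.asc" "$d/cut.asc" || echo "bundle refused"
rm -rf "$d"
```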

Key editing

Expiration

As I told you, I was stupid: I set my key to never expire. So I'll change that.

$ gpg --edit-key 9E24D04F
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/9E24D04F  created: 2010-02-10  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
[ultimate] (1). Tchetch <tchetch@example.com>

Command> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at Thu Feb 11 12:43:48 2010 UTC
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "Tchetch <tchetch@example.com>"
2048-bit RSA key, ID 9E24D04F, created 2010-02-10

                  
pub  2048R/9E24D04F  created: 2010-02-10  expires: 2010-02-11  usage: SC  
                     trust: ultimate      validity: ultimate
[ultimate] (1). Tchetch <tchetch@example.com>

Command> save 

You see? Pretty easy, no?

Encryption

I want an encryption key now. So again we edit our key and use the command addkey:

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Tchetch <tchetch@example.com>"
2048-bit RSA key, ID 9E24D04F, created 2010-02-10

Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at Thu Feb 11 12:47:16 2010 UTC
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
.+++++

pub  2048R/9E24D04F  created: 2010-02-10  expires: 2010-02-11  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/E7E84442  created: 2010-02-10  expires: 2010-02-11  usage: E   
[ultimate] (1). Tchetch <tchetch@example.com>

Command> save

You see, it asks you the same kind of questions as for key generation. You have to choose an encrypt-only key (we already have a sign-only key). Choosing between Elgamal and RSA is left to you, as is the key size.
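
The two mistakes corrected in this section, a key that never expires and a key with no encryption subkey, can be detected from gpg's machine-readable listing. The script below is an added example, not part of the original page: audit_key_listing is a hypothetical helper, both listings are constructed from the values shown in the sessions above, and the long subkey ID is a padded placeholder because the page only shows the short ID E7E84442.

```sh
#!/bin/sh
# Added example: flag keys without an expiry date or without encryption capability.
# Reads the output of: gpg --list-keys --with-colons --fixed-list-mode
# Fields used: 1 record type, 2 validity, 5 key ID, 7 expiry date,
# 12 capabilities (a lowercase "e" means this key itself can encrypt).
audit_key_listing() {
    awk -F: '
        function finish_key() {
            if (primary != "" && !dead && !enc) { print "NOENC " primary; n++ }
        }
        $1 == "pub" {
            finish_key(); primary = $5; enc = 0
            dead = ($2 == "r" || $2 == "e")      # revoked or expired primary
        }
        $1 == "pub" || $1 == "sub" {
            if (dead || $2 == "r" || $2 == "e") next
            if ($7 == "") { print "NOEXPIRY " $1 " " $5; n++ }
            if ($12 ~ /e/) enc = 1
        }
        END { finish_key(); exit (n ? 1 : 0) }
    '
}

# Constructed listing: the key as it was right after --gen-key.
listing_after_gen_key() {
    printf '%s\n' \
        'pub:u:2048:1:3746F2EA9E24D04F:1265760000:::u:::scSC:' \
        'uid:u::::1265760000::::Tchetch <tchetch@example.com>:'
}

# Constructed listing: the same key after "expire" and "addkey".
listing_after_edits() {
    printf '%s\n' \
        'pub:u:2048:1:3746F2EA9E24D04F:1265760000:1265892228::u:::scESC:' \
        'uid:u::::1265760000::::Tchetch <tchetch@example.com>:' \
        'sub:u:2048:1:00000000E7E84442:1265760000:1265892436:::::e:'
}

listing_after_gen_key | audit_key_listing || echo "findings above need fixing"
listing_after_edits | audit_key_listing && echo "expiry dates set, encryption subkey present"
```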

New UID

You may have a second mail address that you want to use with the same key. That's pretty easy: add a new uid with the command adduid:

Command> adduid
Real name: Tchetch 
Email address: tchetch2@example.com
Comment: 
You selected this USER-ID:
    "Tchetch <tchetch2@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a passphrase to unlock the secret key for
user: "Tchetch <tchetch@example.com>"
2048-bit RSA key, ID 9E24D04F, created 2010-02-10
                
pub  2048R/9E24D04F  created: 2010-02-10  expires: 2010-02-11  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/E7E84442  created: 2010-02-10  expires: 2010-02-11  usage: E   
[ultimate] (1)  Tchetch <tchetch@example.com>
[ unknown] (2). Tchetch <tchetch2@example.com>

Command> save
 
gpg/key_creation.txt · Last modified: 2010/02/10 16:31 by tchetch
 