Generate GPG Keys
Run:
gpg --gen-key
You will be asked:
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
Hit ENTER to select default.
Next, you will be asked:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Hit ENTER to select the default, 2048 bits.
Next, you will be asked:
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Hit ENTER to select the default 0, i.e. the key does not expire.
It will again ask you to confirm your choice.
Key does not expire at all
Is this correct? (y/N)
Press ‘y’ this time.
Then it will ask you for your:
Real name:
Email address:
Comment:
Enter your details. You can use the comment field to note something like the purpose of the key.
Next you will be asked to enter a passphrase twice. Remember this passphrase; it is what protects the private key.
Next, you may see a message like:
... generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 281 more bytes)
Just open another terminal window and run some commands that generate plenty of activity.
My favorite is running a disk write performance benchmark using:
dd bs=1M count=1024 if=/dev/zero of=test conv=fdatasync
You will see something like:
gpg: key 0B2B9B37 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/0B2B9B37 2014-05-01
      Key fingerprint = 4AEC D912 EA8F D319 F3A7  EF49 E8F8 5A12 0B2B 9B37
uid                  rtCamp (S3 Backup) <admin@example.com>
sub   2048R/3AA184AD 2014-05-01
Of all this output, the line containing:
pub 2048R/0B2B9B37 2014-05-01
is the most important.
0B2B9B37
is your GPG key ID in this case (the short, 8-hex-digit form of the ID).
List Keys
In case you forget to copy your key ID, you can find it again with the list-keys commands.
List Public Keys
gpg --list-keys
You will see something like:
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/CD2EFD2A 2009-12-15
uid                  Percona MySQL Development Team <mysql-dev@percona.com>
sub   2048g/2D607DAF 2009-12-15

pub   2048R/0B2B9B37 2014-05-01
uid                  rtCamp (S3 Backup) <admin@example.com>
sub   2048R/3AA184AD 2014-05-01
List Private Keys
gpg --list-secret-keys
You may notice fewer keys here. That is perfectly fine: the earlier command also lists other people's public keys in your keyring (e.g. the Percona public key), for which you hold no private key.
Export Keys
If you lose your private key, you will lose access to everything encrypted to it!
Export Public Key
gpg --export -a "rtCamp" > public.key
Export Private Key
gpg --export-secret-key -a "rtCamp" > private.key
Now don't forget to back up the public and private keys. Once exported, the private key is only as safe as the passphrase that protects it, so keep the file and the passphrase apart.
You can email these keys to yourself using the swaks command:
swaks --attach public.key --attach private.key --body "GPG Keys for `hostname`" --h-Subject "GPG Keys for `hostname`" -t admin@example.com
Importing Keys
If you ever have to import the keys, use the following commands.
Import Public Key
gpg --import public.key
Import Private Key
gpg --allow-secret-key-import --import private.key
(Current GnuPG treats --allow-secret-key-import as obsolete and ignores it; --import on its own also imports secret keys.)
Deleting Keys
At times you may want to delete keys.
Delete Public key
gpg --delete-key "Real Name"
Delete Private key
gpg --delete-secret-key "Real Name"
If you have both, delete the private key first: gpg refuses to delete a public key while a matching secret key is still in the keyring.
Generate Fingerprint
Sometimes you need to show a key's fingerprint, for example to compare it with the key's owner before trusting it.
gpg --fingerprint
This will show something like:
pub   2048R/0B2B9B37 2014-05-01
      Key fingerprint = 4AEC D912 EA8F D319 F3A7  EF49 E8F8 5A12 0B2B 9B37
uid                  rtCamp (S3 Backup) <sys@rtcamp.com>
sub   2048R/3AA184AD 2014-05-01
Encrypt Data
gpg -e -u "Sender (Your) Real Name" -r "Receiver User Name" file.txt
This will encrypt file.txt using the receiver's public key. The encrypted file will have a .gpg extension; in this case it will be file.txt.gpg, which you can send across.
I think -u is not necessary for encryption. It selects which of your own keys gpg uses as the sender's key (the one whose fingerprint we saw above); together with signing (-s), this lets the receiver verify who sent the message.
Decrypt Data
gpg -d file.txt.gpg
The decrypt command picks the correct secret key automatically (if you have it). Without -o, the decrypted content goes to standard output, so redirect it or pass -o file.txt.
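The key-generation walkthrough and the encrypt/decrypt steps above, put together as an unattended script. This is an added example, not part of the original tutorial; it assumes GnuPG (2.1 or later for %no-protection) and a POSIX sh, and the function names key_id_from_output and gpg_roundtrip are my own.

```shell
#!/bin/sh
set -eu

# key_id_from_output: pull the short key ID out of the "pub   2048R/0B2B9B37 ..."
# line that the tutorial singles out as the important one. Accepts both the
# classic "2048R/0B2B9B37" layout shown above and newer "rsa2048/0B2B9B37" output.
key_id_from_output() {
    sed -n 's/^pub[[:space:]]*[^/]*\/\([0-9A-Fa-f]\{8,16\}\).*/\1/p' | head -n 1
}

# gpg_roundtrip NAME COMMENT EMAIL: generate a key pair unattended in a
# throwaway GNUPGHOME, encrypt a constructed file to it, decrypt it again,
# print the new key ID, and return non-zero if the round trip changed the data.
gpg_roundtrip() {
    name=$1; comment=$2; email=$3
    home=$(mktemp -d); export GNUPGHOME="$home"
    # Batch answers to the prompts walked through above: RSA and RSA, 2048 bits,
    # no expiry, real name / comment / e-mail. %no-protection skips the
    # passphrase so no pinentry is needed; a key you keep should have one.
    cat >"$home/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $name
Name-Comment: $comment
Name-Email: $email
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$home/params" 2>/dev/null
    keyid=$(gpg --list-keys --keyid-format short "$email" | key_id_from_output)
    printf 'backup test %s\n' "$(date +%s)" >"$home/file.txt"   # constructed input
    # -r picks the recipient's public key; output lands in file.txt.gpg.
    gpg --batch --quiet --trust-model always -e -r "$email" "$home/file.txt"
    # -d writes to stdout unless -o is given.
    gpg --batch --quiet -d -o "$home/out.txt" "$home/file.txt.gpg" 2>/dev/null
    if cmp -s "$home/file.txt" "$home/out.txt"; then ok=0; else ok=1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    unset GNUPGHOME; rm -rf "$home"
    echo "$keyid"
    return $ok
}
```

Run it as gpg_roundtrip "rtCamp" "S3 Backup" "admin@example.com"; it prints the key ID and exits 0 only if the decrypted file matches the original.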