Quick-n-Dirty GPG

Welcome to the QND Guide to GPG. QND guides contain a lot of "what" information and very little "why" information. Reading the GPG documentation at http://www.gnupg.org/docs.html is highly recommended.

This document contains seven sections, which cover making sure you have GPG and that it is installed correctly, making a key pair, making a revocation certificate, dealing with keyservers, and advertising your key.

This QND guide is at present oriented toward RPM-based distributions, but in future, instructions for other distros will be included, or possibly it will be branched into distro-specific versions.

This is a draft copy. Comments and suggestions are welcome.

BEFORE YOU START
----------------

Read this guide all the way to the end before you do anything. After you have read this entire guide and understand what to do, proceed to Step 1.

1) DO YOU HAVE GPG?
-------------------

In a shell, type:

    which gpg

This should return the path to gpg, probably /usr/bin/gpg. If it finds it, go to Step 2. If it doesn't, continue with this step.

If you're here, that means you didn't find gpg when you typed "which gpg". In that case, you will need to download a GPG package from your distribution's FTP site or a mirror. After downloading it, su to root in a shell, change to the directory where you downloaded the RPM, and type:

    rpm -Uvh name-of-gpg-rpm-here

"which gpg" should now give you the location of gpg, probably /usr/bin/gpg.

2) MAKE GPG SUID ROOT
---------------------

Skip this step if you do not have root access to the computer you are using.

su to root, then type:

    chmod +s /path/to/gpg/from/step1/gpg

Example:

    chmod +s /usr/bin/gpg

This is to make GPG use secure memory. Exit root and go back to your normal userid.

3) GENERATE A KEY PAIR
----------------------

Type:

    gpg --gen-key

NOTE: If you have not generated a key pair before, you will see messages like these:

----------
gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: /home/newbie/.gnupg: directory created
gpg: /home/newbie/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
----------

This is normal. Now, we will repeat the previous step once more. Type:

    gpg --gen-key

- Accept the default for the key type (just hit enter).
- Enter 2048 for the suggested key size.
- It will ask if you really need it. Yes.
- It will ask for how long the key should be valid. Enter 0 (default).
- It will ask if that is correct. Yes.
- Userid section. Enter your first and last name.
- Enter your email address.
- Optional comment. Leave blank.
- Confirm the userid you entered. Enter O(kay) here if it's acceptable.

Your userid is your name + email address + optional comment, like this:

    Ima Newbie <your-email-address> (This is my comment)

IMPORTANT: Next is the passphrase section. Let's start with a subsection called...

=========================
Your passphrase is very important. It should be long (a sentence, not just a word), and contain mixed-case letters along with numbers and punctuation. Obscuring words by plugging in numbers that look like them is good. For example, 3 for E/e, 4 for A/a, 0 for O/o, 1 for L/l, 7 for T/t, etc., is advisable. This is in the style used by 31337 H4x0rs. If you understand those two words, you get the idea.

DO NOT store your passphrase on your computer. EVER. Keep it offline in a secure place. Taped to your monitor, or anywhere else in the vicinity of your computer, does not constitute a safe place. If you can memorize it, that is best.

Treat your passphrase as being more valuable than the root password. It is.
=========================

Now, the key pair will be generated. You will be asked to perform some other action, such as typing or moving the mouse, while this is being done, to generate good random data. Do it right away; generating the key pair takes only a few seconds.

4) GENERATE A KEY REVOCATION CERTIFICATE
----------------------------------------

You will need this in case your private key is ever compromised or you lose your passphrase. Do it now, because if you wait until that happens, it's too late. You won't be able to do it then.

Type:

    gpg --gen-revoke "YOUR-USERID-HERE"

Your userid is your name + email address + optional comment, like this:

    Ima Newbie <your-email-address> (This is my comment)

EXAMPLE:

    gpg --gen-revoke "Ima Newbie <your-email-address>"

The revocation certificate generator will ask you these questions. Answers immediately follow them.

- Create a revocation certificate? y
- Select reason: 2
- Optional description: (leave blank)
- Is this OK? y
- Enter passphrase: YOUR-PASSPHRASE-HERE

You will see the revocation certificate on your screen. It will look like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
Comment: A revocation certificate should follow

[armored certificate data appears here]
-----END PGP PUBLIC KEY BLOCK-----

Cut and paste this somewhere and print it and/or store it on a CD or floppy (CD is better; floppies aren't reliable). Both printing it and storing it on a CD or floppy is best.

DO NOT store the revocation certificate on your computer, ever, for the same reasons you should never store your passphrase on your computer. Keep this revocation certificate secure, also for the same reasons you should keep your passphrase secure.

5) SEND YOUR PUBLIC KEY TO A KEY SERVER
---------------------------------------

    cd ~/.gnupg

Type:

    gpg --list-keys

You will see something like this:

    pub  1024D/DF12B4EF 2002-07-27 Jonathan Byrne

But it will have your public key info here. The part you want is after "pub 1024D/" - in my case, it's DF12B4EF. That's my key ID.

Connect to the Internet, then type this command, putting your key ID in the obvious place:

    gpg --keyserver pgp.mit.edu --send-keys YOUR-KEY-ID

Repeat the same command with a different keyserver:

    gpg --keyserver www.keyserver.net --send-keys YOUR-KEY-ID

6) GET MY PUBLIC KEY
--------------------

    gpg --keyserver pgp.mit.edu --recv-keys DF12B4EF

You are now ready to both send and receive GPG-encrypted or signed files. How to do those things will be covered in another document.

7) TELLING OTHERS ABOUT YOUR KEY
--------------------------------

The easiest way to advertise your key to others is to put it in your .signature file so it is included in your email. My .signature contains this:

    GPG key: DF12B4EF (5399 C834 3ABB C3AF 610C 5345 D5D6 E6EA DF12 B4EF)
    gpg --keyserver pgp.mit.edu --recv-keys DF12B4EF

Two lines, with my key, my key fingerprint, and the command to get my key from a keyserver.

====================================
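Steps 5 and 7 both depend on the relationship between the short key ID that GnuPG 1.x prints (the eight hex digits after "pub 1024D/") and the full 40-hex-digit fingerprint shown in the .signature example. The POSIX shell snippet below is an added example, not part of the original guide: it extracts the key ID from a constructed `gpg --list-keys` line and checks that the ID equals the last eight hex digits of the fingerprint, which is how a short v4 key ID is derived. It runs without gpg installed; the sample line and fingerprint reuse the guide's own values, and the function names are the example's own. Because a short ID carries only 32 bits of the fingerprint, correspondents should still compare the full fingerprint after fetching a key from a keyserver; this check only catches a .signature whose two published values disagree with each other.

```shell
#!/bin/sh
# Added example, not from the QND guide: sanity checks on the key ID and
# fingerprint you paste into a .signature file (steps 5 and 7).
# Pure POSIX sh; does not need gpg installed.

# Constructed sample: the "pub" line of GnuPG 1.x `gpg --list-keys` output,
# using the guide's own values.
SAMPLE_LIST_LINE='pub  1024D/DF12B4EF 2002-07-27 Jonathan Byrne'
# Constructed sample: the fingerprint from the guide's .signature example.
SAMPLE_FINGERPRINT='5399 C834 3ABB C3AF 610C 5345 D5D6 E6EA DF12 B4EF'

# Print the short key ID from a GnuPG 1.x "pub" line: the eight hex digits
# after "pub <bits><algorithm letter>/". Prints nothing if the line does
# not have that shape (GnuPG 2 lists keys in a different layout).
key_id_from_list_line() {
    printf '%s\n' "$1" |
        sed -n 's/^pub[[:space:]]*[0-9]*[A-Za-z]\/\([0-9A-Fa-f]\{8\}\).*/\1/p'
}

# Remove the display spaces from a fingerprint and upper-case the hex digits.
normalize_fingerprint() {
    printf '%s\n' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# A v4 OpenPGP fingerprint is 40 hex digits (160 bits); the 8-digit short
# key ID is its low-order 32 bits, i.e. the last eight hex digits.
# Returns 0 when the ID belongs to the fingerprint, 1 otherwise (including
# malformed input).
key_id_matches_fingerprint() {
    kid=$(printf '%s\n' "$1" | tr 'abcdef' 'ABCDEF')
    fpr=$(normalize_fingerprint "$2")
    case "$kid$fpr" in
        *[!0-9A-F]*) return 1 ;;    # non-hex characters present
    esac
    [ "${#kid}" -eq 8 ] || return 1
    [ "${#fpr}" -eq 40 ] || return 1
    fpr_tail=$(printf '%s\n' "$fpr" | cut -c33-40)
    [ "$fpr_tail" = "$kid" ]
}

# Stand-alone usage with the constructed samples.
kid_from_listing=$(key_id_from_list_line "$SAMPLE_LIST_LINE")
if key_id_matches_fingerprint "$kid_from_listing" "$SAMPLE_FINGERPRINT"; then
    echo "OK: key ID $kid_from_listing is the tail of the fingerprint"
else
    echo "MISMATCH: key ID '$kid_from_listing' does not belong to fingerprint '$SAMPLE_FINGERPRINT'" >&2
fi
```

Run it as `sh check-keyid.sh` (any file name) before publishing a .signature; substitute your own `--list-keys` line and fingerprint for the constructed samples. The hex and length checks are deliberate: a fingerprint copied with a missing group or a stray character would otherwise pass a naive string-suffix comparison.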