Encryption is a process of embedding plain text data in such a way that it cannot be decoded by outsiders. It is necessary to encrypt data to prevent misuse. The GNU Privacy Guard (GPG) application allows you to encrypt and decrypt information. It is based on the use of a pair of keys, one public and one private (or secret). Data encrypted with one key can only be decrypted with the other. To encrypt a message to you, someone would use your public key to create a message that could only be unlocked with your private key. To sign information, you would lock it with your private key, allowing anyone to verify that it came from you by unlocking it with your public key.
Modern Linux distributions have gpg already installed on them. If not present, install it.
on Centos
on Ubuntu
1) Create gpg key
The most precious part of a PGP key block is its master signing key. The master signing key of a PGP key block is rarely needed (mostly when editing/extending the PGP key block itself and when signing other people's keys). You can only trust you generated PGP key to the extent you trust the software environment and/or the computer generating it. I have generated keys using GPG, by executing the following command gpg -gen-key Now I need to export the key pair to a file; i.e., private and public keys to private.pgp and public.pgp, respect.
When installing gnupg package, we need to understand the concept to use gpg as well.
Generating a new keypair
To encrypt your communication, the first thing to do is to create a new keypair. GPG is able to create several types of keypairs, but a primary key must be capable of making signatures.
Your prompt can be handled for a very long time without finishing if you see the message below
'Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 285 more bytes)'
The problem is caused by the lack of entropy (or random system noise). So cancel the process and check the available entropy
You can see it is not enough. We can install a package to solve the lack of entropy with rngd which is a random number generator utility used to check immediately the available entropy
Now can start again with the
gpg --gen-key command and the process will be fine. We have only installed it without anything else. In certain distributions, you need to use rngd before the gpg process.
3) Generating a revocation certificate
After your keypair is created you should immediately generate a revocation certificate to revoke your public key if your private key has been compromised in any way or if you lose it. Create it when you create your key. The process requires your private key, passphrase.
The argument BAC361F1 is the key ID. It must be a key specifier, either the key ID of your primary keypair or any part of a user ID that identifies your keypair like [email protected]. The generated certificate will be saved in
revoke_key.asc file. Store it where others can't access it because anybody having access to it can revoke your key, rendering it useless. If the --output option is omitted, the result will be placed on standard output.
4) Making an ASCII armored version of your public key
Some keyservers allow you to paste an ASCII armored version of your public key in order to upload it directly. This method is most preferred because the key comes directly from the user who can see that the key has been successfully uploaded.
5) Exchanging keys
In order to communicate with others, you must exchange public keys. To do it, you must be able to list your keys. There is some commands to list your public keyring
Export a public key
Now that you have generated a key pair, the next step is to publish your public key on internet ( Keyservers ) so that other person can use it to send you a message. You can use either the key ID or any part of the user ID may be used to identify the key to export. There are two commands but with the first command, the key is exported in a binary format and can be inconvenient when it is sent through email or published on a web page. So, we will use the second command for ASCII armored method.
The output will be redirected to my_pubkey.gpg file which has the content of the public key to provide for communication.
Submit your public keys to a keyserver
Once you have this ASCII-armored public key, you can manually paste it into a form at a public key server like pgp.mit.edu
Because someone seems to have sent you their public key, there's no reason to trust that it's from that person unless you have validated it.
Import a public key
As others persons can use your public key to send you a message, you can import public from people you trust in to communicate with them.
![]() Conclusion
Now we have notions on the principles to use and generate a public key. You know how GnuPG is functioning and you can use it for secure communication. GPG encryption is only useful when both parties use good security practices and are vigilant.
Read Also:Generate Public Pgp Key Linux Download
A readme and a script to generate PGP keys using GnuPG, using the current best practices.
Its goal is to provide a concise and up-to-date description of best practices regarding the usage of GnuPG. A basic understanding of public key cryptography, and GnuPG in particular is assumed.
If something is not clear or you're new to PGP, then make sure to start with the Glossary below.
Some quick insights
The PGP algorithm needs an extra parameter, a key, to sign or encrypt data. That parameter is a cryptographic keypair, usually one of the subkeys from a PGP key block. New subkeys can be freely generated and published, so forward secrecy can be achieved by publishing new subkeys, as long as the secret part of the master signing keypair has not been compromised. Therefore the most precious part of a PGP key block is its master signing key, because whenever new information is attached to the key block (e.g. a new subkey is generated), this new data must be signed by the secret part of the master signing keypair, otherwise conforming programs will reject the new unsigned or improperly signed part of the PGP key block. In this scheme publishing valid additions to the key block is only possible by people who know the secret part of the master signing key. This is ideally you, and you only.
So, to conclude: keep the secret part of your master signing key safe!
Generating a key
Windows cmd generate ssh key. The aim is to generate a digital identity that can serve to identify you and to facilitate secret communication with you in the future.
Things to consider:
Even more thoughts here.
Using GnuPG
GnuPG properly operates with a PGP key block that is missing the secret part of its master signing key, as long as it's not needed for an operation. Therefore it's a good idea not to store the secret part of the master signing key in the regularly used gpg home directory, but rather generate and handle it in a safer environment; e.g. generate and handle it using a live CD without Internet connection, and store it on a pendrive dedicated to this purpose. Then only attach it when needed (e.g. when signing other people's keys or when your own keyblock needs to be modified).
This script generates (with defaults in parens):
Once the exported files have been generated, you can import them into the gpg homedir's on your devices (by default
~/.gnupg ). Where you should import and what depends on the level of security you want to achieve, but keeping the master key offline is advised as described above.
(the '#' character in the output shows that the secret part of the master signing key is missing)
SmartCards and other hardware keys
SmartCards and USB cryptographic tokens are specialized simple computers that perform cryptographic operations. They are designed to keep the secret keys secret even against physical attacks. They are much more secure than storing a key on a personal computer, but they are not flawless ⁽¹⁾⁽²⁾. Usually they can store three separate keys for signing, encryption, and authentication. The secret keys can be either uploaded or generated on the cards themselves, so that they never get exposed to less secure environments.
Some laptops have internal smart card readers, and higher security external readers have their own PIN entry keyboard.
Further information on using smart cards on Linux: Debian wiki, Using an OpenPGP SmartCard, OpenSC – tools and libraries for smart cards, GnuPG wiki.
Glossary
Alternatives and/or further readingCredits
Written by Attila Lendvai [email protected] (Key fingerprint: 2FA1 A9DC 9C1E BA25 A59C 963F 5D5F 45C7 DFCD 0A39).
If you've found this useful, then tips are welcome:
Comments are closed.
|
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |