How to Make GPG Keys Fast – IMPORTING TO KEY SERVERS
##################################################
Before generating a key, open up 2 shells, and go into a screen with each (so if PC turns off it can still generate the keys).
First make sure gpg is installed (google how to install gpg – its just a single apt-get command that Im too lazy to look up)..Aw okay I looked it up:
# apt-get update
# apt-get install gnupg
Make sure you know how your keys are setup before you generate them:
# gpg –list-keys
When you generate your keys, they will go into some database in ~/.gnupg and also into that list. We will need to extract them from that list if you want a hardcopy (which Im sure we all do)
# gpg –key-gen
The first 3 questions I just answer with defaults to get a never expiring 2048 but RSA/DSA key.
Select 1 for default DSA/RSA
0 for Never expire (or whatever you want for the expiration)
2048 for 2048 bit key
Real Name, put your real name, thats the point of gpg keys (Spaces and Capital letters are fine)
Real Name: John H. Doe
Real Name (for example below): RealNameWouldGoHere
Email, put your real email so people wont have hard times trying to contact you if keys dont work
Email: john@doe.com
Email (for example below): your@email.com
Comment, put a comment or your alias (I put my alias)
Comment: theonlyjohndoe
Comment (for example below): comment
NOTE: keys are for sharing public content so you want to use your real email so people can reach you to verify real identity
Then verify a good strong passphrase two times
Unlike SSH keys where people seldom pick a passphrase, DO NOT forget to put a passphrase here
Now comes the generating ENTROPY time
Easiest way, download the program stress
NOTE the entropy will be generated if you just leave it on (maybe you might have to wait over night). With this stress trick I didnt wait over 5 minutes.
# apt-get install stress
I found the best way to generate stress fast is to use –hdd argument
# stress –cpu 8 –io 4 –vm 4 –vm-bytes 64M –hdd 2
Just run “stress” to see what those options will do or “man stress”. I doubt you want to run it on superoverkill on a production server.
Verify key generated with
# gpg –list-keys
Some of the output (I trimed lots out)
pub 2048R/D04BFEBB 2014-06-15
uid RealNameWouldGoHere (AliasOrComment) <your@email.com>
# gpg -K
OR
# gpg –list-secret-keys
–list-secret-keys will show the private key(which you dont give to anyone but yourself – that means dont give it out to public key servers)
–list-keys will show the public keys (which you can give out to anyone, including public key servers)
HOW TO EXPORT PUBLIC KEY
#########################
You will only be giving this one, even to gpg servers that want to verify you and keep your key (public key is what they need)
# gpg -a –output mykey-public.gpg –export “your@email.com”
Instead of “your@email.com” you can put your realname (just surround it by quotes, if you used spaces), or use your Key ID which is right after the forward slash, so in this case my key id is D04BFEBB
So we can identify the same key using the following:
your@email.com
RealNameWouldGoHere
D04BFEBB
So all these will generate the same key
# gpg -a –output mykey-public.gpg –export “your@email.com”
# gpg -a –output mykey-public.gpg –export “RealNameWouldGoHere”
# gpg -a –output mykey-public.gpg –export “D04BFEBB”
With the John Doe guy:
# gpg -a –output mykey-public.gpg –export “john@doe.com”
# gpg -a –output mykey-public.gpg –export “John H. Doe”
NOTE: I just always use quotes around the ID, EMAIL or REAL NAME
NOTE: -a is for armor, or text armor, so that keys are in ASCII readable, without -a, the output is binary and hard to copy paste between notepads and keep track of with human eyes
NOTE: this is the key that we want to redistribute to others
HOW TO EXPORT PRIVATE KEY
##########################
Make sure noone gets their hands on this one, its just for you.
Also with this, you can identify which key to download with the KEY ID, the email, and the Real Name (use quotes just incase has spaces – I just always use quotes)
# gpg –export-secret-keys -a D04BFEBB > mykey-priv.asc2
Again these methods also work and would generate the same key:
# gpg –export-secret-keys -a “your@email.com” > mykey-priv.asc2
# gpg –export-secret-keys -a “RealNameWouldGoHere” > mykey-priv.asc2
NOTE: -a is for armor, or text armor, so that keys are in ASCII readable, without -a, the output is binary and hard to copy paste between notepads and keep track of with human eyes
WHATS NEXT:
############
* https://www.gnupg.org/gph/en/manual.html
* https://www.digitalocean.com/community/tutorials/how-to-use-gpg-to-encrypt-and-sign-messages-on-an-ubuntu-12-04-vps
* http://stuff.imeos.org/persistent/gpg-cheatsheet.pdf
* http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html
* https://rtcamp.com/tutorials/linux/gpg-keys/
IMPORT KEY TO PUBLIC SERVER
############################
You can also import your key to public servers.
Why good?
If someone downloads an encrypted file that needs your key, well and they dont have it. The gpg program can tell them which public key they are missing (it will tell them the missing ID). For example when your “sources.list” for apt is pointing to a repo that needs a gpg key for authentication, and your missing that key – you can contact the keys servers to recv that key:
For example if my key was missing and needed, the one with key id: D04BFEBB
You can either A) find me and download the public key
(which remember we generated like this: # gpg -a –output mykey-public.gpg –export “John H. Doe”)
Or B) they can find a server which has the key and download from it
# gpg –keyserver subkeys.pgp.net –recv D04BFEBB
But before a server has your key you need to import it. You can send it via CLI or webgui.
To send a key to a server:
# gpg –keyserver certserver.pgp.com –send-key your@email.com
Also im sure you can use the key ID: D04BFEBB
# gpg –keyserver certserver.pgp.com –send-key D04BFEBB
Where
certserver.pgp.com is a keyserver (its an actual valid one)
You can also use a webgui if it provides one, like this keyserver:
https://sks-keyservers.net/i/
Or this one:
http://pgp.mit.edu/
SCRIPT TO FIX MISSING GPG KEYS
###############################
IF missing a key, get the missing ID, then either a) find the key online, or b) use a keyserver and located by ID
If want to download from keyserver:
# gpg –keyserver certserver.pgp.com –recv-key 0xBB7576AC
NOTE: this puts the key in your “gpg –list-key” database which is held in ~/.gnupg
http://askubuntu.com/questions/127326/how-to-fix-missing-gpg-keys
# apt-get update 2> /tmp/keymissing; for key in $(grep “NO_PUBKEY” /tmp/keymissing |sed “s/.*NO_PUBKEY //”); do echo -e “\nProcessing key: $key”; gpg –keyserver subkeys.pgp.net –recv $key && sudo gpg –export –armor $key | apt-key add -; done
Highly energetic blog, I enjoyed that a lot. Will there be a part 2?