A new and stronger GPG key on OS X Lion
Written by Arvinder Singh / June 29, 2012 / Filed under Gpg, Pgp, Security
I have moved to a new 4096-bit RSA GPG key. You can read the context here, the reasoning here, a gentle introduction here, and a tutorial for OS X here. Others have done it too.
This post is mainly my own documentation, but you are welcome to follow along on a Unix or Mac machine. Corrections are welcome, as are requests to sign my key or to have me sign yours. If you want a graphical tool for OS X, look at GPGTools.
PGP vs GPG
From the wisdom of masses:
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security of e-mail communications.
GNU Privacy Guard (GnuPG or GPG) is a GPL Licensed alternative to the PGP suite of cryptographic software.
In a few words, GPG is an open-source (and arguably enhanced) implementation of PGP functionality.
Update conf file
On the recommendation of Daniel Kahn Gillmor, it is a good idea to make signatures with stronger digests by default.
cat >>~/.gnupg/gpg.conf <<EOF
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
I also recommend setting the charset to UTF-8 if you want to use non-ASCII characters in your name.
cat >>~/.gnupg/gpg.conf <<EOF
charset utf-8
EOF
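The two cat >> snippets above append blindly, so running them a second time leaves duplicate option lines in gpg.conf. The POSIX shell helper below is an added example, not from the original post: it sets each option once and rewrites it in place when it already exists. GPG_CONF is assumed to be ~/.gnupg/gpg.conf and can be overridden to work on a scratch file.

```shell
#!/bin/sh
# Added example (not from the post): idempotent gpg.conf settings.
# GPG_CONF is assumed to be ~/.gnupg/gpg.conf; override it to work on a scratch file.
GPG_CONF="${GPG_CONF:-$HOME/.gnupg/gpg.conf}"

# has_opt NAME: succeed if some line in gpg.conf starts with the option NAME.
has_opt() {
    [ -f "$GPG_CONF" ] && awk -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$GPG_CONF"
}

# get_opt NAME: print the value currently configured for NAME (empty if unset).
get_opt() {
    [ -f "$GPG_CONF" ] && awk -v n="$1" '$1 == n { $1 = ""; sub(/^ /, ""); print }' "$GPG_CONF"
}

# set_opt NAME VALUE...: rewrite an existing "NAME ..." line in place, else append one.
set_opt() {
    name="$1"; shift
    mkdir -p "$(dirname "$GPG_CONF")"
    if has_opt "$name"; then
        tmp="$GPG_CONF.tmp.$$"
        awk -v n="$name" -v v="$*" '$1 == n { print n " " v; next } { print }' "$GPG_CONF" > "$tmp" \
            && mv "$tmp" "$GPG_CONF"
    else
        printf '%s %s\n' "$name" "$*" >> "$GPG_CONF"
    fi
}

# The settings recommended in the post, safe to re-run as often as you like.
apply_post_settings() {
    set_opt personal-digest-preferences SHA256
    set_opt cert-digest-algo SHA256
    set_opt default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
    set_opt charset utf-8
}
```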
Generate a key
On the command line
gpg --gen-key
You will see:
gpg (GnuPG/MacGPG2) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
With selection 1 or 2 you generate an encryption subkey along with the signing key in one step. Otherwise you can add one later by running gpg --edit-key your-key-id, then addkey, then save once you have made your choices. Here we'll choose option 1.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Although it may be overkill for now, computation is cheap and I choose 4096.
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Choose the validity period. I chose 0.
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Arvinder Singh Kang
Email address: askang@olemiss.edu
Comment: askang
You selected this USER-ID:
"Arvinder Singh Kang (askang) <askang@olemiss.edu>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Choose a strong passphrase, but remember to write it down and store it in a safe place.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 9C83CDFE marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2015-08-18
pub 4096R/9C83CDFE 2012-06-30
Key fingerprint = D1A0 786C 5784 85B3 5691 3706 D419 4322 9C83 CDFE
uid Arvinder Singh Kang (askang) <askang@olemiss.edu>
sub 4096R/C4D48A73 2012-06-30
Add another uid
~> gpg --edit-key 0x9C83CDFE
gpg (GnuPG/MacGPG2) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/9C83CDFE created: 2012-06-30 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/C4D48A73 created: 2012-06-30 expires: never usage: E
[ultimate] (1). Arvinder Singh Kang (askang) <askang@olemiss.edu>
gpg> adduid
Real name: Arvinder Singh Kang
Email address: punjcoder@gmail.com
Comment: punjcoder
You selected this USER-ID:
"Arvinder Singh Kang (punjcoder) <punjcoder@gmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a passphrase to unlock the secret key for
user: "Arvinder Singh Kang (askang) <askang@olemiss.edu>"
4096-bit RSA key, ID 9C83CDFE, created 2012-06-30
pub 4096R/9C83CDFE created: 2012-06-30 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/C4D48A73 created: 2012-06-30 expires: never usage: E
[ultimate] (1) Arvinder Singh Kang (askang) <askang@olemiss.edu>
[ unknown] (2). Arvinder Singh Kang (punjcoder) <punjcoder@gmail.com>
gpg> save
~ ❯
Set primary UID
~ ❯ gpg --edit-key 0x9C83CDFE
gpg (GnuPG/MacGPG2) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/9C83CDFE created: 2012-06-30 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/C4D48A73 created: 2012-06-30 expires: never usage: E
[ultimate] (1). Arvinder Singh Kang (punjcoder) <punjcoder@gmail.com>
[ultimate] (2) Arvinder Singh Kang (askang) <askang@olemiss.edu>
gpg> list
pub 4096R/9C83CDFE created: 2012-06-30 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/C4D48A73 created: 2012-06-30 expires: never usage: E
[ultimate] (1). Arvinder Singh Kang (punjcoder) <punjcoder@gmail.com>
[ultimate] (2) Arvinder Singh Kang (askang) <askang@olemiss.edu>
gpg> uid 2
pub 4096R/9C83CDFE created: 2012-06-30 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/C4D48A73 created: 2012-06-30 expires: never usage: E
[ultimate] (1). Arvinder Singh Kang (punjcoder) <punjcoder@gmail.com>
[ultimate] (2)* Arvinder Singh Kang (askang) <askang@olemiss.edu>
gpg> primary
You need a passphrase to unlock the secret key for
user: "Arvinder Singh Kang (punjcoder) <punjcoder@gmail.com>"
4096-bit RSA key, ID 9C83CDFE, created 2012-06-30
pub 4096R/9C83CDFE created: 2012-06-30 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/C4D48A73 created: 2012-06-30 expires: never usage: E
[ultimate] (1) Arvinder Singh Kang (punjcoder) <punjcoder@gmail.com>
[ultimate] (2)* Arvinder Singh Kang (askang) <askang@olemiss.edu>
gpg> save
List your keys
To list public keys
gpg --list-keys
To list private keys
gpg --list-secret-keys
Manage your keys
Create a directory in the home directory to manage your GPG keys.
cd
mkdir keymat
cd keymat
It is a good idea to create an ASCII-armored file for your public key.
gpg -ao publickey.asc --export askang@olemiss.edu
keymat ❯ cat publickey.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: punjcoder

[armored key data omitted]
-----END PGP PUBLIC KEY BLOCK-----
keymat ❯
Now send the key to a key server.
keymat ❯ gpg --send-keys 9C83CDFE
gpg: sending key 9C83CDFE to hkp server keys.gnupg.net
Now generate a revocation certificate.
gpg -ao revokecert.asc --gen-revoke 9C83CDFE
And an ASCII-armoured copy of your private key. The second gpg in the pipeline symmetrically encrypts (-c) the export, so the file on disk is protected by a passphrase.
gpg -a --export-secret-keys 9C83CDFE | gpg -aco privatekey.pgp.asc
Now store your revocation certificate and private key off your computer in a safe place.
You can now use your GPG key to sign and encrypt data using asymmetric-key encryption. For details, refer to the GnuPG documentation here.
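The key-generation dialog and the export steps above, collected into one POSIX shell script as an added example that is not from the original post. gen_params writes the same choices as the dialog (RSA and RSA, 4096 bits, no expiry) in GnuPG's unattended --batch --gen-key parameter format, backup_key reproduces the keymat exports and assumes gpg is on PATH, and check_backup verifies that the saved private key is the passphrase-encrypted form (a PGP MESSAGE) rather than a bare PRIVATE KEY BLOCK; the directory and key ID arguments are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the post); gen_key and backup_key assume gpg is on PATH.

# gen_params NAME COMMENT EMAIL: the dialog choices from the post (RSA/RSA, 4096 bits,
# no expiry) as a GnuPG batch parameter file; the passphrase is still prompted for.
gen_params() {
    printf '%s\n' \
        "Key-Type: RSA" "Key-Length: 4096" \
        "Subkey-Type: RSA" "Subkey-Length: 4096" \
        "Name-Real: $1" "Name-Comment: $2" "Name-Email: $3" \
        "Expire-Date: 0" "%ask-passphrase" "%commit"
}

# gen_key NAME COMMENT EMAIL: unattended equivalent of the interactive gpg --gen-key run.
gen_key() {
    gen_params "$@" | gpg --batch --gen-key
}

# backup_key KEYID DIR: the three exports from the post, written into DIR (default ~/keymat).
backup_key() {
    keyid="$1"; dir="${2:-$HOME/keymat}"
    mkdir -p "$dir" && chmod 700 "$dir"
    gpg -ao "$dir/publickey.asc" --export "$keyid"
    gpg -ao "$dir/revokecert.asc" --gen-revoke "$keyid"
    # Symmetric (-c) encryption of the exported secret key, so the copy on disk
    # is unusable without its passphrase.
    gpg -a --export-secret-keys "$keyid" | gpg -aco "$dir/privatekey.pgp.asc"
    chmod 600 "$dir"/*.asc
}

# check_backup DIR: fail if any export is missing or the private key was saved unencrypted.
check_backup() {
    dir="$1"
    for f in publickey.asc revokecert.asc privatekey.pgp.asc; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$dir/publickey.asc" || return 1
    if grep -q -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$dir/privatekey.pgp.asc"; then
        echo "privatekey.pgp.asc is an unencrypted secret key export" >&2; return 1
    fi
    grep -q -- '-----BEGIN PGP MESSAGE-----' "$dir/privatekey.pgp.asc"
}
```

Run check_backup against your keymat directory before moving the files off the machine; a PRIVATE KEY BLOCK header there means the symmetric encryption step was skipped.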
Ask others you know to sign your key to build a web of trust.