From 863b170334fb55b1736d657e371278eee025bf0f Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Sun, 31 Dec 2023 00:04:36 +0100 Subject: [PATCH] Mention -u option for key signing, fix formatting --- content/posts/gnupg/index.md | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/content/posts/gnupg/index.md b/content/posts/gnupg/index.md index 4f123a7..e3dfda1 100644 --- a/content/posts/gnupg/index.md +++ b/content/posts/gnupg/index.md @@ -2,10 +2,10 @@ title: Introduction to encryption with GnuPG date: 2022-04-10 tags: [privacy, linux, encryption] -sources: - - "[GnuPG documentation](https://gnupg.org/documentation/index.html)" - - "[Arch Wiki on GnuPG](https://wiki.archlinux.org/title/GnuPG)" - - "[RedHat guide on GnuPG](https://www.redhat.com/sysadmin/getting-started-gpg)" +sources: + - "[GnuPG documentation](https://gnupg.org/documentation/index.html)" + - "[Arch Wiki on GnuPG](https://wiki.archlinux.org/title/GnuPG)" + - "[RedHat guide on GnuPG](https://www.redhat.com/sysadmin/getting-started-gpg)" --- GnuPG (short for GNU Privacy Guard), also known as just GPG is a public-key cryptography implementation. This allows @@ -27,7 +27,7 @@ key should be given to anyone freely. This kind of structure is very useful, because it allows others to have some information (public key) with which they can encrypt files in a way that they'll only be decryptable with the private key, which they don't have, so after deleting the original file, even they wouldn't then be able to decrypt that file, making it safe to have it stored on -their system. +their system. If both parties then create their own key pairs and share the public keys between each other, it allows for a secure communication between them, even if there were someone monitoring their communication, because both parties only ever 
@@ -52,10 +52,10 @@ If you're on basically any Linux distribution, you'll most likely already have g managers require the packages to be signed by the maintainers, and this is done with the use of GnuPG. But in the unlikely case that you wouldn't have it installed, you'll probably be able to find it in your package manager, under `gpg`, or `gnupg` name, if neither works, try adding `2` behind them, signifying the version. If for some reason the -package isn't in the package manager (very unlikely), you can also build it from +package isn't in the package manager (very unlikely), you can also build it from [source](https://github.com/gpg/gnupg). -If you're on Windows (why would you do that to yourself?), you can install +If you're on Windows (why would you do that to yourself?), you can install [gpg4win](https://www.openpgp.org/software/gpg4win/), which is a ported version of gpg. ## Creating your key @@ -67,6 +67,7 @@ gpg --full-gen-key ``` This will ask a few questions, that will configure the key, most notably this will be: + - **Key type** - Which you will most likely want to keep at the default value (RSA and RSA) - **Key size** - Where you should prefer the biggest possible size (probably 4096 bits), to make brute-force attacks really hard 
@@ -81,7 +82,7 @@ This will ask a few questions, that will configure the key, most notably this wi files and got the key, it wouldn't be useful without the passphrase. But having to enter a passphrase each time can be annoying, ultimately you have to choose if you want convenience, or more security. -After this, GPG will generate the actual keys, containing the configuration you entered using *entropy*. Entropy +After this, GPG will generate the actual keys, containing the configuration you entered using _entropy_. Entropy describes the amount of unpredictability that exists in your system. This is used to securely generate a random value (the key), which couldn't easily be reconstructed (computers are generally bad at creating truly random values). @@ -102,7 +103,7 @@ gpg --list-keys [your-email] You can also leave out the email, and just run `gpg --list-keys`, to see all keys that are in your GPG database. This will likely contain a lot of keys that were added by your package manager, but your key should be present in there too. -If you instead just want to see the keys which you have the secret/private key for (so probably only your own keys), +If you instead just want to see the keys which you have the secret/private key for (so probably only your own keys), you can also run `gpg --list-secret-keys`. The key ID is the long string (probably on the second line), looking like this: 
@@ -179,10 +180,13 @@ gpg --sign-key [key-id] Where, once again, `[key-id]` can be replaced by the received key's email address, or the ID. +Note: You can specify `--local-user [key-id]`/`-u [key-id]` to select which key to sign with, if you don't wish to use +your default key. You can also sign with multiple keys by chaining the option + After you've signed the key, you should help the key's issuer to take the advantage of your signing and send them that signed version, so that when they're distributing their key to someone else, if that someone already has your key imported and they trust you, they can find out that you've trusted this key in that it's information (name, email) is -in fact correct. +in fact correct. ```sh gpg --output ./signed-key.key --export --armor [key-id] @@ -255,7 +259,7 @@ Note that you will want to export both private key, and a public key to then use ## File encryption with GPG Now that you've generated your key and exchanged the public parts with the other parties, you can finally actually get -to communicating with the other party in a fully end-to-end encrypted way! +to communicating with the other party in a fully end-to-end encrypted way! ### Encryption @@ -301,7 +305,7 @@ given signed file wasn't tampered with and is legitimate. Signing a file require verified by anyone with a matching public key. When you create a digital signature file like this, if someone were to edit the original file, the signature would no longer match to that file, and they wouldn't be able to generate a new one, at least not without your private key. This is why you see many linux installation media (ISOs) also provide a -signature file, which was signed with the private keys of the maintainers. +signature file, which was signed with the private keys of the maintainers. ### Full signatures 
@@ -373,6 +377,7 @@ messages to your friends. However I wanted to talk a bit more about many different places where GPG is often used, and maybe where you can use it: + - A very common use-case, which I've already mentioned a bit about is the use in package managers. This is because with package managers, it's hard for the owners of these to set up world-wide mirror servers across the entire world and maintain each and every one of them, so instead, they rely on other people to set their own mirrors and make them @@ -403,5 +408,5 @@ it: whenever you'd actually need them Oh and, in case you'd want to send me something encrypted, feel free to get my public key from `keys.openpgp.org`, -registered under email: `itsdrike@protonmail.com`. You can also get it from my website as a file +registered under email: `itsdrike@protonmail.com`. You can also get it from my website as a file [here](https://s.itsdrike.com/gpg).
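Review bot: The front-matter `sources:` block replaced in the @@ -2 hunk shows no visible change (the four YAML lines are identical apart from trailing whitespace), and the same is true of the `their system.`, `build it from`, `you can install`, `own keys),`, `in fact correct.`, `encrypted way!`, `of the maintainers.` and `as a file` lines in the later hunks; a one-line mention such as "strip trailing whitespace" in the commit body would spare reviewers from diffing those lines by eye, since the subject only says "fix formatting".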
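Review bot: The blank line inserted before the `- **Key type**` list in the @@ -67 hunk (and before the use-case list in the @@ -373 hunk) is the right fix: a bullet list that directly follows a paragraph is folded into that paragraph by some Markdown parsers, and markdownlint flags it under MD032 (lists should be surrounded by blank lines). Worth running markdownlint over the whole file once so any remaining lists without a preceding blank line get the same treatment in this commit.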
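Review bot: The `*entropy*` to `_entropy_` change in the @@ -81 hunk is style-only (both render as emphasis); please confirm the rest of the post already uses underscores for emphasis, otherwise this single line leaves the file with mixed styles, which markdownlint reports under MD049 (emphasis style should be consistent).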
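Review bot: In the @@ -179 hunk the added note ends mid-sentence ("You can also sign with multiple keys by chaining the option" has no terminating period) and "chaining" is not shown; suggest closing the sentence and spelling out the repeated form, e.g. `gpg -u [key-id-1] -u [key-id-2] --sign-key [key-id]`, so readers do not assume a comma-separated list works. It would also help to say explicitly that the `-u` key must be one you hold the secret key for (the note's "your default key" wording implies it, but the earlier `--list-secret-keys` section is the place the reader would look). While this paragraph is being touched, the adjacent context lines contain two pre-existing nits that can be folded in: "take the advantage of" should be "take advantage of", and "that it's information (name, email) is in fact correct" should read "its information".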