mirror of
https://github.com/ItsDrike/itsdrike.com.git
synced 2025-01-23 20:14:33 +00:00
Mention -u option for key signing, fix formatting
This commit is contained in:
parent
5d4407b541
commit
863b170334
|
@ -2,10 +2,10 @@
|
||||||
title: Introduction to encryption with GnuPG
|
title: Introduction to encryption with GnuPG
|
||||||
date: 2022-04-10
|
date: 2022-04-10
|
||||||
tags: [privacy, linux, encryption]
|
tags: [privacy, linux, encryption]
|
||||||
sources:
|
sources:
|
||||||
- "[GnuPG documentation](https://gnupg.org/documentation/index.html)"
|
- "[GnuPG documentation](https://gnupg.org/documentation/index.html)"
|
||||||
- "[Arch Wiki on GnuPG](https://wiki.archlinux.org/title/GnuPG)"
|
- "[Arch Wiki on GnuPG](https://wiki.archlinux.org/title/GnuPG)"
|
||||||
- "[RedHat guide on GnuPG](https://www.redhat.com/sysadmin/getting-started-gpg)"
|
- "[RedHat guide on GnuPG](https://www.redhat.com/sysadmin/getting-started-gpg)"
|
||||||
---
|
---
|
||||||
|
|
||||||
GnuPG (short for GNU Privacy Guard), also known as just GPG is a public-key cryptography implementation. This allows
|
GnuPG (short for GNU Privacy Guard), also known as just GPG is a public-key cryptography implementation. This allows
|
||||||
|
@ -27,7 +27,7 @@ key should be given to anyone freely.
|
||||||
This kind of structure is very useful, because it allows others to have some information (public key) with which they
|
This kind of structure is very useful, because it allows others to have some information (public key) with which they
|
||||||
can encrypt files in a way that they'll only be decryptable with the private key, which they don't have, so after
|
can encrypt files in a way that they'll only be decryptable with the private key, which they don't have, so after
|
||||||
deleting the original file, even they wouldn't then be able to decrypt that file, making it safe to have it stored on
|
deleting the original file, even they wouldn't then be able to decrypt that file, making it safe to have it stored on
|
||||||
their system.
|
their system.
|
||||||
|
|
||||||
If both parties then create their own key pairs and share the public keys between each other, it allows for a secure
|
If both parties then create their own key pairs and share the public keys between each other, it allows for a secure
|
||||||
communication between them, even if there were someone monitoring their communication, because both parties only ever
|
communication between them, even if there were someone monitoring their communication, because both parties only ever
|
||||||
|
@ -52,10 +52,10 @@ If you're on basically any Linux distribution, you'll most likely already have g
|
||||||
managers require the packages to be signed by the maintainers, and this is done with the use of GnuPG. But in the
|
managers require the packages to be signed by the maintainers, and this is done with the use of GnuPG. But in the
|
||||||
unlikely case that you wouldn't have it installed, you'll probably be able to find it in your package manager, under
|
unlikely case that you wouldn't have it installed, you'll probably be able to find it in your package manager, under
|
||||||
`gpg`, or `gnupg` name, if neither works, try adding `2` behind them, signifying the version. If for some reason the
|
`gpg`, or `gnupg` name, if neither works, try adding `2` behind them, signifying the version. If for some reason the
|
||||||
package isn't in the package manager (very unlikely), you can also build it from
|
package isn't in the package manager (very unlikely), you can also build it from
|
||||||
[source](https://github.com/gpg/gnupg).
|
[source](https://github.com/gpg/gnupg).
|
||||||
|
|
||||||
If you're on Windows (why would you do that to yourself?), you can install
|
If you're on Windows (why would you do that to yourself?), you can install
|
||||||
[gpg4win](https://www.openpgp.org/software/gpg4win/), which is a ported version of gpg.
|
[gpg4win](https://www.openpgp.org/software/gpg4win/), which is a ported version of gpg.
|
||||||
|
|
||||||
## Creating your key
|
## Creating your key
|
||||||
|
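Review bot: the sentence "`gpg`, or `gnupg` name, if neither works, try adding `2` behind them, signifying the version" in this hunk is a run-on; consider splitting it and saying "appending `2`" (as in `gnupg2`) rather than "adding `2` behind them". The first sentence of the hunk also states the reason package managers ship gpg is that packages "are signed by the maintainers"; it may be worth adding that the same signatures are what lets the package manager verify downloaded packages, since that is the verification side the later sections build on.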
@ -67,6 +67,7 @@ gpg --full-gen-key
|
||||||
```
|
```
|
||||||
|
|
||||||
This will ask a few questions, that will configure the key, most notably this will be:
|
This will ask a few questions, that will configure the key, most notably this will be:
|
||||||
|
|
||||||
- **Key type** - Which you will most likely want to keep at the default value (RSA and RSA)
|
- **Key type** - Which you will most likely want to keep at the default value (RSA and RSA)
|
||||||
- **Key size** - Where you should prefer the biggest possible size (probably 4096 bits), to make brute-force attacks
|
- **Key size** - Where you should prefer the biggest possible size (probably 4096 bits), to make brute-force attacks
|
||||||
really hard
|
really hard
|
||||||
|
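Review bot: the "Key size" bullet in this hunk justifies 4096 bits by making "brute-force attacks really hard", but the size of an RSA key governs how hard it is to factor the modulus, not how long an exhaustive key search takes; consider rewording to "to make factoring attacks impractical". The bullet also hedges with "probably 4096 bits", while `gpg --full-gen-key` states that RSA keys may be between 1024 and 4096 bits, so "4096 bits" can be stated without the "probably".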
@ -81,7 +82,7 @@ This will ask a few questions, that will configure the key, most notably this wi
|
||||||
files and got the key, it wouldn't be useful without the passphrase. But having to enter a passphrase each time can
|
files and got the key, it wouldn't be useful without the passphrase. But having to enter a passphrase each time can
|
||||||
be annoying, ultimately you have to choose if you want convenience, or more security.
|
be annoying, ultimately you have to choose if you want convenience, or more security.
|
||||||
|
|
||||||
After this, GPG will generate the actual keys, containing the configuration you entered using *entropy*. Entropy
|
After this, GPG will generate the actual keys, containing the configuration you entered using _entropy_. Entropy
|
||||||
describes the amount of unpredictability that exists in your system. This is used to securely generate a random value
|
describes the amount of unpredictability that exists in your system. This is used to securely generate a random value
|
||||||
(the key), which couldn't easily be reconstructed (computers are generally bad at creating truly random values).
|
(the key), which couldn't easily be reconstructed (computers are generally bad at creating truly random values).
|
||||||
|
|
||||||
|
@ -102,7 +103,7 @@ gpg --list-keys [your-email]
|
||||||
You can also leave out the email, and just run `gpg --list-keys`, to see all keys that are in your GPG database. This
|
You can also leave out the email, and just run `gpg --list-keys`, to see all keys that are in your GPG database. This
|
||||||
will likely contain a lot of keys that were added by your package manager, but your key should be present in there too.
|
will likely contain a lot of keys that were added by your package manager, but your key should be present in there too.
|
||||||
|
|
||||||
If you instead just want to see the keys which you have the secret/private key for (so probably only your own keys),
|
If you instead just want to see the keys which you have the secret/private key for (so probably only your own keys),
|
||||||
you can also run `gpg --list-secret-keys`.
|
you can also run `gpg --list-secret-keys`.
|
||||||
|
|
||||||
The key ID is the long string (probably on the second line), looking like this:
|
The key ID is the long string (probably on the second line), looking like this:
|
||||||
|
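Review bot: "The key ID is the long string (probably on the second line)" in this hunk describes the 40-hex-character fingerprint that current GnuPG prints on the line after `pub`; the key ID proper is the last 16 hex characters of it (the long key ID), and either the full fingerprint or those 16 characters can be passed wherever the post uses `[key-id]`. Consider calling the string a "fingerprint" and noting that both forms are accepted, since readers comparing output against this text may otherwise think they are looking at the wrong value.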
@ -179,10 +180,13 @@ gpg --sign-key [key-id]
|
||||||
|
|
||||||
Where, once again, `[key-id]` can be replaced by the received key's email address, or the ID.
|
Where, once again, `[key-id]` can be replaced by the received key's email address, or the ID.
|
||||||
|
|
||||||
|
Note: You can specify `--local-user [key-id]`/`-u [key-id]` to select which key to sign with, if you don't wish to use
|
||||||
|
your default key. You can also sign with multiple keys by chaining the option
|
||||||
|
|
||||||
After you've signed the key, you should help the key's issuer to take the advantage of your signing and send them that
|
After you've signed the key, you should help the key's issuer to take the advantage of your signing and send them that
|
||||||
signed version, so that when they're distributing their key to someone else, if that someone already has your key
|
signed version, so that when they're distributing their key to someone else, if that someone already has your key
|
||||||
imported and they trust you, they can find out that you've trusted this key in that it's information (name, email) is
|
imported and they trust you, they can find out that you've trusted this key in that it's information (name, email) is
|
||||||
in fact correct.
|
in fact correct.
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
gpg --output ./signed-key.key --export --armor [key-id]
|
gpg --output ./signed-key.key --export --armor [key-id]
|
||||||
|
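Review bot: the new Note line added in this hunk ends without a full stop ("by chaining the option"), and "chaining" is vague; since `--local-user` may be given more than once, consider "by passing `-u` several times, e.g. `gpg -u [key-id-1] -u [key-id-2] --sign-key [key-id]`". It would also help to say what "your default key" means here: the key named by `default-key` in `gpg.conf`, or otherwise the first secret key in the keyring. In the unchanged context below the note, "in that it's information (name, email) is in fact correct" should read "its information".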
@ -255,7 +259,7 @@ Note that you will want to export both private key, and a public key to then use
|
||||||
## File encryption with GPG
|
## File encryption with GPG
|
||||||
|
|
||||||
Now that you've generated your key and exchanged the public parts with the other parties, you can finally actually get
|
Now that you've generated your key and exchanged the public parts with the other parties, you can finally actually get
|
||||||
to communicating with the other party in a fully end-to-end encrypted way!
|
to communicating with the other party in a fully end-to-end encrypted way!
|
||||||
|
|
||||||
### Encryption
|
### Encryption
|
||||||
|
|
||||||
|
@ -301,7 +305,7 @@ given signed file wasn't tampered with and is legitimate. Signing a file require
|
||||||
verified by anyone with a matching public key. When you create a digital signature file like this, if someone were to
|
verified by anyone with a matching public key. When you create a digital signature file like this, if someone were to
|
||||||
edit the original file, the signature would no longer match to that file, and they wouldn't be able to generate a new
|
edit the original file, the signature would no longer match to that file, and they wouldn't be able to generate a new
|
||||||
one, at least not without your private key. This is why you see many linux installation media (ISOs) also provide a
|
one, at least not without your private key. This is why you see many linux installation media (ISOs) also provide a
|
||||||
signature file, which was signed with the private keys of the maintainers.
|
signature file, which was signed with the private keys of the maintainers.
|
||||||
|
|
||||||
### Full signatures
|
### Full signatures
|
||||||
|
|
||||||
|
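Review bot: "many linux installation media (ISOs)" in this hunk should capitalise "Linux", and "the signature would no longer match to that file" reads better as "would no longer match that file". The point the paragraph makes, that an attacker who edits the file cannot produce a fresh signature without the private key, is correct and worth keeping; it could be strengthened by adding that the check only helps if the verifier obtained the maintainers' public key through a channel it trusts, which is what the earlier key-signing section provides.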
@ -373,6 +377,7 @@ messages to your friends.
|
||||||
|
|
||||||
However I wanted to talk a bit more about many different places where GPG is often used, and maybe where you can use
|
However I wanted to talk a bit more about many different places where GPG is often used, and maybe where you can use
|
||||||
it:
|
it:
|
||||||
|
|
||||||
- A very common use-case, which I've already mentioned a bit about is the use in package managers. This is because with
|
- A very common use-case, which I've already mentioned a bit about is the use in package managers. This is because with
|
||||||
package managers, it's hard for the owners of these to set up world-wide mirror servers across the entire world and
|
package managers, it's hard for the owners of these to set up world-wide mirror servers across the entire world and
|
||||||
maintain each and every one of them, so instead, they rely on other people to set their own mirrors and make them
|
maintain each and every one of them, so instead, they rely on other people to set their own mirrors and make them
|
||||||
|
@ -403,5 +408,5 @@ it:
|
||||||
whenever you'd actually need them
|
whenever you'd actually need them
|
||||||
|
|
||||||
Oh and, in case you'd want to send me something encrypted, feel free to get my public key from `keys.openpgp.org`,
|
Oh and, in case you'd want to send me something encrypted, feel free to get my public key from `keys.openpgp.org`,
|
||||||
registered under email: `itsdrike@protonmail.com`. You can also get it from my website as a file
|
registered under email: `itsdrike@protonmail.com`. You can also get it from my website as a file
|
||||||
[here](https://s.itsdrike.com/gpg).
|
[here](https://s.itsdrike.com/gpg).
|
||||||
|
|