GPG: what is it?

Asked by Márcio Vinícius on 2005-11-03

I didn't understand anything about GPG keys... I'm new to Launchpad and I found an "Edit GPG Keys" link and clicked it. The page just doesn't say what a GPG key is. What is it?
The page also doesn't explain well how I "import" one. You say "use gpg --gen-key" and "use gpg --send-key <key-id>" and "gpg --fingerprint <key-id>". What does it mean? How or where should I "use" it?

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: Fred Chu
Solved: 2005-11-03
Last query: 2005-11-08
Last reply: 2005-11-03

Fred Chu (zhuzhu) said : #1

Fábio Nogueira (fnogueira) said : #2

Hi Márcio..

You will have to install GNUPG on your machine.. create a public key.. and sign the Ubuntu document to become a member.

Regards

Thanks Fábio, I think I've found my way now... (although I still haven't understood the practical use of this).

Thanks, Fred. I think now I understand it a little better...

miked (miked11) said : #4

This solution does not really answer this part of the question; the GNU Privacy Handbook does not break it down enough to fill in the blanks:
"The page also doesn't explain well how do I "import" one. You say "use gpg --gen-key" and "use gpg --send-key <key-id>" and "gpg --fingerprint <key-id>"."

miked (miked11) said : #5

Generating a new keypair

The command-line option --gen-key is used to create a new primary keypair.

alice% gpg --gen-key
gpg (GnuPG) 0.9.4; Copyright (C) 1999 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
Your selection?

GnuPG is able to create several different types of keypairs, but a primary key must be capable of making signatures. There are therefore only three options. Option 1 actually creates two keypairs. A DSA keypair is the primary keypair usable only for making signatures. An ElGamal subordinate keypair is also created for encryption. Option 2 is similar but creates only a DSA keypair. Option 4[1] creates a single ElGamal keypair usable for both making signatures and performing encryption. In all cases it is possible to later add additional subkeys for encryption and signing. For most users the default option is fine.

You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits, and an ElGamal key may be of any size. GnuPG, however, requires that keys be no smaller than 768 bits. Therefore, if Option 1 was chosen and you choose a keysize larger than 1024 bits, the ElGamal key will have the requested size, but the DSA key will be 1024 bits.

About to generate a new ELG-E keypair.
              minimum keysize is 768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)

The longer the key the more secure it is against brute-force attacks, but for almost all purposes the default keysize is adequate since it would be cheaper to circumvent the encryption than try to break it. Also, encryption and decryption will be slower as the key size is increased, and a larger keysize may affect signature length. Once selected, the keysize can never be changed.

Finally, you must choose an expiration date. If Option 1 was chosen, the expiration date will be used for both the ElGamal and DSA keypairs.

Please specify how long the key should be valid.
         0 = key does not expire
      <n> = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

For most users a key that does not expire is adequate. The expiration time should be chosen with care, however, since although it is possible to change the expiration date after the key is created, it may be difficult to communicate a change to users who have your public key.

You must provide a user ID in addition to the key parameters. The user ID is used to associate the key being created with a real person.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <email address hidden>"

Real name:

Only one user ID is created when a key is created, but it is possible to create additional user IDs if you want to use the key in two or more contexts, e.g., as an employee at work and a political activist on the side. A user ID should be created carefully since it cannot be edited after it is created.

GnuPG needs a passphrase to protect the primary and subordinate private keys that you keep in your possession.

You need a Passphrase to protect your private key.

Enter passphrase:

There is no limit on the length of a passphrase, and it should be carefully chosen. From the perspective of security, the passphrase to unlock the private key is one of the weakest points in GnuPG (and other public-key encryption systems as well) since it is the only protection you have if another individual gets your private key. Ideally, the passphrase should not use words from a dictionary and should mix the case of alphabetic characters as well as use non-alphabetic characters. A good passphrase is crucial to the secure use of GnuPG.

This only covers part of creating a gpg key.

miked (miked11) said : #6

OpenPGP keys

You can register your OpenPGP keys, which are created by software such as GnuPG. These are used to sign codes of conduct, modify bugs through the email interface, and to build and upload packages using Soyuz.

Importing an OpenPGP key

   1. Ensure you already have a key. In a terminal window, enter:

      gpg --list-keys <email address hidden>

      If you have no key, create one:

      gpg --gen-key

   2. Ensure the key has been uploaded to a keyserver. To do this:

      gpg --send-key key-id

   3. Enter your key fingerprint. Use:

      gpg --fingerprint key-id

      Fingerprint:
      Example: 27E0 7815 B47C 0397 90D5 8589 27D9 A27B F3F9 6058

I need help with # 2. Ensure the key has been uploaded to a keyserver. To do this:

      gpg --send-key key-id
What is the key-id in this application?

miked (miked11) said : #7

root@HewittRand-desktop:~# gpg --gen-key
gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 2
DSA keypair will have 1024 bits.
Please specify how long the key should be valid.
         0 = key does not expire
      <n> = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <email address hidden>"

Real name: Heinrich Heine
Email address: <email address hidden>
Comment: Der Dichter
You selected this USER-ID:
    "Heinrich Heine (Der Dichter) <email address hidden>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++.+++++.++++++++++.+++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++++.+++++++++++++++.+++++>+++++..+++++.................................................+++++

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 70 more bytes)
[oij[oiu[ouih[ouih[ouih[ouh[ouih[oho[h[ouh[ouh[oh[ouh[ouh[ouhuiohuohouhouhouho[uhiopuhpiyhopuiyouyggfctrdxrzrszrszrszsredzsrzrszrzrsezrsedzredxtredxtrextredx
gpg: key BC9920F1 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
pub 1024D/BC9920F1 2008-02-01
      Key fingerprint = 73AB 420B 507E 78AD 6DC2 0530 28E5 99D3 BC99 20F1
uid Heinrich Heine (Der Dichter) <email address hidden>

Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
root@HewittRand-desktop:~#

miked (miked11) said : #8

root@HewittRand-desktop:~# gpg --send-key key-id
gpg: "key-id" not a key ID: skipping
root@HewittRand-desktop:~# gpg --send-key BC9920F1
gpg: no keyserver known (use option --keyserver)
gpg: keyserver send failed: bad URI
root@HewittRand-desktop:~# gpg --send-key key-BC9920F1
gpg: "key-BC9920F1" not a key ID: skipping
root@HewittRand-desktop:~# gpg --send-key key-id BC9920F1
gpg: "key-id" not a key ID: skipping
gpg: no keyserver known (use option --keyserver)
gpg: keyserver send failed: bad URI
root@HewittRand-desktop:~#

miked (miked11) said : #9

#3. Enter your key fingerprint. Use:

      gpg --fingerprint key-id

      Fingerprint:
      Example: 27E0 7815 B47C 0397 90D5 8589 27D9 A27B F3F9 6058
Seems easy since it says:
Key fingerprint = 73AB 420B 507E 78AD 6DC2 0530 28E5 99D3 BC99 20F1

miked (miked11) said : #10

root@HewittRand-desktop:~# gpg --send-key pub 1024D/BC9920F1
gpg: "pub" not a key ID: skipping
gpg: "1024D/BC9920F1" not a key ID: skipping
root@HewittRand-desktop:~# gpg --send-key 1024D/BC9920F1
gpg: "1024D/BC9920F1" not a key ID: skipping
root@HewittRand-desktop:~#
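
An added example (not part of the thread or of Launchpad's documentation) for the key-id question in posts #6, #8 and #10: the key ID is the hex string after the slash on the `pub` line, which is also the last 8 digits of the fingerprint, and `--send-key` additionally needs the `--keyserver` option that the error message names. The function names, the simplified ID check and the keyserver `keyserver.ubuntu.com` are assumptions; the sample lines are copied from post #7.

```shell
#!/bin/sh
# Added example. Sample lines are copied from the gpg session in post #7.
PUB_LINE='pub 1024D/BC9920F1 2008-02-01'
FINGERPRINT='73AB 420B 507E 78AD 6DC2 0530 28E5 99D3 BC99 20F1'
KEYSERVER='keyserver.ubuntu.com'   # assumption: use the server your account page names

# Short key ID from a "pub" line: the hex digits after "<bits><algo>/".
keyid_from_pub_line() {
    printf '%s\n' "$1" | sed -n 's|^pub *[0-9]*[A-Za-z]/\([0-9A-Fa-f]*\).*|\1|p'
}

# Key ID from a 40-hex-digit fingerprint: its last 8 (short) or 16 (long) digits.
keyid_from_fingerprint() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    want=${2:-8}
    case "$fpr" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr" | cut -c "$((41 - want))-40"
}

# Simplified check of what --send-key accepts: 8, 16 or 40 hex digits,
# optionally prefixed with 0x. Labels such as "pub" or "1024D/" are not part of it.
is_key_id() {
    cand=${1#0x}
    case "$cand" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    case "${#cand}" in 8|16|40) return 0 ;; *) return 1 ;; esac
}

# Build (but do not run) the upload command, refusing malformed IDs.
send_key_command() {
    is_key_id "$1" || { echo "not a key ID: $1" >&2; return 1; }
    printf 'gpg --keyserver %s --send-key %s\n' "$KEYSERVER" "$1"
}

KEY_ID=$(keyid_from_pub_line "$PUB_LINE")
[ "$KEY_ID" = "$(keyid_from_fingerprint "$FINGERPRINT")" ] && echo "key ID: $KEY_ID"
send_key_command "$KEY_ID"
# The arguments tried in posts #8 and #10 all fail the format check.
for bad in key-id key-BC9920F1 1024D/BC9920F1 pub; do
    is_key_id "$bad" || echo "rejected: $bad"
done
```

The script only prints the upload command; run the printed line yourself once the key ID matches the fingerprint you intend to publish.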