Saturday, April 23, 2005

Simple GnuPG Key Creation

I was recently asked to provide my GnuPG public key to facilitate sharing encrypted documents. I realized I needed to set up a public key with my richard at taosecurity dot com mailing address. Here's how I did it. First I installed the FreeBSD security/gnupg-devel package. Then I was ready to begin. I started by creating my key. Where necessary I've modified my email address in the listing below to spoil simple harvesting methods.

orr:/home/richard$ gpg --gen-key
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: directory `/home/richard/.gnupg' created
gpg: new configuration file `/home/richard/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/richard/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/richard/.gnupg/secring.gpg' created
gpg: keyring `/home/richard/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) heinrichh@duesseldorf.de"

Real name: Richard Bejtlich
Email address: richard_at_taosecurity_dot_com
Comment:
You selected this USER-ID:
"Richard Bejtlich richard_at_taosecurity_dot_com"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase:

Repeat passphrase:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.
gpg: /home/richard/.gnupg/trustdb.gpg: trustdb created
gpg: key 752B57C7 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/752B57C7 2005-04-23
Key fingerprint = 2B43 9A2E 6925 D581 5E34 FD6B 020C E655 752B 57C7
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

That's it. I then listed my keys.

orr:/home/richard$ gpg --list-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/pubring.gpg
--------------------------------
pub 1024D/752B57C7 2005-04-23
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

orr:/home/richard$ gpg --list-secret-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/secring.gpg
--------------------------------
sec 1024D/752B57C7 2005-04-23
uid Richard Bejtlich richard_at_taosecurity_dot_com
ssb 2048g/8BA44991 2005-04-23

Here's how to see the key fingerprint. The fingerprint is a way to describe my key in shorthand form.

orr:/home/richard$ gpg --fingerprint
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/pubring.gpg
--------------------------------
pub 1024D/752B57C7 2005-04-23
Key fingerprint = 2B43 9A2E 6925 D581 5E34 FD6B 020C E655 752B 57C7
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

To make my public key available in ASCII form, I exported it to a file.
orr:/home/richard$ gpg --export --armor richard_at_taosecurity_dot_com
> richard_at_taosecurity_dot_com.key.gpg.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You can access my public key here.

Now I wanted to create a revocation key, to assist me in removing my public key from a keyserver should my private key ever be compromised.

orr:/home/richard$ gpg --gen-revoke richard_at_taosecurity_dot_com >
richard_at_taosecurity_dot_com.com.revoke.gpg.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

sec 1024D/752B57C7 2005-04-23 Richard Bejtlich richard_at_taosecurity_dot_com

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
Revoke

Reason for revocation: No reason specified
Revoke
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
1024-bit DSA key, ID 752B57C7, created 2005-04-23

Enter passphrase:

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
orr:/home/richard$ chmod 400 richard_at_taosecurity_dot_com.revoke.gpg.asc

Finally, I wanted to make this new public key available on public keyservers. I have to specify my public key ID 752B57C7, which is seen in the --list-keys output above and is also the last eight characters of my key fingerprint.

orr:/home/richard$ gpg --send-keys 752B57C7
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: sending key 752B57C7 to hkp server subkeys.pgp.net

I also submitted my public key to www.keyserver.net, which has a Web-accessible search form. By default GnuPG sent my key to subkeys.pgp.net, Web page. To search the pgp.net keyservers, visit www.pgp.net/pgpnet/wwwkeys.html.

If someone cares to send me a message encrypted with my public key, a future blog entry will show how to decrypt it.

2 comments:

Anonymous said...
This comment has been removed by a blog administrator.
dghnfgj said...
This comment has been removed by a blog administrator.