
OpenPGP Key Management

Little snippets for creating and managing OpenPGP keys.

Creating an OpenPGP key

This is the interactive method:

$ gpg --gen-key
gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
  (1) DSA and ElGamal (default)
  (2) DSA (sign only)
  (4) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
             minimum keysize is  768 bits
             default keysize is 1024 bits
   highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
   "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: sender
Email address: sender@example.com
Comment:
You selected this USER-ID:
   "sender <sender@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
....skipped
public and secret key created and signed.
key marked as ultimately trusted.

pub  1024D/5537AB2E 2007-12-04 sender <sender@example.com>
     Key fingerprint = 58E9 A14C 8DB0 EEE2 1249  751C 081D D01C 5537 AB2E
sub  1024g/FE19554A 2007-12-04

Creating it in batch mode

  • Create a file foo.batch with the following content
\%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: Foo Bar
Name-Comment: foo account
Name-Email: foo@bar.com
Expire-Date: 0
\%pubring foo.pub
\%secring foo.sec
\%commit
\%echo done
  • Run
gpg --gen-key --batch foo.batch

Importing

  • To import keys into the keyring, run
gpg --import foo.pub
gpg --import foo.sec

Listing

  • To see what's there run
gpg --list-keys

Exporting

  • To export these again run
gpg --armor --export foo@bar.com > foo.asc
gpg --armor --export-secret-keys foo@bar.com >> foo.asc

The first command writes the public key to foo.asc and the second appends the private key, so foo.asc now holds the secret key and must be protected accordingly. --armor ASCII-armors (base64-encodes) the keys.

  • To get all keys in the keyring run
gpg --armor --export > keys.asc
gpg --armor --export-secret-keys >> keys.asc

Passphrases

  • To zap the passphrase for automated setups
gpg --edit-key foo@bar.com
gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub  1024D/B03EF617  created: 2008-04-11 expires: never      trust: -/-
sub  2048g/0AF2C575  created: 2008-04-11 expires: never
(1). foo@bar.com <foo@bar.com>

Command> passwd
Key is protected.

You need a passphrase to unlock the secret key for
user: "foo@bar.com <foo@bar.com>"
1024-bit DSA key, ID B03EF617, created 2008-04-11

Enter the new passphrase for this secret key.

You don't want a passphrase - this is probably a *bad* idea!

Do you really want to do this? y

Command> q
Save changes? y
  • You basically provide the current passphrase at the first prompt and then hit enter for the next two prompts.

Making it trusted

gpg --edit-key foo@bar.com
gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub  2048R/9A4F4D4E  created: 2008-01-15 expires: never      trust: -/-
sub  2048R/BFFE346E  created: 2008-01-15 expires: never
(1). foo <foo@bar.com>

Command> trust
pub  2048R/9A4F4D4E  created: 2008-01-15 expires: never      trust: -/-
sub  2048R/BFFE346E  created: 2008-01-15 expires: never
(1). foo <foo@bar.com>

Please decide how far you trust this user to correctly
verify other users' keys (by looking at passports,
checking fingerprints from different sources...)?

1 = Don't know
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? y

pub  2048R/9A4F4D4E  created: 2008-01-15 expires: never      trust: u/-
sub  2048R/BFFE346E  created: 2008-01-15 expires: never
(1). foo <foo@bar.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command> q

Copyright © 2007-2015 Mario Theodoridis. All rights reserved. Content licensed under AFL.