Install gnupg;
$ sudo prt-get depinst gnupg
Create a skeleton configuration to be copied by useradd to each user home directory;
$ sudo mkdir /etc/skel/.gnupg $ sudo cp /usr/share/gnupg/gpg-conf.skel /etc/skel/.gnupg/gpg.conf
$ chmod 700 ~/.gnupg $ chmod -R 600 ~/.gnupg/*
Options for creating a DSA and ElGamal key;
Generate keys;
$ gpg2 --full-gen-key gpg (GnuPG) 2.1.11; Copyright (C) 2020 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 2 DSA keys may be between 1024 and 3072 bits long. What keysize do you want? (2048) 2048 Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 6m Key expires at Tue May 30 20:29:36 2017 WEST Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: User Name Email address: user@machine.example.org Comment: user at external dot org You selected this USER-ID: "User Name (user at core) <user@machine.example.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
This will create the follow files;
.gnupg/pubring.gpg .gnupg/random_seed .gnupg/secring.gpg .gnupg/trustdb.gp
List keys;
$ gpg --list-keys /home/droid/.gnupg/pubring.kbx ------------------------------ pub dsa3072/EE29B7D3 2016-05-30 [SC] [expires: 2017-05-30] uid [ultimate] User Name (user at core ) <user@machine.example.org> sub elg2112/9BC2DC12 2016-05-30 [E] [expires: 2017-05-30]
In this case pub key ID is EE29B7D3, add to .profile;
export GPGKEY=0xEE29B7D3
Key Management;
$ gpg --list-keys $ gpg --list-secret-keys $ gpg --fingerprint $ gpg --delete-key UID $ gpg --delete-secret-key $ gpg --edit-key UID
$ gpg --edit-key KEYID adduid
Follow the instructions and then select the user you want to revoque, where N is the UID of the user;
$ gpg --edit-key KEYID uid N revuid save
Public keys can be exported in binary format or ASCII-armored format. To export binary format;
$ gpg --list-keys
$ gpg --output user.gpg --export user@localhost
Generate an ASCII version of your public key;
$ gpg --armor --output user.asc --export 'User Name'
The primary public key's ID is referenced in the pub line after the key size, for example the key created above, the short key ID is EE29B7D3:
gpg --keyserver search.keyserver.net --send-key EE29B7D3
Is very easy to import public keys;
$ gpg --import user.gpg
To list imported keys;
$ gpg --list-keys
Configure GnuPG to automatically fetch public keys, uncomment following line to ~/.gnupg/gpg.conf;
keyserver-options auto-key-retrieve
And add a server, in this example wwwkeys.pgp.net;
keyserver wwwkeys.pgp.net keyserver search.keyserver.net keyserver pgp.mit.edu
Test your configuration as described by Justin R. Miller Mutt Gnupg Howto;
$ gpg --recv-keys 0xC9C40C31
Confirm;
gpg --list-keys justin
To be abble to decrypt the document we need to include public key in the recipient list;
$ gpg --output index.html.gpg --encrypt \ --recipient user@localhost \ --recipient bob@localhost \ index.html
To decrypt the file;
$ gpg --output index.html --decrypt index.html.gpg
A digital signature certifies and timestamps a document. If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper-resistant. Example on how to sign a file;
To send document uncompressed and wrapped in an ASCII-armored signature;
$ gpg --clearsign index.html
Verify signature;
$ gpg --verify index.html.asc
To encrypt and sign a file;
$ gpg --output index.html.gpg --sign --encrypt \ --recipient bob@localhost \ index.html
To decrypt;
$ gpg --output index.html --decrypt index.html.gpg
You should see this message on the output;
gpg: Good signature from "User (user at localhost) <user@localhost>"
Detached signatures create a separate file for signature;
$ gpg --output index.html.sig --detach-sig index.html
Now you can send index.html.sig and on the other end;
$ gpg --verify index.html.sigTools Index
This is part of the Tribu System Documentation. Copyright (C) 2020 Tribu Team. See the file Gnu Free Documentation License for copying conditions.