Key management for Pretty Good Privacy (PGP)
To start protecting our privacy, whether we are exchanging private messages or storing private files, with signed and encrypted communication under the Pretty Good Privacy (PGP) standard, we need to prepare our key rings, create our own key, share it and make it trustworthy.
Our key rings will consist of a secret key ring, which will contain our own key or keys, and a public key ring, which will contain the public keys that other people have shared with us.
Our key will consist of a DSA key, which is used for signing, and an Elgamal key of maximum strength, which is used for encryption.
It will be possible to derive a public key from our key, which can be shared with other people.
It will be possible to derive a fingerprint from our key, which other people can use to validate it by comparing it to the fingerprint that was given to them in a trusted form.
It will be possible to have our key signed by other people in order to make it trustworthy.
In this example, we will use the command line interface of GNU Privacy Guard (GnuPG).
We create our key. We choose DSA and Elgamal. We choose a key size of 4096 bits. We choose a key that will not expire. We set a strong pass phrase that is more than 20 characters long and contains lowercase letters, capital letters, numbers and special characters.
gpg --gen-key
We call in the key for editing, add information about our preferred key server, confirm the key and note the key fingerprint. The key fingerprint will be used for building trust later. While a key is called in for editing, other changes can be made, such as changing the pass phrase, the expiry date and more. These changes will not affect the key fingerprint.
gpg --edit-key 01234567
keyserver
fpr
save
We store our public key on a public key server, prefixing the hexadecimal identifier with a zero.
gpg --list-keys
gpg --keyserver pgp.mit.edu --send-key 01234567
We want a trustworthy key. In other words, we want our key signed by other people. We can do this by meeting other people in person, for example at a key signing party, and sharing our public key and its fingerprint. They can then download our public key from the public key server, sign it and return the signed key to the public key server.
We want to help others gain a trustworthy key in the same way we did with our own. We download their public key from the public key server, validate it, sign it and return the signed key.
gpg --keyserver pgp.mit.edu --recv-key 01234568
gpg --fingerprint 01234568
gpg --edit-key 01234568
check
sign
check
save
gpg --keyserver pgp.mit.edu --send-key 01234568
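As an added example (not part of the original post), a small POSIX shell helper for the validation step above: it normalises a fingerprint received in trusted form and compares it with what gpg --fingerprint prints, and it checks that the key ID fetched from the key server is the tail of that fingerprint, which for OpenPGP v4 keys is where the key ID comes from. The fingerprint, key ID and gpg output below are constructed sample values, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post. All key material here is constructed.

# Normalise a fingerprint: drop spaces and a leading "0x", upper-case the hex digits,
# so a value pasted from paper and one printed by gpg compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same 40-hex-digit (160-bit) fingerprint.
fpr_equal() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Succeed if KEYID (short 8 or long 16 hex digits) is the tail of FPR.
# For v4 keys the key ID is the low-order bits of the fingerprint, so a key
# downloaded by ID must end this way or it is not the key you were told about.
keyid_matches_fpr() {
    fpr=$(normalize_fpr "$1")
    id=$(normalize_fpr "$2")
    case "$fpr" in
        *"$id") [ "${#id}" -eq 8 ] || [ "${#id}" -eq 16 ] ;;
        *) return 1 ;;
    esac
}

# Pull the fingerprint line out of `gpg --fingerprint` output. Handles both the
# older "Key fingerprint = ..." form and the newer bare indented form.
extract_fpr() {
    printf '%s\n' "$1" \
      | grep -E '^ *(Key fingerprint = )?([0-9A-Fa-f]{4} +){9}[0-9A-Fa-f]{4} *$' \
      | head -n 1 | sed 's/^.*= *//'
}

# Constructed sample output, as gpg --fingerprint 01234567 would print it.
SAMPLE_GPG_OUTPUT='pub   dsa3072 2015-01-01 [SC]
      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 0123 4567
uid           [ultimate] Example User <user@example.org>'

# Constructed fingerprint "handed over on paper", and one with a single nibble changed.
TRUSTED_FPR='1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 0123 4567'
TAMPERED_FPR='1234 5678 9ABC DEF0 1234  5678 9ABC DEF1 0123 4567'

if fpr_equal "$(extract_fpr "$SAMPLE_GPG_OUTPUT")" "$TRUSTED_FPR" \
   && keyid_matches_fpr "$TRUSTED_FPR" 01234567; then
    echo "fingerprint and key ID match: safe to sign"
fi
```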
We want to refresh the public keys in our public key ring from time to time. This will help us stay updated with signed keys and changes in keys. We can do this in an automated way by using a public key server.
gpg --keyserver pgp.mit.edu --refresh-keys
We want to back up our key in order to survive the loss of our key or secret key ring. If this happens and we cannot restore it, there is no way to recover the encrypted data. We attach our external storage device, export our key and store the device in a safe place, far away in another time and galaxy.
gpg --list-keys
gpg --armor --output /mnt/ext/public.asc --export 01234567
gpg --armor --output /mnt/ext/secret.asc --export-secret-keys 01234567
We can restore our key by using the following procedure.
gpg --import /mnt/ext/secret.asc
gpg --import /mnt/ext/public.asc
gpg --list-keys