Key management for Pretty Good Privacy (PGP)
In order to start protecting our privacy, for example by exchanging private messages or storing private files using signed and encrypted communication under the Pretty Good Privacy (PGP) standard, we need to prepare our key rings, create our own key, share it and make it trustworthy.
Our key rings will consist of a secret key ring, which will contain our own key or keys, and a public key ring, which will contain the public keys that other people have shared with us.
Our key will consist of a DSA key, which is used for signing, and an El Gamal key of maximum strength, which is used for encryption.
It will be possible to derive a public key from our key, which can be shared with other people.
It will be possible to derive a fingerprint from our key, which other people can use to validate it by comparing it to the fingerprint that was given to them in a trusted form.
It will be possible to have our key signed by other people in order to make it trustworthy.
In this example, we will use the command line interface of GNU Privacy Guard.
We create our key. We choose DSA and El Gamal. We choose a key size of 4096 bits. We choose a key that will not expire. We set the real name, the mail address and the comment. We set a strong pass phrase that is more than 20 characters long and contains lower-case letters, capital letters, numbers and special characters.
gpg --gen-key
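The same DSA and El Gamal key can be generated unattended from a GnuPG parameter file, which is handy when the key is created on a fresh machine or in a script. The script below is an added example and is not from the original post; the parameter file format is the one documented in the GnuPG manual under "Unattended key generation", while the name, address and comment are constructed placeholders. It assumes GnuPG 2.x, which caps DSA at 3072 bits, so the 4096-bit size the post chooses goes to the El Gamal encryption subkey.

```shell
#!/bin/sh
# Added example (not from the original post): the DSA + El Gamal key the post
# creates interactively, generated unattended from a GnuPG parameter file.
# Name, address and comment passed in are constructed placeholders.

# Write the parameter file. GnuPG 2.x caps DSA at 3072 bits, so the 4096-bit
# size goes to the El Gamal encryption subkey (ELG-E). %ask-passphrase makes
# gpg prompt for the pass phrase through pinentry instead of reading it from
# this file, so the pass phrase never sits on disk in the clear.
write_gen_params() {
    out=$1; name=$2; email=$3; comment=$4
    cat > "$out" <<EOF
%ask-passphrase
Key-Type: DSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: ELG-E
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $name
Name-Comment: $comment
Name-Email: $email
Expire-Date: 0
%commit
EOF
}

# Generate the key in the given GnuPG home directory and print the
# fingerprint of the new primary key (field 10 of the "fpr" record in
# colon-format output), which is the value handed to other people.
generate_key() {
    home=$1; name=$2; email=$3; comment=$4
    params=$(mktemp)
    write_gen_params "$params" "$name" "$email" "$comment"
    gpg --homedir "$home" --batch --gen-key "$params"
    rm -f "$params"
    gpg --homedir "$home" --list-keys --with-colons "$email" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: sh keygen.sh "Real Name" "user@example.org" ["comment"]
# Without arguments nothing runs, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    generate_key "${GNUPGHOME:-$HOME/.gnupg}" "$1" "$2" "${3:-}"
fi
```

Because the parameter file is written to a temporary path and removed right after generation, the only sensitive material left behind is the key itself in the GnuPG home directory; the fingerprint printed at the end is what gets written down for the key signing party.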
We call up the key for editing, add information about our preferred key server, confirm the key and note the key fingerprint; the commands keyserver, fpr and save are entered at the gpg> prompt. The key fingerprint will be used for building trust later. While a key is open for editing, other changes can be made, such as changing the pass phrase, the expiry date and more. These changes will not affect the key fingerprint.
gpg --edit-key 012345678
keyserver
fpr
save
We store our public key on a public key server and prefix the hexadecimal identifier with a zero.
gpg --list-keys
gpg --keyserver pgp.mit.edu --send-key 012345678
We want to be able to validate signatures from other people. In order to do that, we need to have their public keys in our key ring. We get other people's public keys from the public key servers by their key fingerprint or key identifier (ID). The ID is just a part of the fingerprint.
gpg --keyserver pgp.mit.edu --recv-key 0123456789ABCDEF0123456789ABCDEF
gpg --keyserver pgp.mit.edu --recv-key 012345678
We want to have a trustworthy key. In other words, we want to have our key signed by other people. We can do this by meeting other people in person, for example at a key signing party, and sharing our public key and the fingerprint of our public key. They can then download our public key from the public key server, sign it and return our signed key to the public key server.
We want to help others gain a trustworthy key in the same way we did with our key. We download their public key from the public key server, validate it, sign it with our default key and return the signed key to the public key server.
gpg --keyserver pgp.mit.edu --recv-key 012345678
gpg --default-key 087654321 --edit-key 012345678
fpr
check
sign
check
save
gpg --keyserver pgp.mit.edu --send-key 012345678
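The step that decides whether a key should be signed at all is comparing the fingerprint shown by fpr with the one handed over in person. The script below is an added example, not code from the original post: it parses the colon-format listing that gpg --list-keys --with-colons produces, compares the fingerprint it finds against a trusted copy regardless of spacing, case or a 0x prefix, and shows how the long and short key IDs mentioned above are simply the last 16 and 8 hexadecimal digits of a v4 fingerprint. The key listing and the fingerprints in it are constructed sample data, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): check a key fetched from a key
# server against the fingerprint handed over in a trusted form, and derive the
# key IDs from the fingerprint. All fingerprints below are constructed.

# Normalise a fingerprint as people write it (spaces, lower case, 0x prefix)
# into 40 upper-case hex digits so two copies can be compared byte for byte.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Long (64-bit) key ID: the last 16 hex digits of a v4 fingerprint.
long_keyid() {
    printf '%s' "$(normalize_fpr "$1")" | tail -c 16
}

# Short (32-bit) key ID: the last 8 hex digits. Short IDs are easy to
# collide, so the decision to sign is made on the full fingerprint.
short_keyid() {
    printf '%s' "$(normalize_fpr "$1")" | tail -c 8
}

# Print every fingerprint from `gpg --list-keys --with-colons` output read
# on stdin. The "fpr" record carries the fingerprint in field 10.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Exit 0 if the trusted fingerprint matches one of the fingerprints in the
# colon-format listing given on stdin, otherwise exit 1.
verify_received_key() {
    trusted=$(normalize_fpr "$1")
    fprs_from_colons | grep -qx "$trusted"
}

# Constructed listing in the shape gpg emits: a DSA primary key (algorithm
# 17) and an El Gamal encryption subkey (algorithm 16), each followed by
# its fpr record. Field 5 of pub/sub is the long key ID.
sample_listing() {
    cat <<'EOF'
pub:u:3072:17:89ABCDEF01234567:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:16:76543210FEDCBA98:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Standalone run: the trusted fingerprint is the constructed value written
# the way gpg prints it. In real use, replace sample_listing with
# `gpg --list-keys --with-colons <keyid>` after --recv-key.
TRUSTED_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
if sample_listing | verify_received_key "$TRUSTED_FPR"; then
    echo "fingerprint matches; long ID $(long_keyid "$TRUSTED_FPR"), short ID $(short_keyid "$TRUSTED_FPR")"
else
    echo "fingerprint mismatch: do not sign this key" >&2
fi
```

Only the primary key's fingerprint is compared with the trusted copy; the subkey fingerprint in the listing is shown so that the tail-of-fingerprint rule for key IDs can be checked against field 5 of the sub record as well.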
We want to refresh the public keys in our public key ring from time to time. This will help us stay updated with signed keys and changes in keys. We can do this in an automated way by using a public key server.
gpg --keyserver pgp.mit.edu --refresh-keys
We want to back up our key in order to survive the loss of our key or secret key ring. If this happens and we cannot restore it, there is no way to recover the encrypted data. We attach our external storage device, export our key and store the external storage device in a safe place, far away in another time and galaxy.
gpg --list-keys
gpg --armor --output /mnt/ext/public.asc --export 012345678
gpg --armor --output /mnt/ext/secret.asc --export-secret-keys 012345678
We can restore our key by using the following procedure.
gpg --import /mnt/ext/secret.asc
gpg --import /mnt/ext/public.asc
gpg --list-keys
We can delete a public key using the following procedure.
gpg --delete-key 012345678
We can delete our secret key and public key by using the following procedure.
gpg --delete-secret-and-public-key 012345678