Problem finding my pgp public key

zer0day00

Member
Messages
5
Reputation
0
Reaction score
1
Points
3
Hi, when I try to see my public key (moving the backup file to Notepad) it shows 2 keys and I don't know which one is the right one. I think it's the first one but I'm not sure. Does this happen to everyone?
 

Lord777

Professional
Messages
2,581
Reputation
15
Reaction score
1,322
Points
113
Using PGP / GPG, a guide for the impatient
This article is a quick guide to using GnuPG (aka GPG). In it you will find basic commands, usage examples, and instructions on how to hook GPG into mail clients. The following assumes that you are familiar with how GPG works, so there is no need to explain, for example, what asymmetric cryptography, public and private keys, or digital signatures are. Over the decades of its existence, no one has particularly succeeded in cracking GPG, which hints that it is a fairly reliable solution both for encrypted messaging and simply for file encryption.

Terminology
There is some confusion about terminology. For example, not everyone can clearly explain how PGP differs from GPG. Let's figure it out.
  • OpenPGP is an encryption standard described in RFC 4880 and RFC 6637. Not to be confused with specific implementations such as PGP and GPG;
  • GnuPG or GPG is a specific open source (GPLv3) implementation of OpenPGP, which will be discussed in this article;
  • PGP is a highly proprietary implementation of OpenPGP from the PGP Corporation. In 2010, the company was bought by Symantec, and its products were renamed to something like Symantec Desktop Email Encryption;
Often when people say "PGP" they mean the encryption method described in OpenPGP, and therefore any of its implementations.

Basic GnuPG Commands
Generating keys:
Code:
gpg --gen-key

It is a good idea to choose the RSA algorithm and the 4096-bit key length.
Important! Don't forget the password for the private key.

A common problem is a message like this:
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 204 more bytes)

It is solved by installing a daemon for collecting entropy:
Code:
sudo apt-get install rng-tools

View the list of keys:
Code:
gpg --list-keys
gpg --list-secret-keys
gpg --list-public-keys

Obtaining a key fingerprint:
Code:
gpg --fingerprint afiskon@example.com

Output example:
Code:
pub   4096R/8640D6B9 2016-09-27
      Fingerprint = DB5E AA39 0745 427D ED31 D189 3197 3F00 8640 D6B9
uid                  John Smith <[email protected]>
sub   4096R/5982B4BF 2016-09-27

Fingerprints are used primarily to verify that a valid key has been imported from a keyserver (see below). They are not used for searching.

To display more secure long ids, use the keyid-format option:
Code:
gpg --keyid-format LONG --list-keys
gpg --keyid-format 0xLONG -k 7EFE74E5

Short key IDs are convenient for manipulating keys locally. You should always use long IDs for searches and check fingerprints. In recent versions of GPG, long IDs are used by default.

Delete key:
Code:
gpg --delete-secret-keys 8640D6B9
gpg --delete-keys 8640D6B9

Export the public key in text form (you can write on all fences):
Code:
gpg --armor --output pubkey.txt --export 8640D6B9

Export the private key in text form (the key is still encrypted with the master password, so this can be used for a backup in Git):
Code:
gpg --armor --output privkey.txt --export-secret-keys 8640D6B9

Public key import:
Code:
gpg --import key.txt

Private key import:
Code:
gpg --allow-secret-key-import --import privkey.txt

If you do not specify --allow-secret-key-import, only the public key is imported, and when you try to sign something, you will receive strange errors like:
Code:
gpg: no default secret key: secret key not available
gpg: msg.txt: sign + encrypt failed: secret key not available

Exporting public key to keyserver:
Code:
gpg --keyserver pgp.mit.edu --send-keys 8640D6B9

Important! After you have uploaded the key to the keyserver, it will be impossible to delete it; you can only revoke it. Make sure you make a reliable backup of your key. If you have never worked with PGP / GPG before, I strongly advise you to first practice using email addresses in the example.ru zone.

It doesn't really matter which keyserver you specify. For example, there is also keys.gnupg.net, as well as others. They all exchange data with each other from time to time. It makes sense to do send-keys on several servers at once, so that all PGP / GPG users can see the key faster. Synchronization of servers, according to my observations, takes 10-15 minutes.

Hint: to avoid specifying --keyserver all the time, just add to ~/.bashrc:
Code:
alias gpg="gpg --keyserver pgp.mit.edu"

Importing a public key with keyserver:
Code:
gpg --keyserver pgp.mit.edu --search-keys afiskon@example.com

In the PGP / GPG world, there is a so-called web of trust. In a nutshell, this means that GPG does not trust a key unless it is signed by someone you trust. In addition, if you trust Petya, and Petya trusts Kolya, then you automatically trust Kolya. In particular, by default, when verifying a signature and during other actions, GPG will complain like this:
WARNING: This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner.

To fix this, we say:
Code:
gpg --edit-key afiskon@example.com

Then in the dialogue we type trust, press 5 ("I trust ultimately"), and type quit. Other keys can be signed with the command tsign. By the way, in the same place you can change the password for your key (command passwd), change the expiration date of the key in either direction (command expire), add a name / email (command adduid), delete a name / email (command revuid), see the encryption algorithms used by default (showpref) and do other interesting things.

Note: What to do when the key is expired? In this case, you can change the expiration date to a later one and reload the key. Or create a new key, sign it with the old one, and upload the new key to the keyserver. No revoke is required.

You can sign anyone's key and upload the signed key to the server, thereby confirming that the key really belongs to the person specified in the description:
Code:
gpg --sign-key 7EFE74E5
gpg --keyserver pgp.mit.edu --send-keys 7EFE74E5

On some other machine, you can download the key again and see who signed it:
Code:
gpg --keyserver pgp.mit.edu --search-keys eax@example.com
gpg --list-sigs eax@example.com
gpg --check-sigs eax@example.com

From time to time, it is worth updating the keys, in case the keys have new signatures, or some keys have been revoked:
Code:
gpg --keyserver pgp.mit.edu --refresh-keys

An example of encrypting and signing a file for a given recipient (the -r switch can be specified many times):
Code:
gpg --encrypt --sign --armor -r eax@example.com msg.txt

File decryption and signature verification is carried out with the command:
Code:
gpg msg.txt.asc

An example of signing and verifying the signature of a binary file (for example, an ISO disk image):
Code:
gpg --detach-sign file.iso
gpg --verify file.iso.sig

Symmetric file encryption / decryption (convenient, for example, for storing passwords):
Code:
gpg -o nonsense.gpg --cipher-algo AES -a -c nonsense.txt
gpg -o nonsense2.txt -d nonsense.gpg

Symmetric encryption with saving in binary format (convenient for encrypting backups):
Code:
tar -cvzf - /home/eax | \
gpg --symmetric --cipher-algo AES256 --digest-algo SHA256 \
    --compression-algo Uncompressed > backup.tgz.gpg

Decryption of a file encrypted in this way:
Code:
gpg --decrypt backup.tgz.gpg | tar -xvzf -

At the same time, by default GPG asks for the password through a GUI dialog, which I personally find not very convenient. You can change this behavior like this:
Code:
echo 'pinentry-program /usr/bin/pinentry-tty' >> \
    ~/.gnupg/gpg-agent.conf
killall gpg-agent

It may turn out that your private key has been compromised, that is, it was stolen and its password was guessed. Or you have lost it. Or you just can't remember the key password. For such cases, key revocation is provided. This is how it is done. In advance, immediately after creating the keys, you need to create a revocation certificate:
Code:
gpg --gen-revoke --armor --output=revocation.crt eax@example.com

Using it, the key can be revoked like this:
Code:
gpg --import revocation.crt
gpg --keyserver pgp.mit.edu --send-keys 7EFE74E5

Important! The revocation certificate is not encrypted and can be used by anyone. Make sure to store it in a safe place (better even in several such places) and always encrypted!

Attaching GnuPG to Claws Mail
On Ubuntu we need the following packages:
Code:
sudo apt-get install claws-mail-pgpinline claws-mail-pgpmime

In Configuration → Plugins → Load, load pgpcore.so, pgpinline.so and pgpmime.so. Next, we simply configure the plugins through the client's settings. In your account settings, you can specify which keys to use, as well as generate new keys and send them to the keyserver. When writing a letter, the Encrypt and Sign checkboxes will become available in Options.

In the account properties in the Privacy tab, you can configure plugins so that messages are always signed, encrypted when replying to encrypted messages, and so on. I recommend using PGP / MIME, as PGP / Inline may not be a little annoying for non-PGP / GPG users. That is, almost everyone.

Among the plugin's quirks, I only ran into the fact that in the settings you need to specify the full path to the gpg executable; after that everything worked.

Attaching GnuPG to Mutt
To make GPG work in Mutt, add to ~/.muttrc:
Code:
# enable GPG support
set crypt_use_gpgme=yes

# sign all messages by default
set crypt_autosign=yes

# encrypt responses to encrypted messages
set crypt_replyencrypt=yes

When writing a letter, press p and select the options there: sign, encrypt, and so on. All crypt_* and pgp_* options are described in man muttrc. Plus, there is a long line here, thanks to which Mutt can be taught to check signatures on inline messages.
My complete and up-to-date version of the config for Mutt is here.

Conclusion
GPG has a lot to do with it. Let's say there is an Enigmail plugin for Thunderbird. There are mobile apps with GPG support. For example, there are oPenGP and iPGMail for the iPhone. In addition, there are plugins for IM clients, in particular for Psi. Unfortunately, it is not possible to consider all of them in one article.
As a homework assignment, you can add me to your keyring, sign my keys and send me an encrypted email by email.
Are you using PGP / GPG?
 
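As an added example (not code from the guide above, and not GnuPG's own code): the guide exports keys with --armor into pubkey.txt and privkey.txt, and a GUI "backup" may put both armored blocks into a single file. The script below, written for this thread in plain Python with only the standard library, splits such a file into its armored blocks, checks each block's CRC24 armor checksum, reports whether the first packet is a public-key or a secret-key packet, and computes the v4 fingerprint plus the long and short key IDs the guide discusses, so a private block can be matched to its public block by fingerprint. The sample export it runs on is constructed inside the script (filler MPIs, not a real key), every function name is the example's own, and it parses only old-format packet headers, which is what gpg writes for key packets.

```python
"""Inspect an ASCII-armored OpenPGP export (pubkey.txt, privkey.txt, or a GUI "backup"
file holding both) and report each block's type, whether its armor CRC24 matches, and
the v4 fingerprint / key IDs of its first key packet. Standard library only, RFC 4880 formats."""
import base64
import hashlib
import re
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA n,e / ElGamal p,g,y / DSA p,q,g,y
ARMOR_RE = re.compile(r"-----BEGIN PGP (?P<type>[A-Z ]+)-----\r?\n(?P<body>.*?)"
                      r"-----END PGP (?P=type)-----", re.S)

def crc24(data: bytes) -> int:
    """Armor checksum as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def split_armor(text: str):
    """Yield (block_type, decoded_payload, crc_from_file_or_None) for each armored block."""
    for m in ARMOR_RE.finditer(text):
        data, crc = [], None
        for line in (raw.strip() for raw in m.group("body").splitlines()):
            if not line or ":" in line:        # blank separator or armor header (Version:, Comment:)
                continue
            if line.startswith("="):           # "=XXXX" checksum line
                crc = int.from_bytes(base64.b64decode(line[1:]), "big")
            else:
                data.append(line)
        yield m.group("type"), base64.b64decode("".join(data)), crc

def read_packet(data: bytes, offset: int = 0):
    """(tag, body) of an old-format packet, which is how gpg writes key packets (RFC 4880 4.2.1)."""
    ptag = data[offset]
    if ptag & 0xC0 != 0x80:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, size = (ptag >> 2) & 0x0F, 1 << (ptag & 0x03)   # size of the length field: 1, 2 or 4
    if size == 8:
        raise ValueError("indeterminate length not supported")
    length = int.from_bytes(data[offset + 1:offset + 1 + size], "big")
    return tag, data[offset + 1 + size:offset + 1 + size + length]

def key_fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || 2-byte length || version, time, algo, public MPIs) (RFC 4880 12.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    end = 6
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):     # skip the public MPIs; in a tag-5 packet the secret MPIs follow
        end += 2 + (struct.unpack(">H", body[end:end + 2])[0] + 7) // 8
    pub = body[:end]
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).hexdigest().upper()

def inspect_export(text: str) -> list:
    """One summary dict per block; a private key block reports the same fingerprint as its public key."""
    results = []
    for block_type, payload, file_crc in split_armor(text):
        tag, body = read_packet(payload)
        info = {"type": block_type, "packet": KEY_TAGS.get(tag, f"tag {tag}"),
                "crc_ok": file_crc is not None and crc24(payload) == file_crc}
        if tag in KEY_TAGS:
            fp = key_fingerprint(body)
            info.update(fingerprint=fp, long_id=fp[-16:], short_id=fp[-8:])
        results.append(info)
    return results

# --- constructed sample export: NOT a real key, the MPIs are filler bytes ---
def mpi(value: bytes) -> bytes:
    return struct.pack(">H", value[0].bit_length() + 8 * (len(value) - 1)) + value

def packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2), len(body)]) + body    # old format, one-byte length (body < 256)

def armor(block_type: str, payload: bytes) -> str:
    """Wrap a packet stream in armor with a correct CRC line."""
    b64 = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {block_type}-----\nComment: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n={crc}\n-----END PGP {block_type}-----\n")

SAMPLE_PUBLIC_BODY = (b"\x04" + struct.pack(">I", 1474934400) + b"\x01"   # v4, 2016-09-27 UTC, RSA
                      + mpi(b"\xc1" + b"\x23" * 15) + mpi(b"\x01\x00\x01"))
SAMPLE_SECRET_BODY = SAMPLE_PUBLIC_BODY + b"\x00" + mpi(b"\x42" * 8) * 4 + b"\x00\x00"  # unencrypted filler
# A "backup" file holding both blocks, like the one the thread opener describes
SAMPLE_BACKUP = (armor("PUBLIC KEY BLOCK", packet(6, SAMPLE_PUBLIC_BODY))
                 + armor("PRIVATE KEY BLOCK", packet(5, SAMPLE_SECRET_BODY)))

if __name__ == "__main__":
    for info in inspect_export(SAMPLE_BACKUP):
        print(info)
```

To use it on a real export, call inspect_export(open("pubkey.txt").read()) and compare the reported fingerprint with the output of gpg --fingerprint; a PRIVATE KEY BLOCK that reports the same fingerprint as a PUBLIC KEY BLOCK is the secret half of that same key, and a failed crc_ok means the text was altered or truncated in transit. The last 16 hex digits of the fingerprint are the long key ID and the last 8 the short key ID, which is why the guide recommends checking the full fingerprint rather than a short ID.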

zer0day00

Member
Messages
5
Reputation
0
Reaction score
1
Points
3
Hey, thanks for answering, but I'm not using Linux; I'm using Windows 10 with the GPA program, and my problem is that I don't know which public key I have. When I try to see it I get 2 different results, so I'm not sure which one is the right one.
 
