Next Meeting:

The next Ryedale Linux User Group meeting will be:

Feb 27th 2012

More details...

LUG News:

RyeLUG is six years old and doing well!


- York LUG
- Scarborough LUG
- Beverley LUG
- Get Counted
- Valid XHTML
- Valid CSS

Welcome To The RyeLUG HowTo files

We only have the one HowTo file at the moment, about getting started with GnuPG or GPG as it's otherwise known.  As we have more added, this page will change accordingly.

HowTo generate, revoke and sign a GnuPG key

By following these instructions you should be able to create a GPG key, revoke this key if things go horribly wrong and attend a key signing party to strengthen the web of trust and your keys position within it.

These instruction use the *nix command line with the '$' meaning a user prompt rather than '#' for the root user.  I'm sure there are GUI tools to do the same thing, but every *nix user has access to the command line so that's what I suggest you use.

Generate GnuPG Key
Generate Revocation Certificate
Revoking a Key Pair
Key Signing
Backup & Transfer of keys

(1) Generate your GnuPG keys

$ gpg --gen-key<return>

(1a) Select the key types you want - The default is good.

Please select what kind of key you want:

   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? <return>

(1b) Select your key size: 4096

DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096<return>
Requested keysize is 4096 bits

(1c) Set the lifetime of this key: 5 years is good

Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 5y<return>
Key expires at Fri Nov  5 00:19:43 EST 2012
Is this correct (y/n)? y<return>

(1d) Enter your name and email address

Real name: Demo User<return>
Email address: demo@doesnot.exist<return>
You selected this USER-ID:
    "Demo User <demo@doesnot.exist>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?  O<return>

(1e) Choose a pass phrase.  You need to pick a good one.  It should be long and very difficult to guess.  Any pass phrase less than twelve characters can be guessed by current cluster computing technology.  A best practice is to use a program like passgen (FreshMeat) to generate your phrase from operating system sources of pseudorandomness.  If you don't use a program like passgen, a pass phrase rather than a password is highly recommended.  It should be something you won't forget.  If you forget your pass phrase, you cannot recover your key.

(1f) Move the mouse and hit some keys maybe update locate in the background or run a big find.  GPG is reading from /dev/random to get some randomness for your key generation.  /dev/random is populated in part by the interrupts happening on your computer.

(2) Modify your key if you want.  For example if you have multiple email addresses and you want to list them as valid on your key:

To do this we use the --edit-key command.

$ gpg --edit-key 12345678<return>
gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub  1024D/12345678  created: 2007-11-05  expires: 2012-11-05  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/ABCDEFGH  created: 2007-11-05  expires: 2012-11-05  usage: E
[ultimate] (1). Demo User <demo@doesnot.exist>

Command> adduid<return>
Real name: Example User<return>
Email address: example@doesnot.exist<return>
You selected this USER-ID:
    "Example User <example@doesnot.exist>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O<return>

You need a passphrase to unlock the secret key for
user: "Demo User <demo@doesnot.exist>"
1024-bit DSA key, ID 12345678, created 2008-03-14

Enter passphrase: passphrase<return>

pub  1024D/12345678  created: 2007-11-05  expires: 2012-11-05  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/ABCDEFGH  created: 2007-11-05  expires: 2012-11-05  usage: E
[ultimate] (1)  Demo User <demo@doesnot.exist>
[ unknown] (2). Example <example@doesnot.exist>

Command> save<return>

(3) Optionally, send your key to the keyserver:

$ gpg --keyserver <keyserver> --send-key <Your_Key_ID>

If you have:

keyserver <keyserver>

in your .gnupg/gpg.conf file then the --keyserver <keyserver> is not required.  Where <keyserver> is somethung like hkp://

Sending your key to the keyserver is prefered as it makes it much easier to distribute your key for others to use.

Also you should send it to a ring of keyservers like hkp:// as this means your key will propogate around a large number of machines around the world.

(4)Generating a Revocation Certificate

This following additional step is optional, but recommended.

A revocation certificate is a special from of digital signature on a public key that can be used to revoke that key in the event that you loose access to your private key due to compromise, seizure, forgotten passphrase, or media failure.  To use a revocation certificate, you simply need to circulate it in the same matter that you circulated your public key.  For example, if you upload the revocation certificate to a public keyserver, the keyserver will merge it with your key there by revoking it.  If you want to have the ability to revoke your public key when you do not have access to your private key, you should generate a revocation certificate and store it a secure and safe place.  You could also print out a copy of your ascii encoded revocation certificate so that it can be entered and used in the event of the failure or loss of the media that it is stored on.

If your revocation certificate is compromised, the individual who compromises your revocation certificate will be able to circulate the certificate thereby disabling your key.  However, the individual will not be able to compromise your secret key through his access to your revocation certificate.  Therefor, they will not be able to generate fake signatures, decrypt messages encrypted with your keypair, or otherwise misrepresent themselves as the owner of your keypair.  Since the only negative outcome possible from the compromise of a revocation certificate is the disabling of your keypair, it is a generally safe and good thing to do.

The GnuPG command to generate an ascii encoded revocation certification is:

$ gpg --output revcert.asc --gen-revoke <key_ID>

(4a) Revoking a key pair

To revoke your key for whatever reason, you need to import your revocation certificate into your key like this:

$ gpg --import revcert.asc

Don't worry if you have two keys containing similar UIDs as GPG will find the appropriate key to revoke.

You now need to send the revoked key to the public keyserver like this:

$ gpg --keyserver <keyserver> --send-keys <revoked_key_ID>

If you check your key's verbose index page on your keyserver, you'll see *** KEY REVOKED *** on the first line of the details.

(5) Key Signing

Signing a GnuPG key is a simple task that requires a few steps to complete.  Essentially, for a normal key which has a real name and email address the signing process is done to confirm the person is who they say they are, that they control the email address they have on the key and that they have both the secret and public parts of the key.

To do this you need to meet the person whose key you intend to sign.  You need to see some form of photo ID like a passport or a modern photo driving licence.  When you've confirmed who they are you need a copy of their GnuPG key ID fingerprint.  This is usually in the form of a slip of paper with a real name, key ID, fingerprint and email address.  There is a package called 'signing-party' which contains 'key2ps' which generates keyslips, but I prefer to use a python script we have available called printkeys.

 You can verify this script with this MD5 check-sum


 Lastly, you need to agree on a secret.  Again on the slips generated by printkeys you'll find a randomly generated alpha-numeric set of characters for both key-holder and signatory.

Having completed the face-to-face part, you can now go your seperate ways.  Though it's best if you both have IDs and slips so that the checks are completed for both people.  Once you return to your computer you can download the key to your machine like this:

$ gpg --keyserver <keyserver> --recv-keys <key_ID>

You then need to verify this is the key with the fingerprint on the slip like so:

$ gpg --fingerprint <key_ID>

When you've checked the two fingerprints are the same you can proceed by sending an encrypted signed message to the email address on the key to be signed.  In this you ask for the secret the key holder gave you when you met.  You should do this for each UID (address) on the key you intend to sign.  You should receive an encrypted and signed email back with the secret.  At which point you have confirmed the physical ID of the person, that they have the secret part of the GnuPG key to unlock the encryption made using their public key and that they control the email address too.  You can now sign their key.

To do this you need to use this command:

$ gpg --edit-key <key_ID>

This will take you to the GnuPG prompt:


You should issue the command 'sign'.  You'll be asked to check you're sure you want to sign with your key and then asked for your passphrase.  When this is done you'll find yourself back at the GnuPG prompt, at which point you should issue the command 'save'.  This will save and exit the edit interface.

All that now remains is to return the signed key to the key holder.  You can do this by either uploading it to the keyservers yourself with:

$ gpg --keyserver <keyserver> --send-keys <key_ID>

Or, and this is how I've seen a lot of people do it, by creating an ascii armoured key block, like so:

$ gpg --armor --export <key_ID> > <filename>.asc

and sending this file in an encrypted and signed email to the key holder for them to upload themselves.

Congratulations!  You have just completed your first keysigning, hopefully we'll get to meet and exchange keys someday.

If you receive a signed key as an ascii armoured file, it can be imported to your key ring like this:

$ gpg --import <filename>.asc

You then re-send your key to the keyserver.

Finally, it's a good idea to refresh your key ring every now and then as this updates the public keys of other people that you have on your key ring and will mark any revoked keys appropriately.  To do this, use this command:

$ gpg --refresh-keys

(6)Backup & Transfer of keys

Having completed a key signing and with your key available from the public keyservers, the last thing you want is to lose your key.  So, you need an effective way to back it up and to able to transfer it if you rebuild a machine or buy another.

The simplist way to back up your key is to copy the ~/.gnupg/ directory.  This contains all the necessary files for your GnuPG use.  Save this copy to a safe place and you have your backup.  Use this to transfer your key to a new or rebuilt machine by simply copying this directory back to $HOME.