GPG (GNU Privacy Guard)
Software download
The software can be obtained from the GnuPG homepage.
The German-language documentation can be found in GPGMiniHowto.pdf.
A Windows version with a graphical front end to GnuPG, as well as a portable version, is available from the GnuPT homepage.
Generate, export, import, revoke keys ...
Generate key
Generation of a new key pair.
The first thing you will be asked is which algorithm to use. More details on the algorithms can be found in the PGP DH vs. RSA FAQ or in Schneier (1996). You can (and should) simply take the default (DSA/ElGamal). When choosing the key length you have to weigh security against computing time: the longer a key, the more secure it is, but the longer operations with it take. Bear in mind, however, that the key may still be in use in a few years, when average computing power will have increased considerably. For a key length above 1536 bits GnuPG asks whether such a large key is really necessary; other people recommend at least 2048 bits. For DSA, 1024 bits is the standard.
Then you will be asked for your name, a comment and your e-mail address. This information identifies the key; you can change it or add to it later. Choose an e-mail address that will stay valid for a long time, because the complete user ID is signed: if any part of it is changed afterwards, the signatures on the changed information no longer apply.
Finally, you will be asked for the password (or rather passphrase, since it may contain spaces; the German translation calls it "mantra") with which the private key is to be protected. Use a good mantra.
A good mantra:
- is not too short,
- contains special characters,
- is not a name and cannot easily be guessed by someone who knows the user (telephone number, bank code, names and number of children, ...).
You also have to be able to remember it, since the secret key is worthless without its mantra.
In this context, it is a good idea to create a revocation certificate right away.
Exporting a key (with the user ID UID)
gpg --export [UID]
If no UID is given, the entire keyring is exported. Output goes to stdout by default, but with the option -o file you can write it to a file. We also recommend using the option -a (--armor); without it I had problems. With this option the keys are not output in binary format but as ASCII (7-bit) files.
The exported key can then be distributed around the world: on your homepage, via finger, via a keyserver, ....
Importing keys
If you have received a public key from somewhere, add it to your keyring.
gpg --import [file]
If the file name is omitted, stdin is read.
Revoke key
There are several reasons to revoke an old key:
- it could have fallen into someone else's hands,
- the UID is no longer correct,
- it has simply become too short.
The revocation command creates a key revocation certificate. You need the private key for this, since otherwise strangers could generate such certificates as well. This has one drawback: a key whose mantra I do not know is obviously useless, but because I do not know the mantra I cannot revoke it either. It is therefore a good idea to generate a revocation certificate when generating the key. Keep it in a safe place, preferably on diskette and on paper, so that it does not fall into the wrong hands.
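The two recommendations above (make the key, then secure a revocation certificate immediately) as an added example that is not part of the original page. It assumes GnuPG 2.1 or later, which writes a revocation certificate to $GNUPGHOME/openpgp-revocs.d/<FINGERPRINT>.rev at key creation with a colon in front of the BEGIN line so that it cannot be imported by accident; the UID, passphrase and paths in the example call are placeholders.

```shell
# Added example, not from the original page. Assumes GnuPG 2.1+ and its
# automatically written revocation certificate in openpgp-revocs.d.

# Fingerprint of the first key in "gpg --with-colons" output
# (10th field of the "fpr" record).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# True if FILE is an armored revocation certificate, armed or still
# disarmed by the protective colon gpg puts in front of the BEGIN line.
is_revocation_cert() {
    grep -Eq '^:?-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" &&
    grep -q '^Comment: This is a revocation certificate' "$1"
}

# arm_revocation_cert IN OUT: strip the protective colon so that OUT can be
# imported (gpg --import OUT) when the key really has to be revoked.
arm_revocation_cert() {
    sed 's/^:-----BEGIN PGP/-----BEGIN PGP/' "$1" > "$2" && chmod 600 "$2"
}

# make_key_and_save_revocation HOME "Name <mail>" PASSPHRASE SAFE_DIR
# Generates the key pair, then copies its revocation certificate to SAFE_DIR
# (ideally offline media). Prints the new key's fingerprint.
make_key_and_save_revocation() {
    home=$1; uid=$2; pass=$3; safe=$4
    mkdir -p "$home" "$safe" && chmod 700 "$home" "$safe"
    GNUPGHOME=$home gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --quick-gen-key "$uid" default default 2y || return 1
    fpr=$(GNUPGHOME=$home gpg --batch --with-colons --list-secret-keys | fpr_from_colons)
    cert="$home/openpgp-revocs.d/$fpr.rev"
    is_revocation_cert "$cert" || { echo "no revocation certificate for $fpr" >&2; return 1; }
    cp "$cert" "$safe/$fpr.rev" && chmod 600 "$safe/$fpr.rev" && echo "$fpr"
}

# Example call (needs gpg installed); all values are placeholders:
#   make_key_and_save_revocation /tmp/gnupg-demo "Alice <alice@example.org>" 'a long mantra' /media/offline/revocs
```

The copy in SAFE_DIR stays disarmed until you run arm_revocation_cert on it, so an accidental import of the backup does not revoke the key.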
Manage your keyring
The keyring is a file in which all keys are stored together with their associated information (except the owner-trust values, see Sign the key).
List the public keyring
gpg --list-keys
shows all keys in the public keyring.
The signature listing additionally shows the signatures on each key (see Sign the key).
List keys with their fingerprints
gpg --fingerprint
lists the keys with their fingerprints. These are (relatively) short sequences of hexadecimal digits that identify a key. They are useful for confirming over the phone that a public key really comes from the person you are talking to. Putting fingerprints into the signature block of e-mails or Usenet articles, by the way, is pointless.
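The fingerprint check described above, as an added example that is not part of the original page: a key received by mail, web or keyserver is inspected in a throwaway keyring and only imported into the real one if its primary fingerprint equals the value read over the phone. It assumes GnuPG 2.x; the key file and fingerprint in the example call are placeholders.

```shell
# Added example, not from the original page. Assumes GnuPG 2.x.

# Canonical form of a fingerprint: no spaces, upper case, so the value
# copied from a phone call compares equal to gpg's output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# single_key_matching EXPECTED  (gpg --with-colons listing on stdin)
# True only if the listing holds exactly one key and the PRIMARY key's
# fingerprint equals EXPECTED. Subkey fingerprints are deliberately not
# accepted, and a file that smuggles in a second key is rejected.
single_key_matching() {
    listing=$(cat)
    npub=$(printf '%s\n' "$listing" | grep -c '^pub:' || true)
    fpr=$(printf '%s\n' "$listing" | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$npub" -eq 1 ] && [ "$fpr" = "$(normalize_fpr "$1")" ]
}

# import_if_fingerprint_matches KEYFILE EXPECTED_FPR
# Imports KEYFILE into a scratch GNUPGHOME to inspect it, and only on a
# match imports it into the real keyring with gpg --import as in the text.
import_if_fingerprint_matches() {
    keyfile=$1; expected=$2
    scratch=$(mktemp -d) && chmod 700 "$scratch"
    GNUPGHOME=$scratch gpg --batch --quiet --import "$keyfile" 2>/dev/null
    listing=$(GNUPGHOME=$scratch gpg --batch --with-colons --list-keys 2>/dev/null)
    GNUPGHOME=$scratch gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$scratch"
    if printf '%s\n' "$listing" | single_key_matching "$expected"; then
        gpg --batch --import "$keyfile"
    else
        echo "fingerprint mismatch for $keyfile: not imported" >&2
        return 1
    fi
}

# Example call (needs gpg installed); file and fingerprint are placeholders:
#   import_if_fingerprint_matches alice.asc 'ABCD EF01 2345 6789 ABCD EF01 2345 6789 ABCD EF01'
```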
List keys in the private keyring
gpg --list-secret-keys
lists the keys in the private keyring. Signatures and fingerprints of private keys carry no information.
Delete key
gpg --delete-key UID
deletes keys from the corresponding keyring.
Edit key
gpg --edit-key UID
In the menu you can, among other things, change the mantra and the expiry date, display fingerprints and sign keys.
Sign the key
After you have selected the key to be signed with
gpg --edit-key UID
it can be signed with the sign command.
Use keyserver
Keyservers are large databases of public keys. GnuPG can import keys from keyservers and export keys to them. GnuPG talks to the keyserver via HTTP, but on port 11371, so make sure that any firewall in between does not block this port.
The address of the keyserver is passed with the option --keyserver on the command line, but you can also put the entry into the configuration file ~/.gnupg/options:
# Enter your favorite server here (e.g.):
By the way, the server really does exist. Once GnuPG knows where the keys can be found, you can import with
gpg --recv-keys UID
and export with
gpg --send-key UID
Encrypt and decrypt
If you have several private keys, you can select one (or more) of them by UID with the option -u UID or --local-user UID. This selection overrides the key chosen by default in the configuration file with
gpg --default-key KeyID
With -r UID or --recipient UID you select the recipient on the command line.
Encrypt
The command to encrypt is
gpg -e recipient [file]
gpg --encrypt recipient [file]
It makes sense to sign the files as well; see Sign and verify signatures for details.
Decrypt
The command to decrypt is
gpg [-d] [file]
gpg [--decrypt] [file]
Again, output goes to stdout by default, but with the option -o file you can write it to a file.
Sign and verify signatures
With the command
gpg -s (or --sign) [file]
you sign a file with your private key. The file is compressed at the same time, so it is no longer directly readable. With
gpg --clearsign [file]
the file remains readable. With
gpg -b (or --detach-sign) [file]
the signature is written to a separate file. The latter is particularly recommended for signing binary files such as archives. The option --armor can be useful here as well.
Usually a file is both signed and encrypted; the complete command is then
gpg [-u sender] [-r receiver] [--armor] --sign --encrypt [file]
The options -u (sender) and -r (recipient) work as explained above.
If an encrypted file is signed, the signature is also checked when it is decrypted. The signature of an unencrypted file is checked with
gpg [--verify] [file]
always assuming, of course, that you are in possession of the corresponding public key.
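The sign-and-encrypt round trip above, as an added example that is not part of the original page: the receiving side decides programmatically whether the signature is good by reading gpg's machine-readable --status-fd lines rather than the human-readable "Good signature" text, and a file that merely decrypts but carries no signature does not pass. It assumes GnuPG 2.x; sender, recipient and the expected signer fingerprint are placeholders.

```shell
# Added example, not from the original page. Assumes GnuPG 2.x.

# signature_ok: reads "[GNUPG:] ..." status lines on stdin. True only if gpg
# reported both GOODSIG (signer key known, signature verifies) and VALIDSIG,
# and no failure line. DECRYPTION_OKAY alone is NOT enough: anyone with the
# recipient's public key can encrypt, so decrypting proves nothing about
# who produced the file.
signature_ok() {
    status=$(cat)
    if printf '%s\n' "$status" |
       grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' &&
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG '
}

# validsig_primary_fpr: primary-key fingerprint from the VALIDSIG line (its
# last field), so the signer can be pinned even if a subkey made the signature.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# sign_encrypt SENDER RECIPIENT IN OUT: the combined command from the text.
sign_encrypt() {
    gpg --batch --yes -u "$1" -r "$2" --armor --sign --encrypt --output "$4" "$3"
}

# decrypt_verified IN OUT EXPECTED_SIGNER_FPR
# Decrypts IN to OUT and removes OUT again unless the signature is good and
# was made by the expected primary key.
decrypt_verified() {
    status=$(gpg --batch --yes --status-fd 1 --output "$2" --decrypt "$1" 2>/dev/null)
    if printf '%s\n' "$status" | signature_ok &&
       [ "$(printf '%s\n' "$status" | validsig_primary_fpr)" = "$3" ]; then
        return 0
    fi
    rm -f "$2"; echo "signature check failed for $1" >&2; return 1
}

# Example calls (need gpg and both keys); all values are placeholders:
#   sign_encrypt alice@example.org bob@example.org report.txt report.txt.asc
#   decrypt_verified report.txt.asc report.txt ABCDEF0123456789ABCDEF0123456789ABCDEF01
```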