Table of Contents

Generating a new keypair

Exchanging keys

Encrypting and decrypting documents

Making and verifying signatures

1. Gpg Generate Key On Card Login
2. Gpg Generate Public Key
3. Generate Key Code

Jun 30, 2018  Create Your Public/Private Key Pair and Revocation Certificate. Use gpg -full-gen-key command to generate your key pair. Gpg -full-gen-key. It asks you what kind of key you want. Notice there’re four options. The default is to create a RSA public/private key pair and also a RSA signing key. Let’s hit Enter to select the default. The public key and user IDs are not stored on the smart card. Thus you can not use '-card-status' to get the card to work. For that, you need to have the public key in your keychain. This is the case, when you generate a new key. You have two options to handle this: Generate a new key on the card or move an existing key to the card: Generate a. The public key and user IDs are not stored on the smart card. Thus you can not use '-card-status' to get the card to work. For that, you need to have the public key in your keychain. This is the case, when you generate a new key. You have two options to handle this: Generate a new key on the card or move an existing key to the card: Generate a.

GnuPG is a tool for secure communication.This chapter is a quick-start guide that covers the core functionalityof GnuPG.This includes keypair creation, exchanging and verifying keys, encryptingand decrypting documents, and authenticating documents with digitalsignatures.It does not explain in detail the concepts behind public-key cryptography,encryption, and digital signatures.This is covered in Chapter 2.It also does not explain how to use GnuPG wisely.This is covered in Chapters 3 and 4.

GnuPG uses public-key cryptography so that users may communicate securely.In a public-key system, each user has a pair of keys consisting ofa private key and a public key.A user's private key is kept secret; it need never be revealed.The public key may be given to anyone with whom the user wants tocommunicate.GnuPG uses a somewhat more sophisticated scheme in which a user hasa primary keypair and then zero or more additional subordinate keypairs.The primary and subordinate keypairs are bundled to facilitate keymanagement and the bundle can often be considered simply as one keypair.

The command-line option --gen-keyis used to create a new primary keypair.GnuPG is able to create several different types of keypairs, but a primarykey must be capable of making signatures.There are therefore only three options.Option 1 actually creates two keypairs.A DSA keypair is the primary keypair usable only for making signatures.An ElGamal subordinate keypair is also created for encryption. Option 2 is similar but creates only a DSA keypair.Option 4[1] creates a single ElGamal keypair usable for both making signatures and performing encryption.In all cases it is possible to later add additional subkeys for encryptionand signing.For most users the default option is fine.

You must also choose a key size.The size of a DSA key must be between 512 and 1024 bits, and an ElGamalkey may be of any size.GnuPG, however, requires that keys be no smaller than 768 bits.Therefore, if Option 1 was chosen and you choose a keysize larger than1024 bits, the ElGamal key will have the requested size, but the DSAkey will be 1024 bits.The longer the key the more secure it is against brute-force attacks,but for almost all purposes the default keysize is adequate sinceit would be cheaper to circumvent the encryption than try to break it.Also, encryption and decryption will be slower as thekey size is increased, and a larger keysize may affect signature length.Once selected, the keysize can never be changed.

gpg -card-edit gpg/card admin Admin commands are allowed gpg/card passwd.FOLLOW THE PROMPTS TO SET PINS, BOTH ADMIN AND STANDARD. Tell Git about your Signing Key Globally. Be sure to tell Git on your machine some important configuration info like your signing key, but also WHERE the gpg.exe is. This is important because git ships its own. For a new smartcard (crypto stick), I've invoked gpg -card-edit, performed the generate command and selected to not create any backup of the generated keys. After key generation has finished, a%A. Jun 01, 2018  All of these steps should be performed on a local machine, not your Linode. Install GPG: On Debian and its derivatives: sudo apt-get install gnupg2 On OS X: GPGTools provides the simplest implementation of GPG for OS X. Otherwise, you could run brew install gnupg2 if you have Homebrew. On other operating systems, this process should be fairly clear. Jun 30, 2018 Create Your Public/Private Key Pair and Revocation Certificate. Use gpg -full-gen-key command to generate your key pair. Gpg -full-gen-key. It asks you what kind of key you want. Notice there’re four options. The default is to create a RSA public/private key pair and also a RSA signing key. Let’s hit Enter to select the default.

Finally, you must choose an expiration date.If Option 1 was chosen, the expiration date will be used for both theElGamal and DSA keypairs.For most users a key that does not expire is adequate.The expiration time should be chosen with care, however,since although it is possible to change the expiration date after the keyis created, it may be difficult to communicate a changeto users who have your public key.

You must provide a user ID in addition to the key parameters.The user ID is used to associate the key being created with a realperson.Only one user ID is created when a key is created, but it is possibleto create additional user IDs if you want to use the key in two ormore contexts, e.g., as an employee at work and a political activiston the side.A user ID should be created carefully since it cannot be edited afterit is created.

GnuPG needs a passphrase to protect the primary and subordinate private keys that you keep in your possession.There is no limit on the length of a passphrase, and it should becarefully chosen.From the perspective of security, the passphrase to unlock the privatekey is one of the weakest points in GnuPG (and other public-key encryption systems as well) since it is the only protection you have if another individual gets your private key.Ideally, the passphrase should not use words from a dictionary andshould mix the case of alphabetic characters as well as use non-alphabetic characters.A good passphrase is crucial to the secure use of GnuPG.

Generating a revocation certificate

After your keypair is created you should immediately generate a revocationcertificate for the primary public key using the option--gen-revoke.If you forget your passphrase or if your private key is compromised or lost, this revocation certificate may be published to notify othersthat the public key should no longer be used.A revoked public key can still be used to verify signatures madeby you in the past, but it cannot be used to encrypt future messagesto you.It also does not affect your ability to decrypt messages sent toyou in the past if you still do have access to the private key.The argument mykey must be a keyspecifier,either the key ID of your primary keypair or any part of a user IDthat identifies your keypair.The generated certificate will be left in the filerevoke.asc.If the --output option is omitted, the result will be placed on standard output.Since the certificate is short, you may wish to print a hardcopy ofthe certificate to store somewhere safe such as your safe deposit box.The certificate should not be stored where others can access it sinceanybody can publish the revocation certificate and render thecorresponding public key useless.

Notes

[1]

Option 3 is to generate an ElGamal keypair that isnot usable for making signatures.

To follow the instructions in this chapter make sure that the card reader works and the card can be accessed (Chapter 3, Administrating the Card, command gpg --card-status).

To initialise a card enter gpg --card-edit. Basic information about the card is shown. The output is the same as gpg --card-status. The difference is that the output is now followed by a command prompt.

To get a list of all commands available enter help.

These commands are not very useful because data stored on the card cannot be changed.

For a list of useful commands enter admin and then help.

Save the name of the card owner on the card. Technically this is not required but it will prove useful if more than one card is around.

Enter name and follow the prompts. You are seperately asked for sur- and given name. After entering the data you are asked for the AdminPIN.

Note

The name is stored in an ISO format. This format distinguishes between the different name parts and is also used for machine readable passports.

In general the AdminPin is cached through a session. So if you do not remove the card you will not be asked again to enter it. As always there are exceptions to this rule.

If you like you can also enter the language you prefer (lang) and the sex (sex). gpg does not use this information so you might want to omit it.

To generate a key on the card enter generate. You will be asked if you would like to make an off-card copy of the encryption key. It is useful to say yes here.

Note

Without a backup you will not be able to access any data you encrypted with the card if it gets lost or damaged.

If a key exists on the card a security question has to be answered to avoid accidental overwriting.

The whole process of key generation looks like this.

Note

You might be asked for the PINs at different times.

Six signing operations are done during the creation of the public and secret key (one self-signature to bind the name to the key and two key-binding signatures for each key). Future versions of gpg might just need three signing operations.

The card is now ready for use.

Note

Gpg Generate Key On Card Login

Please save the backup key, transfer it to a different medium and store it in a safe place.

Gpg Generate Public Key

It is important that you delete the copy of the key from the hard disk, too. The best choices here are tools like shred from the GNU coreutils package or wipe to make sure that the original content gets overwritten.

Generate Key Code

A key can also be stored as a printout. Normally you do not need it, but in case your card breaks and the backup copy is not available you still have the chance to re-enter the key. gpg --enarmor may be used to convert the backup key into a printable format.