Docs/quick-docs
1
0
Fork 0
Code Issues 48 Pull requests 1 Projects Releases Packages Wiki Activity Actions

Technical review of creating gpg keys

Browse source
This commit is contained in:
Connor Lim 2021-02-09 17:27:15 +08:00 committed by pbokoc
parent 10de2c1391
commit b3d51e3626
12 changed files with 75 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

6
modules/ROOT/pages/_partials/proc_backup-gpg-keys-cli.adoc
View file

@ -1,12 +1,12 @@
[[backup-gpg-keys-cli]]
= Making a Key Backup Using the Command Line
Use the following command to make the backup, which you can then copy to a destination of your choice:
Use the following command to make the backup, which you can then copy to a destination of your choice:
----
gpg2 --export-secret-keys --armor jqdoe@example.com > jqdoe-privkey.asc
gpg --export-secret-keys --armor johndoe@example.com > johndoe-privkey.asc
----
Store the copy in a secure place, such as a locked container.
See now <<exporting-gpg-keys-cli>>.
Now see <<exporting-gpg-keys-cli>>.

8
modules/ROOT/pages/_partials/proc_backup-gpg-keys-gnome.adoc
View file

@ -3,10 +3,10 @@
. Right-click your key and select _Properties_.
. Select the _Details_ tab, and _Export_, next to the _Export Complete Key_ label.
. Select the _Details_ tab, and select menu:Export to file[Export secret key].
. Select a destination filename and click btn:[Save].
. Select a destination filename and click btn:[Export].
. Store the copy in a secure place, such as a locked container.
Store the copy in a secure place, such as a locked container.
See now <<exporting-gpg-keys-gnome>>.
Now see <<exporting-gpg-keys-gnome>>.

5
modules/ROOT/pages/_partials/proc_backup-gpg-keys-kde.adoc
View file

@ -3,11 +3,12 @@
. Right-click your key and select _Export Secret Key_.
. Click btn:[Export] to continue at the confirmation dialog.
. Click btn:[Continue] to continue at the confirmation dialog.
. Select a destination filename.
. Click btn:[Save].
Store the copy in a secure place, such as a locked container.
See <<exporting-gpg-keys-kde>>.
Now see <<exporting-gpg-keys-kde>>.

4
modules/ROOT/pages/_partials/proc_copying-public-gpg-keys-manually.adoc
View file

@ -4,7 +4,7 @@
If you want to give or send a file copy of your key to someone, use this command to write it to an ASCII text file:
----
gpg2 --export --armor jqdoe@example.com > jqdoe-pubkey.asc
gpg --export --armor johndoe@example.com > johndoe-pubkey.asc
----
See now <<safeguarding-your-secret-key>>.
Now see <<safeguarding-your-secret-key>>.

34
modules/ROOT/pages/_partials/proc_creating-gpg-keys-cli.adoc
View file

@ -4,12 +4,12 @@
. Use the following shell command:
+
----
gpg2 --full-gen-key
gpg --full-generate-key
----
+
This command generates a key pair that consists of a public and a private key.
Other people use your public key to authenticate and/or decrypt your communications.
Distribute your *public* key as widely as possible, especially to people who you know will want to receive authentic communications from you, such as a mailing list..
Distribute your *public* key as widely as possible, especially to people who you know will want to receive authentic communications from you, such as a mailing list.
. Press the kbd:[Enter] key to assign a default value if desired.
The first prompt asks you to select what kind of key you prefer:
@ -20,7 +20,8 @@ Please select what kind of key you want:
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
(14) Existing key from card
Your selection?
----
+
In almost all cases, the default is the correct choice.
@ -29,8 +30,8 @@ A RSA/RSA key allows you not only to sign communications, but also to encrypt fi
. Choose the key size:
+
----
RSA keys may be between 1024 and 4096 bits long. Larger is almost always recommended here, however your use case and security models may dictate otherwise.
What keysize do you want? (2048)
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
----
+
Again, the default is sufficient for almost all users, and represents an _extremely_ strong level of security.
@ -51,10 +52,10 @@ Key is valid for? (0)
+
Entering a value of `1y`, for example, makes the key valid for one year.
(You may change this expiration date after the key is generated, if you change your mind.)
Before the `gpg2` program asks for signature information, the following prompt appears:
Before the `gpg` program asks for signature information, the following prompt appears:
+
----
Is this correct (y/n)?
Is this correct (y/N)?
----
+
. Enter `y` to finish the process.
@ -75,16 +76,17 @@ Is this correct (y/n)?
. Enter the letter `O` at the confirmation prompt to continue if all entries are correct, or use the other options to fix any problems.
. Enter a passphrase for your secret key.
The `gpg2` program asks you to enter your passphrase twice to ensure you made no typing errors.
The `gpg` program asks you to enter your passphrase twice to ensure you made no typing errors.
Finally, `gpg2` generates random data to make your key as unique as possible.
Finally, `gpg` generates random data to make your key as unique as possible.
Move your mouse, type random keys, or perform other tasks on the system during this step to speed up the process.
Once this step is finished, your keys are complete and ready to use:
----
pub 1024D/1B2AFA1C 2005-03-31 John Q. Doe (Fedora Docs Project) <jqdoe@example.com>
Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A FA1C
sub 1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31]
pub rsa3072 2021-02-09 [SC] [expires: 2022-02-09]
3782CBB60147010B330523DD26FBCC7836BF353A
uid John Doe (Fedora Docs) <johndoe@example.com>
sub rsa3072 2021-02-09 [E] [expires: 2022-02-09]
----
The key fingerprint is a shorthand signature for your key.
@ -93,12 +95,12 @@ You do not need to write this fingerprint down.
To display the fingerprint at any time, use this command, substituting your email address:
----
gpg2 --fingerprint jqdoe@example.com
gpg --fingerprint johndoe@example.com
----
Your _GPG key ID_ consists of 8 hex digits identifying the public key.
In the example above, the GPG key ID is `1B2AFA1C`.
In most cases, if you are asked for the key ID, you should prepend "0x" to the key ID, as in `0x1B2AFA1C`.
In the example above, the GPG key ID is `36BF353A`.
In most cases, if you are asked for the key ID, you should prepend "0x" to the key ID, as in `0x36BF353A`.
See now <<backup-gpg-keys-cli>>.
Now see <<backup-gpg-keys-cli>>.
Make sure to back up your revocation keys for all active keys as this allows to revoke keys in the event of lost passphrase of key compromise.

15
modules/ROOT/pages/_partials/proc_creating-gpg-keys-gnome.adoc
View file

@ -3,26 +3,25 @@
Install the Seahorse utility, which makes GPG key management easier.
. Select menu:Applications[Add/Remove Software].
. Select menu:Activities[Software].
. Select the _Search_ tab and enter the name `seahorse`.
. Click the _Search_ button and enter the name 'Seahorse'.
. Select the checkbox next to the `seahorse` package and select _Apply_ to add the software.
You can also install Seahorse using the command line with the command `su -c "dnf install seahorse"`.
. Click the Seahorse package and click btn:[Install] to add the software.
You can also install Seahorse using the command line with the command `sudo dnf install seahorse`.
To create a key:
. Select menu:Activities[Passwords and Encryption Keys], which starts the application Seahorse.
. Select menu:File[New... > PGP Key].
. Click btn:[Continue].
. At the top left hand corner, click the menu:Plus Button[GPG Key].
. Type your full name, email address, and an optional comment describing who you are (e.g.: John C. Smith, jsmith@example.com, The Man).
. Click btn:[Create].
. Choose a passphrase that is strong but also easy to remember in the dialog that is displayed.
. Click btn:[OK] and the key is created.
See now <<backup-gpg-keys-gnome>>.
Now see <<backup-gpg-keys-gnome>>.

8
modules/ROOT/pages/_partials/proc_creating-gpg-keys-kde.adoc
View file

@ -1,7 +1,7 @@
[[creating-gpg-keys-kde]]
= Creating GPG Keys Using the KDE Desktop
. Start the KGpg program from the main menu by selecting menu:Utilities[PIM > KGpg].
. Start the KGpg program from the main menu by selecting menu:Applications[Utilities > KGpg].
If you have never used KGpg before, the program walks you through the process of creating your own GPG keypair.
. Enter your name, email address, and an optional comment in the dialog box that appears prompting you to create a new key pair.
@ -10,7 +10,7 @@
. Enter your passphrase in the next dialog box.
At this point, your key appears in the main KGpg window.
To find your GPG key ID, look in the _Key ID_ column next to the newly created key.
In most cases, if you are asked for the key ID, you should prepend `0x` to the key ID, as in `0x6789ABCD`.
To find your GPG key ID, look in the _ID_ column next to the newly created key.
In most cases, if you are asked for the key ID, you should prepend `0x` to the last 8 characters of the key ID, as in `0x6789ABCD`.
See now <<backup-gpg-keys-kde>>.
Now see <<backup-gpg-keys-kde>>.

8
modules/ROOT/pages/_partials/proc_exporting-gpg-keys-cli.adoc
View file

@ -4,16 +4,16 @@
Use the following command to send your key to a public keyserver:
----
gpg2 --send-key KEYNAME
gpg --send-key KEYNAME
----
For `KEYNAME`, substitute the key ID or fingerprint of your primary keypair.
This will send your key to the gnupg default key server (keys.gnupg.net), if you prefer another one use:
This will send your key to the gnupg default key server. If you prefer another one use:
----
gpg2 --keyserver hkp://pgp.mit.edu --send-key KEYNAME
gpg --keyserver hkp://pgp.mit.edu --send-key KEYNAME
----
Replacing `pgp.mit.edu` with your server of choice.
See now <<safeguarding-your-secret-key>>.
Now see <<safeguarding-your-secret-key>>.

8
modules/ROOT/pages/_partials/proc_exporting-gpg-keys-gnome.adoc
View file

@ -1,14 +1,14 @@
[[exporting-gpg-keys-gnome]]
= Exporting a GPG Key Using the GNOME Desktop
. Right-click the key and select _Sync and Publish Keys...._
. Click the menu:Menu Button[Sync and Publish Keys...]
. Click _Key Servers_.
. Click btn:[Key Servers].
. Select _hkp://subkeys.pgp.net:11371_ in the _Publish Keys To_ combobox.
. Select _ldap://keyserver.pgp.com_ in the _Publish Keys To_ combobox.
. Click btn:[Close].
. Click btn:[Sync].
See now <<safeguarding-your-secret-key>>.
Now see <<safeguarding-your-secret-key>>.

16
modules/ROOT/pages/_partials/proc_exporting-gpg-keys-kde.adoc
View file

@ -1,8 +1,14 @@
[[exporting-gpg keys-kde]]
[[exporting-gpg-keys-kde]]
= Exporting a GPG Key Using the KDE Desktop
After your key has been generated, you can export the key to a public keyserver by right-clicking on the key in the main window, and selecting _Export Public Keys._
From there you can export your public key to the clipboard, an ASCII file, to an email, or directly to a key server.
Export your public key to the default key server.
After your key has been generated, you can export the key to a public keyserver
See now <<safeguarding-your-secret-key>>.
. Right-click on the key in the main window.
. Select _Export Public Keys._
. From there you can export your public key to the clipboard, an ASCII file, to an email, or directly to a key server.
. Export your public key to the default key server.
Now see <<safeguarding-your-secret-key>>.

6
modules/ROOT/pages/_partials/proc_revoking-gpg-keys.adoc
View file

@ -14,7 +14,7 @@ As long as you still have access to the private key, messages received previousl
If you forget the passphrase, you will not be able to decrypt messages encrypted to that key.
----
gpg2 --output revoke.asc --gen-revoke KEYNAME
gpg --output revoke.asc --gen-revoke KEYNAME
----
If you do not use the `--output` flag, the certificate will print to standard output.
@ -30,7 +30,7 @@ It is a good idea to write the revocation certificate to secure removable media
. Revoke the key locally:
+
----
gpg2 --import revoke.asc
gpg --import revoke.asc
----
+
Once you locally revoke the key, you must send the revoked certificate to a keyserver, regardless of whether the key was originally issued in this way.
@ -39,7 +39,7 @@ Distribution through a server helps other users to quickly become aware the key
. Export to a keyserver with the following command:
+
----
gpg2 --keyserver subkeys.pgp.net --send KEYNAME
gpg --keyserver hkp://pgp.mit.edu --send-keys KEYNAME
----
+
For `KEYNAME`, substitute either the key ID of your primary keypair or any part of a user ID that identifies your keypair.

26
modules/ROOT/pages/create-gpg-keys.adoc
View file

@ -3,28 +3,26 @@ ifdef::context[:parent-context: {context}]
= Creating GPG Keys
:experimental:
include::{partialsdir}/unreviewed-message.adoc[]
This document explains in detail how to obtain a GPG key using common Fedora utilities.
It also provides information on managing your key as a Fedora contributor.
[[creating-gpg-keys]]
== Creating GPG Keys
include::{partialsdir}/proc_creating-gpg-keys-gnome.adoc[leveloffset=+1]
include::{partialsdir}/proc_creating-gpg-keys-gnome.adoc[leveloffset=+2]
include::{partialsdir}/proc_creating-gpg-keys-kde.adoc[leveloffset=+1]
include::{partialsdir}/proc_creating-gpg-keys-kde.adoc[leveloffset=+2]
include::{partialsdir}/proc_creating-gpg-keys-cli.adoc[leveloffset=+1]
include::{partialsdir}/proc_creating-gpg-keys-cli.adoc[leveloffset=+2]
[[making-a-backup]]
== Making a Backup
include::{partialsdir}/proc_backup-gpg-keys-gnome.adoc[leveloffset=+1]
include::{partialsdir}/proc_backup-gpg-keys-gnome.adoc[leveloffset=+2]
include::{partialsdir}/proc_backup-gpg-keys-kde.adoc[leveloffset=+1]
include::{partialsdir}/proc_backup-gpg-keys-kde.adoc[leveloffset=+2]
include::{partialsdir}/proc_backup-gpg-keys-cli.adoc[leveloffset=+1]
include::{partialsdir}/proc_backup-gpg-keys-cli.adoc[leveloffset=+2]
[[making-your-public-key-available]]
== Making Your Public Key Available
@ -32,16 +30,15 @@ include::{partialsdir}/proc_backup-gpg-keys-cli.adoc[leveloffset=+1]
When you make your public key available to others, they can verify communications you sign, or send you encrypted communications if necessary.
This procedure is also known as _exporting_.
Now see <<exporting-gpg-keys-gnome>>, <<exporting-gpg-keys-kde>>, or the <<exporting-gpg-keys-cli>>.
See <<copying-public-gpg-keys-manually>> to a file if you wish to email it to individuals or groups.
include::{partialsdir}/proc_exporting-gpg-keys-gnome.adoc[leveloffset=+1]
include::{partialsdir}/proc_exporting-gpg-keys-gnome.adoc[leveloffset=+2]
include::{partialsdir}/proc_exporting-gpg-keys-kde.adoc[leveloffset=+1]
include::{partialsdir}/proc_exporting-gpg-keys-kde.adoc[leveloffset=+2]
include::{partialsdir}/proc_exporting-gpg-keys-cli.adoc[leveloffset=+1]
include::{partialsdir}/proc_exporting-gpg-keys-cli.adoc[leveloffset=+2]
include::{partialsdir}/proc_copying-public-gpg-keys-manually.adoc[leveloffset=+1]
include::{partialsdir}/proc_copying-public-gpg-keys-manually.adoc[leveloffset=+2]
[[safeguarding-your-secret-key]]
== Safeguarding Your Secret Key
@ -56,7 +53,7 @@ If you lose your secret key, you will be unable to sign communications, or to op
If you followed the above, you have a secret key which is just a regular file.
A more secure model than keeping the key on disk is to use a hardware token.
There are several options available on the market, for example the https://www.yubico.com/products/yubikey-hardware/yubikey4/[YubiKey].
There are several options available on the market, for example the https://www.yubico.com/products/yubikey-5-overview/[YubiKey].
Look for a token which advertises OpenPGP support.
See https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/[this blog entry] for how to create a key with offline backups, and use the token for online access.
@ -69,5 +66,6 @@ include::{partialsdir}/proc_revoking-gpg-keys.adoc[leveloffset=+1]
* https://en.wikipedia.org/wiki/Public-key_cryptography[Wikipedia - Public Key Cryptography]
See a typo, something missing or out of date, or anything else which can be improved? Edit this document at https://pagure.io/fedora-docs/quick-docs[quick-docs's git repository].
ifdef::parent-context[:context: {parent-context}]
ifndef::parent-context[:!context:]