DoC Computing Support Group

GnuPG Howto

GnuPG (GNU Privacy Guard) is the GNU version of PGP.

You may use it to encrypt data, sign messages or rpm packages amongst other uses. It is the default and recommended encryption algorithm in DoC and is installed on all Linux machines. The keys, once you have made them, are available via Samba to Windows machines via H:\.gnupg\ Creating your key

To generate personal keys, follow the procedure below. Commands are indicated in bold green type. Command output is shown in blue italic type. This assumes that you have logged into a CSG supported linux machine. If in doubt, ssh to shell2.

gpg --gen-key

If this is the first time you have run this command, gpg will exit immediately saying that it has created the initial directory and options file. Simply re-enter the above command a second time.

gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)

Select (1) DSA and ElGamal (default)

Suggested selection is 1024 bits.

Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0

This question relates to the lifetime of your key. If unsure, choose 0 (does not expire). If you wish to set an expiry date and you know what this means, choose a lifetime for your key.

Key does not expire at all Is this correct (y/n) y

Then you will be prompted for your details. Enter your own details.

You need a User-ID to identify your key; the software constructs the user id from Real Name, Comment and Email Address in this form:

Real name: Tim J Southerwood Email address: Comment: You selected this USER-ID:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a Passphrase to protect your secret key.

Enter passphrase

Repeat passphrase:

Choose a long passphrase that you will remember. Passphrases cannot be recovered. If you lose it you will not be able to sign or decrypt anything! Do not use a blank passphrase. If someone steals your secret key you have no security any more!

We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ++++++++++++++++++++++++++++++++++++++++++++++++++.++++++++++++++++++++. +++++++++++++++++++++++++..++++++++++++++++++++++++++++++++++++++++.+++ ++...................................................................... .........................................+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++.+++++.++++++++++++++++++++..++++++++++++++++++++... ......+++++^ public and secret key created and signed.

If the process appears to hang, type lots of random stuff on the keyboard (while the ssh window running gpg is in focus).

This is because the /dev/random device used for getting random numbers is not psuedo-random. It needs to be fuelled by system events on the machine running gpg. Such fuelling can be achieved by moving the mouse on the machine's own X-display, typing keystrokes at the machine, disk activity and other things.

That is done. You have your public and secret keys under: ~/.gnupg/ This directory contains:

ls -l ~/.gnupg/

total 40 -rw-r--r-- 1 ts csg 2924 Mar 26 15:23 options -rw-r--r-- 1 ts csg 1782 Mar 26 16:31 pubring.gpg -rw

1 ts csg 600 Mar 26 16:31 random_seed -rw

1 ts csg 2226 Mar 26 16:31 secring.gpg -rw-r--r-- 1 ts csg 2560 Mar 26 15:54 trustdb.gpg

Never ever let secring.gpg become readable by others. Back it up on a floppy. Keep it secure! Do not forget your passphrase. Using Encryption

For now, read the man page on gpg. Also available is a graphical front end which is good for getting a feel of things. To run, enter the command:


A gui should fire up and will by default reference your keys in ~/.gnupg How to check a file against a signature and a public key file

You have just downloaded a file called for example bind-9.1.1rc7.tar.gz from the Internet Software Consortium, perhaps from some (untrusted) mirror. Along with the data file you also retrieved the signature file bind-9.1.1rc7.tar.gz.asc. You have then gone directly to the ISC FTP site and have downloaded their public key, isckey.txt

Although you can download the data bind-9.1.1rc7.tar.gz and the signature from any mirror site, the public key must be downloaded from a trusted source. Of course, various things, including could be compromised and someone could have put a forged public key there - but in practise this is unlikely and the only way you are going to get a more trusted key is to go to the owner in person. For most normal and practical purposes, the strategy given here is valid.

Next you need to import ISC's (or whoever's) public key into your public keyring. To do this type:

gpg --import isckey.txt

Now (important) you need to sign their key with your own secret key. First list their formal identity:

gpg --list-keys

gpg: Warning: using insecure memory! /homes/ts/.gnupg/pubring.gpg

pub 1024D/AE35A8E9 2001-03-26 Tim J Southerwood <> sub 1024g/08E7605B 2001-03-26

pub 1024R/51BAB2ED 1997-01-29 Internet Software Consortium <>

You will need to use the key id given in red above. To sign their key, do:

gpg --lsign "Internet Software Consortium <>"

Great. Now you have a signed a hopefully trusted copy of the 3rd party public key. You can now check any number of files and signatures claiming to originate from them like this:

gpg --verify bind-9.1.1rc7.tar.gz.asc bind-9.1.1rc7.tar.gz

gpg: Warning: using insecure memory! gpg: Signature made Tue 27 Mar 2001 02:53:01 BST using RSA key ID 51BAB2ED gpg: Good signature from "Internet Software Consortium <>"

If the bit in red says the signature is good then all is well. Then you know that the signature itself is valid and the data file you got matches the signature. Generally this proves within all reasonable bounds that the data file you got really was produced by the people it claims (ISC in this case).


guides/gpg (last edited 2009-05-14 10:20:20 by driden)