PGP

Key Creation

Generating a PGP key pair on Linux is simple. Understanding how the process goes can enhance your security. Start by installing  gnupg, then run:

$ gpg --full-generate-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1

There are various kind of key algorithm to choose from, it's better to stick with the default.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits

In this case the default keysize is 3072, but 4096 is more robust.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at mer 7 giu 2023, 15:20:50 CEST
Is this correct? (y/N) y

By default the key will never expire, but for good security practice it's better to put an expiration date on the key. That's in case you forget about the key or it's compromised (revoke a key). You must remember to update and rotate the key before the expiration.

GnuPG needs to construct a user ID to identify your key.

Real name: Fabrice Monasterio
Email address: me[at]fabricemonasterio[dot]dev
Comment:
You selected this USER-ID:
    "Fabrice Monasterio <me[at]fabricemonasterio[dot]dev>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

We now create the user information associated with the key. At last we are required to encrypt the private key with a passphrase. You can now see what private key you own.

$ gpg --list-secret-keys --keyid-format=long
/tmp/tmp.lV9Srnl5Mg/pubring.kbx
-------------------------------
sec   rsa4096/BBDA30BC3476B1F6 2022-06-07 [SC] [expires: 2023-06-07]
      8581F3F031E50BE0A5E1C725BBDA30BC3476B1F6
uid                 [ultimate] Fabrice Monasterio <me[at]fabricemonasterio[dot]dev>
ssb   rsa4096/612A309BCB38496F 2022-06-07 [E] [expires: 2023-06-07]

If you want to personalize the fingerprint, you can! Here I explain how:

Vanity Addresses and Keys
What are vanity addresses and how to generate them: SSH, PGP, ETH, BTC, TOR and I2P

You can now upload the public key to a keyserver and share it:

gpg --keyserver pgp.mit.edu --send-keys BBDA30BC3476B1F6
gpg --output fabrice-public-key.asc --armor --export BBDA30BC3476B1F6

All that's left to do is backup the private key (the public key is contained in the private key)

Key Backup & Restore

It's good practice to backup and save a copy of the key pair somewhere safe:

gpg -o private.gpg --export-options backup --export-secret-keys BBDA30BC3476B1F6

And to restore it:

gpg --import-options restore --import private.gpg

You may now want to change the trust level of the imported key.

Key Customization

After I generated my vanity PGP key I set an expiration date, a trust level and encrypt the private key.

Note that despite similar, I do not use the key shown here! You can find the one I currently use here. Command used to record the shell with asciinema:

SHELL="sh -c 'env \
    GNUPGHOME=$(mktemp -d) \
    fish_history="" \
    DISPLAY="" \
    fish'" \
asciinema rec -t 'PGP Customization'

Revoking a Key

You need to have a way of invalidating your key pair in case there is a security breach or in case you lose your secret key. This should be done as soon as you make the key pair, not when you need it. This revocation key must be generated ahead of time and kept in a secure, separate location in case your computer is compromised or inoperable. To generate a revocation key revoke.asc:

$ gpg --output revoke.asc --gen-revoke BBDA30BC3476B1F6

sec  rsa4096/BBDA30BC3476B1F6 2022-06-07 Fabrice Monasterio <me[at]fabricemonasterio[dot]dev>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3

There are many reason for the revocation, in this example I want to use a vanity key:

Enter an optional description; end it with an empty line:
> I now have a cool vanity key!
>
Reason for revocation: Key is no longer used
I now have a cool vanity key!
Is this okay? (y/N) y

If the private key was encrypted (as it should) it will ask for the passphrase

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

Fun fact: Mallory is a placeholder name for a malicious attacker, just like the fictional characters Alice and Bob commonly used in cryptology.

Once the revocation key has been generated you should immediately restrict access to the file:

chmod 600 revoke.asc

To actually revoke the key said certificate must be imported in the keyring:

gpg --import revoke.asc

If you previously sent the key to an external keyring (such as pgp.mit.edu)

gpg --keyserver pgp.mit.edu --send-keys BBDA30BC3476B1F6

Encrypt & Decrypt

You can encrypt files using public key cryptography:

# Encrypt
gpg --output file.gpg --encrypt --sign --armor --recipient bob@email.com --recipient me[at]fabricemonasterio[dot]dev file
# Decrypt
gpg --output file --decrypt file.gpg

Note that this sign the encrypted file with your private key to guarantee that it is coming from you. The output is then armored in ASCII code so it can be sent via email. You should include a second recipient with your own email address if you want to be able to read the encrypted message. This is because the message will be encrypted with each person’s public key, and will only be able to be decrypted with the associated private key.