
GPG: Generating a New Key

Introduction

ECN maintains the program gpg for use by faculty, students and staff to enhance security. The first thing to do is generate a new GPG public and private key pair. Below is a quick start guide to creating your public and private keys and then having fellow members sign your public key so that it can be verified.

Generating the public and private keys

In this example, the user cstest will generate the public and private keys, then send his public key to the keyserver pgp.mit.edu. Commands you need to type on your machine are shown on their own line, followed by the output gpg prints.

Step 1. Initialize the GPG directory.

If gpg has never been run on cstest's account, you will first need to create the .gnupg directory:

mkdir .gnupg

Step 2. Generate a private key

Run the gpg key generation command; it will generate a new public and private key pair. Answer the questions as best you can. I increased the size of the key so that it will last longer (who knows when a new mathematical advance will make 1024-bit keys too small). Enter a really good passphrase (20-25 characters is good, with spaces and punctuation).

gpg --gen-key
gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: /home/titanic/a/cstest/.gnupg/secring.gpg: keyring created
gpg: /home/titanic/a/cstest/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and ElGamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? yes

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment (Comment field is optional) and Email Address in this form:
"CS Test (Assistant Head Guru) <cstest@ecn.purdue.edu>"

Real name: CS Test
Email address: cstest@ecn.purdue.edu
Comment: Assistant Head Guru (this field is optional)
You selected this USER-ID:
"CS Test (Assistant Head Guru) <cstest@ecn.purdue.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase: The Quick Brown Fox yelled 1984! @ George Orwell
Repeat passphrase: The Quick Brown Fox yelled 1984! @ George Orwell

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++.+++++++++++++++..++++++++++.++++++++++++++++++++++++++++++.+++++..
++++++++++++++++++++.+++++++++++++++..+++++.+++++.++++++++++.+++++>++++++++++.
...........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++..+++++.+++++++++++++++.++++++++++..+++++.++++++++++..+++++.+++
++++++++++++++++++++++++++++++++.+++++++++++++++.+++++.+++++++++++++++++++++++
++>++++++++++>+++++............+++++^^^^
public and secret key created and signed.

Once this is done, gpg prints the key's 40-hex-digit fingerprint, which looks like: B6C2 FF22 6F63 7DB0 FA3E  C62A 1389 7FD6 EAF5 46BA

Copy that, and paste it into a text file for later use.

Your KeyID is the last 8 hex digits of the fingerprint, written in this form: 0xEAF546BA (you will need it later too).

That's It! You now have a GPG keypair that you can use for various purposes.

If you are an ECN staffer, you will need to follow the steps outlined below:

Step 3. Get other ECN Staff public keys

Importing other ECN staffers' public keys into your keyring is simple:

gpg --import /ftp/keys/*.asc

Step 4. Send your public key to a keyserver

Keyservers are synchronized repositories for public keys. A popular one is pgp.mit.edu.

gpg --keyserver pgp.mit.edu --send-keys Your8digitKeyID


Step 5. Keep your keys refreshed, and up to date

You'll need your login and your KeyID (the last 8 characters of your fingerprint).

Then, type these two commands:

gpg --keyserver pgp.mit.edu --refresh-keys
gpg -a --export yourKeyId > /ftp/keys/yourLogin.asc

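As an added example (not part of the original article), the same procedure run without the interactive prompts: a POSIX shell script that derives the KeyID from a fingerprint as described in Step 2, generates the key pair in gpg's batch mode, and publishes and exports it as in Steps 4 and 5. It assumes GnuPG 2.1 or newer; the name, e-mail, login and the PASSPHRASE environment variable are placeholders to replace, and the sample fingerprint is constructed.

```shell
# Added example, not from the original article. Assumes GnuPG 2.1 or newer;
# pgp.mit.edu and /ftp/keys are the article's; the name, e-mail, login and
# the PASSPHRASE variable are placeholders; sample values are constructed.
set -eu

# Step 2's KeyID is "0x" plus the last 8 hex digits of the 40-digit
# fingerprint, which gpg prints with spaces (and sometimes lowercase).
short_keyid() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    [ "${#fpr}" -eq 40 ] || return 1          # not a complete fingerprint
    printf '0x%s\n' "$(printf '%s' "$fpr" | tail -c 8)"
}

# Read the fingerprint from gpg's machine-readable --with-colons listing,
# where the "fpr" record carries it in field 10.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2 without the prompts: 4096-bit RSA signing key plus RSA encryption
# subkey. Unlike the transcript this key expires in 2 years (extendable with --edit-key).
gen_key_batch() {
    gpg --batch --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $1
Name-Comment: $2
Name-Email: $3
Expire-Date: 2y
Passphrase: $PASSPHRASE
%commit
EOF
}

# Steps 4 and 5: publish to the keyserver and export an armored copy for the
# shared directory; the full fingerprint avoids an 8-digit KeyID's ambiguity.
publish_key() {
    gpg --keyserver pgp.mit.edu --send-keys "$1"
    gpg -a --export "$1" > "/ftp/keys/$2.asc"
}

# gpg is only invoked when run as: sh keygen.sh run
if [ "${1:-}" = "run" ]; then
    gen_key_batch "CS Test" "Assistant Head Guru" "cstest@ecn.purdue.edu"
    fpr=$(gpg --with-colons --fingerprint cstest@ecn.purdue.edu | fpr_from_colons)
    echo "Fingerprint: $fpr  KeyID: $(short_keyid "$fpr")"
    publish_key "$fpr" cstest
fi
```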

Step 6. (Optional) Adding other email addresses

If you need to add a different email address to your key, the command is:

gpg --edit-key Your8digitKeyID

gpg will prompt you for a command:

Command> adduid

Follow the prompts, and make sure you run Step 5 again.

And keep going...

To build trust in your public key, keep asking other people for their public keys, signing them and returning them. You also need to publish your key so others can find it. Places to make your key publicly available are your home web page, PH, or a keyserver such as the one at MIT:

MIT PGP Key Server

Last Modified: Dec 19, 2016 11:12 am US/Eastern
Created: Nov 6, 2007 1:43 pm US/Eastern by admin