This is a fun tutorial I made to assist someone in making gpg-keys. For the best information and practices, please refer to the gnupg manual.
You will require:
- gnu linux
- A flavor of linux, or some variant.
- gnupg
- GNU Privacy Guard
- bash
- The bourne again shell.
- /dev/random
- For passphrase suggestions.
- /usr/bin/od
- This comes with coreutils.
You will require a wordlist for passphrase generation. For example, you may acquire a wordlist here.
Passphrase generation is inspired by xkcd. Be warned, you cannot select words you like, you must use a random passphrase in order for it to be effective. If you reveal a single word to someone else, it can reduce the time it takes to solve your passphrase from something like 10000 years to 1 week. Every bit of entropy, effectively doubles the time it takes to solve a password. The fastest supercomputer on the planet at the time of this writing can apparently crunch through a 55-bit passphrase in a second.
The command for passphrase suggestions is as follows:
# the WORDLIST file, this should be line delimited. read -e WORDLIST # The largest possible number that can be represented by 4 bytes, 2**(4*8) # divided by # The number of words in the wordlist, $(cat $WORDLIST |wc -l) FACTOR=$[ 2**(4*8)/$(cat "$WORDLIST"|wc -l) ] # Read 4 bytes of data from dev/random # Convert into a number, n # Select the first n lines from $WORDLIST # Take the last line as the randomly chosen word cat "$WORDLIST" | head -n "$[ $(od -vAn -N4 -tu4 < /dev/random ) / $FACTOR ]" | tail -1 # Not too much entropy is required for this, far more is required for your gnupg private key. 32-bit for each word vs 2048-bit for default key. # 5 words would give you 180-bits of password entropy, provided that the wordlist used 2**32 different words. # Largest wordlist I have found is approximately 470k words, (2**18, 18-bits approx.), this would give you about 90-bits of entropy for 5 words.
This step generates your private/public key pair using gpg. The command used is
gpg --gen-key
This uses your system’s default settings.
This step uploads your public key to a keyserver, for sharing with the world of the internets. The commands used are:
gpg --list-keys # Lists all the keys on your keychain, currently just yours. # The last 8 chars of your fingerprint form your shorthand crypto-signature. gpg --send-keys "$FINGERPRINT" # Sends your key to the keyservers
.
This uses my public key and fingerprint as an example of keysigning. If you do not trust my key, you can abort at any step with =Ctrl-C=. GPG will also ask for your permission to sign my key. The set of commands are:
gpg --recv-key 553A180D # Download my public key, now you can encrypt things to me # Verify that my fingerprint matches 2FCB9E31EA77CDECA3AE5DD7D54CC777553A180D gpg -k 553A180D # This lists my key # If you trust that this is indeed me, you can sign my key # If you don't trust me, don't sign my key. Ctrl-C to abort. # Or select N and quit to abort gpg --sign-key 553A180D # After signing my key, you can upload it back to the keyserver # along with your signature. gpg --send-keys 553A180D
.
This uses my key which you may have downloaded to check that this script did indeed come from me (553A180D).
gpg --verify "$0.sig" "$0" # Verifies that the script came from the author, 553A180D
.
If you have made changes to the script, or you would like to sign it with your own signature, you can do that here. This creates a detached signature.
gpg --detach-sign "$0"
If you would like to encrypt something for a particular person you can do so.
gpg --encrypt $FILE
If you would like to decrypt something for you. Do this.
Usually encrypted files have a .gpg
extension.
gpg --decrypt $FILE.gpg
If you would like to encrypt something into ASCII text, use the --armor
option in addition to the above. These files usually have an .asc
extension.
For all the information, please see the gnupg manual. I hope you enjoyed my brief gpg tutorial.