{{ :how_to:gnu.png |GPG Logo}}

===== Creating a GPG Key =====

**Note:** this is made from a fake account, so there will be differences, i.e. nuck is the fake username, and Nucky is the fake name used for this tutorial. As always, we will assume that we are starting off from the home directory.

To make a key, use the following command:

<code>
gpg --gen-key
</code>

You will be asked for the following:

<code>
nuck@riviera:~$ gpg --gen-key
gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: directory `/home/nuck/.gnupg' created
gpg: new configuration file `/home/nuck/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/nuck/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/nuck/.gnupg/secring.gpg' created
gpg: keyring `/home/nuck/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?
</code>

The default is fine, so select that.

<code>
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
</code>

Again, the default is fine. If you make your key too long, it can take a long time to encrypt your messages.

<code>
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
</code>

Yet again, the default is fine (you can change it later if you wish).

<code>
Key does not expire at all
Is this correct? (y/N)
</code>

If you are happy, enter 'y' and press enter. You'll be asked for your real name in a prompt like:

<code>
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name:
</code>

Here, I've filled out my own test GPG data:

<code>
Real name: Nucky
Email address: nuck@compsoc.nuigalway.ie
Comment:
You selected this USER-ID:
    "Nucky <nuck@compsoc.nuigalway.ie>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
</code>

If you're happy, select 'O'. Now, you'll be asked to enter a passphrase. Be sure to think of something that is hard for a machine to guess, such as a mix of lowercase and uppercase letters, numbers, symbols, etc.

The server will now generate random(ish) bytes. It'll take a long time, so be patient. So, after all that, you'll be given something like:

<code>
gpg: /home/nuck/.gnupg/trustdb.gpg: trustdb created
gpg: key 91B4BAB5 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/91B4BAB5 2007-12-03
      Key fingerprint = 1AA1 376E 850E 1A6D 5935 845F 3CF2 9036 91B4 BAB5
uid                  Nucky <nuck@compsoc.nuigalway.ie>
sub   2048g/8B7CDEDB 2007-12-03
</code>

The segment 91B4BAB5 is the "short fingerprint" (the short key ID), and we'll talk about it later. We'll need to make a public long fingerprint and long armoured text. I'll use **fingerprint** as the fingerprint file and **public.key** for the long key file.
So, for the fingerprint file we'll use:

<code>
gpg --fingerprint > fingerprint
</code>

If you view the file, you'll see something like:

<code>
nuck@riviera:~$ cat fingerprint
/home/nuck/.gnupg/pubring.gpg
-----------------------------
pub   1024D/91B4BAB5 2007-12-03
      Key fingerprint = 1AA1 376E 850E 1A6D 5935 845F 3CF2 9036 91B4 BAB5
uid                  Nucky <nuck@compsoc.nuigalway.ie>
sub   2048g/8B7CDEDB 2007-12-03
</code>

To make the public.key, we'll use the following:

<code>
gpg --export --armor > public.key
</code>

When you view the file, you should get something like:

<code>
nuck@riviera:~$ cat public.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.3 (GNU/Linux)

[base64 key data omitted]
-----END PGP PUBLIC KEY BLOCK-----
</code>

===== Sharing Your Fingerprint/Public Key =====

It's best to keep the fingerprint and public.key in your public_html folder.

So we have the key made, let's upload it to a keyserver. There are two schools of thought about uploading your public key to a key server. One is that you should upload it, as it adds to the ease with which other people can verify your key, and the other is that it reduces security. I'll show you how to upload it anyway and, if you want to keep it private, you can.

Remember the short fingerprint from earlier, the **91B4BAB5**? That's what we'll upload to the keyserver.

<code>
gpg --keyserver subkeys.pgp.net --send-keys 91B4BAB5
</code>

And away it goes. To confirm, you can download your key from the keyserver using:

<code>
gpg --recv-keys 91B4BAB5
</code>

But wait, what if I forget my passphrase, my account is hacked, or my key is compromised? We'll create a revocation certificate that will kill your current key on the keyserver and tell everyone who refreshes their keylist regularly that your old key is no longer to be used:

<code>
gpg --gen-revoke 91B4BAB5
</code>

Select 'y', then give a reason (I'm choosing 1), enter a description, and 'y' again. After entering the passphrase for your key, you'll be given a revocation certificate. Print it out, and store it safely!

Now, after all that fun, we'll finally get to adding keys to your keyring. First, I'll show you how to get the key of someone you know from the keyserver using their short fingerprint, and then how to import their public key directly.

**Short Fingerprint**\\
If someone has given you their short fingerprint, either online, in person (recommended), or by some other means (fax!), you can search for them on the public key server.

<code>
gpg --recv-keys 5470C9D7
</code>

Doing so will import their public key (in this case, my proper GPG key) into your keyring.
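A short fingerprint such as 91B4BAB5 is only the last 8 hex digits of the full 40-digit fingerprint, so a key fetched with --recv-keys should be checked against the full fingerprint the owner gave you in person before you sign or trust it. The script below is an added example, not part of this page or of GnuPG: it parses a fingerprint file in the format shown above, derives the short ID from it, and (assuming gpg is on your PATH and subkeys.pgp.net is reachable) fetches a key by short ID and accepts it only on an exact full-fingerprint match. All function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: accept a key fetched by its 8-digit
# short ID only when its full 40-digit fingerprint matches the one given in person.

# Drop spaces and upper-case, e.g. "1aa1 376e ..." -> "1AA1376E..."
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# The short key ID is just the last 8 hex digits of the fingerprint.
short_id_of() {
    f=$(normalize_fpr "$1")
    printf '%s' "${f#"${f%????????}"}"
}

# Read a "gpg --fingerprint > fingerprint" file like the one on this page,
# check that the pub line's ID is the tail of the fingerprint line, and print
# the bare fingerprint. Returns 1 if either is missing or they disagree.
fingerprint_from_file() {
    id=$(sed -n 's/^pub *[0-9]*[A-Za-z]\/\([0-9A-Fa-f]\{8\}\).*/\1/p' "$1" | head -n 1)
    f=$(normalize_fpr "$(sed -n 's/^ *Key fingerprint = //p' "$1" | head -n 1)")
    [ ${#f} -eq 40 ] && [ "$(short_id_of "$f")" = "$id" ] || return 1
    printf '%s\n' "$f"
}

# Fetch by short ID as the page does (assumes gpg on PATH and a reachable keyserver),
# then compare the fingerprint gpg reports (field 10 of the --with-colons "fpr"
# record) with the expected one. Returns 0 on match, 1 on mismatch, 2 on fetch error.
recv_and_verify() {
    gpg --keyserver subkeys.pgp.net --recv-keys "$1" >/dev/null 2>&1 || return 2
    got=$(gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$(normalize_fpr "$2")" = "$got" ]
}

# Constructed sample in the page's format, using the page's own test key.
sample_fingerprint_file() {
    cat > "$1" <<'EOF'
/home/nuck/.gnupg/pubring.gpg
-----------------------------
pub   1024D/91B4BAB5 2007-12-03
      Key fingerprint = 1AA1 376E 850E 1A6D 5935 845F 3CF2 9036 91B4 BAB5
uid                  Nucky <nuck@compsoc.nuigalway.ie>
sub   2048g/8B7CDEDB 2007-12-03
EOF
}
# Stand-alone demo: the ID to pass to --recv-keys and the fingerprint to check.
demo() {
    t=$(mktemp); sample_fingerprint_file "$t"; f=$(fingerprint_from_file "$t"); rm -f "$t"
    printf 'recv-keys %s, then compare against %s\n' "$(short_id_of "$f")" "$f"
}
demo
```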
**Public Key**\\
You can import files, or just copy and paste as here. To end the final line, use Ctrl-D.

<code>
gpg --import
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.3 (GNU/Linux)

[base64 key data omitted]
-----END PGP PUBLIC KEY BLOCK-----
</code>

===== Assigning Trust Ratings =====

Now we have the key we wanted to import, let's assign it a trust rating.
All editing of keys, including your own, uses the command:

<code>
gpg --edit-key
</code>

But to list all the keys you have, you'll need to issue this command:

<code>
gpg --list-keys
</code>

My keyring gives:

<code>
nuck@riviera:~$ gpg --list-keys
/home/nuck/.gnupg/pubring.gpg
-----------------------------
pub   1024D/91B4BAB5 2007-12-03
uid                  Nucky <nuck@compsoc.nuigalway.ie>
sub   2048g/8B7CDEDB 2007-12-03

pub   1024D/5470C9D7 2007-11-22
uid                  N Geoghegan
sub   2048g/8159DFB2 2007-11-22
</code>

**Nucky** is my own key (the one I hold the private half of) and **5470C9D7** is the key I want to edit. So, back to the edit-key command:

<code>
gpg --edit-key 5470C9D7
</code>

This outputs something similar to:

<code>
nuck@riviera:~$ gpg --edit-key 5470C9D7
gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.


pub  1024D/5470C9D7  created: 2007-11-22  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/8159DFB2  created: 2007-11-22  expires: never       usage: E
[ unknown] (1). N Geoghegan

Command>
</code>

The commands you can use are as follows:

  * help - lists all commands
  * save - save changes and quit
  * quit - quit, prompts to ask if you want to save changes
  * fpr - show fingerprint
  * list - show details about the key
  * sign - this is among the most important commands. With it you say that you believe that a key really belongs to its owner. You must select the level to which you have checked the owner's identity. After signing, you should use gpg --send-keys to upload the key to a keyserver.
  * trust - this is also an important command. With it, you select how much you trust others to verify the identity of keys. Ultimate trust should never be used for a key other than your own; marginal/full are generally used. gpg --check-trustdb should be run after this to update your web of trust.

In this example, I know 5470C9D7 so I'll sign his key.

<code>
sign 5470C9D7
</code>

I'll be asked whether I really want to sign and then for my passphrase.
After that, I'll have signed his key. Next, we'll go on to trust. How well do you trust the person? I suggest that you only "marginally" trust them, as it's safer. So, to trust the key 5470C9D7 we'll use:

<code>
trust 5470C9D7
</code>

And I'll select marginally from the options. To quit, just type:

<code>
quit
</code>

There, you've just signed your first GPG key. They're now in your keyring, and in mutt all signed emails from them will be recognised as carrying valid signatures, and encrypted ones will be able to be decrypted.

===== GPG and Mutt =====

So, finally, we get to configure mutt to use GPG to autosign your emails. Again, like before, I'm assuming you're in your home directory. First create a .muttrc file and then add the following lines to it:

<code>
# this auto signs your outgoing mail
set pgp_autosign=yes
# remembers your passphrase for 1800 seconds
set pgp_timeout=1800
# where your gpg key is available; this points to public.key in your webspace
my_hdr X-GPG-Key: http://www.compsoc.nuigalway.ie/~username/public.key
# this is optional, it stops mutt asking to move your read messages
set move=no
# this is also optional, it uses the nano text editor which is easier to use
set editor = nano
</code>

Signing, encrypting and decrypting mail all require your passphrase. Ctrl-F will wipe your passphrase from memory.

**Viewing Mail**\\
Once your .muttrc is configured, GPG will automatically be called to verify any signed/encrypted mail.

**Composition**\\
In the compose menu (where you normally press 'y' to send a message) you can press 'p' to bring up the PGP menu. This displays:

<code>
(e)ncrypt, (s)ign, sign (a)s, (b)oth, or (f)orget it?
</code>

This allows you to encrypt and sign mail. If you set **pgp_autosign** (as above), all mail will be signed by default. To encrypt a mail to someone, you must have a copy of their public key.