Manage your GPG keys to encrypt or sign documents.
Why use GPG?
There is no doubt that nowadays, to protect your privacy, you cannot trust anyone: neither companies nor governments. You have to act by yourself. (I will let you re-read the Snowden/Manning/whistleblower stories and draw your own conclusions.)
Fortunately, there are great tools for that.
New tools? No! They have been around for years and years!
Among them is GnuPG (GPG), the GNU implementation of the OpenPGP standard, which itself derives from the PGP suite initially written in 1991 by Phil Zimmermann.
Now, let’s create and publish a key that will help you sign/encrypt your communications (e.g. via a mail user agent such as Gnus) or your files.
Create a GnuPG key
Generate your key
In order to generate a new GPG key, run gpg --gen-key; it will guide you by asking a few questions.
Here is a sample session:
Now you have a new key, and its ID is 3732BE06.
In order to check the changes, run gpg --list-keys:
Add other identities to your key
Sometimes, you want to sign your communications or encrypt your files with a specific identity.
Let’s say that you have your own company and, besides your personal identity (My Name email@example.com), you want to use your professional identity (My Name firstname.lastname@example.org). You have two options:
1. You create another standalone key by starting a new gpg --gen-key session.
2. You add a new identity to your existing key.
In order to achieve the second solution, you just have to edit your key like this:
Again, check the changes with gpg --list-keys:
Choose the main identity
Now that you have your “multiple identities” key, you may define a main identity.
Check the changes with gpg --list-keys and note that the main identity is now on top:
Set your keys’ trust level
The next step is to define a trust level for your key:
Then repeat the same operation for each of your other identities.
Send your key to main keyservers
Once you are done with the creation of your key and its setup, you have to publish it on key servers.
This is necessary (mandatory) so that the clients that check your key can retrieve it and verify the validity of the signed or encrypted document (communication or files).
You can publish it on several trusted servers. To do so, just run:
This will use the main key server defined in your ~/.gnupg/gpg.conf (you can modify it if you want).
But maybe you want to publish it occasionally on a specific server. For this, just add the --keyserver option:
Now you are ready to sign/encrypt whatever you want and send it to whoever you want (well … not to everybody, of course).
Export and import keys
Let’s say that you have two computers on which you want to be able to sign/encrypt some data with the same keyring.
For this, you can export your keys from the first one and import them on the second one.
To export them, simply run:
Now, to import them on the other side, run:
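The whole procedure above (key generation, adding an identity, choosing the main identity, setting the trust level, export and import on a second machine) as an added, non-interactive script, not code from the original post: it uses the --quick-* commands of GnuPG 2.1+ instead of the interactive questions, runs inside throwaway GNUPGHOME directories so your real keyring is untouched, and uses constructed identities and an empty passphrase that is only acceptable because the demo keyrings are deleted at the end.

```shell
#!/bin/sh
# Added example, not from the original post: the interactive steps above
# (gen-key, add a uid, pick the primary uid, set ownertrust, export/import)
# run non-interactively in throwaway GNUPGHOME directories, so nothing
# touches your real keyring. Assumes GnuPG 2.1+ (--quick-* commands).
# The sample identities are constructed; the empty passphrase is only
# acceptable because the demo keyrings are removed at the end.
set -eu

# Same non-interactive flags on every gpg call that may touch the secret key.
gpg_np() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

demo_gpg_workflow() {
    home=$(mktemp -d); chmod 700 "$home"
    second=$(mktemp -d); chmod 700 "$second"
    export GNUPGHOME="$home"

    # 1. Generate the key (what gpg --gen-key asks for): RSA 3072, 2-year expiry.
    gpg_np --quick-generate-key "My Name <email@example.com>" rsa3072 default 2y

    # 2. Add the professional identity to the same key instead of a standalone key.
    fpr=$(gpg --batch --with-colons --list-keys email@example.com \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg_np --quick-add-uid "$fpr" "My Name <firstname.lastname@example.org>"

    # 3. Choose the main identity; gpg lists the primary uid first from now on.
    gpg_np --quick-set-primary-uid "$fpr" "My Name <firstname.lastname@example.org>"

    # 4. Trust level: ownertrust 6 (ultimate) is the right value for your own key.
    printf '%s:6:\n' "$fpr" | gpg --batch --quiet --import-ownertrust

    # 5. Export public + secret key, then import both into the "second computer" keyring.
    gpg --batch --quiet --armor --export "$fpr" > "$home/pub.asc"
    gpg_np --armor --export-secret-keys "$fpr" > "$home/sec.asc"
    GNUPGHOME="$second" gpg --batch --quiet --import "$home/pub.asc" "$home/sec.asc"

    # Result: the user IDs as seen on the second machine, main identity first.
    GNUPGHOME="$second" gpg --batch --with-colons --list-keys "$fpr" \
        | awk -F: '$1 == "uid" { print $10 }'

    # Stop the agents bound to the temporary homes and clean up.
    gpgconf --kill gpg-agent
    GNUPGHOME="$second" gpgconf --kill gpg-agent
    rm -rf "$home" "$second"
}
```

Call demo_gpg_workflow to run the whole sequence; the two lines it prints are the identities the second keyring now knows, with the professional one on top.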
Now, what can I do with my key?
Here are some practical examples of using your GPG key.
Configure your MUA to sign your emails
Most decent MUAs (mail user agents, or mail readers if you prefer) support encryption.
I will not detail the configuration for each of them, but here are some useful links for each MUA: