\u00a0on your server.<\/span><\/p>\nCreate a Revocation Certificate<\/b><\/p>\n
You need to have a way of invalidating your key pair in case there is a security breach or in case you lose your secret key. There is an easy way of doing this with the GPG software.<\/span><\/p>\nThis should be done as soon as you make the key pair, not when you need it. This revocation key must be generated ahead of time and kept in a secure, separate location in case your computer is compromised or inoperable. To generate a revocation key, type:<\/span><\/p>\n\n- gpg –output ~\/<\/span>revocation.crt<\/span> –gen-revoke <\/span>your_email@address.com<\/span><\/li>\n
- <\/li>\n<\/ul>\n
You will be asked to confirm the revocation key creation and then prompted for the reason that it is being revoked. This information will be visible to other users if the revocation is used in the future. You can choose any of the available options, but since this is being done ahead of time, you won’t have the specifics. Often, it is a good idea to create a revocation certificate for each of the likely scenarios for maximum flexibility.<\/span><\/p>\nAfterwards, you will then be asked to supply a comment and finally, to confirm the selections. Before creating the revocation certificate, you will need to enter your GPG key’s passphrase to confirm your identity. The revocation certificate will be written to the file specified by the\u00a0<\/span>–output<\/span>\u00a0flag (<\/span>revocation.crt<\/span>\u00a0in our example):<\/span><\/p>\nOutput<\/span><\/p>\nRevocation certificate created.<\/span><\/p>\n <\/p>\n
Please move it to a medium which you can hide away; if Mallory gets<\/span><\/p>\naccess to this certificate he can use it to make your key unusable.<\/span><\/p>\nIt is smart to print this certificate and store it away, just in case<\/span><\/p>\nyour media become unreadable. \u00a0But have some caution: \u00a0The print system of<\/span><\/p>\nyour machine might store the data and make it available to others!<\/span><\/p>\nYou should immediately restrict the permissions on the generated certificate file in order to prevent unauthorized access:<\/span><\/p>\n\n- chmod 600 ~\/<\/span>revocation.crt<\/span><\/li>\n
- <\/li>\n<\/ul>\n
The revocation certificate must be kept secure so that other users cannot revoke your key. As the message states, you should consider backing the certificate up to other machines and printing it out, as long as you can secure it properly.<\/span><\/p>\nHow To Import Other Users’ Public Keys<\/span><\/p>\nGPG would be pretty useless if you could not accept other public keys from people you wished to communicate with.<\/span><\/p>\nYou can import someone’s public key in a variety of ways. If you’ve obtained a public key from someone in a text file, GPG can import it with the following command:<\/span><\/p>\n\n- gpg –import <\/span>name_of_pub_key_file<\/span><\/li>\n
- <\/li>\n<\/ul>\n
There is also the possibility that the person you are wishing to communicate with has uploaded their key to a public key server. These key servers are used to house people’s public keys from all over the world.<\/span><\/p>\nA popular key server that syncs its information with a variety of other servers is the MIT public key server. You can search for people by their name or email address by going here in your web browser:<\/span><\/p>\nhttps:\/\/pgp.mit.edu\/<\/span><\/p>\nYou can also search the key server from within GPG by typing the following:<\/span><\/p>\n\n- gpg –keyserver pgp.mit.edu \u00a0–search-keys <\/span>search_parameters<\/span><\/li>\n
- <\/li>\n<\/ul>\n
You can use this method of searching by name or email address. You can import keys that you find by following the prompts.<\/span><\/p>\nHow To Verify and Sign Keys<\/span><\/p>\nWhile you can freely distribute your generated public key file and people can use this to contact you in a secure way, it is important to be able to trust that the key belongs to who you think it does during the initial public key transmission.<\/span><\/p>\nVerify the Other Person’s Identity<\/b><\/p>\n
How do you know that the person giving you the public key is who they say they are? In some cases, this may be simple. You may be sitting right next to the person with your laptops both open and exchanging keys. This should be a pretty secure way of identifying that you are receiving the correct, legitimate key.<\/span><\/p>\nBut there are many other circumstances where such personal contact is not possible. You may not know the other party personally, or you may be separated by physical distance. If you never want to communicate over insecure channels, verification of the public key could be problematic.<\/span><\/p>\nLuckily, instead of verifying the entire public keys of both parties, you can simply compare the “fingerprint” derived from these keys. This will give you a reasonable assurance that you both are using the same public key information.<\/span><\/p>\nYou can get the fingerprint of a public key by typing:<\/span><\/p>\n\n- gpg –fingerprint <\/span>your_email@address.com<\/span><\/li>\n
- <\/li>\n<\/ul>\n
Output<\/span><\/p>\npub \u00a0\u00a04096R\/311B1F84 2013-10-04<\/span><\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0Key fingerprint = <\/span>CB9E C70F 2421 AF06 7D72 \u00a0F980 8287 6A15 311B 1F84<\/span><\/p>\nuid \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Test User <test.user@address.com><\/span><\/p>\nsub \u00a0\u00a04096R\/8822A56A 2013-10-04<\/span><\/p>\nThis will produce a much more manageable string of numbers to compare. You can compare this string with the person themselves, or with someone else who has access to that person.<\/span><\/p>\nSign Their Key<\/b><\/p>\n
Signing a key tells your software that you trust the key that you have been provided with and that you have verified that it is associated with the person in question.<\/span><\/p>\nTo sign a key that you’ve imported, simply type:<\/span><\/p>\n\n- gpg –sign-key <\/span>email@example.com<\/span><\/li>\n
- <\/li>\n<\/ul>\n
When you sign the key, it means you verify that you trust the person is who they claim to be. This can help other people decide whether to trust that person too. If someone trusts you, and they see that you’ve signed this person’s key, they may be more likely to trust their identity too.<\/span><\/p>\nYou should allow the person whose key you are signing to take advantage of your trusted relationship by sending them back the signed key. You can do this by typing:<\/span><\/p>\n\n- gpg –output ~\/<\/span>signed.key<\/span> –export –armor <\/span>email@example.com<\/span><\/li>\n
- <\/li>\n<\/ul>\n
You’ll have to type in your passphrase again. Afterwards, their public key, signed by you, will be displayed. Send them this, so that they can benefit from gaining your “stamp of approval” when interacting with others.<\/span><\/p>\nWhen they receive this new, signed key, they can import it, adding the signing information you’ve generated into their GPG database. They can do this by typing:<\/span><\/p>\n\n- gpg –import ~\/<\/span>signed.key<\/span><\/li>\n
- <\/li>\n<\/ul>\n
They can now demonstrate to other people that\u00a0<\/span>you<\/span><\/i>\u00a0trust that their identity is correct.<\/span><\/p>\nHow To Make Your Public Key Highly Available<\/span><\/p>\nBecause of the way that public key encryption is designed, there is not anything malicious that can happen if unknown people have your public key.<\/span><\/p>\nWith this in mind, it may be beneficial to make your public key publicly available. People can then find your information to send you messages securely from your very first interaction.<\/span><\/p>\n