How do I configure gpg for use?

The website for Gnu Privacy Guard (gpg) is www.gnupg.org. There are many different options. A wealth of information is available on the website and through Internet search. The information here provides the minimum steps to configure gpg, create a master keypair with two identities and two subkeys (one to encrypt files and another to sign email) and copy the keys (without the private master key) to a new keyring for use on a desktop or laptop.

In Brief
  1. Branch 1.4.x is monolithic and mostly used on servers. Branch 2.x (gpg2) is modular, a little larger and geared toward the desktop with the addition of S/MIME and smartcard features. Otherwise, the feature set is the same.
  2. gpg/gpg2 works from the command line, but GUI interfaces are available for different platforms (e.g., Gpg4Win, Mac GPG).
  3. Master keys vs subkeys – This is a key management issue and will differ for everyone. The general advice is that a master keypair should be created for each identity and subkeys created for each purpose (encrypt/decrypt or signing). A person could create one master keypair with a UID for each contact email address. They might also create two master keypairs, one for work and a separate one for personal use. In any case, it is strongly recommended to create subkeys, with a different password, for daily use and keep the master private key, with its own password, in a separate, secure location.
  4. Expire or not – Again, this is a personal decision. Some people feel that setting an expiration date is an additional safety feature in the event a key is stolen or compromised. They are  comfortable every year or two renewing the expiration date and resubmitting the keys (which can be done, even if the keys have  expired). Others feel that a key should be available forever, and if a laptop is stolen, for example, it is sufficient to retrieve the master key at that time, revoke the subkey and generate a new subkey.
 Configuration

The following operations are done at the command line and can be performed with gpg or gpg2. Use the appropriate command.

1. Find the home directory for gpg.

> gpg --version
...
Home: ~/.gnupg

2. Copy the following defaults into gpg.conf in the home directory (gleaned from the Internet). Comment or uncomment lines, as desired.

# Keep user ID and primary key separate in listings, show fingerprint
fixed-list-mode
with-fingerprint
# Show long key IDs for no ambiguity
keyid-format 0xlong
# If all recipients support multiple digests, choose the strongest
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-cipher-preferences AES256 CAMELLIA256 TWOFISH AES192 CAMELLIA192 AES CAMELLIA128 CAST5
personal-compress-preferences ZLIB BZIP2 ZIP
# Prefer stronger algorithms for defaults in new keys
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
# Agent reduces password entry in a GUI environment (otherwise optional)
use-agent
# Always validate UIDs with the keyring
verify-options show-uid-validity
list-options show-uid-validity
# The default SHA1 is too weak. Use a strong digest when signing a key.
cert-digest-algo SHA512
# Do not display version information in armored output
no-emit-version
# Specify a keyserver to use
keyserver hkp://pool.sks-keyservers.net
# Use a secure connection (not with Gpg4Win, yet, Linux needs gnupg-curl)
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
# Stick with the server we want to use
#keyserver-options no-honor-keyserver-url
# Automatically get keys we don't have
#keyserver-options auto-key-retrieve

3. Create the master key and an encryption subkey.

> gpg --expert --gen-key

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want for the subkey? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key...

Real name: John Doe
Email address: John.Doe@cune.edu
Comment: work
You selected this USER-ID:
"John Doe (work) <John.Doe@cune.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

........................+++++
gpg: /home/jdoe/.gnupg/trustdb.gpg: trustdb created
gpg: key 0x832AF0B74FE1A7F6 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 4096R/0x832AF0B74FE1A7F6 2014-04-08
Key fingerprint = 4E9A F149 61F1 5CD7 6520 7B0E 832A F0B7 4FE1 E7F6
uid [ultimate] John Doe (work) <John.Doe@cune.edu>
sub 4096R/0x098A1F34ACD626C9 2014-04-08

# Preferences are taken from default-preference-list in gpg.conf. Set
# it manually, if default-preference-list was not set in gpg.conf.
> gpg --edit-key John.Doe@cune.edu
gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

gpg> save

4. Add a signing subkey, if desired (e.g., for an email client).

> gpg --edit-key John.Doe@cune.edu
gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "John Doe (work) "
4096-bit RSA key, ID 0x832AF0B74FE1A7F6, created 2014-04-08

Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all Is this correct? (y/N) y
Really create? (y/N) y

.+++++
pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1). John Doe (work) <John.Doe@cune.edu>

5. Add another UID, if desired.

> gpg --edit-key John.Doe@cune.edu
gpg> adduid
Real name: John Doe
Email address: John.Doe@cune.org
Comment: personal
You selected this USER-ID:
"John Doe (personal) <John.Doe@cune.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "John Doe (work) <John.Doe@cune.edu>"
4096-bit RSA key, ID 0x832AF0B74FE1A7F6, created 2014-04-08

pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1) John Doe (work) <John.Doe@cune.edu>
[ unknown] (2). John Doe (personal) <John.Doe@cune.org>

gpg> uid 2

pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1) John Doe (work) <John.Doe@cune.edu>
[ unknown] (2)* John Doe (personal) <John.Doe@cune.org>

gpg> trust

pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1) John Doe (work) <John.Doe@cune.edu>
[ unknown] (2)* John Doe (personal) <John.Doe@cune.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports,checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1) John Doe (work) <John.Doe@cune.edu>
[ unknown] (2)* John Doe (personal) <John.Doe@cune.org>

gpg> uid 2

pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1) John Doe (work) <John.Doe@cune.edu>
[ unknown] (2). John Doe (personal) <John.Doe@cune.org>

gpg> uid 1

pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1)* John Doe (work) <John.Doe@cune.edu>
[ unknown] (2). John Doe (personal) <John.Doe@cune.org>

gpg> primary

You need a passphrase to unlock the secret key for
user: "John Doe (work) <John.Doe@cune.edu>"
4096-bit RSA key, ID 0x832AF0B74FE1A7F6, created 2014-04-08

pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1)* John Doe (work) <John.Doe@cune.edu>
[ unknown] (2) John Doe (personal) <John.Doe@cune.org>

gpg> uid 1

pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1). John Doe (work) <John.Doe@cune.edu>
[ unknown] (2) John Doe (personal) <John.Doe@cune.org>

gpg> save

6. Create a revocation certificate and store it separately, in the event that the master keypair is compromised or inaccessible.

gpg --output jdcuneedu-rev_cert.txt --gen-revoke John.Doe@cune.edu

sec 4096R/0x832AF0B74FE1A7F6 2014-04-08 John Doe (work)

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "John Doe (work) <John.Doe@cune.edu>"
4096-bit RSA key, ID 0x832AF0B74FE1A7F6, created 2014-04-08

ASCII armored output forced.
Revocation certificate created.

7. If desired, save text versions of the public and private keys to go with the revocation certificate.

gpg --export-secret-keys --armor --output prikeys.txt 0x832AF0B74FE1A7F6
gpg --export --armor --output pubkeys.txt 0x832AF0B74FE1A7F6

8. Copy the key directory for backup so that a version can be prepared without the master private key.

cp -a .gnupg gnupgbak

9. Export the private subkeys, delete the (entire) master private key and import the private subkeys without the master.

gpg --list-secret-keys
gpg --export-secret-subkeys --output subkeys John.Doe@cune.edu
gpg --delete-secret-key John.Doe@cune.edu
gpg --import subkeys

# The private (secret) primary key will be flagged with # as missing.
gpg --list-secret-keys

# By default, gpg uses the same password for all of the keys. Change the
# password for the desktop/laptop keyring so that the master keypair
# password cannot be swiped.

gpg --edit-key John.Doe@cune.edu passwd
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/0x832AF0B74FE1A7F6 created: 2014-04-08 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/0x098A1F34ACD626C9 created: 2014-04-08 expires: never usage: E
sub 2048R/0xE60D4FC0C433A20E created: 2014-04-08 expires: never usage: S
[ultimate] (1). John Doe (work)
[ultimate] (2) John Doe (personal)

Secret parts of primary key are not available.

You need a passphrase to unlock the secret key for
user: "John Doe (work) "
4096-bit RSA key, ID 0x098A1F34ACD626C9, created 2014-04-08

Enter the new passphrase for this secret key.

gpg> save

The directory .gnupg can now be compressed and moved to another machine. The files should “just work”, regardless of platform. The .gnupg directory can be removed and restored from the backup directory. An alternative is to leave the .gnupg directory, compress the gnupgbak directory and move it to a secure location to protect the master private key.

10. Send the public keys to the key servers.
gpg --send-keys 0x832AF0B74FE1A7F6
gpg: sending key 0x832AF0B74FE1A7F6 to hkp server hkp.pool.sks-keyservers.net

Comments are closed