Diffstat (limited to 'src/_posts/2019-02-03-how-to-sign-pgp-keys.html')
-rw-r--r-- | src/_posts/2019-02-03-how-to-sign-pgp-keys.html | 165 |
1 files changed, 0 insertions, 165 deletions
diff --git a/src/_posts/2019-02-03-how-to-sign-pgp-keys.html b/src/_posts/2019-02-03-how-to-sign-pgp-keys.html deleted file mode 100644 index a8a9618..0000000 --- a/src/_posts/2019-02-03-how-to-sign-pgp-keys.html +++ /dev/null 
@@ -1,165 +0,0 @@ ---- -title: How to sign PGP keys -layout: post -tags: PGP Tutorial -description: > - A small tutorial on how to sign others PGP keys. ---- - -{% markdown %} -Having attended [FOSDEM](https://fosdem.org/2019/) last weekend, I have been -asked to help some people out with signing PGP keys. As it is an international -gathering of users and developers of all levels of expertise, it's a great event -to get your key out in to the wild. While helping people out, I figured it might -be even easier next time around to just refer to a small tutorial on my blog -instead. -{% endmarkdown %} - -{% markdown %} -## Creating a PGP key - -The first step to sign keys, is to have a PGP key. If you already have one, -you're good to go to the next part of this tutorial. If you don't, you can check -out the `gpg` manual on how to create a key, or read about key creation in my -[article on using PGP with a Yubikey][yubikey-pgp-article]. While I would -strongly suggest reading at least some material, `gpg` does quite a good job of -guiding you through the process without prior knowledge, so you can just get -started with `gpg --generate-key` as well. - -[yubikey-pgp-article]: {{ "/post/2018/09/04/setting-up-pgp-with-a-yubikey/#creating-pgp-keys" | prepend: site.baseurl | prepend: site.url }} -{% endmarkdown %} - -{% markdown %} -## Create key slips - -A *key slip* is a small piece of paper containing some basic information about -the PGP key. They're exchanged when people meet, so they don't have to -immediately sign the key, but can do it safely at home. When you're signing in a -group, this may be faster to work with. Another benefit is that some people -don't have their private keys with them. They can then just collect the key slips -from the people who's key they want to sign, and sign it whenever they are in -possession of their private key again. - -A key slip doesn't have to contain much. A key ID, fingerprint, email address and -a name is plenty. 
For reference, my key slips look as follows: -{% endmarkdown %} - -{% highlight text %} -Patrick Spek <p.spek@tyil.nl> rsa4096/0x7A6AC285E2D98827 - 1660 F6A2 DFA7 5347 322A 4DC0 7A6A C285 E2D9 8827 -{% endhighlight %} - -{% markdown %} -## Verifying the owner - -Before you sign anyone's public key, you should verify that the person is -actually who they say they are. You can easily do this by asking for government -issued identification, such as an ID card, driver's license or passport. What -constitutes good proof is up to you, but in general people expect at least one -form of government issued identification. - -If the person can't verify who they are, you should *not* sign their key! -{% endmarkdown %} - -{% markdown %} -## Retrieving their key - -Once you have verified the person is who they say they are, and you have -received their key slip containing their key ID, you can look up their key -online. You can let `gpg` do all the work for you in searching and downloading -the key, using the `--search` switch. For instance, to retrieve my key, do the -following: -{% endmarkdown %} - -{% highlight sh %} -gpg --search-keys 0x7A6AC285E2D98827 -{% endhighlight %} - -{% markdown %} -If a result has been found, you are prompted to enter the numbers of the keys -you want to download. Make sure you download the right key, in case multiple -have been found! - -After retrieving the key, you can see it in the list of all the keys `gpg` knows -about using `gpg --list-keys`. -{% endmarkdown %} - -{% markdown %} -## Signing their key - -To actually sign their key, and show that you trust that the key belongs to the -person's name attached to it, you can use `gpg --sign-key`: -{% endmarkdown %} - -{% highlight sh %} -gpg --sign-key 0x7A6AC285E2D98827 -{% endhighlight %} - -{% markdown %} -You will be prompted whether you are sure you want to sign. You should answer -this with a single `y` to continue. - -After signing it, you'll have signed a PGP key! 
You can verify this by looking -at the signatures on a given key with `--list-sigs 0x7A6AC285E2D98827`. This should -contain your name and key ID. -{% endmarkdown %} - -{% markdown %} -## Exchanging the signed key - -While you could publish the updated public key with your signature on it, you -should **not** do this! You should encrypt the updated public key and send it to -the person that owns the private key, and they should upload it themselves. One -reason for this is that it allows you to safely verify that they do in fact -actually own the private key as well, without ever asking them explicitly to -show you their private key. - -To export the public key, use `--export`: -{% endmarkdown %} - -{% highlight sh %} -gpg --armor --export 0x7A6AC285E2D98827 > pubkey-tyil.asc -{% endhighlight %} - -{% markdown %} -The `--armor` option is used to export the key as base64, instead of binary -data. - -You can attach this file to an email, and let your email client encrypt the -entire email and all attachments for they key ID. How you can do this depends on -your email client, so you should research how to do this properly in the -documentation for it. - -However, it's also possible to encrypt the public key file before adding it as -an attachment, in case you don't know how to let your email client do it (or if -you don't trust your email client to do it right). - -You can use the `--encrypt` option for this, and add a `--recipient` to encrypt -it for a specific key. -{% endmarkdown %} - -{% highlight sh %} -gpg --encrypt --recipient 0x7A6AC285E2D98827 < pubkey-tyil.asc > pubkey-tyil.pgp -{% endhighlight %} - -{% markdown %} -Now you can use this encrypted key file and share it with the owner of the key. 
-If the person you send it to really is the owner of the key, they can use the -private key to decrypt the file, import it with `gpg --import` and then publish -it with `gpg --send-keys` -{% endmarkdown %} - -{% markdown %} -## Winding down - -Once all this is done, other people should have sent you your signed pubkey as -well, and you should have published your updated key with the new signatures. -Now you can start using PGP signatures and encryption for your communication -with the world. People who have not signed your key can see that there's other -people that do trust your key, and they can use that information to deduce that -whatever's signed with your key really came from you, and that anything they -encrypt with your public key can only be read by you. - -With this [trust](https://en.wikipedia.org/wiki/Web_of_trust), you can make -communication and data exchange in general more secure. -{% endmarkdown %} |
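Review bot: this hunk removes the whole post outright (`deleted file mode 100644`, `+++ /dev/null`, 165 deletions, 0 insertions) with nothing put in its place, so the published URL implied by the front matter (`layout: post`, tags `PGP Tutorial`, dated 2019-02-03) becomes a dead link for anyone who bookmarked or linked it after FOSDEM. If the intent is to retire it, prefer either a redirect or a short stub pointing at the replacement, and say in the commit message why it is going away (superseded, inaccurate, moved elsewhere); nothing in the diff records a reason. Note also that the deleted text is the only in-repo description of the signing workflow, including the non-obvious step in "Exchanging the signed key" (encrypting the signed public key to the owner with `gpg --encrypt --recipient` so that decrypting it proves possession of the private key, rather than publishing the signature yourself); if that content is not being relocated, that advice is lost with this change.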