Saturday, September 5, 2009

Creating GPG keys from the CLI

I've written about GnuPG before; it is an open source implementation of the PGP encryption standard. Most Linux distributions include a version of it and there are binary packages available for Windows and OS X. On a Unix-like system, if you want to create a new public/private key pair, there is a convenient interactive tool to do this. Start by typing this:
$ gpg --gen-key
Next you will be prompted to answer a series of questions:
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?
Choose "DSA and Elgamal" by typing the number one:
1
Next you are asked about key size:
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
IMHO a 2048-bit key is fine. You can go bigger if you want, but you shouldn't go any smaller. Enter the size you want; for 2048, enter:
2048
The next question is to specify an expiration date for your key:
Please specify how long the key should be valid.
0 = key does not expire
[n]= key expires in n days
[n]w = key expires in n weeks
[n]m = key expires in n months
[n]y = key expires in n years
Key is valid for? (0)
Whether you want your key to expire is a personal choice. If you choose to make your key expire, you will probably want it to last at least a few years, but it is up to you. To make the key valid for 3 years, type this:
3y
You will now be asked to verify the expiration date for your key:
Key expires at Tue 04 Sep 2012 11:59:31 AM EDT
Is this correct? (y/N)
If that is correct, type:
y
Now you get to enter your identifying information: name, email, and comment. After that, you will be prompted to enter a passphrase to use with your private key. Make sure it is something secure! The next thing the system will do is generate the keys. If there is not enough activity on the system from which to gather random data, you will be asked to do other things on the system (type, move the mouse, use the disks) until enough random bytes have been collected to continue. Once that happens, the key creation will finish on its own.

When that completes you will have a new public/private key pair stored in your keyring, which lives inside "~/.gnupg/".
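The whole walkthrough above, as an added example that is not part of the original post: a POSIX shell script that gives GnuPG the same answers (DSA primary key, Elgamal encryption subkey, 2048 bits, 3-year expiry, a passphrase) through its documented unattended key generation, a parameter file passed to "gpg --batch --gen-key", instead of the interactive prompts. It also refuses key sizes below the 2048-bit floor recommended above, and generates into a throwaway --homedir so it can never touch your real ~/.gnupg. The helper names, the GPG_EXAMPLE_PASSPHRASE variable and the "Example User" identity are constructed for this example; the parameter-file keywords are GnuPG's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Unattended GnuPG key
# generation using the parameter-file format documented in the GnuPG manual
# ("Unattended key generation"). Assumes gpg (1.4 or 2.x) is on PATH.

# Accept only sizes in the 2048..4096 range the post recommends.
# Prints the size on success; returns 1 for anything else.
check_keysize() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;          # empty or not a number
    esac
    [ "$1" -ge 2048 ] && [ "$1" -le 4096 ] || return 1
    printf '%s\n' "$1"
}

# Write a GnuPG batch parameter file to stdout.
#   $1 real name   $2 email   $3 expiry (0, or Nd/Nw/Nm/Ny as in the prompt)
#   $4 Elgamal subkey size in bits
# The passphrase comes from the GPG_EXAMPLE_PASSPHRASE environment variable
# (a name chosen for this example) so it is never typed on a command line.
gen_params() {
    size=$(check_keysize "$4") || { echo "bad key size: $4" >&2; return 1; }
    [ -n "$GPG_EXAMPLE_PASSPHRASE" ] || {
        echo "GPG_EXAMPLE_PASSPHRASE is not set" >&2; return 1; }
    # The post's GnuPG release fixed the DSA primary key at 1024 bits;
    # later releases accept 2048, which is what is requested here.
    cat <<EOF
Key-Type: DSA
Key-Length: 2048
Subkey-Type: ELG-E
Subkey-Length: $size
Name-Real: $1
Name-Email: $2
Expire-Date: $3
Passphrase: $GPG_EXAMPLE_PASSPHRASE
%commit
EOF
}

# Generate the key into a fresh, private temporary home directory and then
# print the new key with its fingerprint. Arguments are the same as gen_params.
generate_key() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    gen_params "$@" > "$home/params" || return 1
    gpg --homedir "$home" --batch --gen-key "$home/params" || return 1
    gpg --homedir "$home" --fingerprint "$2"
}

# Example run with a constructed identity; only attempted when gpg is installed
# and a passphrase has been exported, e.g.
#   export GPG_EXAMPLE_PASSPHRASE='choose something strong'
if command -v gpg >/dev/null 2>&1 && [ -n "$GPG_EXAMPLE_PASSPHRASE" ]; then
    generate_key "Example User" "user@example.com" 3y 2048
fi
```

Because the keys land in the temporary --homedir, nothing is added to your own keyring; drop the --homedir options (or point them at ~/.gnupg) once you are happy with the parameters. Batch mode still needs the same pool of random bytes as the interactive run, so on an idle machine it can pause at the generation step just as described above.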
