Ci Haoyi Home Page


PGP and GPG usage tips

CreateTime: Fri May 13 2022 13:52:15 GMT+0800
EditTime: Tue Jun 07 2022 15:01:04 GMT+0800

On this page, I record some tips for using PGP and GnuPG (GPG) for personal use.

Usage

This section focuses on using GnuPG from the command line.

Generate a new key pair

gpg --gen-key               # generate a new key pair
gpg --generate-key          # same as "--gen-key"
gpg --full-gen-key          # full featured key pair generation
gpg --full-generate-key     # same as "--full-gen-key"
gpg --full-gen-key --expert # full-featured generation in expert mode. MOST OPTIONS!

The rest of this section only covers "--full-gen-key --expert".

You will get a result like this.

$ gpg --full-gen-key --expert
gpg (GnuPG) 2.2.31; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection?

Here you can choose one preset to generate your key pair. There are several asymmetric encryption algorithms to choose from: DSA, RSA, ECC and Elgamal. DSA is too old to use, and it is not safe any more. I have no idea about Elgamal, but it does not look to be the choice of most people. RSA and ECC are widely used. RSA is based on the difficulty of factoring large integers; it has been around for a long time, so it is more mature. ECC is based on elliptic-curve mathematics; it is newer and is not supported on old machines. But at the same key length, ECC is stronger than RSA.

If you choose "ECC and ECC", you will get:

Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection?

The "NIST curves" were designed by NIST (National Institute of Standards and Technology, a US government agency), so we don't know whether they have potential defects. As we all know, the free software community does not believe in "authority". The "Brainpool curves" come from Europe, and they also come from an "authority". So we recommend neither of them. According to some sources, secp256k1 is not safe[1], but I have not done a detailed investigation yet. So "Curve 25519" is the only recommended ECC option. But there is a problem with Curve 25519: you can only use a fixed-length key with it, which comes from EdDSA. The full name of EdDSA is Edwards-curve Digital Signature Algorithm. If you choose "Curve 25519", you will use cv25519 to encrypt and ed25519, which is one of the EdDSA schemes, to sign. And ed25519 is not more secure than the other choice, RSA 4096.

Here, we finally recommend (1) RSA and RSA with a 4096-bit key length, which generates an RSA primary key and then an RSA encryption subkey. If you make that choice, you will get:

$ gpg --full-gen-key --expert
gpg (GnuPG) 2.2.31; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits       
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want for the subkey? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Tue May 14 15:52:16 2024 CST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name:

Here there is something new: expiration. Of course, you can choose to never expire by typing 0. However, we don't recommend doing that. Imagine that you lose your secret key or forget its password, and you have no way of letting your friends know. That means you cannot decrypt messages sent to you, and there is nothing you can do. If people have one of your keys "available", they probably won't look for a new one, even if the key is no longer available.

You can always extend your expiration date, even after it has expired! This “expiration” is actually more of a safety valve or “dead-man switch” that will automatically trigger at some point. If you have access to the secret key material, you can untrigger it.[2] So here we recommend using an expiration date of less than two years. You can set a calendar event to remind you about your expiration date.
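The expiration advice above can also be checked mechanically. The following is an added example, not part of the original page: it audits the machine-readable output of "gpg --list-keys --with-colons" against this page's recommendations (RSA 4096, an expiration date, a lifetime of at most two years). The function name audit_keys, the finding labels and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Audit `gpg --list-keys --with-colons` output against this page's advice:
# RSA keys of 4096 bits, an expiration date, and a lifetime of at most 2 years.
# Colon-format fields used: 1 record type, 3 key length, 4 algorithm id
# (1 = RSA), 5 key ID, 6 creation time, 7 expiration time (epoch seconds).

# audit_keys NOW WARN_DAYS
# Reads a colon listing on stdin; prints "<keyid> <record> <FINDING>" lines.
# audit_keys and the finding labels are names made up for this example.
audit_keys() {
    awk -F: -v now="$1" -v warn="$2" '
        BEGIN { max_life = 2 * 366 * 86400 }   # two years, leap days allowed
        $1 != "pub" && $1 != "sub" { next }    # skip uid, fpr, ... records
        {
            id = $5; rec = $1
            if ($4 == 1 && $3 < 4096) print id, rec, "RSA_SHORT_" $3
            if ($7 == "") { print id, rec, "NO_EXPIRY"; next }
            if ($7 <= now) { print id, rec, "EXPIRED"; next }
            if ($7 - $6 > max_life) print id, rec, "LIFETIME_OVER_2Y"
            if ($7 - now <= warn * 86400) print id, rec, "EXPIRES_SOON"
        }'
}

# Constructed sample listing (not real keys), trimmed to the fields used.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAA1:1652601136:1715673136::u:::scESC:
uid:u::::1652601136::0000::Alice Example <alice@example.org>:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1652601136:1715673136:::::e:
pub:u:2048:1:BBBBBBBBBBBBBBB1:1500000000:::u:::scESC:
pub:u:4096:1:CCCCCCCCCCCCCCC1:1640000000:1701000000::u:::scESC:
sub:u:4096:1:CCCCCCCCCCCCCCC2:1690000000:1850000000:::::e:
EOF
}

# Real use: gpg --list-keys --with-colons | audit_keys "$(date +%s)" 30
sample_listing | audit_keys 1700000000 30
```

Run from cron or a calendar reminder, an empty result means every listed key follows the recommendations and none expires within the warning window.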

Then type in your personal information, which identifies you as the User ID. It will be part of the public key certificate, and that is what the certificate is going to prove: that you are really you. After all, a certificate has to prove something.

To be continued!

References

[1]: In 2021, Use PGP in modern way (Middle) (Chinese)

[2]: OpenPGP Best Practices



If the page has errors, please contact [email protected] (PGP fingerprint: F557 32D7 EBF0 7DD0 7072 AF9F 5C23 6BC4 C691 3982)