GPG - Getting Started 2/2
In the last part of this article, we installed GPG and created our first keys. For this part, let's have a look at sub-keys and renews. Afterward, you should be set up to use GPG for upcoming tasks like container image encryption, Git commit signing or E-Mail signatures.
GPG
GPG or GnuPG (GNU Privacy Guard) is an Open Source implementation of the OpenPGP standard, which is defined in RFC 4880. PGP itself is a software system that enables a user to sign and encrypt data via public-key cryptography. It was initially designed by Phil Zimmermann.
GPG can be used for E-mail communication, chat programs, signing packages, Git commits, and much more. GnuPG itself also ships a set of applications and libraries that can be used to interact with PGP.
Manage GPG Keys (Part 2)
Creating some keys was tackled in the first part of this series. If you don't know about GPG, I recommend reading part 1 first. With this part, I want to demonstrate some additional improvements, but also tackle renewals and exports.
Reminder
In the last part of this series, we created a key pair, which can be reviewed like this:
# List keys
$ gpg --list-keys --keyid-format=long
/var/home/dschier/.gnupg/pubring.kbx
------------------------------------
pub ed25519/351CDEEBC00CF944 2023-02-12 [SC] [expires: 2025-02-11]
84AFA996AE578D69A7E1E299351CDEEBC00CF944
uid [ultimate] Daniel Schier <dschier@while-true-do.io>
sub cv25519/E44CEC6FBDBFA040 2023-02-12 [E] [expires: 2025-02-11]
With this knowledge, let's do something with these.
Sub Keys
The first thing you might consider is the creation of a sub-key for signing. This avoids using your certification key as your signing key. Let's do this.
# Enter the edit mode
$ gpg2 --edit-key 351CDEEBC00CF944
gpg (GnuPG) 2.4.0; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/351CDEEBC00CF944
created: 2023-02-12 expires: 2025-02-11 usage: SC
trust: ultimate validity: ultimate
ssb cv25519/E44CEC6FBDBFA040
created: 2023-02-12 expires: 2025-02-11 usage: E
[ultimate] (1). Daniel Schier <dschier@while-true-do.io>
gpg>
Now that we are in the GPG shell, we can invoke the creation of new keys.
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(10) ECC (sign only)
(12) ECC (encrypt only)
(14) Existing key from card
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Do 25 Apr 2024 19:05:06 CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec ed25519/351CDEEBC00CF944
created: 2023-02-12 expires: 2025-02-11 usage: SC
trust: ultimate validity: ultimate
ssb cv25519/E44CEC6FBDBFA040
created: 2023-02-12 expires: 2025-02-11 usage: E
ssb rsa4096/620CFFAF6CAECD69
created: 2023-04-26 expires: 2024-04-25 usage: S
[ultimate] (1). Daniel Schier <dschier@while-true-do.io>
As you can see, there is a new key, which can be used for signing only.
Renew
Let's have another look at our keys.
$ gpg --list-keys --keyid-format=long
/var/home/dschier/.gnupg/pubring.kbx
------------------------------------
pub ed25519/351CDEEBC00CF944 2023-02-12 [SC] [expires: 2025-02-11]
84AFA996AE578D69A7E1E299351CDEEBC00CF944
uid [ultimate] Daniel Schier <dschier@while-true-do.io>
sub cv25519/E44CEC6FBDBFA040 2023-02-12 [E] [expires: 2025-02-11]
sub rsa4096/620CFFAF6CAECD69 2023-04-26 [S] [expires: 2024-04-25]
As you might have discovered already, there are expiration dates. These dates will invalidate your keys automatically, after a given time. Well, you might want to extend or renew this, right?
We will need to edit the key, again.
$ gpg2 --edit-key 351CDEEBC00CF944
gpg (GnuPG) 2.4.0; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/351CDEEBC00CF944
created: 2023-02-12 expires: 2025-02-11 usage: SC
trust: ultimate validity: ultimate
ssb cv25519/E44CEC6FBDBFA040
created: 2023-02-12 expires: 2025-02-11 usage: E
ssb rsa4096/620CFFAF6CAECD69
created: 2023-04-26 expires: 2024-04-25 usage: S
[ultimate] (1). Daniel Schier <dschier@while-true-do.io>
gpg>
By default, you will operate on the primary key. To change the expiration of this key, you can use the expire command.
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Do 25 Apr 2024 19:19:50 CEST
Is this correct? (y/N) y
sec ed25519/351CDEEBC00CF944
created: 2023-02-12 expires: 2024-04-25 usage: SC
trust: ultimate validity: ultimate
ssb cv25519/E44CEC6FBDBFA040
created: 2023-02-12 expires: 2025-02-11 usage: E
ssb rsa4096/620CFFAF6CAECD69
created: 2023-04-26 expires: 2024-04-25 usage: S
[ultimate] (1). Daniel Schier <dschier@while-true-do.io>
gpg>
As you can see, the first key has changed the expiration date. To edit another key, you need to address these by their index.
gpg> key 1
sec ed25519/351CDEEBC00CF944
created: 2023-02-12 expires: 2024-04-25 usage: SC
trust: ultimate validity: ultimate
ssb* cv25519/E44CEC6FBDBFA040
created: 2023-02-12 expires: 2025-02-11 usage: E
ssb rsa4096/620CFFAF6CAECD69
created: 2023-04-26 expires: 2024-04-25 usage: S
[ultimate] (1). Daniel Schier <dschier@while-true-do.io>
gpg> key 2
sec ed25519/351CDEEBC00CF944
created: 2023-02-12 expires: 2024-04-25 usage: SC
trust: ultimate validity: ultimate
ssb* cv25519/E44CEC6FBDBFA040
created: 2023-02-12 expires: 2025-02-11 usage: E
ssb* rsa4096/620CFFAF6CAECD69
created: 2023-04-26 expires: 2024-04-25 usage: S
[ultimate] (1). Daniel Schier <dschier@while-true-do.io>
You can see the small * marker next to the entries. Now you can change the expiration for them.
gpg> expire
Are you sure you want to change the expiration time for multiple subkeys? (y/N) y
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 6m
Key expires at Mo 23 Okt 2023 19:21:43 CEST
Is this correct? (y/N) y
sec ed25519/351CDEEBC00CF944
created: 2023-02-12 expires: 2024-04-25 usage: SC
trust: ultimate validity: ultimate
ssb* cv25519/E44CEC6FBDBFA040
created: 2023-02-12 expires: 2023-10-23 usage: E
ssb* rsa4096/620CFFAF6CAECD69
created: 2023-04-26 expires: 2023-10-23 usage: S
[ultimate] (1). Daniel Schier <dschier@while-true-do.io>
gpg> q
Save changes? (y/N) y
As you can see, this was pretty easy.
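Expiration dates only protect you if you notice them before they pass. As an added example (not part of the original article), the shell function below parses the machine-readable output of gpg --list-keys --with-colons and reports every key or sub-key that has expired or expires within a chosen window; it is run here on a constructed listing that mirrors the keys shown above, so it works without a keyring.

```shell
#!/bin/sh
# Added example: find GPG keys/sub-keys that are expired or about to expire.
# Input is the colon-separated listing produced by `gpg --list-keys --with-colons`:
#   field 1 = record type (pub/sub/uid/fpr), field 5 = key ID,
#   field 6 = creation time, field 7 = expiration time (both epoch seconds).

# Constructed sample listing, mirroring the article's keys
# (primary expires 2024-04-25, both sub-keys expire 2023-10-23).
SAMPLE_LISTING='pub:u:256:22:351CDEEBC00CF944:1676160000:1714003200::u:::scESC::::::23::0:
fpr:::::::::84AFA996AE578D69A7E1E299351CDEEBC00CF944:
uid:u::::1676160000::D0E8B1E5F1A2C3B4D5E6F7A8B9C0D1E2F3A4B5C6::Daniel Schier <dschier@while-true-do.io>::::::::::0:
sub:u:256:18:E44CEC6FBDBFA040:1676160000:1698019200:::::e::::::23:
sub:u:4096:1:620CFFAF6CAECD69:1682467200:1698019200:::::s::::::23:'

# expiring_keys LISTING NOW_EPOCH WINDOW_DAYS
# Prints one line per pub/sub record that is already expired or expires
# within WINDOW_DAYS of NOW_EPOCH. Records without an expiration date
# (empty field 7) never expire and are skipped.
expiring_keys() {
    printf '%s\n' "$1" | awk -F: -v now="$2" -v window="$3" '
        ($1 == "pub" || $1 == "sub") && $7 != "" {
            days = int(($7 - now) / 86400)
            if (days < 0)
                printf "%s %s expired %d days ago\n", $1, $5, -days
            else if (days <= window)
                printf "%s %s expires in %d days\n", $1, $5, days
        }'
}

# Stand-alone run against the constructed sample with a 30-day window.
# For a real keyring, replace "$SAMPLE_LISTING" with
# "$(gpg --list-keys --with-colons)".
expiring_keys "$SAMPLE_LISTING" "$(date +%s)" 30
```

Run from cron or a login script with a real listing, the output gives you the reminder to revisit the expire command before a signing or encryption sub-key silently stops working.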
Export/Import
Finally, you might want to export your GPG key pairs for backup purposes. GPG provides some commands for this.
# Export secret keys
$ gpg2 --export-secret-keys --armor 351CDEEBC00CF944 > 351CDEEBC00CF944-secret.gpg
# export public keys
$ gpg2 --export --armor 351CDEEBC00CF944 > 351CDEEBC00CF944.gpg
# show files
$ ls
351CDEEBC00CF944.gpg 351CDEEBC00CF944-secret.gpg
Let's assume we deleted our keys or have a fresh system and want to import the keys again.
$ gpg2 --import 351CDEEBC00CF944.gpg
gpg: key 351CDEEBC00CF944: public key "Daniel Schier <dschier@while-true-do.io>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg2 --import 351CDEEBC00CF944-secret.gpg
gpg: key 351CDEEBC00CF944: "Daniel Schier <dschier@while-true-do.io>" not changed
gpg: warning: lower 3 bits of the secret key are not cleared
gpg: key 351CDEEBC00CF944: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
That's it. Now, you should be prepared to back up and recover your keys.
Docs & Links
For some additional reading, I want to share some helpful articles I used in the past.
Conclusion
There we go. These were the final steps to be prepared for more sophisticated topics. Next, we will have a look at container encryption, git commit signing and much more.
One more thing: Never share your private keys publicly. All of the above keys were explicitly created for demonstration and tutorial purposes.
And finally, I would like to ask you: How do you use GPG key pairs? Have you just started your journey? Are you using it since forever? Please let me know and share experiences.