mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-10-18 17:26:29 +00:00
130 lines
6.1 KiB
Text
130 lines
6.1 KiB
Text
[[creating-gpg-keys-cli]]
|
|
= Creating GPG Keys Using the Command Line
|
|
|
|
. Use the following shell command:
|
|
+
|
|
----
|
|
gpg --full-generate-key
|
|
----
|
|
+
|
|
This command generates a key pair that consists of a public and a private key.
|
|
Other people use your public key to authenticate and/or decrypt your communications.
|
|
Distribute your *public* key as widely as possible, especially to people who you know will want to receive authentic communications from you, such as a mailing list.
|
|
|
|
. Press the kbd:[Enter] key to assign a default value if desired.
|
|
The first prompt asks you to select what kind of key you prefer:
|
|
+
|
|
----
|
|
Please select what kind of key you want:
|
|
(1) RSA and RSA (default)
|
|
(2) DSA and Elgamal
|
|
(3) DSA (sign only)
|
|
(4) RSA (sign only)
|
|
(14) Existing key from card
|
|
Your selection?
|
|
----
|
|
+
|
|
In almost all cases, the default is the correct choice.
|
|
A RSA/RSA key allows you not only to sign communications, but also to encrypt files.
|
|
|
|
. Choose the key size:
|
|
+
|
|
----
|
|
RSA keys may be between 1024 and 4096 bits long.
|
|
What keysize do you want? (3072)
|
|
----
|
|
+
|
|
Again, the default is sufficient for almost all users, and represents an _extremely_ strong level of security.
|
|
|
|
. Choose when the key will expire.
|
|
It is a good idea to choose an expiration date instead of using the default, which is _none._
|
|
If, for example, the email address on the key becomes invalid, an expiration date will remind others to stop using that public key.
|
|
+
|
|
----
|
|
Please specify how long the key should be valid.
|
|
0 = key does not expire
|
|
<n> = key expires in n days
|
|
<n>w = key expires in n weeks
|
|
<n>m = key expires in n months
|
|
<n>y = key expires in n years
|
|
Key is valid for? (0)
|
|
----
|
|
+
|
|
Entering a value of `1y`, for example, makes the key valid for one year.
|
|
(You may change this expiration date after the key is generated, if you change your mind.)
|
|
Before the `gpg` program asks for signature information, the following prompt appears:
|
|
+
|
|
----
|
|
Is this correct (y/N)?
|
|
----
|
|
+
|
|
. Enter `y` to finish the process.
|
|
|
|
. Enter your name and email address.
|
|
_Remember this process is about authenticating you as a real individual._
|
|
For this reason, include your _real name_.
|
|
Do not use aliases or handles, since these disguise or obfuscate your identity.
|
|
|
|
. Enter your real email address for your GPG key.
|
|
If you choose a bogus email address, it will be more difficult for others to find your public key.
|
|
This makes authenticating your communications difficult.
|
|
If you are using this GPG key for https://fedoraproject.org/wiki/Introduce_yourself_to_the_Docs_Project[self-introduction] on a mailing list, for example, enter the email address you use on that list.
|
|
|
|
. Use the comment field to include aliases or other information.
|
|
(Some people use different keys for different purposes and identify each key with a comment, such as "Office" or "Open Source Projects.")
|
|
|
|
. Enter the letter `O` at the confirmation prompt to continue if all entries are correct, or use the other options to fix any problems.
|
|
|
|
. Enter a passphrase for your secret key.
|
|
The `gpg` program asks you to enter your passphrase twice to ensure you made no typing errors.
|
|
|
|
Finally, `gpg` generates random data to make your key as unique as possible.
|
|
Move your mouse, type random keys, or perform other tasks on the system during this step to speed up the process.
|
|
Once this step is finished, your keys are complete and ready to use:
|
|
|
|
----
|
|
pub rsa3072 2021-02-09 [SC] [expires: 2022-02-09]
|
|
3782CBB60147010B330523DD26FBCC7836BF353A
|
|
uid John Doe (Fedora Docs) <johndoe@example.com>
|
|
sub rsa3072 2021-02-09 [E] [expires: 2022-02-09]
|
|
----
|
|
|
|
The key fingerprint is a shorthand signature for your key.
|
|
It allows you to confirm to others that they have received your actual public key without any tampering.
|
|
You do not need to write this fingerprint down.
|
|
To display the fingerprint at any time, use this command, substituting your email address:
|
|
|
|
----
|
|
gpg --fingerprint johndoe@example.com
|
|
----
|
|
|
|
Your key fingerprint is actually a 160 bit SHA-1 hash of the key, represented as a 40 character string of hexadecimal digits.
|
|
Though shorter than the public key itself, it's still a bit unwieldy, so people tend to use a shorter _GPG key ID_ to refer to a key when, for example, looking up a key in a keyserver.
|
|
The GPG key ID is a small number of hex digits drawn from the characters representing the lower-order bits of the fingerprint.
|
|
The "short" GPG key ID consists of the final 8 characters of the hexadecimal fingerprint, that is, the last 32 bits of the fingerprint.
|
|
Short keys are unsafe and no longer recommended because it's possible to create collisions so that an attacker's forged key has the same short ID as your key.
|
|
Thus if you give someone the short GPG key ID of your key, they may retrieve the attacker's key from a keyserver instead.
|
|
|
|
For this reason, it's preferred to use the "long" GPG key ID, which consists of the final 16 characters of your key's hexadecimal fingerprint.
|
|
This represents the 64 lower-order bits of your fingerprint, which is sufficient to be collision-resistant.
|
|
The `gpg` program makes it easy for you to find your key's long GPG key ID:
|
|
|
|
----
|
|
gpg --list-keys --fingerprint --key-id-format 0xlong johndoe@example.com
|
|
----
|
|
|
|
The `0xlong` format prepends "0x" to the key ID to make it clear that this is a series of hexadecimal digits; it is considered good practice to do this.
|
|
The output from the above command looks like this:
|
|
|
|
----
|
|
pub rsa3072/0x26FBCC7836BF353A 2021-02-09 [SC] [expires: 2022-02-09]
|
|
Key fingerprint = 3782 CBB6 0147 010B 3305 23DD 26FB CC78 36BF 353A
|
|
uid John Doe (Fedora Docs) <johndoe@example.com>
|
|
sub rsa3072/0xF834D62672E88A6F 2021-02-09 [E] [expires: 2022-02-09]
|
|
----
|
|
|
|
The first line (beginning with "pub") tells you what kind the key is (that is, 3072 bit RSA) and what the long key ID is (that is, `0x26FBCC7836BF353A`).
|
|
You can see that this corresponds to the last 16 characters of the Key fingerprint in the output.
|
|
|
|
Now see <<backup-gpg-keys-cli>>.
|
|
Make sure to back up your revocation keys for all active keys as this allows to revoke keys in the event of lost passphrase of key compromise.
|