Gnupg Use Key File Generated In Another Machine

  1. Gnupg Use Key File Generated In Another Machine In Windows 10
  2. Gnupg Use Key File Generated In Another Machine In Excel
  3. Gnupg Use Key File Generated In Another Machine In Minecraft
  4. Gnupg Use Key File Generated In Another Machine In One
  5. Gnupg Use Key File Generated In Another Machine In Texas
  6. Gnupg Use Key File Generated In Another Machine In The World
  7. Gnupg Use Key File Generated In Another Machine In Computer

The key is exported in a binary format, but this can be inconvenient when the key is to be sent though email or published on a web page. GnuPG therefore supports a command-line option -armor that that causes output to be generated in an ASCII-armored format similar to uuencoded documents. Gpg -list-keys. To list the keys in your secret key ring: gpg -list-secret-keys. To generate a short list of numbers that you can use via an alternative method to verify a public key, use: gpg -fingerprint fingerprint This creates the file fingerprint with your fingerprint info. To encrypt data, use: gpg -e -u 'Sender User Name' -r. Recover gnupg folder from machine backup; Backup gnupg folder (experts only) Backup single key. Select key to backup; click 'Export' icon in the toolbar or press ⌘E; to include the secret key, enable 'Include secret key in exported file' option (only necessary to transfer your key to another computer or create a backup in a secure location. Never send your sec key via email!) click 'Save'.

@Celeda, thanks, with -edit-key and and the trust command I managed to get the key trusted. Since my original question was how to copy the key from one machine to another, I think it would be appropriate to add something about that to your answer. Today I started learning how to work with GPG keys. I successfully generated a pair for me, and imported some other keys, encrypted some files and successfully decrypted them. I want to send my GPG key to the keyserver, but I cannot seem to be able to do so. Apr 15, 2008 How-To: Import/Export GPG key pair 1 minute read This tutorial will show how you can export and import a set of GPG keys from one computer to another. This way, you can sign/encrypt the same way one different computer. A simple way of doing it would be to: $.

Updated by Alex FornutoContributed byHuw Evans

Try this guide out by signing up for a Linode account with a $20 credit.
Contribute on GitHub

Report an Issue View File Edit File

You may be familiar with public key authentication for Secure Shell (SSH) on your Linode. But you may not have known that you can also use a GNU Privacy Guard (GPG) keypair to authenticate with SSH.

The chief benefit of this method is that instead of having separate keys for GPG messaging and SSH authentication, they can both belong to the same GPG keyring. This configuration really shines, however, when used with a GPG smartcard or YubiKey, because the card/dongle can store the underlying private key and only authenticate SSH sessions when it’s plugged in. WIRED reported that engineers at Facebook use this method for authenticating with local servers, so why shouldn’t you?

This guide will show you how to generate a GPG key, set up your computer to serve it in place of an SSH key, and put the new public key onto your server for authentication. It will also detail how to optionally move your GPG private key onto a smartcard or YubiKey to prevent authentication when the device isn’t plugged into your computer.

Before You Begin

Note
This guide will only work on UNIX-based (Linux & OS X) machines! The process is very complicated on Windows but may be possible with some research.

This guide assumes:

Download free all in one keylogger serial key generator. Universal Keygen Generator 2019 Features. It is easy and simple to use. It enables with all operating system. It does not require internet connection.

  • You have a fully functional Linode
  • You have followed the Getting Started and Securing Your Server guides, and updated your Linode with sudo apt-get update && sudo apt-get upgrade)
  • You are familiar with the command line

You don’t necessarily need to be familiar with SSH public key authentication or GPG encryption, but an understanding of their operation will help you out if you run into problems.

Generate a GPG Keypair

This section explains how to generate a new GPG keypair. If you already have one, you may skip these steps, as the next section will include instructions for how to create a subkey to use specifically for authentication. You will just need the 8-digit ID for your existing key to do so.

Caution
As an additional security measure, this process may be undertaken on an offline (non network-connected) machine or single-use Virtual Machine (VM). After installing the pre-requisite packages and only the pre-requisite packages, disconnect it from the network and continue with the steps below.

All of these steps should be performed on a local machine, not your Linode.

  1. Install GPG:

    On Debian and its derivatives:

    On OS X:

    GPGTools provides the simplest implementation of GPG for OS X. Otherwise, you could run brew install gnupg2 if you have Homebrew.

    On other operating systems, this process should be fairly clear. GPG is likely already installed, but if it isn’t, a quick internet search should give you the instructions you need.

  2. Open a command prompt and execute:

  3. When prompted to select the kind of key you want, select (1) RSA and RSA.

  4. When asked for a keysize, type 4096. If you want to store your key on a YubiKey Neo or certain smartcards, you may be restricted to a 2048-bit key size, so ensure that you aware of limitations for your device, if applicable.

  5. Choose an expiration period that you think will be suitable for this key. After that date, the key will no longer work, so choose carefully.

  6. Enter your full name, email address, and a comment (if you want). Select O for ‘Okay’.

  7. After looking over your shoulders for secret agents, enter a long and secure passphrase that will be used to encrypt your key in local storage. Write this down somewhere you know to be physically secure while your computer generates the keypair.

Once this is done, your output should resemble the following:

This process has created a master GPG key and a subkey for encrypting messages and files. To authenticate with SSH, we need to generate a second subkey for authentication.

Generating the Authentication Subkey

  1. In a command prompt or terminal, type:

    Replace key-id with the eight-character string output from the key generation process. This will be found in the line beginning with pub. In the example above, the ID is 71735D23.

  2. At the new gpg> prompt, enter:

  3. When prompted, enter your passphrase.

  4. When asked for the type of key you want, select: (8) RSA (set your own capabilities).

  5. Enter S to toggle the ‘Sign’ action off.

  6. Enter E to toggle the ‘Encrypt’ action off.

  7. Enter A to toggle the ‘Authenticate’ action on. The output should now include Current allowed actions: Authenticate, with nothing else on that line.

  8. Enter Q to continue.

  9. When asked for a keysize, choose 4096. The same limitation from Step 4 in the first section applies, so ensure your card/YubiKey can support this key size.

  10. Enter an expiration date, just as before. You should probably keep this the same as the first one. If you choose a lower expiration date, your main private key will continue to function but your SSH authentication will break on this date.

  11. When you’re sure all of the information entered is correct, enter y at the Really create? (y/N) prompt to complete the process.

  12. Once the key is created, enter quit to leave the gpg prompt, and y at the prompt to save changes.

Your terminal should now look like this:

Secure Your GPG Key

Caution
If you fail to back up or otherwise secure your key, any hardware failure will lead to you being unable to access your Linode with this key. If you lock out password access through SSH, you’ll need to use Lish to regain access.

You should always have a backup of your private key in case something goes wrong and you end up locked out of everything that requires it. This private key, along with the instructions in this guide, will be enough to get your setup working again if you need to start afresh on a new computer.

  1. Back up your ~/.gnupg folder with the following command, replacing USB_DEVICE with the name of your device:

    This assumes you have a storage device mounted at /Volumes/USB_DEVICE/. Different operating systems may use different naming conventions for this path. You can safely ignore any Operation not supported on socket warnings that appear when you enter this command.

  2. Back up your private key, replacing key-id with the eight-character key ID for your private key:

  3. Back up your subkeys, replacing key-id with the eight-character key ID for each subkey:

If something bad happens and you lose your keys, you can re-import them by overwriting the ~/.gnupg directory with your copy, and using:

Be sure to replace key-file with the location of each of your files.

Export Your Public Key

If you’re working on a VM or offline machine, you’ll also need to export your public key to be reimported later:

Be sure to replace key-id with your own key ID.

You can reimport it with the ever-handy gpg2 --import key-file command.

Move Your Key to a Smartcard or YubiKey (Optional)

Note
If you’re using a brand new YubiKey, you’ll need to enable OpenPGP Card / CCID Mode first. This can be done through the YubiKey Personalization Tool, or by running ykpersonalise -m82. ykpersonalise can be installed through your package manager.

Secure Your Card

It is assumed that you have already configured your card/YubiKey’s (herein referred to as ‘GPG device’) owner information. It is highly recommended that you secure your card before you start this section.

Note
Some of these commands may ask for a PIN or Admin PIN. The default PIN is usually 123456, and the default Admin PIN is usually 12345678. If these don’t work, contact the manufacturer or review online documentation.

  1. Plug in the device and execute:

  2. Enable admin commands:

  3. Enter the password change menu:

  4. Change the password to your device by selecting 2 - unblock PIN. This will unblock your PIN, and prompt you to change it. This PIN will be required every time you want to access your GPG key (e.g. every time you authenticate with SSH), and has a limit of eight characters.

  5. Change the admin PIN by selecting 3 - change Admin PIN. This PIN is required to make administrative changes, like in step 2, and has a limit of 6 characters. For optimum security, never store this PIN in a digital location, since it will be unnecessary for daily use of the YubiKey.

  6. Exit these menus by selecting Q and then typing quit.

For reference, your window should resemble the following. This example is abbreviated:

Transfer Your Subkey

  1. Enter the key edit menu from a normal command prompt, replacing key-id with your own key ID:

  2. Switch to the private key editor:

  3. Select only the authentication subkey:

    Remember, if you have more subkeys this command should be changed as appropriate.

  4. Transfer the key:

  5. Select (3) Authentication key to store your key on the third slot of the device. If this is not an option, ensure that you’ve selected the appropriate subkey.

  6. Enter your passphrase.

  7. Type save to exit this menu.

  8. If you’re working on a VM or offline machine, export the subkey stubs (pointers so GPG knows your subkeys are on the device):

    Be sure to substitute your own key ID for key-id. You can reimport these with an ordinary gpg2 --import <stub file> on your private machine.

After all this, your output should resemble the following:

Congratulations! You’ve successfully transferred your authentication subkey to your device.

Caution
If you weren’t using a VM or offline machine, back up your local copies of the private keys, delete them, and ensure that the rest of the keys are still on the card.

Serve Your GPG key Instead of an SSH key

In this section, we’ll configure your local machine so the connection between GPG and SSH works properly.

Return to your local machine, import all of the appropriate GPG keys and insert the appropriate GPG device. Install GPG if you don’t already have it on your local computer (e.g. if you performed all the above steps on a VM).

  1. Edit the ~/.bash_profile file (or similar shell startup file) to include:

    Linux:

    ~/.bash_profile

    OS X

    ~/.bash_profile

    This ensures that SSH can ‘see’ your GPG keys and automatically starts gpg-agent as needed.

  2. Edit or create ~/.gnupg/gpg-agent.conf:

    ~/.gnupg/gpg-agent.conf

    If you’re on OS X and previously installed GPGTools, you can also add the line:

    This allows you to use the PIN entry program provided by GPGTools.

  3. Restart the GPG agent:

Add the New Key to Your Linode

The steps from the previous sections will take your GPG keys and pipe them through SSH so they can be used for authentication. The result of this process is that you’ve created a new RSA public key for use with SSH authentication.

  1. On your local machine, extract the public key:

    You should see a long output of alphanumeric characters. If you see The agent has no identities, try the steps to restart the GPG agent from above.

  2. Copy the whole string of output, including ssh-rsa. If you see multiple strings beginning with ssh-rsa, copy the one that ends with cardno:. It might look like this:

  3. Paste this into a new file (for example, ~/gpg-key.pub) and save it.

  4. Copy the file to your Linode:

  5. Log into your Linode and append the key to the authorized_hosts file:

You’re done! Disconnect, and all new logins should now use your GPG key instead of a passphrase. This SSH key can also be used with GitHub, Bitbucket, other SSH-based Version Control Systems, or anywhere else that accepts SSH keys.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Join our Community

Please enable JavaScript to view the comments powered by Disqus.comments powered by Disqus

This guide is published under a CC BY-ND 4.0 license.

Related

How To Install and Configure Postfix as a Send-Only SMTP Server on Ubuntu 18.04 Tutorial
How To Set Up and Configure an OpenVPN Server on CentOS 8 Tutorial

Introduction

GPG, or GNU Privacy Guard, is a public key cryptography implementation. This allows for the secure transmission of information between parties and can be used to verify that the origin of a message is genuine.

In this guide, we will discuss how GPG works and how to implement it. We will be using an Ubuntu 16.04 server for this demonstration, but will include instructions for other distributions as well.

How Public Key Encryption Works

A problem that many users face is how to communicate securely and validate the identity of the party they are talking to. Many schemes that attempt to answer this question require, at least at some point, the transfer of a password or other identifying credentials, over an insecure medium.

Ensure That Only the Intended Party Can Read

To get around this issue, GPG relies on a security concept known as public key encryption. The idea is that you can split the encrypting and decrypting stages of the transmission into two separate pieces. That way, you can freely distribute the encrypting portion, as long as you secure the decrypting portion.

This would allow for a one-way message transfer that can be created and encrypted by anyone, but only be decrypted by the designated user (the one with the private decrypting key). If both of the parties create public/private key pairs and give each other their public encrypting keys, they can both encrypt messages to each other.

So in this scenario, each party has their own private key and the other user’s public key.

Validate the Identity of the Sender

Another benefit of this system is that the sender of a message can “sign” the message with their private key. The public key that the receiver has can be used to verify that the signature is actually being sent by the indicated user.

Set Up GPG Keys

GPG is installed by default in most distributions.

If for any reason GPG is not installed, on Ubuntu and Debian, you can update the local repo index and install it by typing:

On CentOS, you can install GPG by typing:

Gnupg Use Key File Generated In Another Machine In Windows 10

To begin using GPG to encrypt your communications, you need to create a key pair. You can do this by issuing the following command:

This will take you through a few questions that will configure your keys:

  • Please select what kind of key you want: (1) RSA and RSA (default)
  • What keysize do you want? 4096
  • Key is valid for? 1y (expires after 1 year. If you are just testing, you may want to create a short-lived key the first time by using a number like “3” instead.)
  • Is this correct? y
  • Real name: your real name here
  • Email address: your_email@address.com
  • Comment: Optional comment that will be visible in your signature
  • Change (N)ame, ©omment, (E)mail or (O)kay/(Q)uit? O
  • Enter passphrase: Enter a secure passphrase here (upper & lower case, digits, symbols)

At this point, gpg will generate the keys using entropy. Entropy describes the amount of unpredictability and nondeterminism that exists in a system. GPG needs this entropy to generate a secure set of keys.

This process may take a long time depending on how active your system is and the keysize you selected. To generate additional entropy more easily, you can use a tool called haveged. Open up a new terminal and SSH into the server again to set up haveged on your server.

Create a Revocation Certificate

You need to have a way of invalidating your key pair in case there is a security breach or in case you lose your secret key. There is an easy way of doing this with the GPG software.

This should be done as soon as you make the key pair, not when you need it. This revocation key must be generated ahead of time and kept in a secure, separate location in case your computer is compromised or inoperable. To generate a revocation key, type:

Gnupg Use Key File Generated In Another Machine In Excel

You will be asked to confirm the revocation key creation and then prompted for the reason that it is being revoked. This information will be visible to other users if the revocation is used in the future. You can choose any of the available options, but since this is being done ahead of time, you won’t have the specifics. Often, it is a good idea to create a revocation certificate for each of the likely scenarios for maximum flexibility.

Afterwards, you will then be asked to supply a comment and finally, to confirm the selections. Before creating the revocation certificate, you will need to enter your GPG key’s passphrase to confirm your identity. The revocation certificate will be written to the file specified by the --output flag (revocation.crt in our example):

You should immediately restrict the permissions on the generated certificate file in order to prevent unauthorized access:

The revocation certificate must be kept secure so that other users cannot revoke your key. As the message states, you should consider backing the certificate up to other machines and printing it out, as long as you can secure it properly.

How To Import Other Users’ Public Keys

GPG would be pretty useless if you could not accept other public keys from people you wished to communicate with.

You can import someone’s public key in a variety of ways. If you’ve obtained a public key from someone in a text file, GPG can import it with the following command:

There is also the possibility that the person you are wishing to communicate with has uploaded their key to a public key server. These key servers are used to house people’s public keys from all over the world.

A popular key server that syncs its information with a variety of other servers is the MIT public key server. You can search for people by their name or email address by going here in your web browser:

You can also search the key server from within GPG by typing the following:

You can use this method of searching by name or email address. You can import keys that you find by following the prompts.

How To Verify and Sign Keys

While you can freely distribute your generated public key file and people can use this to contact you in a secure way, it is important to be able to trust that the key belongs to who you think it does during the initial public key transmission.

Verify the Other Person’s Identity

How do you know that the person giving you the public key is who they say they are? In some cases, this may be simple. You may be sitting right next to the person with your laptops both open and exchanging keys. This should be a pretty secure way of identifying that you are receiving the correct, legitimate key.

But there are many other circumstances where such personal contact is not possible. You may not know the other party personally, or you may be separated by physical distance. If you never want to communicate over insecure channels, verification of the public key could be problematic.

Luckily, instead of verifying the entire public keys of both parties, you can simply compare the “fingerprint” derived from these keys. This will give you a reasonable assurance that you both are using the same public key information.

You can get the fingerprint of a public key by typing:

This will produce a much more manageable string of numbers to compare. You can compare this string with the person themselves, or with someone else who has access to that person.

Sign Their Key

Signing a key tells your software that you trust the key that you have been provided with and that you have verified that it is associated with the person in question.

To sign a key that you’ve imported, simply type:

When you sign the key, it means you verify that you trust the person is who they claim to be. This can help other people decide whether to trust that person too. If someone trusts you, and they see that you’ve signed this person’s key, they may be more likely to trust their identity too.

You should allow the person whose key you are signing to take advantage of your trusted relationship by sending them back the signed key. You can do this by typing:

You’ll have to type in your passphrase again. Afterwards, their public key, signed by you, will be displayed. Send them this, so that they can benefit from gaining your “stamp of approval” when interacting with others.

When they receive this new, signed key, they can import it, adding the signing information you’ve generated into their GPG database. They can do this by typing:

They can now demonstrate to other people that you trust that their identity is correct.

How To Make Your Public Key Highly Available

Because of the way that public key encryption is designed, there is not anything malicious that can happen if unknown people have your public key.

With this in mind, it may be beneficial to make your public key publicly available. People can then find your information to send you messages securely from your very first interaction.

You can send anyone your public key by requesting it from the GPG system:

You can then send this file to the other party over an appropriate medium.

If you want to publish your key to a key server, you can do it manually through the forms available on most of the server sites.

Another option is to do this through the GPG interface. Look up your key ID by typing:

The highlighted portion in the output below is the key ID (look for the pub along the left-hand column if you’re uncertain about which one to use). It is a short way to reference the key to the internal software.

To upload your key to a certain key server, you can then use this syntax:

The key will be uploaded to the specified server. Afterwards, it will likely be distributed to other key servers around the world.

Encrypt and Decrypt Messages with GPG

You can easily encrypt and decrypt messages after you have shared your keys with the other party.

Encrypt Messages

You can encrypt messages using the “–encrypt” flag for GPG. The basic syntax would be:

This encrypts the message using the recipient’s public key, signs it with your own private key to guarantee that it is coming from you, and outputs the message in a text format instead of raw bytes. The filename will be the same as the input filename, but with an .asc extension.

You should include a second “-r” recipient with your own email address if you want to be able to read the encrypted message. This is because the message will be encrypted with each person’s public key, and will only be able to be decrypted with the associated private key.

So if it was only encrypted with the other party’s public key, you would not be able to view the message again, unless you somehow obtained their private key. Adding yourself as a second recipient encrypts the message two separate times, one for each recipient.

Decrypt Messages

When you receive a message, simply call GPG on the message file:

The software will prompt you as necessary.

If instead of a file, you have the message as a raw text stream, you can copy and paste it after typing gpg without any arguments. You can press “CTRL-D” to signify the end of the message and GPG will decrypt it for you.

Key Maintenance

There are a number of procedures that you may need to use on a regular basis to manage your key database.

Gnupg Use Key File Generated In Another Machine In Minecraft

To list your available GPG keys that you have from other people, you can issue this command:

Your key information can become outdated if you are relying on information pulled from public key servers. You do not want to be relying on revoked keys, because that would mean you are trusting potentially compromised keys.

You can update the key information by issuing:

This will fetch new information from the key servers.

You can pull information from a specific key server by using:

Gnupg Use Key File Generated In Another Machine In One

You may receive error messages if any of your keys cannot be found on the key server.

Gnupg Use Key File Generated In Another Machine In Texas

Conclusion

Gnupg Use Key File Generated In Another Machine In The World

Using GPG correctly can help you secure your communications with different people. This is extremely helpful, especially when dealing with sensitive information, but also when dealing with regular, everyday messaging.

Gnupg Use Key File Generated In Another Machine In Computer

Because of the way that certain encrypted communications can be flagged by monitoring programs, it is recommended to use encryption for everything, not just “secret” data. That will make it more difficult for people to know when you are sending important data or just sending a friendly hello.