How to generate PGP keys using GPG on Linux

by admin


The GNU Privacy Guard application allows you to encrypt and decrypt information, create public and private encryption keys, and use or verify digital signatures. GPG is based on the use of a pair of keys, one public and one private (or “secret”). Data encrypted with one key can only be decrypted with the other. To encrypt a message to you, someone would use your public key to create a message that could only be unlocked with your private key. To sign information, you would lock it with your private key, allowing anyone to verify that it came from you by unlocking it with your public key.

GPG has dozens of additional options that fine-tune its behaviour. In this post we will see how to generate PGP keys using GPG on Linux.

Step 1: Confirm GPG version.

# gpg --help

gpg (GnuPG) 1.4.5
Copyright (C) 2006 Free Software Foundation, Inc.

Step 2: Start the key generation process. Enter the following command to start generating your key:

gpg --gen-key

Select the type of key

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)      ## SELECT THIS OPTION
Your selection? 5

Select the key size

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048

Requested keysize is 2048 bits

Select the expiration time

Please specify how long the key should be valid.
0 = key does not expire                 ## SELECT THIS OPTION
<n> = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0

Key does not expire at all

Is this correct? (y/N) y

Enter user name and email

You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:

"[NAME] (comment) <[USERNAME]@[DOMAIN_NAME].com>"

Real name: [Name]
Email address: [USERNAME]@[DOMAIN_NAME].com
Comment: comment
You selected this USER-ID:
"[Name] (comment) <[USERNAME]@[DOMAIN_NAME].com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Enter passphrase to protect secret key

You need a Passphrase to protect your secret key.

Enter passphrase: *******
Repeat passphrase: *******

We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

You may see the following message. If you do, follow the instructions and the key generation process will start automatically.

Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 284 more bytes)

..+++++
...+++++
gpg: key F709C771 marked as ultimately trusted
public and secret key created and signed

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0m, 0n, 0f, 1u
pub   2048R/F709C771 2015-05-27
      Key fingerprint = BDC2 5293 DB14 C218 D2DA 711C EB0A 564A F709 C771
uid                  [Name] (comment) <[USERNAME]@[DOMAIN_NAME].com>

Note that this key cannot be used for encryption. You may want to use the command “--edit-key” to generate a subkey for this purpose.

Key generation is complete. At this point you have a private/public key pair with usage “SC” (sign and certify): the private key signs data and certifies other keys, and the public key lets anyone verify those signatures, but neither can be used for encryption. The next step is to add a subkey that will be used for encryption.

Step 3: Add a subkey for encryption. Enter the following command to open your key in the key editor:

# gpg --edit-key '[NAME]'
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub 2048R/F709C771 created: 2015-05-27 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). [Name] (comment) <[USERNAME]@[DOMAIN_NAME].com>

Enter the edit-key command

Command> addkey

Key is protected.

Enter the passphrase you specified in step 2

You need a passphrase to unlock the secret key for
user: "[Name] (comment) <[USERNAME]@[DOMAIN_NAME].com>"
2048-bit RSA key, ID F709C771, created 2015-05-27

Enter passphrase: *******

user: "[Name] (comment) <[USERNAME]@[DOMAIN_NAME].com>"
2048-bit RSA key, ID F709C771, created 2015-05-27

Select the type of key

Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)              ## SELECT THIS OPTION
Your selection? 6

Select the key size

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048

Requested keysize is 2048 bits

Select the expiration time

Please specify how long the key should be valid.
0 = key does not expire       ## SELECT THIS OPTION
<n> = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0

Key does not expire at all
Is this correct? (y/N) Y
Really create? (y/N) Y

We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

You may see the following message. If you do, follow the instructions and the subkey generation process will start automatically.

Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 277 more bytes)

..........+++++
..........+++++

pub 2048R/F709C771 created: 2015-05-27 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/13DA9D02 created: 2015-05-27 expires: never usage: E
[ultimate] (1). [Name] (comment) <[USERNAME]@[DOMAIN_NAME].com>

Note: pub is the primary key, used for signing and certifying (usage SC); sub is the new subkey, used for encryption only (usage E).

Exit the edit-key editor and save your changes

Command> q
Save changes? (y/N) y

Subkey generation for encryption purposes is complete. The next step is to verify and export the keys.

Step 4: List your keys. Enter the following command to list the key on your keyring:

# gpg -k
/home/[USERNAME]/.gnupg/pubring.gpg
--------------------------------
pub 2048R/F709C771 2015-05-27
uid                  [Name] (comment) <[USERNAME]@[DOMAIN_NAME].com>
sub 2048R/13DA9D02 2015-05-27

Step 5: Export the public key (including the subkey) in ASCII-armored format. Enter the following commands to export the key and display the result:

# gpg --armor --output [Name]-pub-sub.asc --export '[Name]'
# cat [Name]-pub-sub.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

“[.......Removed the PGP KEY...... ]”

-----END PGP PUBLIC KEY BLOCK-----
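The whole procedure above (steps 2 to 5: an RSA sign-only primary key, an RSA encrypt-only subkey, listing the keyring and exporting the armored public key), together with the encrypt/sign round trip described in the opening paragraph, can also be driven unattended from a script. The following is an added example, not code from the original post: it uses gpg's `--batch` key-parameter file instead of the interactive dialogue, works in a throw-away `GNUPGHOME` so it never touches `~/.gnupg`, and reads the usage flags back with `--with-colons` to confirm that the primary key can sign and the subkey can encrypt. It assumes GnuPG 2.1 or newer for the `%no-protection` directive (on the 1.4.x shown in the post you would use a `Passphrase:` line instead); the name and e-mail address are placeholders, and the message is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): the interactive gpg --gen-key /
# --edit-key dialogue above, driven unattended with a --batch parameter file.
# Assumes GnuPG >= 2.1 (for %no-protection). "Example User" / user@example.com
# are placeholders.
set -eu

# Isolated keyring so the example never touches ~/.gnupg.
make_keyring() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}

# Steps 2 and 3 in one go: RSA sign-only primary key plus RSA encrypt-only
# subkey. Expire-Date: 0 mirrors the post; in a real deployment set an expiry
# so a lost or stolen key does not stay valid forever.
generate_keys() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Example User
Name-Comment: comment
Name-Email: user@example.com
Expire-Date: 0
%commit
EOF
}

# Step 4, machine-readable: in --with-colons output field 12 holds the usage
# flags (s = sign, c = certify, e = encrypt; upper case = whole key).
primary_usage() {
    gpg --batch --with-colons --list-keys user@example.com \
        | awk -F: '$1 == "pub" { print $12; exit }'
}
subkey_usage() {
    gpg --batch --with-colons --list-keys user@example.com \
        | awk -F: '$1 == "sub" { print $12; exit }'
}

# The full fingerprint (40 hex digits) is what a recipient should compare
# out of band before trusting an exported key; a short ID like F709C771 is
# too short to rely on.
key_fingerprint() {
    gpg --batch --with-colons --fingerprint user@example.com \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 5: export primary key and subkey in ASCII armour.
export_public_key() {
    gpg --batch --armor --export user@example.com
}

# The opening paragraph in practice: encrypt to the public key and decrypt with
# the private key, then clearsign with the private key and verify with the
# public key. Prints "<decrypted text>|ok" on success.
roundtrip() {
    msg="constructed sample message"          # constructed sample input
    # --trust-model always is acceptable only because we generated this key
    # ourselves moments ago; for imported keys rely on the web of trust.
    enc=$(printf '%s' "$msg" | gpg --batch --quiet --trust-model always \
              --armor --encrypt --recipient user@example.com)
    dec=$(printf '%s' "$enc" | gpg --batch --quiet --decrypt)
    sig=$(printf '%s' "$msg" | gpg --batch --quiet --armor --clearsign)
    if printf '%s' "$sig" | gpg --batch --quiet --verify >/dev/null 2>&1; then
        verified=ok
    else
        verified=fail
    fi
    printf '%s|%s\n' "$dec" "$verified"
}

# Stop the agent started for the temporary home and remove the keyring.
cleanup() {
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent || true
    [ -n "${GNUPGHOME:-}" ] && rm -rf "$GNUPGHOME" || true
}

main() {
    make_keyring
    generate_keys
    printf 'primary usage: %s\nsubkey usage: %s\nfingerprint: %s\n' \
        "$(primary_usage)" "$(subkey_usage)" "$(key_fingerprint)"
    export_public_key
    roundtrip
    cleanup
}

# Run the full flow with: sh gen-keys.sh demo
case "${1:-}" in demo) main ;; esac
```

After `generate_keys`, `primary_usage` prints something like `scESC` and `subkey_usage` prints `e`, which is the scripted equivalent of the `usage: SC` / `usage: E` lines in the `--edit-key` output above. The parameter file is the part worth keeping: it documents exactly which algorithm, size, usage and expiry a key was created with, which the interactive session does not.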

Filed Under: CentOS/RHEL, Linux
