On behalf of the attendees, thank you Adrian for your OCLUG tutorial on how to use GnuPG for securing email.

For those that attended, and for those that could name the tutorial, below is a summary on how to create your new PGP key. Adrian and I will hold a small "key signing party" after the general meeting next week to place those keys into the OCLUG web of trust.

First, to create a new key follow these steps:

1) prepare the .gnupg directory

    gpg --list-key

2) create a new main key

    gpg --gen-key

   select '(2) DSA (sign only)'; you can leave this key to never expire.

3) create a sub key that expires relatively soon

   the output of the last command will list the main key that was created; it looks like '1024D/E5B5EC9E'. You will want to copy the part after the slash (the key ID) and edit that key:

    gpg --edit-key E5B5EC9E

   (substitute E5B5EC9E for your key ID)

   run command 'addkey' and select '(4) Elgamal (encrypt only)'; select between 2048 and 4096 bits, and make it expire relatively soon (Adrian suggested at the end of the year, which is about 120 days).

   once done run 'save'.

4) publish your key

    gpg --send-key E5B5EC9E

   (substitute E5B5EC9E for your key ID)

~~~

Next, to get your key signed by others on Tuesday, you will need to bring the following:

- a government published and easily identifiable picture ID (or multiple)

- a few copies of your key fingerprint; you will need to give one of these to each person that you want to sign your key. The best thing would be to print out the output of the following command multiple times on a page and cut them into strips:

    gpg --fingerprint E5B5EC9E

  (substitute E5B5EC9E for your key ID)

I have written a script that does just that...

    http://www.jukie.net/~bart/scripts/gpg-fpr-slips

If you choose to, or have to, do it by hand, then make sure that the information you give the other person includes:

- Your name (must be the same as your ID)
- Your key ID
- Your email address (same as the key you generated)
- The key fingerprint

Have a look at 'gpg --fingerprint' output.

~~~

The "key signing party" is relatively simple. You will be given a slip of paper by each of the individuals, and will be shown their photo ID. You will verify that the photo ID matches the name on the slip of paper.

When you go home you will retrieve their key from the internet, verify the fingerprint and sign them.

    gpg --recv-key <their key id>
    gpg --edit-key <their key id>
    fpr

At this point you must verify that the output of the 'fpr' command matches the bits you were given on the slip of paper (particularly the fingerprint, name and email address). If not, say 'quit', otherwise continue with...

    sign
    trust
    save
    gpg --send-key <their key id>

See you on Tuesday.

-Bart

--
WebSig: http://www.jukie.net/~bart/sig/

----- End forwarded message -----

--
WebSig: http://www.jukie.net/~bart/sig/
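The slip-versus-keyserver comparison described in the message can also be done mechanically. The following is an added example, not part of the original message or of the gpg-fpr-slips script: it assumes the retrieved key is listed with `gpg --with-colons --fingerprint <their key id>`, and the sample listing, fingerprint and user ID in it are constructed (only the key ID E5B5EC9E comes from the message).

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint E5B5EC9E` output; the
# fingerprint, timestamps and user ID are made up for illustration.
SAMPLE_LISTING = """\
pub:u:1024:17:C3D2E1F0E5B5EC9E:1125000000:::u:::scSC:
fpr:::::::::0F1E2D3C4B5A69788796A5B4C3D2E1F0E5B5EC9E:
uid:u::::1125000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:2048:16:1122334455667788:1125000000:1135000000:::::e:
fpr:::::::::FFEEDDCCBBAA9988776655441122334455667788:
"""

# "Name (optional comment) <email>" as it appears in field 10 of a uid record.
UID_RE = re.compile(r"^(?P<name>.*?)(?: \([^)]*\))? <(?P<email>[^<>]+)>$")

def parse_listing(text):
    """Return (primary key fingerprint, [user IDs]) from --with-colons output."""
    fpr, uids = None, []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] == "fpr" and fpr is None:
            fpr = f[9].upper()      # first fpr record is the primary key's;
                                    # later ones belong to subkeys
        elif f[0] in ("pub", "uid") and f[9]:
            uids.append(f[9].replace("\\x3a", ":"))  # gpg escapes ':' as \x3a
    return fpr, uids

def check_slip(listing, slip_fpr, slip_key_id, slip_name, slip_email):
    """Return the list of mismatches; an empty list means key and slip agree."""
    fpr, uids = parse_listing(listing)
    want = re.sub(r"\s+", "", slip_fpr).upper()
    key_id = re.sub(r"^0x", "", slip_key_id, flags=re.I).upper()
    problems = []
    # Compare the full 40-digit fingerprint: a short key ID alone is only the
    # last 8 hex digits of it and is not unique.
    if len(want) != 40 or want != fpr:
        problems.append("fingerprint")
    if not want.endswith(key_id):
        problems.append("key ID")
    parsed = [m for m in map(UID_RE.match, uids) if m]
    if not any(m["name"] == slip_name and
               m["email"].lower() == slip_email.lower() for m in parsed):
        problems.append("user ID")
    return problems
```

An empty result means the downloaded key matches the slip; checking the photo ID against the name on the slip still has to be done in person.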