

I had a fairly hard time understanding all of the ins and outs of managing keys using the gnupg tool ‘gpg’. Pretty much all of the documentation is procedural - how to use the tool to accomplish some specific tasks. Many questions that I had were tangential to the particular procedure, and therefore not covered where I needed it to be. For me, the key to understanding how to work with gpg was to understand the packet structure of the underlying OpenPGP Message Format (RFC4880), which defines how gpg messages, signatures, and key material are stored.

It’s best that you have an understanding of data encryption and data signing using public key cryptography before you read this. You should also know about key signing and the reason for it. Oh, and also binary-to-hexadecimal conversion for one (small) part. Having said that, let’s be clear on a couple of terms:

Key certificate - Part of the challenge of understanding gpg key management documentation is the flexibility in the definition of the word ‘key’. It can refer to a specific private or public key, or to a particular key pair, or to the OpenPGP ‘certificate’ that defines a suite of information associated with a key or set of keys. I will use the terms “key/public key” and “key certificate” to distinguish between the possible interpretations. We will be focusing on the key certificate. Key pairs and private keys will not come up here.

Public key - This post is working with the published version of the key certificate. Therefore, only public keys are described (the ones that encrypt and verify signatures). Your local version of your key also includes the associated private keys (for decryption and signature creation), to define the key pair.

Subkey - A PGP key certificate may contain other information besides the primary key. The additional keys are “subkeys” in that they achieve their web-of-trust validity by way of the primary key. That means they can be changed at will by the key owner without affecting the status of external key signatures.

UID, or User ID - The name and email of the user is stored in one or more UID entries, stored under the primary key.

Key ID - A hexadecimal string that identifies a key (usually the primary key).

Signing - ‘Signing’ is an action against arbitrary data. ‘Certification’ is the signing of another key. Ironically, the act of certifying a key is universally called “key signing”.

Key packet - ‘Packet’ is the term used by RFC4880 to identify a component of the message/certificate format. Messages and key certificates are made up of packets and subpackets of various types.

Trust, Validity, and the Web of Trust - gpg uses a model of ‘trust’ of users (defined locally-only using the ‘trust’ edit command) and reported ‘validity’ of keys (defined by key signatures/certificates). The combination creates a “Web of Trust”, starting with locally-defined trust statements about users, and passing through multiple levels of key-signature-defined validity links to other keys. gpg uses the web of trust to determine if a key is acceptable for use without warning the user.
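The packet, Key ID and public-key definitions above, as an added example that is not from the original post: a small Python walker over a constructed (not real) OpenPGP public key certificate. It parses both RFC 4880 packet header formats (old, section 4.2.1, and new, section 4.2.2), computes the version 4 fingerprint as SHA-1 over the octet 0x99, a two-octet length and the key packet body (section 12.2), and derives the Key ID as the low 64 bits of that fingerprint, which is also where the binary-to-hexadecimal step comes in. The function names, the fake RSA modulus values and the User ID are my own; the "self-signature" packet carries opaque filler because signature internals are not parsed here, and partial body lengths are not handled.

```python
"""Walk the packets of an OpenPGP public key certificate (RFC 4880).

Constructed example: the key material below is made up for illustration
and is not a real key. Assumptions: old-format headers on the key packets
(as gpg emits), new-format headers on the rest, no partial body lengths.
"""
import hashlib
import struct

# Packet tags that appear in a key certificate (RFC 4880, section 4.3).
PACKET_NAMES = {2: "Signature", 6: "Public-Key", 13: "User ID",
                14: "Public-Subkey", 17: "User Attribute"}


def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian octets (3.2)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def old_header(tag, body):
    """Old-format header: bit 7 set, 4-bit tag, 2-bit length type selecting 1/2/4 length octets."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0]) + struct.pack(">B", len(body))
    if len(body) < 65536:
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body))
    return bytes([0x80 | (tag << 2) | 2]) + struct.pack(">I", len(body))


def new_header(tag, body):
    """New-format header: bits 7 and 6 set, 6-bit tag, 1/2/5-octet length encoding."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n])
    if n < 8384:
        n -= 192
        return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF])
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", n)


def parse_packets(data):
    """Return a list of (tag, body) for each packet in data, handling both header formats."""
    pos, packets = 0, []
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bit 7 of the packet tag octet must be set at offset %d" % pos)
        pos += 1
        if ctb & 0x40:  # new format (4.2.2)
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported in this example")
        else:  # old format (4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            nbytes = 1 << ltype
            length = int.from_bytes(data[pos:pos + nbytes], "big")
            pos += nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        pos += length
        packets.append((tag, body))
    return packets


def v4_fingerprint(pubkey_body):
    """Version 4 fingerprint: SHA-1 over 0x99, 2-octet body length, body (12.2), as upper-case hex."""
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def key_id(fingerprint_hex):
    """The (long) Key ID is the low-order 64 bits, i.e. the last 16 hex digits, of the fingerprint."""
    return fingerprint_hex[-16:]


def public_key_body(modulus, exponent, created):
    """Version 4 public key body: version, creation time, algorithm 1 (RSA), MPIs n and e (5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(modulus) + mpi(exponent)


# Constructed, NOT real keys: ~512-bit byte patterns stand in for RSA moduli.
FAKE_N = int.from_bytes(bytes(range(1, 65)), "big")
FAKE_SUB_N = int.from_bytes(bytes(range(64, 0, -1)), "big")
CREATED = 1_600_000_000  # constructed creation timestamp


def build_sample_certificate():
    """Primary key, User ID, (filler) self-certification, subkey: the usual certificate layout."""
    primary = public_key_body(FAKE_N, 65537, CREATED)
    uid = b"Alice Example <alice@example.test>"
    selfsig = b"\x04\x13" + b"\x00" * 8  # constructed filler, not a valid signature body
    subkey = public_key_body(FAKE_SUB_N, 65537, CREATED + 60)
    return (old_header(6, primary) + primary + new_header(13, uid) + uid
            + new_header(2, selfsig) + selfsig + old_header(14, subkey) + subkey)


def describe_certificate(data):
    """One human-readable line per packet, with fingerprint and Key ID for key packets."""
    lines = []
    for tag, body in parse_packets(data):
        name = PACKET_NAMES.get(tag, "tag %d" % tag)
        if tag in (6, 14):
            fp = v4_fingerprint(body)
            lines.append("%s: fingerprint %s, key ID %s" % (name, fp, key_id(fp)))
        elif tag == 13:
            lines.append("%s: %s" % (name, body.decode("utf-8")))
        else:
            lines.append("%s: %d octets" % (name, len(body)))
    return lines


if __name__ == "__main__":
    for line in describe_certificate(build_sample_certificate()):
        print(line)
```

Running the script lists the four packets of the constructed certificate in order. The same walker applied to the output of `gpg --export` on a real key shows the primary key, each UID with its certifications, and each subkey with its binding signature, which makes the "subkeys and UIDs hang off the primary key" relationship in the definitions above concrete.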
