D&C GLug - Home Page


Re: [LUG] Meeting this saturday

On Friday 19 August 2005 7:42 pm, Rob Beard wrote:
> Right,
>
> So if I create a key, I'm assuming I have to do this on a Linux system?

Not necessarily, but it's usually easier to start using GnuPG on Debian than it 
is to install WinPT and associated tools on XP.

> If I was to create the private key on a temporary Debian system, could I
> transfer it to CD and then transfer it to another system (say if I
> reinstall the OS, or upgrade/replace the PC)?

Keys are in two parts - the public bit is what you give to me. The private bit 
is what you use to decrypt what I've sent you using that public key. Anyone 
can encrypt to you, only you can decrypt it. Equally, only you can MAKE a 
signature (say on an email) because that uses the private part of the key - 
anyone can verify that signature using the public part of the key.

Once you've got the key it can be exported. --export just deals with the 
public part, --export-secret-key exports the private part that allows you to 
import the key on another system and continue to use it. (It's protected by 
your passphrase so make the passphrase GOOD!) The public key is best kept on 
a keyserver, the private key must be kept secure and it is your 
responsibility to ensure that you are always the sole person able to access 
that private key.

No need to transfer it via CD, it ain't that big. A USB stick, even a floppy 
will do fine. In fact, writing the secret key to a CD is generally a bad idea 
- even a CDRW that you can erase later doesn't always erase the old data, it 
may just hide it. Always give away the public key, always guard the private 
key. Where possible, transfer the secret key directly between the two 
machines using SSH etc.

To create a new key from a Debian system, just check gnupg is installed:

$ gpg --version

(If not, apt-get install gnupg as root).

The first time you run gpg it creates a home directory and associated files 
(and tells you what it is doing).

Then:

$ gpg --gen-key
http://www.dcglug.org.uk/linux_doc/startgnupg.html#generate

Accept the defaults, put in sensible details (they will remain on this key for 
good) like your full name, your usual current email address and a comment 
about what you do etc.

Then use:

$ gpg --list-keys

That will show you the key details - you'll only have your own key listed at 
this stage usually. Make a mental note of the keyid - the first line of the 
list key output includes:
pub   1024D/28BCB3E3 2002-01-27

pub - this is the public key part.
1024D - key size and type
28BCB3E3 - my key id.
and then the date the key was created.

Create the revocation certificate, as described above, and store it safely.
$ gpg --gen-revoke your_key_id

Now publish your key to a keyserver (subkeys.pgp.net is best) so that when you 
ask people to sign your key they can actually get hold of it.

Now create the fingerprint output you can print and bring with you:

$ gpg --fingerprint your_key_id > mykey.txt

Don't forget your photo ID and when you get home, be prepared to respond to 
emails from other members who want to verify your email address.

You can learn about subkeys, encryption, keysigning and trust at the meeting.

-- 

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

Attachment: pgpAMB6S9tmOU.pgp
Description: PGP signature
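The procedure from Neil's reply (generate the key, note the key id, keep the revocation certificate, export the public and secret parts, print the fingerprint, move the secret key to a rebuilt PC) as one scripted run, with the sign/verify and encrypt/decrypt split between the two halves of the key exactly as he describes it. This is an added example written for this page, not code from the original post or from GnuPG's own documentation. It assumes GnuPG 2.1 or later on PATH: the --batch, --pinentry-mode loopback and --quick-generate-key options are newer than the 2005 message, and those versions write the revocation certificate that `gpg --gen-revoke` produces interactively automatically at key generation time. The identity, passphrase and message texts are constructed for the demonstration, and everything happens in throwaway keyrings under mktemp, so your real ~/.gnupg is never touched.

```shell
#!/bin/sh
# Added example (not from the original post): the GnuPG key lifecycle Neil
# describes, run non-interactively in throwaway keyrings. Assumes GnuPG 2.1+.
set -eu

DEMO_UID='Demo User <demo@example.invalid>'    # constructed identity
DEMO_PASS='correct horse battery staple'       # constructed passphrase

# A fresh, private keyring directory standing in for one machine; prints its path.
new_machine() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Run gpg against one machine's keyring in batch/loopback mode, so the
# passphrase comes from $DEMO_PASS instead of a pinentry prompt.
g() {
    kr=$1; shift
    GNUPGHOME=$kr gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$DEMO_PASS" "$@"
}

# Scripted equivalent of the interactive `gpg --gen-key`; prints the
# 40-hex-digit fingerprint of the new primary key.
gen_key() {                                     # $1 = machine
    g "$1" --quick-generate-key "$DEMO_UID" default default never
    g "$1" --with-colons --list-keys "$DEMO_UID" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The short key id Neil points at (28BCB3E3 in his listing) is the last eight
# hex digits of the fingerprint; modern gpg shows the long id or the whole
# fingerprint instead. Pure string function, no gpg needed.
short_keyid() {
    printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 7) }'
}

run_demo() {
    old=$(new_machine); neil=$(new_machine); new=$(new_machine)
    work=$(mktemp -d)

    # 1. Generate on the temporary Debian box and note the key id.
    DEMO_FPR=$(gen_key "$old")
    DEMO_KEYID=$(short_keyid "$DEMO_FPR")

    # 2. GnuPG 2.1+ stores a revocation certificate at generation time (the
    #    interactive --gen-revoke in the post makes the same thing). Keep a
    #    copy somewhere safe; here it just goes into the work directory.
    cp "$old/openpgp-revocs.d/$DEMO_FPR.rev" "$work/revoke.asc"

    # 3. --export is the public part (keyserver, Neil); --export-secret-keys is
    #    the passphrase-protected private part (only ever for you).
    g "$old" --armor --export "$DEMO_FPR" > "$work/public.asc"
    g "$old" --armor --export-secret-keys "$DEMO_FPR" > "$work/secret.asc"
    g "$old" --fingerprint "$DEMO_FPR" > "$work/mykey.txt"     # the printout

    # 4. Neil holds only the public key: he can encrypt to you and verify your
    #    signatures, nothing more. --trust-model always stands in for the trust
    #    he would otherwise establish by checking your photo ID and signing
    #    your key at the meeting; do not use it outside a demo.
    g "$neil" --import "$work/public.asc"
    printf 'hello from neil\n' > "$work/plain.txt"
    g "$neil" --trust-model always --armor --recipient "$DEMO_UID" \
        --output "$work/cipher.asc" --encrypt "$work/plain.txt"

    # 5. The reinstalled PC imports the secret export (no CD involved), then
    #    uses the private half to decrypt Neil's message and to sign a reply.
    g "$new" --import "$work/secret.asc"
    DEMO_DECRYPTED=$(g "$new" --decrypt "$work/cipher.asc")
    printf 'hello from rob\n' > "$work/reply.txt"
    g "$new" --armor --detach-sign --output "$work/reply.sig" "$work/reply.txt"

    # 6. Neil verifies with the public key alone. GOODSIG says the signature is
    #    valid for that key; whether the key really belongs to Rob is what
    #    keysigning and the web of trust settle, so gpg also warns about trust.
    if g "$neil" --status-fd 1 --verify "$work/reply.sig" "$work/reply.txt" \
            2>/dev/null | grep -q '^\[GNUPG:\] GOODSIG'; then
        DEMO_GOODSIG=yes
    else
        DEMO_GOODSIG=no
    fi

    echo "key id $DEMO_KEYID (fingerprint $DEMO_FPR)"
    echo "decrypted: $DEMO_DECRYPTED; signature: $DEMO_GOODSIG"

    for m in "$old" "$neil" "$new"; do
        GNUPGHOME=$m gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$old" "$neil" "$new" "$work"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo 'gpg not found: apt-get install gnupg (as root) first' >&2
fi
```

Run it with `sh keylife.sh`; it prints the short key id, the fingerprint, the decrypted text and whether Neil's verification returned GOODSIG, then removes its temporary keyrings. The one liberty it takes is `--trust-model always` on Neil's side: batch encryption to a key nobody has certified is refused by default, and the meeting's keysigning (verify photo ID, sign the key, reply to the address confirmation) is the proper way to earn that trust.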