Keysigning with the GNU/Linux Terminal

Abstract

This is a quick guide to participating in a key-signing party using the gpg command line program on GNU/Linux.

Table of Contents

Before the Party
After the Party
Additional Resources

Before the Party

Create your key

Before you can participate in a keysigning party, you need a key.

  1. Generate a key pair:

    gpg --gen-key
    1. Choose the default (DSA and Elgamal)

    2. Since you want your key pair to be safe, it is a good idea to choose the largest possible key size (4096)

    3. You don't really need to set a key expiry period, so choose the default (0)

    4. Enter your full name, preferably just as it appears on your proof of ID

    5. Enter your email address; this must be your real email address!

      If you have more than one email address, choose the one you prefer to use; other email addresses can be associated with this key pair later.

    6. Choose a strong passphrase!

      For some help on choosing a strong passphrase, see Wikipedia: Password Strength

    GPG will now generate your key pair. During this process, it needs random data to make it truly unique. Random data is gathered from keyboard input, mouse movement, and other actions, so do something else with your computer for a moment. After a short time, GPG will have finished creating your key.

Important information about keys

GPG stores its keys in keyring files, typically one public and one private keyring.

To find information about all the keys in your keyrings:

gpg --list-keys --fingerprint

To find information about only your keys:

gpg --list-secret-keys --fingerprint

An example key

pub   1024D/01234567 1996-06-10
      Key fingerprint = 0995 ECD6 3843 CBB3 C050  28CA E103 6EED 0123 4567
uid                  Tux T. Penguin <tux@kernel.org>
sub   4096g/FEDCBA98 1996-06-10

  • pub: this is a public key
  • 1024D: this is a 1024-bit DSA key
  • 01234567: this eight-digit hexadecimal number is the ID number of your key
  • 1996-06-10: this is the date on which your key was created
  • Key fingerprint: this is the fingerprint of your key, used to verify its identity
  • uid: this is the user ID information associated with your key
  • sub: your key may have one or more subkeys

This key stands in for your own key in the following examples; replace its values with those from your key.

Make sure you keep your private key and passphrase safe!

  • Never write down or tell anyone your passphrase.

  • Remember your passphrase and don't lose your private key. You will not be able to access your encrypted data without both of them!

  • Make sure the permissions of your private keyring file prevent all access by other users.

  • If you have a safe or lock-box, consider printing out a copy of your public and private keys and storing it there, but commit your passphrase to memory.

Share your public key

In order for other people to send you encrypted data or verify your signatures, you must share your public key with the world. There are several keyservers you may use for this at no cost.

  1. Specify a default keyserver:

    1. If it does not already exist, create the file ~/.gnupg/gpg.conf

    2. Add the line of text:

      keyserver	hkp://subkeys.pgp.net
  2. Send your public key to the keyserver:

    gpg --send-keys 01234567

    All the keyservers periodically synchronize with each other, so you only need to send your key to one of them. It is therefore best to send your key to the keyserver several days ahead of the signing party so it will have propagated to every keyserver.
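The two configuration steps above can be scripted so that they are safe to run more than once. The following shell function is an added example, not part of the original guide: it creates ~/.gnupg and gpg.conf if they are missing (with permissions that keep other users out, which matters because the same directory holds the private keyring), and appends a keyserver line only when the file does not already have one. The path and keyserver URL default to the guide's values but can be passed as arguments; the function names are hypothetical.

```shell
# Added example, not part of the original guide: make sure a gpg.conf carries
# exactly one "keyserver" line. The file and its parent directory are created
# if missing, with private permissions, and the line is only appended when no
# keyserver setting exists yet, so the function is idempotent.
# Usage: ensure_keyserver [conf_file] [keyserver_url]

ensure_keyserver() {
    conf="${1:-$HOME/.gnupg/gpg.conf}"
    url="${2:-hkp://subkeys.pgp.net}"   # the value used in the guide above
    dir=$(dirname "$conf")

    # Create the GnuPG home if needed; it must not be readable by other users.
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
        chmod 700 "$dir" || return 1
    fi
    # Create an empty config file if it does not already exist.
    if [ ! -f "$conf" ]; then
        : > "$conf" || return 1
        chmod 600 "$conf" || return 1
    fi
    # Only add the line when no uncommented keyserver setting is present yet.
    if grep -Eq '^[[:space:]]*keyserver[[:space:]]' "$conf"; then
        return 0
    fi
    printf 'keyserver\t%s\n' "$url" >> "$conf"
}

# Report the keyserver currently configured in a gpg.conf (first match wins).
current_keyserver() {
    awk '$1 == "keyserver" { print $2; exit }' "$1"
}
```

Running ensure_keyserver a second time leaves the file unchanged, so it can be kept in a setup script without producing duplicate keyserver lines.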

Print copies of your public key

  1. Make a text file containing information about your public key:

    gpg --fingerprint 01234567 >> key.txt
  2. Repeat this command or use a text editor to add enough copies of your key information to this file to fill one page.

    By default, 6 lines of text are printed on an inch of paper, so you can usually fit 12 copies of your key information per page of US Letter paper.

  3. Print the file:

    lp key.txt

    Print as many pages as you will need to give one copy of your key information to each participant.

  4. Cut the pages into strips, with one full set of key information on each strip.

    If you have your own business cards, consider having your key ID printed on them.
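Steps 1 and 2 above amount to counting how many copies of the fingerprint block fit on one page and repeating the block that many times. The following is an added example, not part of the original guide: it takes the output of gpg --fingerprint from a file (so that no gpg installation is needed to run it) and fills key.txt with as many complete copies as fit, separating each copy with a blank line so the strips can be cut apart cleanly. The page length defaults to 60 printable lines, which is an assumption (66 lines of an 11-inch page at 6 lines per inch, less a margin allowance) that gives the guide's 12 copies for a four-line key block; adjust it for your printer. The sample block is constructed from the guide's example key, and the function names are hypothetical.

```shell
# Added example, not part of the original guide: fill one page with copies of
# a key's fingerprint block, as the "Print copies" steps do by hand.
# The block is read from a file (one gpg --fingerprint output) so this runs
# without gpg. Page length is an assumed 60 printable lines; pass a third
# argument to fill_page to use a different figure for your printer.

# Constructed sample: the guide's example key as gpg --fingerprint prints it.
sample_block() {
    cat <<'EOF'
pub   1024D/01234567 1996-06-10
      Key fingerprint = 0995 ECD6 3843 CBB3 C050  28CA E103 6EED 0123 4567
uid                  Tux T. Penguin <tux@kernel.org>
sub   4096g/FEDCBA98 1996-06-10
EOF
}

# How many whole copies of an N-line block fit on a page of M lines.
# Fails if the block is empty or longer than the page.
copies_per_page() {
    lines_per_copy=$1
    lines_per_page=${2:-60}
    [ "$lines_per_copy" -gt 0 ] && [ "$lines_per_copy" -le "$lines_per_page" ] || return 1
    echo $(( lines_per_page / lines_per_copy ))
}

# Write enough copies of the block in $1 to $2 to fill one page and print the
# number of copies written. A blank separator line is counted as part of each
# copy so that every strip ends in white space.
fill_page() {
    block=$1
    out=$2
    lines_per_page=${3:-60}
    block_lines=$(( $(wc -l < "$block") + 1 ))   # +1 for the separator line
    n=$(copies_per_page "$block_lines" "$lines_per_page") || return 1
    : > "$out"
    i=0
    while [ "$i" -lt "$n" ]; do
        cat "$block" >> "$out"
        echo >> "$out"
        i=$(( i + 1 ))
    done
    echo "$n"
}
```

With a real key the block file would come from gpg --fingerprint 01234567 > block.txt, after which fill_page block.txt key.txt produces the file to print with lp.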

For the party, you will need these strips and an official photo ID, such as a driver's license or passport.

After the Party

Get other people's keys

You now have the printed public key information from the other participants.

Example key IDs for the other participants will be E4758D1D, C27659A2, and 09026E7B. Replace these IDs with the key IDs you received from the other participants.

  1. Find the key ID numbers on each printout and get the public keys from the keyservers:

    gpg --recv-keys E4758D1D C27659A2 09026E7B

Sign the keys

  1. Sign a key:

    gpg --sign-key E4758D1D
    1. If a key has multiple user IDs, GPG will ask if you want to sign all of them. Unless they seem suspicious to you, it is usually all right to sign all of the user IDs.

    2. Compare all of the information displayed by GPG with the information on the paper; only sign the key if it matches exactly.

    3. GPG will ask for the passphrase for your secret key, enter it and GPG will sign the other person's key with yours.

  2. Repeat this procedure with the other keys.

    gpg --sign-key C27659A2
    gpg --sign-key 09026E7B
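The comparison in step 2 is the whole point of the party: a signature certifies that the fingerprint GPG shows you is the one the person handed you. The following is an added example, not part of the original guide, of doing that comparison mechanically. It normalises both fingerprints (spacing and case differ between printouts) and also checks that the eight-digit key ID on the pub line is the last eight hex digits of the fingerprint, which is how the short ID of a version 4 key is derived; a strip whose ID matches but whose fingerprint does not is rejected, and so is one where the two disagree with each other. The gpg output is constructed from the guide's example key so that the script runs without gpg; the function names are hypothetical.

```shell
# Added example, not part of the original guide: check a key's fingerprint as
# shown by gpg against the fingerprint on the paper strip before signing it.
# Fingerprints are compared after removing whitespace and case differences,
# and the short key ID (last 8 hex digits of a v4 fingerprint) is checked
# against the pub line. The sample gpg output below is constructed from the
# guide's example key; no gpg installation is needed to run this.

# Constructed sample: what gpg --fingerprint 01234567 prints for the example key.
sample_gpg_output() {
    cat <<'EOF'
pub   1024D/01234567 1996-06-10
      Key fingerprint = 0995 ECD6 3843 CBB3 C050  28CA E103 6EED 0123 4567
uid                  Tux T. Penguin <tux@kernel.org>
sub   4096g/FEDCBA98 1996-06-10
EOF
}

# Normalise a fingerprint: drop all whitespace, upper-case the hex digits.
norm_fp() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Extract the fingerprint from gpg --fingerprint style output on stdin.
fp_from_gpg() {
    sed -n 's/^.*Key fingerprint = //p' | head -n 1
}

# Extract the short key ID (the part after "/") from the pub line on stdin.
keyid_from_gpg() {
    sed -n 's#^pub *[0-9]*[A-Za-z]/\([0-9A-Fa-f]\{8\}\).*#\1#p' | head -n 1
}

# verify_strip GPG_OUTPUT PAPER_FINGERPRINT
# Succeeds only if the fingerprint on paper equals the one gpg shows and the
# key ID on the pub line is consistent with that fingerprint.
verify_strip() {
    gpg_output=$1
    paper_fp=$(norm_fp "$2")
    shown_fp=$(norm_fp "$(printf '%s\n' "$gpg_output" | fp_from_gpg)")
    keyid=$(printf '%s\n' "$gpg_output" | keyid_from_gpg | tr 'a-f' 'A-F')

    [ "${#shown_fp}" -eq 40 ] || { echo "could not read a 40-digit fingerprint from gpg output" >&2; return 1; }
    [ "$shown_fp" = "$paper_fp" ] || { echo "fingerprint mismatch: do not sign" >&2; return 1; }
    tail8=$(printf '%s' "$shown_fp" | tail -c 8)
    [ "$keyid" = "$tail8" ] || { echo "key ID $keyid does not match fingerprint: do not sign" >&2; return 1; }
    echo "fingerprint and key ID match: OK to sign $keyid"
}
```

In practice the first argument would be the output of gpg --fingerprint for the key you are about to sign and the second the fingerprint typed in from the strip; the key ID alone is far too short to identify a key, so it is the full fingerprint comparison that decides whether to run gpg --sign-key.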

Send the signatures

Instead of sending the signed keys back to the keyserver, send each key to its owner via email.

  1. Export each key signature:

    gpg --armor --output E4758D1D.signed-by.01234567.asc --export E4758D1D
    gpg --armor --output C27659A2.signed-by.01234567.asc --export C27659A2
    gpg --armor --output 09026E7B.signed-by.01234567.asc --export 09026E7B
  2. Use your preferred email program to compose messages to the email address from each key's user ID and attach the corresponding signature file.

    If possible, have your email program encrypt these messages with the corresponding keys.

Share your signed key

  1. Once you have received signature files from the other participants, import them into your keyring:

    gpg --import 01234567.signed-by.E4758D1D.asc
    gpg --import 01234567.signed-by.C27659A2.asc
    gpg --import 01234567.signed-by.09026E7B.asc
  2. You should see the signatures with:

    gpg --list-sigs 01234567
  3. Send your key to the keyserver:

    gpg --send-keys 01234567

That's it: your key is now signed and you have enlarged your web of trust.

Additional Resources

GPG comes with a manual page, which describes how to use it. View it with:

man gpg

For more information on keysigning parties, see The Keysigning Party HOWTO.

For more information on GPG, see The GnuPG Documentation.