GPG (GNU Privacy Guard) utilizes public key cryptography to provide encryption and digital signatures for securing files, emails and communications in Linux. Properly managing the GPG keys used in this system through listing, analyzing and verifying keys is essential to trusting the encryption model. This comprehensive 2600+ word guide will provide Linux administrators, developers and security experts both an overview of GPG encryption and specifics on commands to control GPG keys for robust security.
An Introduction to GPG Encryption and Key Management
Overview of Public Key Cryptography
Public key cryptography like GPG uses a key pair consisting of mathematically linked public and private keys to secure information:
-
Public Key – This key can be freely shared and is used to:
- Encrypt messages/files so only the private key holder can decrypt them
- Verify digital signatures to prove they originated from the private key owner
-
Private Key – This key must be kept completely secret and is used to:
- Decrypt messages that were encrypted with the corresponding public key
- Digitally sign documents or messages to validate they were sent by the private key holder
By utilizing these mathematically connected key pairs for encryption and authentication, secure communication can occur without having to securely exchange a common secret key between parties.
*Figure 1: GPG public and private key pairs enabling encryption and signing of communications*
GPG Keyrings
GPG stores keys in encrypted databases called keyrings on the local system:
-
Public Keyring – Contains public keys from yourself and other users you communicate with. Also includes signatures vouching for the validity of public keys along with user IDs.
-
Private Keyring – Houses your own personal private keys used for decryption and signing. Encrypted with a passphrase for security.
-
Trust Database – Defines which users you consider trusted. Used to establish validity of keys when web of trust signing is implemented.
Benefits of GPG Encryption and Principles
Some benefits GPG provides through its encryption model include:
-
Confidentiality – Messages encrypted via GPG can only be decrypted and read by intended recipients possessing the right private key.
-
Authenticity – Digital signatures enabled by GPG confirm communication originated from a trusted sender and has not been tampered.
-
Integrity – Detects if encrypted data was modified in transit by unauthorized parties through cryptographic checks.
-
Secure key exchange – Keys transmitted through GPG encryption allow protected exchange of additional single use session keys.
Adopting PGP brings the encryption technology and its security assurances for sensitive communications like personal, financial or government interactions where privacy is paramount.
Central principles of GPG‘s design include:
- Trust – Established through a web of signed and validated public keys rather than a central authority.
- Privacy – No registration or tracking of key usage or content of communications.
- Portability – Keypairs portable across devices, OS versions, and do not depend on licenses or support.
Following best practices in utilizing PGP ensures these principles are maintained.
GPG Key Listing and Analysis Commands
Now we will explore the various commands available to Linux administrators, developers and security analysts to list and analyze the public and private keys underlying the GPG encryption scheme.
Proper management and understanding of configured keys via outputs from these gpg list commands is crucial to assess the current state of encryption and signature configurations.
Command | Description |
---|---|
gpg --list-keys |
Display public keys in keyring |
gpg --list-secret-keys |
Display private keys in keyring |
gpg --list-sigs [user-id] |
List signatures assigned to specified user‘s public key |
gpg --fingerprint [user-id] |
Show fingerprint of specified user‘s public key |
gpg --export [key-id] |
Export public key from keyring |
gpg --export-secret-keys [key-id] |
Export private key from keyring |
gpg --recv-keys [key-id] |
Add/import public key into keyring |
gpg --delete-keys [key-id] |
Remove public key from keyring |
gpg --delete-secret-keys [key-id] |
Remove private key from keyring |
Table 1 – Common GPG key management commands relating to listing and analyzing keys
Now we will explore these crucial PGP key listing and analysis commands in further detail.
Listing GPG Public Keys
Public keys make up a core component of the GPG "web of trust" by enabling peers to encrypt content intended for the key owner as well as verify signatures created with the corresponding private key.
To display all GPG public keys installed on your system, use the --list-keys
option:
gpg --list-keys
This prints out information on each public key including:
- Key type – RSA, DSA, ECC decryption/signing
- Key ID – Long unique identifier
- User ID – User name & email address
- Creation & expiry dates – Keys should be periodically rotated
- Capabilities – Encryption, signing, certification & authentication
- Trust level – Ultimately trusted, unknown etc.
Here is sample abbreviated output:
pub rsa3072 2022-10-01 [SC] [expires: 2024-10-01]
ABC123DEF456GHI789
uid John Smith <jsmith@email.com>
sub rsa3072 2022-10-01 [E] [expires: 2024-10-01]
pub rsa2048 2020-03-29 [SC] [expired: 2022-03-29]
JKL012MNO340PQR567
uid Jane Doe <jdoe@email.com>
sub rsa2048 2020-03-29 [E] [expired: 2022-03-29]
Key properties indicate:
pub
– Public keyrsa3072
– RSA algorithm, 3072 bit key sizeuid
– User ID stringsub
– Encryption subkeySC
– Signing & certification capabilitiesE
– Encryption capability
For longer key and user IDs, add the --keyid-format LONG
option:
gpg --list-keys --keyid-format LONG
Seeing vital information like expiry dates and key usages allows assessment of whether keys are valid and properly supporting signature and encryption needs.
Listing GPG Private Keys
While public keys focus on encryption and verification, private keys enable the decryption of messages and creation of digital signatures to certify documents and prove identity.
To view your private keys, utilize the --list-secret-keys
option:
gpg --list-secret-keys
Information similar to the public keys is displayed but denotes sec
instead of pub
along with ssb
for secret subkey:
sec rsa2048 2022-04-01 [SC] [expires: 2024-04-01]
ABC123DEF000GHIJKL345
uid John Smith <jsmith@email.com>
ssb rsa2048 2022-04-01 [E] [expires: 2024-04-01]
As private keys should be closely guarded, options like --keyid-format LONG
assist better identification and auditing.
Monitoring private key expirations allows properly rotating keys to maintain security assurances and functionality.
Listing GPG Signatures
A signature in GPG attests to the validity of a public key through checks from peers utilizing their private keys. Signatures boost trust in unknown keys.
To display signatures verifying a public key‘s authenticity, utilize:
gpg --list-sigs [user-id]
This prints out GPG signatures along with the signer‘s user ID:
pub rsa2048 2022-07-15 [SC]
ABC123DEF456GHI789
uid John Smith <jsmith@email.com>
sig! Jane Doe <jdoe@email.com> 2022-08-03 [Key is fully certified]
sig! HR Signing Key <hr@company.com> 2022-07-16 [Key is certified not revoked]
The signatures denoted with sig
indicate trusted verification of the public key.
Checking signatures before relying on keys for sensitive communications is vital. Segmenting keys into ultimately trusted vs uncertified allows tuning the web of trust.
Listing GPG Key Fingerprints
While PGP keys utilize long key IDs for precise identification, key fingerprints act as shorter handles to distinguish keys from each other.
To list key fingerprints, use:
gpg --fingerprint [user-id]
Matching fingerprints when exporting public keys between peers ensures correct keys are shared.
Sample abbreviated output displaying the fingerprint with fpr
tag:
pub rsa2048 2022-07-15 [SC]
ABC123DEF456GHI789
uid John Smith <jsmith@email.com>
fpr:::::::::ABCDEF1234GHIJ67890ABCDEF1234GHIJ67890::::::::
Verifying fingerprints before utilizing keys promotes proper encryption and trust.
Additional GPG Key Listing Options
Now we will cover some additional commands that assist in managing and utilizing keys by exporting, importing revoking keys as well as alternate interfaces.
Exporting & Importing Keys
- Export public keys to transfer to another peer and allow them to encrypt content for you or verify your signatures:
gpg --export -a [key-id] > public-key.gpg
- Export private keys to serve as backups protected by a passphrase. Can restore and import if keys are lost:
gpg --export-secret-keys -a [key-id] > private-key.gpg
- Import public keys shared by peers to communicate securely:
gpg --import [peer-file.gpg]
Ensuring proper fingerprints when exporting and importing keys avoids spoofing.
Revoking Keys
If a private key becomes compromised or public key needs rescinding:
gpg --gen-revoke [key-id] > revocation.asc
Distribute revocation certification to notify peers key is untrusted.
Keyservers
Central servers provide lookup services to retrieve public keys using email address as search term. Can upload keyservers to disperse public key further.
Graphical Interfaces
Utilities like Seahorse provide GUI management of GPG keys for those less comfortable with the command line gpg
tool.
GPG Key Listing Recommendations
Now we will provide recommendations for properly managing and listing GPG keys to maximize the assurances of encryption and signature trust:
-
Create keys securely – Generate keys on systems with no external access to safeguard private keys during creation.
-
Store keys safely – Private keys should reside on encrypted partitions or hardware that requires a passphrase/pin before decrypting.
-
Backup keyrings – Maintain secure remote copies of keyring databases against data loss events.
-
Compare fingerprints – Cross check shorter fingerprints when trading public keys between new peers.
-
Check expirations – Periodically list keys checking validity periods to proactively rotate keys.
-
Monitor signatures – Review signatures from trusted peers before relying on keys for sensitive communications.
-
Revoke compromised keys – If a breach occurs, immediately revoke key, generate new set and alert peers.
Adhering to these vital practices when listing and managing GPG keys will maximize the confidentiality assurances public key cryptography provides.
Conclusion
This expert guide covered both a high level overview of GPG encryption along with specifics on listing keys to manage this encryption scheme securely. Proper listing and analysis of public keys, private keys, signatures and fingerprints is crucial to understanding and trusting the web of trust that underlies GPG confidentiality. Utilizing the commands like gpg --list-keys
, Linux administrators can take full control of this robust encryption system bolstering the privacy and integrity assurances around personal communications, financial transactions and sensitive government or corporate data exchanges.