
GNU Privacy Guard

GPG (GNU Privacy Guard) is a free, open-source implementation of the OpenPGP standard (the open successor to PGP, Pretty Good Privacy). The Platform team uses GPG to generate and manage the public and private keys it uses for file encryption and decryption, signing of Git commits, and SSH access to various systems.

Once installed, team members have access to GPG's functions via the gpg command-line tool.

macOS

Requirements

Installing GPG on macOS

Use Homebrew to install GPG by entering the following on the command line and following the on-screen instructions:

$ brew install gnupg

Linux

Requirements

Installing GPG on Linux

  • Ubuntu/Debian

    $ apt install gpg
    

  • RHEL/Fedora

    
    

Key Generation

Generate a master key

  1. Generate a master key:

    $ gpg --expert --full-generate-key
    

  2. Select (10) ECC (sign only):

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
       (9) ECC and ECC
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (13) Existing key
      (14) Existing key from card
    Your selection? 10
    
    Select Curve 25519:
    Please select which elliptic curve you want:
       (1) Curve 25519
       (3) NIST P-256
       (4) NIST P-384
       (5) NIST P-521
       (6) Brainpool P-256
       (7) Brainpool P-384
       (8) Brainpool P-512
       (9) secp256k1
    Your selection? 1
    
    Select an expiration:
    Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
    Key is valid for? (0)
    

  3. Associate a user ID with the newly generated key:

    GnuPG needs to construct a user ID to identify your key.
    
    Real name: kmitnick@vt.edu
    Email address: kmitnick@vt.edu
    Comment: testing
    You selected this USER-ID:
        "kmitnick@vt.edu (testing) <kmitnick@vt.edu>"
    

  4. Verify that your new key is associated with the user ID you expect and is enabled for signing and certification only (usage [SC]):

    $ gpg -k kmitnick@vt.edu
    pub   ed25519 2023-04-14 [SC]
       6BD6FC926DC6C6D46B4F725B2B1E270B47DB1308
    uid           [ultimate] Kevin Mitnick (testing) <kmitnick@vt.edu>
    

Generate an encryption subkey

  1. Edit the master key:
    $ gpg --expert --edit-key kmitnick@vt.edu
    
    Choose addkey, and select (12) ECC (encrypt only):
    gpg> addkey
    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (12) ECC (encrypt only)
      (13) Existing key
      (14) Existing key from card
    Your selection? 12
    
  2. Select Curve 25519, and set an expiration earlier than that of the master key:
    Please select which elliptic curve you want:
       (1) Curve 25519
       (3) NIST P-256
       (4) NIST P-384
       (5) NIST P-521
       (6) Brainpool P-256
       (7) Brainpool P-384
       (8) Brainpool P-512
       (9) secp256k1
    Your selection? 1
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 2y
    
  3. Verify that you have a new subkey with usage E (encryption):
    sec  ed25519/2B1E270B47DB1308
         created: 2023-04-14  expires: never       usage: SC
         trust: ultimate      validity: ultimate
    ssb  cv25519/CB4687B62B16CAF3
         created: 2023-04-14  expires: 2025-04-13  usage: E
    [ultimate] (1). Kevin Mitnick (testing) <kmitnick@vt.edu>
    
  4. Save your new configuration:
    gpg> save
    

Generate an authentication subkey

  1. Generate an authentication subkey:
    $ gpg --expert --edit-key kmitnick@vt.edu
    
    Choose addkey, and select (11) ECC (set your own capabilities):
    gpg> addkey
    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (12) ECC (encrypt only)
      (13) Existing key
      (14) Existing key from card
    Your selection? 11
    
  2. Toggle the capabilities until only Authenticate is enabled (S to turn off Sign, then A to turn on Authenticate), then choose (Q) Finished:
    Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
    Current allowed actions: Sign 
    
       (S) Toggle the sign capability
       (A) Toggle the authenticate capability
       (Q) Finished
    
    Your selection? s
    
    Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
    Current allowed actions: 
    
       (S) Toggle the sign capability
       (A) Toggle the authenticate capability
       (Q) Finished
    
    Your selection? a
    
    Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
    Current allowed actions: Authenticate 
    
       (S) Toggle the sign capability
       (A) Toggle the authenticate capability
       (Q) Finished
    
  3. Again select Curve 25519, and set an expiration (ideally earlier than that of the master key):
    Please select which elliptic curve you want:
       (1) Curve 25519
       (3) NIST P-256
       (4) NIST P-384
       (5) NIST P-521
       (6) Brainpool P-256
       (7) Brainpool P-384
       (8) Brainpool P-512
       (9) secp256k1
    Your selection? 1
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 2y
    
  4. Verify that you have a new subkey with usage A (authentication):
    sec  ed25519/2B1E270B47DB1308
         created: 2023-04-14  expires: never       usage: SC
         trust: ultimate      validity: ultimate
    ssb  cv25519/CB4687B62B16CAF3
         created: 2023-04-14  expires: 2025-04-13  usage: E
    ssb  ed25519/D8C413AFD85D7A62
         created: 2023-04-14  expires: 2025-04-13  usage: A
    [ultimate] (1). Kevin Mitnick (testing) <kmitnick@vt.edu>
    
  5. Save your configuration:
    gpg> save
    

Signing Git commits

Once the GPG keys have been generated, Git can be configured to use them for signing commits.

  1. First find your GPG key ID (the long ID of the primary key, shown after ed25519/ on the sec line):

    $ gpg --list-secret-keys --keyid-format long
    sec   ed25519/2B1E270B47DB1308 2023-04-14 [SC]
          6BD6FC926DC6C6D46B4F725B2B1E270B47DB1308
    uid                 [ultimate] Kevin Mitnick (testing) <kmitnick@vt.edu>
    ssb   cv25519/CB4687B62B16CAF3 2023-04-14 [E] [expires: 2025-04-13]
    ssb   ed25519/D8C413AFD85D7A62 2023-04-14 [A] [expires: 2025-04-13]
    

  2. Run the following commands to configure Git:

    $ git config --global user.signingkey 2B1E270B47DB1308
    $ git config --global commit.gpgsign true
    

  3. Commits can now be signed by passing the -S flag (with commit.gpgsign set to true, Git signs every commit by default):

    $ git commit -S -m "foo bar"
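As an added example (not part of this page or of GnuPG), the shell script below automates the verify steps of the three key-generation sections above and also extracts the value to use in the git config step: it checks the machine-readable listing from gpg --with-colons --list-keys (or --list-secret-keys) for a sign+certify-only primary key, exactly one encrypt-only and one authenticate-only subkey, and subkey expiries that do not outlive the primary. The two listings it runs on are constructed here to mirror the key shown on this page; on a real system pass "$(gpg --with-colons --list-keys kmitnick@vt.edu)" instead.

```shell
# Added example (not from the original page): validate a key built by the
# steps above and pull the fingerprint Git should sign with.  Input is the
# machine-readable output of:  gpg --with-colons --list-keys <uid>
# Returns 0 only if the primary key is sign+certify only, exactly one
# encrypt-only and one authenticate-only subkey exist, and every subkey
# expires (no later than the primary, when the primary expires at all).
check_key_layout() {
    printf '%s\n' "$1" | awk -F: '
        # fields used: $1 record type, $5 key ID, $7 expiry (epoch or empty),
        # $12 capability letters (lowercase = this key itself: s c e a)
        BEGIN { fail = 0; n = 0; enc = 0; auth = 0 }
        $1 == "pub" || $1 == "sec" { primary = $5; pub_caps = $12; pub_exp = $7 }
        $1 == "sub" || $1 == "ssb" { n++; id[n] = $5; caps[n] = $12; expiry[n] = $7 }
        END {
            if (primary == "") { print "no primary key in listing"; exit 1 }
            if (pub_caps ~ /[ea]/) { print "primary " primary " is not [SC] only: " pub_caps; fail = 1 }
            for (i = 1; i <= n; i++) {
                if (caps[i] ~ /e/ && caps[i] !~ /[sa]/) enc++
                else if (caps[i] ~ /a/ && caps[i] !~ /[se]/) auth++
                else { print "subkey " id[i] " has unexpected usage: " caps[i]; fail = 1 }
                if (expiry[i] == "") { print "subkey " id[i] " never expires"; fail = 1 }
                else if (pub_exp != "" && expiry[i] + 0 > pub_exp + 0) {
                    print "subkey " id[i] " outlives the primary key"; fail = 1 }
            }
            if (enc != 1)  { print "expected one [E] subkey, found " enc; fail = 1 }
            if (auth != 1) { print "expected one [A] subkey, found " auth; fail = 1 }
            if (!fail) print "key layout OK"
            exit fail
        }'
}

# Full fingerprint of the primary key (the fpr record after pub).  Git accepts
# it for user.signingkey, and unlike a 16-hex key ID it cannot be ambiguous.
primary_fingerprint() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" || $1 == "sec" { want = 1; next }
                                  want && $1 == "fpr" { print $10; exit }'
}

# Constructed listing modelled on the key shown on this page (dates as epoch).
GOOD_LISTING='pub:u:255:22:2B1E270B47DB1308:1681430400:::u:::scESCA:::::ed25519:::0:
fpr:::::::::6BD6FC926DC6C6D46B4F725B2B1E270B47DB1308:
sub:u:255:18:CB4687B62B16CAF3:1681430400:1744502400:::::e:::::cv25519::
sub:u:255:22:D8C413AFD85D7A62:1681430400:1744502400:::::a:::::ed25519::'
# Constructed bad case: the [E] subkey never expires, and the "auth" subkey
# kept Sign because step 2 of the authentication subkey section was skipped.
BAD_LISTING='pub:u:255:22:2B1E270B47DB1308:1681430400:::u:::scESCA:::::ed25519:::0:
sub:u:255:18:CB4687B62B16CAF3:1681430400::::::e:::::cv25519::
sub:u:255:22:D8C413AFD85D7A62:1681430400:1744502400:::::sa:::::ed25519::'

check_key_layout "$GOOD_LISTING" && primary_fingerprint "$GOOD_LISTING"
```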