How do I share my GPG public key?
I have generated my keys and uploaded my public key. However, I
am not sure what my public key is (ie how I would manually give it
to a friend). Where do I find the key? The Key Inspector says it is
my "Secret and Public" key. Is it safe to share that with people?
Also, what do I use the fingerprint for? I realize these are
obvious questions, but I recently switched to GPG. Thanks in
advance for your help!
Jeremy
1 Posted by Paul Morten Vik... on 21 Apr, 2012 08:52 PM
Hi Jeremy.
In GPG Keychain Access, you can right-click on your key, and choose export.
Make sure "Allow secret key export" checkbox is UNCHECKED (very important!) in the save as dialog, in which only the public key will be exported and that file can be shared safely.
Never share your secret key!
For your second question:
When you receive a public key over the internet (or some other untrusted way), you might want to authenticate it with the owner of the key (to make sure he is who the key claims he is).
For this you can ask the owner of the key for the fingerprint of his public key in some safe way (in person, or some other trusted way of communication), and compare it to the fingerprint of the public key you received.
EDIT: If you have PGP Services enabled, you can also right click in any text field and choose "OpenPGP: Insert my key"
Hope this helps a bit, and feel free to ask if something is unclear.
Paul Morten
Support Staff 2 Posted by Steve on 24 Apr, 2012 12:41 PM
Hey all :)
Paul thanks for answering this question superbly. Jeremy, did this work for you?
Note that you might wanna consider using the key servers to exchange keys as well (very simple and effective). For that you'd have to upload your public key to the key servers.
All the best,
steve
3 Posted by Jeremy on 24 Apr, 2012 05:23 PM
Paul,
Thank you very much. This was very helpful and largely answered my questions. I know this is also an obvious question, but how do I see my own secret key? Is it actually a file I need to see visually or is it simply protected by my passphrase? I just don't want to inadvertently share the secret key. I understand the key servers and I uploaded my public key only. I just want to make sure I take all necessary precautions to protect the secret key and also understand what file actually contains the secret key and how I should store it. I hope this makes sense and, again, thanks to you and Steve.
Best,
Jeremy
Support Staff 4 Posted by Steve on 24 Apr, 2012 06:05 PM
No problem. Glad to see others chiming in on this platform here. :)
The questions about your secret key are partly covered in this tutorial: Quickstart Tutorial
So the secret key is stored in a keychain file and additionally protected by your passphrase. So to be corrupted the intruder would need to have full access to your machine plus the knowledge of your passphrase.
Since you'll need your sec key for signing mails and decrypting mails you receive encrypted, there's no use storing your sec key away and locking it. You need access to it yourself.
Some people find that storing their sec key on a USB stick is a good idea. Depending on your level of paranoia, others rotate their keys and generate a new set of keys every month or so. But that is maybe higher security than some military institutions have. Security is always a trade off. If you want to be 100% sure, throw your computer out of the window.
All the best,
steve
Please consider a donation. We do all this in our spare time.
5 Posted by Paul Morten Vik... on 24 Apr, 2012 06:55 PM
Hi again Jeremy (and Steve).
Yes, your secret key is in an actual file. That file is /Users/your_username/.gnupg/secring.gpg
(This means: a hidden directory called ".gnupg" under your home directory; and the file is called "secring.gpg" and as Steve says, it is encrypted with your passphrase). I really don't think you should move that file around without knowing what you are doing.
As Steve points out, you actually need to access the file to decrypt and sign files and emails.
Just make sure to never share your home directory, and don't let untrusted people (like the CIA, Kim Jong-un, cyber criminals and people you don't like or know) use your computer with your user logged in, and the file should be reasonably safe.
I have created a guest account for other people to use, and they just have to live with it.
IF the file gets stolen, the job of breaking your encryption is a lot easier (still not easy, but easier); depending on the strength of your passphrase (it really shouldn't be just one word).
And Steve, I just have to say you guys do a really great job making this available to people. I don't do any coding myself, but I check the discussions here often to see what's current in the gpgtools world; and figured why not help out when I can.
I'm glad I can be of some help. (wow this got too long, sorry) :-)
Paul Morten
6 Posted by Jeremy on 24 Apr, 2012 07:24 PM
Paul and Steve
Thanks so much for all of your help. This is such a valuable tool you have provided. I will definitely be donating $$ to the cause.
peace,
//jeremy
Support Staff 7 Posted by Steve on 24 Apr, 2012 07:55 PM
Jeremy, this is very kind. And thanks for your response.
Considering what happened to riseup lately you might wanna keep the money and invest it into new servers?
My hat is off to you guys. You are doing important work!
I wish you all the best for the riseup project... Don't give up.
Sincerely,
steve
8 Posted by BW on 26 Apr, 2012 10:22 PM
For exporting the public key, you say:
"In GPG Keychain Access, you can right-click on your key, and choose export. Make sure "Allow secret key export" checkbox is UNCHECKED (very important!)"
I'm using a Mac/Lion. In Keychain Access, there isn't a box for unchecking secret key export, nor is there one when I right-click on my key. And there isn't a "pub" key visible, unless it is the same as the "uid". How can I export my public key to a file to send?
I tried sending my public key to a friend by right-clicking inside an email message body and selecting "OpenPGP: Insert My Key", but my friend could not get the key to use.
9 Posted by Paul Morten Vik... on 27 Apr, 2012 02:08 PM
Hi BW.
You right-click on your secret key in GPG Keychain Access, and click on "Export".
You will then get a save as dialog, where you choose where to save it. It is in this dialog you get the option to check/uncheck "Allow secret key export".
Why your friend cannot use your key from the mail I don't know, but he might have to copy/paste it into a .asc file and import it into his pgp software?
Hope this helps.
Paul Morten
10 Posted by Joe on 28 Apr, 2012 08:47 AM
I'm assuming that if you type "gpg --export" it won't export your secret key?
11 Posted by Paul Morten Vik... on 29 Apr, 2012 12:33 PM
That is correct.
"gpg --export-secret-key" is for exporting secret keys.
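Both Paul's export advice in post 1 (share only the public key, compare fingerprints out of band) and the `gpg --export` exchange just above come down to one check: does the block you are about to send contain any secret-key packets? This added example (not part of the thread or of GPGTools) parses an ASCII-armored OpenPGP key block with the Python standard library, reports whether secret-key packets (tags 5 and 7) are present, and computes the v4 fingerprint from the Public-Key packet. The sample blocks are constructed placeholders, not real keys, and the CRC24 line is not validated.

```python
"""Inspect an ASCII-armored OpenPGP key block before sharing it: refuse it if it
holds secret-key packets, and compute the v4 fingerprint recipients compare out of band."""
import base64, hashlib

SECRET_TAGS = {5, 7}   # Secret-Key and Secret-Subkey packet tags (RFC 4880 section 4.3)

def dearmor(text):
    """Raw packet bytes from an armored block; armor headers and the CRC24 line are skipped."""
    lines = [l.strip() for l in text.strip().splitlines()][1:-1]  # drop BEGIN/END lines
    data_start = lines.index("") + 1            # a blank line ends the armor headers
    return base64.b64decode("".join(l for l in lines[data_start:] if l[:1] != "="))

def packets(data):
    """Yield (tag, body) per packet; partial and indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body length not supported")
        elif ctb & 0x80:                                 # old-format header
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + n], "big"); i += n
        else:
            raise ValueError("not an OpenPGP packet header")
        yield tag, data[i:i + length]; i += length

def contains_secret_key(armored):
    return any(tag in SECRET_TAGS for tag, _ in packets(dearmor(armored)))

def v4_fingerprint(armored):
    """SHA-1 over 0x99 || 2-octet length || Public-Key (tag 6) body, RFC 4880 section 12.2."""
    body = next(b for tag, b in packets(dearmor(armored)) if tag == 6)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def _pkt(tag, body, new=False):   # constructed packet, 1-octet length, either header style
    return bytes([(0xC0 | tag) if new else (0x80 | (tag << 2)), len(body)]) + body

def _armor(kind, *pkts):          # constructed armor; "=AAAA" stands in for the CRC24 line
    b64 = base64.b64encode(b"".join(pkts)).decode()
    return f"-----BEGIN PGP {kind} KEY BLOCK-----\nVersion: constructed\n\n{b64}\n=AAAA\n-----END PGP {kind} KEY BLOCK-----\n"

PUBLIC_SAMPLE = _armor("PUBLIC", _pkt(6, b"\x04pub"), _pkt(13, b"Alice <alice@example.org>"),
                       _pkt(2, b"sig"), _pkt(14, b"\x04sub", new=True))
SECRET_SAMPLE = _armor("PRIVATE", _pkt(5, b"\x04sec"), _pkt(13, b"Alice <alice@example.org>"))
```

Run `contains_secret_key()` on the text of the file you exported (or on the output of `gpg --armor --export`) before attaching it; a `True` means the file holds private material and must not be sent.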
Support Staff 12 Posted by Steve on 30 Apr, 2012 02:43 PM
@BW: Are you still having issues?
Otherwise I'd close this discussion soon.
13 Posted by Blanc on 30 Apr, 2012 10:00 PM
I'm still having problems. That is, I don't know how to encrypt the message. If I highlight the message body and select Services: encrypt file, I can then select the recipient and the key I want to use for it, but when the recipient receives it, they cannot open it with their key.
Otherwise, I don't know what other steps to take to actually encrypt the message.
Blanc
Support Staff 14 Posted by Steve on 16 May, 2012 04:23 PM
Blanc, first off: sorry for insanely slow response times.
So are we talking about GPGServices or GPGMail? When you are using GPGServices are you sure you have used the recipient's key to encrypt the file in the first place?
This thread is a bit confusing so I'm not sure what the problem is and what you have already tried to resolve it. Pls consider opening a new discussion and filling out our new default form so everybody knows which version of what software you are using and at which step you encounter problems.
All the best,
steve
15 Posted by Blanc on 17 May, 2012 11:09 AM
I have GPGMail, Services, and Tools installed. When I create a new message (Macbook) with his name in the "To" line, the icon with the lock on it is automatically locked. However, when he receives it, he can't open it.
I have tried selecting the text within the message, right-clicking the mouse and selecting Services to encrypt the text, then selecting my key, but that didn't work. I tried using an encrypted text message which I attached to an unencrypted message to him, but that didn't work, either.
He does not want to try opening messages any more. Could I perhaps attempt to do this with you, sending you my public key? I can start another thread for this, or just continue with this one.
Blanc
Support Staff 16 Posted by Steve on 17 May, 2012 03:59 PM
So the problem is the decryption on the other machine? Hmm, are you sure your friend has his setup correctly done?
Does he have a sec key in GPG Keychain Access with the corresponding mail address used in Mail.app?
Also what you write about GPGServices is not 100% correct I'm afraid.
Here's what you could try to figure out if the problem is in GPGMail or a general problem with your friend's setup:
Then we'll see if we can correctly decrypt your message.
All the best,
steve
Support Staff 17 Posted by Steve on 04 Jun, 2012 05:33 PM
No further user feedback. Closing.
@Blanc: Should your problem persist, feel free to re-open this discussion any time.
All the best,
steve
Steve closed this discussion on 04 Jun, 2012 05:33 PM.