First Time GPG
First time using GnuPG and find it sophisticated and scary? Don't worry, this is my best practice guide for you. I wrote this guide to keep newcomers from making the kind of unrecoverable mistakes I made. Welcome to using GnuPG.
Since we're about to build your web-of-trust identity, here is the big picture of what you're about to go through:
- Creating your first primary key (I'll call it the master key)
- Creating usable sub-keys for consumption
- Protecting and backing up your master key
- GnuPG learning journey
This guide contains many links to my GnuPG specification sections containing the how-to. For the best experience, open those links in a new tab/window.
Preparations
Before we start creating a GnuPG web-of-trust identity, let's prepare a few things.
Purpose of the Key
Before charging towards creating the key, you need to ask yourself what this key is for, and who owns it for all time. Remember, this is an identity; people can still recognize your work even after you have left this world.
If you alone own 100% of the key, great! That means you'll be creating 1 primary key for yourself.
If the ownership is shared, be it with your significant other or your company, that means you'll be creating 2 primary keys:
- 1 for your 100% ownership, for yourself
- 1 for the shared ownership
Real Name per NRIC
Now I know that requiring a real name raises a concern. The reason is that this is your first key: it needs to be real in order for others to trust you. Yes, you can spin up another primary key with some funky nickname later and then have it signed by your real-identity master key.
Corresponding Email
The PGP and GnuPG systems use an email address as the address for your web identity. Use the most active email address corresponding to the identity.
Backup Storage Location
This is a tough question: you should decide now where you want to store your master key. You can refer to the Backup GPG Primary Key section for some recommended options.
Why upfront? Because it reduces the learning curve when you're halfway through learning GnuPG. I recommend LastPass, as I have personally used and tested it myself. You can set up your backup choice now before proceeding.
A Very Long And Secure Passphrase
When I say long and secure I mean something like:
d7vSNpF^0NElf@hFe#^qp&BanVo14P#BP
Wh@t15G0ingOnW1thT][isPrOmptsARGH
Why the long gibberish? Because this is your last line of defense when the master key falls into the wrong hands. If you're using LastPass as your storage solution, this shouldn't be a problem. A good, long passphrase has these attributes:
- 33 characters minimum
- at least 1 lowercase letter (a-z)
- at least 1 UPPERCASE letter (A-Z)
- at least 1 number (0-9)
- at least 1 symbol (@#%^!&)
Why? You can read my research paper here if you want to learn more.
Create Your First Primary Key
When you are done, let's proceed to create your 100% ownership primary key.
Create Necessary Sub-Key
Once you have your master primary key, you need to create new subkeys, such as a signing or encryption subkey, for day-to-day use. The minimum is:
- One signing subkey
- One encryption subkey
Set Encryption Preferences
Now that we have the master key ready, it's time to configure it. One critical item is setting the default cipher algorithms for hashing and encryption. To do that, you can refer to Specification - Encrypt: Set Default Cipher Algorithm.
Backup Master Secret Key
You're pretty much done. This is your 100% ownership key. It's time to back up the master key. To do that, you need to do 2 steps:
Export the Secret Key with All Sub-Keys
You first need to export the master secret key with all the sub-keys into a key file. I recommend using the --armor argument for a human-readable, text-only format, which is the commonly used version.
Distribute Your Public Key
Now that your master key is ready, it's time to distribute its public key to the well-known key-servers.
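The steps above, from certify-only master key to armored backup, as an added example that is not part of this guide: it runs GnuPG (2.2 or later assumed, for the --quick-* commands) in a throwaway keyring so nothing touches your real ~/.gnupg or a keyserver. The identity and passphrase are constructed practice values, and the gpg.conf preference options stand in for the "Set Default Cipher Algorithm" specification page linked above.

```shell
#!/bin/sh
# Added example, not from the original guide. Builds a first GnuPG identity in
# an isolated GNUPGHOME passed as $1 and prints the primary key fingerprint.
set -eu

build_first_key() {
  GNUPGHOME="$1"                      # throwaway keyring; your real ~/.gnupg is untouched
  export GNUPGHOME
  uid='Jane Smith <jane.smith@example.invalid>'   # constructed practice identity
  pass='Wh@t15G0ingOnW1thT][isPrOmptsARGH'        # constructed practice passphrase
  opts="--batch --pinentry-mode loopback"         # non-interactive passphrase entry

  # Encryption preferences, written before key generation so the key is created
  # with them and gpg itself prefers them when encrypting or signing.
  cat > "$GNUPGHOME/gpg.conf" <<'EOF'
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
EOF

  # Primary (master) key: certify-only and non-expiring. "cert" means it can only
  # sign subkeys and other people's keys; daily work is delegated to subkeys.
  gpg $opts --passphrase "$pass" --quick-generate-key "$uid" ed25519 cert never
  fpr="$(gpg --list-keys --with-colons "$uid" | awk -F: '$1=="fpr"{print $10; exit}')"

  # Minimum subkeys for consumption: one signing, one encryption, each expiring
  # in a year so a lost subkey ages out even if you never revoke it.
  gpg $opts --passphrase "$pass" --quick-add-key "$fpr" ed25519 sign 1y
  gpg $opts --passphrase "$pass" --quick-add-key "$fpr" cv25519 encr 1y

  # Backup: ASCII-armored master secret key with all subkeys, plus the public
  # key you would later send to a keyserver (deliberately not done here).
  gpg $opts --passphrase "$pass" --armor --export-secret-keys "$fpr" > "$GNUPGHOME/master-secret.asc"
  gpg --armor --export "$fpr" > "$GNUPGHOME/public.asc"
  echo "$fpr"
}
```

Run it as `build_first_key "$(mktemp -d)"` and inspect the result with `gpg --list-secret-keys` against that directory; the primary key shows the usage flag C only, while the subkeys show S and E.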
All right! Now you're done creating your first web identity! If you need to create a shared ownership key, you can start over with the shared ownership information.
Now that you have created your keys, I recommend learning GnuPG in depth as your next step, at least enough to avoid the pitfalls. I wrote the specifications for in-depth learning. You can try them out with the "Jane Smith" identity and understand deeply how GnuPG works across the world (but please don't distribute the "Jane Smith" key on the internet; you can skip those steps).
Cheers!
Once again, welcome to using GnuPG.