GPG, the GNU Privacy Guard, can be used to digitally sign email, encrypt files. GPG is also used to sign RPM package.
In this post, I’ll write a short instruction on how to generate a new GPG key on RHEL or CentOS 7.
The command we need to generate the GPG key is
gpg. This program is provided by
gnupg2, and it should have aready been installed in most system.
If we’re generating the GPG key on a virtual machine, we should run
rngd command to generate enough entropy. (
rngd is provided by
sudo rngd -r /dev/urandom [sudo] password for student: Initalizing available sources Enabling RDSEED rng support Enabling JITTER rng support
Now we’re ready to generate the key:
$ gpg --gen-key gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: directory `/home/student/.gnupg' created gpg: new configuration file `/home/student/.gnupg/gpg.conf' created gpg: WARNING: options in `/home/student/.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/home/student/.gnupg/secring.gpg' created gpg: keyring `/home/student/.gnupg/pubring.gpg' created Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Student Email address: email@example.com Comment: You selected this USER-ID: "Student <firstname.lastname@example.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: /home/student/.gnupg/trustdb.gpg: trustdb created gpg: key B5DEFFB6 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 2048R/B5DEFFB6 2019-08-26 Key fingerprint = 1549 22C9 02C5 FBDD 8296 2384 B081 992B B5DE FFB6 uid Student <email@example.com> sub 2048R/6FE8E924 2019-08-26
In the above example, I supplied the following answers or options:
- Type of key: RSA
- Key size: 2048
- Key does not expire: 0
- Real name: student
- Email address: firstname.lastname@example.org
We can list the keys with either
$ gpg --finger /home/student/.gnupg/pubring.gpg -------------------------------- pub 2048R/B5DEFFB6 2019-08-26 Key fingerprint = 1549 22C9 02C5 FBDD 8296 2384 B081 992B B5DE FFB6 uid Student <email@example.com> sub 2048R/6FE8E924 2019-08-26
If we want to export our public key to put send it to a friend, or put on the website for others to download, we can export this key as the following:
$ gpg --export --armor firstname.lastname@example.org -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.22 (GNU/Linux) mQENBF1jkcgBCADFpem3sIxRG3Nl+uu3iZN38xsHTUCTTyZdD0hUiAsD9gsmKzbL LCPCnNYBHzJ+dzQR5DamqOMqgHOnJbFxm2SAdRVKY2c45HB2aYKg5wLZpQMsDkgY 3ue8aWLVU2gsJTTMDE0n2DOyczJfZZ7w2xsmOvtClaSgkHNwmkdY5645IIrEZvuF ZrGiYpSRMM5TmX7Ilzi2g/HKsEJaXI0vk6PtT89rFJP6gr7dRw4+YK1mD/nUNtLo 9CBAM0QEeNw+LtNPe4bfNKLB5/XIHzlUDU7I0QDo1nR4ruTdB8ZzdDSHQA/3UCFY +0vjf52H6nD27TGDLKzt8X4YGK44aVpwn+17ABEBAAG0HVN0dWRlbnQgPHN0dWRl bnRAZXhhbXBsZS5jb20+iQE5BBMBAgAjBQJdY5HIAhsDBwsJCAcDAgEGFQgCCQoL BBYCAwECHgECF4AACgkQsIGZK7Xe/7Yyqgf7B5PvpTV64nYAmYlwxKZ1Uryj9h7z FHq6yN7eBN3i98GPScZaqm1NQQ+nIYfbpVyUzDSpfmAz0SbuhxGTXEhHLFCar8d/ YN/O+MgJSZx/EuZ/xk9hUSgyP37E4+0hwph053UXvoHtIE+F/Y/Uf3qRTi7KutUS xA11HGLMrxa9jujIKNAVg4w+Xla/jDB8BhTdqxFC/45+Flmb13tz1yJLbh5Bj6EI G/ak/gMtf1MO2iUEQ5YzREpcS55O7RPYYjhYwb/eJPJFJZtOK6HfH4miDcACwX4X 6IPbVcB1nJc6rQgtq+ownCOyWGWIDHCEp2yD9Zs9GHZOvBevcEagcgKtRLkBDQRd Y5HIAQgA7YgiMoyhwpBwcesHJAgVgfr+r6+WdHgvqxLnO1TH/VpPRsXpLBanLGhB kF39OcZGE0rt/Y/mRjJSAvxBjbboDiTTHr3SUJwe5jDt2L4A/40POZBZ8pKHZ6ut YcsAa11QHSJ3UgnczimX3VJwcLSnFf8WdVlD8iX1oX3Wn5sem8nhFGyhJfg5iKlQ xA1AiOsIXmorz9DrE6ky14q3qUq5/FBhpi/m/PVvwmVux4CT6QhpMeoZnLsfO1eI ZPi5LQ2RHabTsppDFASwFW+7+lnjUxPj2pEYiGSqYLfy/L6dfNfSGn6KNxgrpRi0 C7DNiNa2Wp8z4BFLPrylSftpjVQwmwARAQABiQEfBBgBAgAJBQJdY5HIAhsMAAoJ ELCBmSu13v+2EvMH/2nUd3SCEgOlcWaEVqi+AFevZcCzg5WJJZEwMRd2xYqZNXuk IfsfaFT+fbm2GB+Q+D2ohLrgY3vd+1xpDRga3K7H+3SlllIMn71xavFlwgE2bAAI kZuLDU/tYQvNKIVnoYyawcws5FE+UaqK0HOsnc+Qaic86CdW7uPmA+CidSUcRvxQ q9Az+Jsx4ZBjUOzi6m/eg4Tn4+IdduzM8/j9wqP+e2q2LLNKTMEY9rjOU7cWqPwL rCyAg75Le+Jpr8oaA5Ds5ub+V80cOLr+5FJ1RWA7gPkuA48Kpd1TDG8qtj3IiLcp UA8XGYRXfPwxg6sy8GAMwObNVW9KF8aGgJRbSYE= =S0wW -----END PGP PUBLIC KEY BLOCK-----
--armor- exported as ASCII armored version