

GPG/PGP Basics - cinquemb
http://aplawrence.com/Basics/gpg.html

======
songgao
The reason why I never had a GPG/PGP key is that I don't know where to put my
private key. It's an identity that's supposed to reliably identify you. In
other words, it is you.

Computers can be hacked; cloud services are not trusted because they can
easily access to it if forced by government or whatever. Could've use a
passphrase but brute-force it is just a matter of time.

Burning into CD or store in USB stick and keep it safe in your house? What if
it gets stolen? I feel like I need to use something like this:
[http://worldsbestflashdrive.com/](http://worldsbestflashdrive.com/) but not
sure how hard it is to brute-force it. Yes it "reset on multiple incorrect
entries" but if you are targeted, people who try to hack it certainly will
research the product first and won't be stupid enough to try multiple times to
cause it "reset". It probably can only be a hassle for you when you forget
your password.

The problem is that, once you published it, you can't regenerate a new one and
claim the previous one invalid/compromised. That'll break the trust system. I
guess the safest way is to memorize the private key in your brain just like
some people memorize PI. Oh wait, what if you are hypnotized?

~~~
noyesno
Use a smart card. After creating your secret key(s), you move them to the card
(or you can create the key inside the card, so it is never seen by your PC).
The card has no capability of exporting them so they will never be leaked. You
can only wipe the card clean and start over. To further protect your PIN-code
for the card, you can use a card reader with integrated keypad, which should
work against most key-loggers.

For GPG you most certainly can invalidate a key, in fact, this is a crucial
part of the key-generation and management process. Along with the
public/private key pair, you also generate a key revocation certificate. The
revocation cert can then be uploaded to the key-server in the case that your
key gets compromised. A well behaving GPG-client will check the validity of
the public keys in your key chain, and if it encounters a revocation key
against the public key you are trying to use, it will then disable it and warn
you.

For more, see:
[http://g10code.com/p-card.html](http://g10code.com/p-card.html) and
[https://www.crypto-stick.com/](https://www.crypto-stick.com/)

------
toufka
man, every time I want to give this another try the tremendous effort involved
to even begin is off-putting.

Here Marge prepares her public key:

[marge@apl marge]$ gpg --armor --export marge@aplawrence.com > mypk

To add Marges public key, Tom does this (he's saved the file as "margepk"):

[tom@apl tom]$ gpg --import margepk

[tom@apl tom]$ gpg --list-keys

[tom@apl tom]$ gpg --edit-key marge@aplawrence.com

Command> fpr

Command> sign

[tom@apl tom]$ gpg --out secrets_to_marge --encrypt secrets

[tom@apl tom]$ ls -l sec*

[marge@apl marge]$ gpg --output secrets_from_tom --decrypt secrets_to_marge

And voila! "That's it. GPG is actually pretty simple, and nothing to get a
headache over."

~~~
noyesno
If you don't like the command line approach, you can use GUIs [1] like GNU
Privacy Assistant or Cryptophane.

[1]
[http://www.gnupg.org/related_software/frontends.html#gui](http://www.gnupg.org/related_software/frontends.html#gui)

