Now I have a private/public key pair, but what to do with it? Of course we want to use it for encrypting and signing files; we will get to that in a minute (next article). As written in the first article, Bob needs Alice's public key to encrypt a message to her, and he also needs her public key to verify whether a signature is valid. So it's not enough to only create the key pair; you also have to distribute your public key to the persons you want to have this encrypted/signed communication with. Therefore, let's first discuss that:
What we now should do:
- Alice must be sure that Bob is who he says he is (ID/Passport/Blue Eyes)
- And if Alice is sure, get from Bob the fingerprint of the public key of Bob
- Somehow get the public key of Bob to Alice
- Export the public key of Bob
- Get the key to Alice
- Import the key into the gpg-keyring of Alice
- Check the fingerprint of the imported public key of Bob against the fingerprint from step 1.1
- If the fingerprints match (step 5), trust the public key in the gpg public keyring
Step 1:
In this example I just created two users on my system; they don't really exist 🙂 So, I hereby certify that Alice actually is Alice and Bob is actually Bob.
The public keyring of Alice now looks like:
[alice@radijs ~]$ gpg --list-keys
/home/alice/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      9B40B1BC71AD2D212D316CEEDA65161857B73DD7
uid           [ultimate] Alice <alice@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$
There’s only one public key (her own).
Step 1.1:
Bob now has to supply the fingerprint for his public key:
[bob@radijs ~]$ gpg --fingerprint bob@maboc.nl
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      C819 0B35 074D 7BBF E07F 4DF0 119E 1700 215E 42E6
uid           [ultimate] BobBob <bob@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]
And there you have it.
Step 2:
The public key must be transported to Alice. But first we must export it to a file, in order to be able to transport it 🙂
[bob@radijs ~]$ gpg --export --armor bob@maboc.nl
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBF+tS9wBCADHpmq20vvmC3EAkOvZWMWDTGjIDGj7RYA00RxCYKUl9VNw3qKx
Y3QIPuWRlscPlyX4RY1a8EiO52G65l8M0PHnJJH7cnfr00gsv0SoxWa3f4fGt/tC
BykScL0kIV4hYrl03mETTWaSrWVB5SuEa9nGlpHfQL83jFf6fXOJveheDjG8f4+L
KoWE+juztMbJYc7AZ83k/ltZNDJtK7Fwny8upX1ehxOcKMqgPNmi7PlRkGihBAnU
ejiOMSQcbslxZmyocZIjRQlCGXC5pexKILK/FVRJckovaTJAr1koHvMff8TZXILu
ntCg2XMrqyD5oIL/WWCcsGgr6VlpA0lrypz7ABEBAAG0FUJvYkJvYiA8Ym9iQG1h
Ym9jLm5sPokBVAQTAQgAPhYhBMgZCzUHTXu/4H9N8BGeFwAhXkLmBQJfrUvcAhsD
BQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBGeFwAhXkLmexQH/0c9
zjz/8RPtJ4jZM7qKWMVUJ3ZVdOGIYi6Z3JiiWC0pXwMF3Nxm7vZQpCJEPu3Uq9hX
0Qiyy3Holp/zVBgJBQQlP3+stiNNA3P2vhSWrz2VhMcIZ6U50herpkm/ev+YSKtS
oRXrVnohMb6LAu9dx5KlvBcqY9gCdHqmGSj8wFTWIcn9mYL3IuRDt0d9N3P+UN9j
B10GgftY1i3fFFWj3tHcnhBFBY7Ju1rGLWlvEudh2/mkhyAhEGPbK4v2ufMqAD2Y
eAab1qDgToKsyehcmzciurZ3RnAAYtODdk8NocfZU1b7N5tu6xgea7OCjixcDDvy
4eV3xcqfCY661NmecHuJATMEEAEIAB0WIQSbQLG8ca0tIS0xbO7aZRYYV7c91wUC
X7WFmgAKCRDaZRYYV7c913VwB/4wETygdHMKP9ORbUiKKSEK5e4RSfi+pH7TYGFT
nbVK60J/+R97yayZuwkCEJZ85QAETFNYhDfB1aOXyr76TjWEKjyv+U3Gl9C3PTrS
lour5nZe7d8ugibGFsa+GTVpl011kQqCstTXNzC+myPPk+bFdMpHaAjLf7VHiAeB
ApIgM4KYUIc2XqbITfJrBWSLrJr85t+PFAscTdn71+iATeGRBLGtskBtriVwRJm4
ygaHe9zdhOiO7RK+OzYE9iUZ/RPZbCjm1fDAlRfgWVZZwWI99h6b4/0W3J91e4oY
P2ZpBuvLt/8z79nkfVk9q16odcG2Nykt5qLBhpqiU50dsoGduQENBF+tS9wBCADe
EGbKuFZryNZqQxxQsjDI4I3KV7mYK0jQuWHVKv92sG6L1blWZLmj+prxCooq95D4
zfCGX0gaM/2TfgjGtASsDcZYu/vFX8rovMsCv/SSe/ACpgSaBGbMpREmVZcvThJn
9mTtvVwT0MixDlWP8plYj359xd294uZrjicmayU1WgykDppMU4doJLRAC2op2TsJ
FuDAeXABeUUcHzeeUaVePb/33KSVhe2Y5gUrZCGm2iM0VXu+P0N3p05pH+yNxXku
P339KQKoqrUtv9L2ar8Dlg2bapJJmvUbg+jn/UFBUMt38RBDUKg5Lwf9uyWaqVRI
IFWfHuWvd2kCKM86EuA3ABEBAAGJATwEGAEIACYWIQTIGQs1B017v+B/TfARnhcA
IV5C5gUCX61L3AIbDAUJA8JnAAAKCRARnhcAIV5C5mbeCAC3CZ96PRf2ZgRwqqE4
Huj5vC8Ls+AsAoe+x8RtaI51l42I37x0mHxJoPiNJ2yvF+YGoa+ffgcBxtypsz46
qSl7S5thDBx0B1h+WJdGkODB8SAHsRNfjVy17WQeiYkYh0xdFDMbKlSFxQIvMBH0
OOrecWsTKqZzjxVaaOFvr76ZMqVwHxvQWzkK8SU70IMjvkra0pkmeXB/EvN2owBm
shaCvLLm+Skuq3+vzc7/xfboah3kwDrTzcasY7jUobZx3b+9rpjPILgbsRGX7dSW
taAQO/Zw17ieZ3Aw07nFsOXUN+n6Ralys0b7ClBc9GebH/7g6hYkPW9tXFzoPgGT
rDMO
=Mo5o
-----END PGP PUBLIC KEY BLOCK-----
[bob@radijs ~]$
[bob@radijs ~]$ gpg --export --armor bob@maboc.nl > bobs.pub
[bob@radijs ~]$ ls -l bobs.pub
-rw-rw-r--. 1 bob bob 2164 19 nov 13:09 bobs.pub
[bob@radijs ~]$
As you can see, the gpg export command writes the key to standard output. In the second invocation I redirected the output to a file.
Maybe you wonder why I use the option --armor? Well, it works just as well without the armor option, but the output would then be binary and I would not easily be able to show it here. The armor option tells gpg to export the key in an ASCII-readable format (base64 between BEGIN/END lines, with a checksum line at the end).
Step 2.2:
Get the key to Alice in any way you see fit. Since I'm just demoing here, I passed it via /tmp: Bob puts his public key in /tmp and Alice picks it up (don't forget to loosen the permissions on the file, otherwise Alice cannot pick it up from /tmp). The permissions only matter for getting the file across: a public key is public, so there is nothing to keep secret here. What the transport cannot guarantee is that the file was not swapped or damaged along the way, and that is exactly what the fingerprint check in step 4 is for.
Step 3:
Alice picks the public key up (from /tmp) and imports it into her public keyring:
[alice@radijs ~]$ gpg --list-keys
/home/alice/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      9B40B1BC71AD2D212D316CEEDA65161857B73DD7
uid           [ultimate] Alice <alice@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$ cp /tmp/bob.pub ./
[alice@radijs ~]$ ls -l bob.pub
-rwxrwxr-x. 1 alice alice 1745 19 nov 13:20 bob.pub
[alice@radijs ~]$ gpg --import bob.pub
gpg: key 119E1700215E42E6: public key "BobBob <bob@maboc.nl>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[alice@radijs ~]$ gpg --list-keys
/home/alice/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      9B40B1BC71AD2D212D316CEEDA65161857B73DD7
uid           [ultimate] Alice <alice@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      C8190B35074D7BBFE07F4DF0119E1700215E42E6
uid           [ unknown] BobBob <bob@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$
What did I do? 1) list the public keys Alice has in her keyring at the moment, 2) copy the key to her home directory, 3) list it (just to see whether it's there), 4) import the key, and finally 5) list the public keys in Alice's keyring.
As you can see, Alice now has two public keys in her keyring. The first is her own, which she trusts ultimately, and then there is the public key of Bob, whose trust is still unknown.
Step 4:
Let’s check the fingerprint on the freshly imported public key.
[alice@radijs ~]$ gpg --fingerprint bob@maboc.nl
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      C819 0B35 074D 7BBF E07F 4DF0 119E 1700 215E 42E6
uid           [ unknown] BobBob <bob@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$
How does the fingerprint found here (C819 0B35 074D 7BBF E07F 4DF0 119E 1700 215E 42E6) compare to the fingerprint supplied by Bob in step 1.1 (C819 0B35 074D 7BBF E07F 4DF0 119E 1700 215E 42E6)? They are the same 🙂
We now know that the public key we got from Bob actually is the same key as the one whose fingerprint we received in step 1.1. The fingerprint is a hash of the key material itself, so a key that had been swapped or damaged on the way would have shown a different fingerprint. Compare all ten groups, not just the last few digits: the short key ID (119E1700215E42E6) is only the tail of the fingerprint.
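To show what the fingerprint check actually compares, here is an added example in Python. It is my own code, not from the original post and not part of GnuPG; only the armored key block (as exported in step 2) and the two fingerprints on this page are used as input. It strips the armor, verifies the armor's CRC-24 checksum line (the "=Mo5o" at the end, which detects damage in transit), walks the OpenPGP packets, computes the v4 fingerprint as RFC 4880 section 12.2 defines it (SHA-1 over 0x99, the two-octet packet length and the public-key packet body) and compares it with the fingerprint Bob handed over in step 1.1. The parser assumes old-format packet headers, which is what gpg writes for key material; the function names (`dearmor`, `packets`, `inspect_key`, `fingerprint_matches`) are my own.

```python
import base64
import hashlib

# Bob's public key exactly as `gpg --export --armor bob@maboc.nl` printed it in step 2.
BOB_ARMOR = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBF+tS9wBCADHpmq20vvmC3EAkOvZWMWDTGjIDGj7RYA00RxCYKUl9VNw3qKx
Y3QIPuWRlscPlyX4RY1a8EiO52G65l8M0PHnJJH7cnfr00gsv0SoxWa3f4fGt/tC
BykScL0kIV4hYrl03mETTWaSrWVB5SuEa9nGlpHfQL83jFf6fXOJveheDjG8f4+L
KoWE+juztMbJYc7AZ83k/ltZNDJtK7Fwny8upX1ehxOcKMqgPNmi7PlRkGihBAnU
ejiOMSQcbslxZmyocZIjRQlCGXC5pexKILK/FVRJckovaTJAr1koHvMff8TZXILu
ntCg2XMrqyD5oIL/WWCcsGgr6VlpA0lrypz7ABEBAAG0FUJvYkJvYiA8Ym9iQG1h
Ym9jLm5sPokBVAQTAQgAPhYhBMgZCzUHTXu/4H9N8BGeFwAhXkLmBQJfrUvcAhsD
BQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBGeFwAhXkLmexQH/0c9
zjz/8RPtJ4jZM7qKWMVUJ3ZVdOGIYi6Z3JiiWC0pXwMF3Nxm7vZQpCJEPu3Uq9hX
0Qiyy3Holp/zVBgJBQQlP3+stiNNA3P2vhSWrz2VhMcIZ6U50herpkm/ev+YSKtS
oRXrVnohMb6LAu9dx5KlvBcqY9gCdHqmGSj8wFTWIcn9mYL3IuRDt0d9N3P+UN9j
B10GgftY1i3fFFWj3tHcnhBFBY7Ju1rGLWlvEudh2/mkhyAhEGPbK4v2ufMqAD2Y
eAab1qDgToKsyehcmzciurZ3RnAAYtODdk8NocfZU1b7N5tu6xgea7OCjixcDDvy
4eV3xcqfCY661NmecHuJATMEEAEIAB0WIQSbQLG8ca0tIS0xbO7aZRYYV7c91wUC
X7WFmgAKCRDaZRYYV7c913VwB/4wETygdHMKP9ORbUiKKSEK5e4RSfi+pH7TYGFT
nbVK60J/+R97yayZuwkCEJZ85QAETFNYhDfB1aOXyr76TjWEKjyv+U3Gl9C3PTrS
lour5nZe7d8ugibGFsa+GTVpl011kQqCstTXNzC+myPPk+bFdMpHaAjLf7VHiAeB
ApIgM4KYUIc2XqbITfJrBWSLrJr85t+PFAscTdn71+iATeGRBLGtskBtriVwRJm4
ygaHe9zdhOiO7RK+OzYE9iUZ/RPZbCjm1fDAlRfgWVZZwWI99h6b4/0W3J91e4oY
P2ZpBuvLt/8z79nkfVk9q16odcG2Nykt5qLBhpqiU50dsoGduQENBF+tS9wBCADe
EGbKuFZryNZqQxxQsjDI4I3KV7mYK0jQuWHVKv92sG6L1blWZLmj+prxCooq95D4
zfCGX0gaM/2TfgjGtASsDcZYu/vFX8rovMsCv/SSe/ACpgSaBGbMpREmVZcvThJn
9mTtvVwT0MixDlWP8plYj359xd294uZrjicmayU1WgykDppMU4doJLRAC2op2TsJ
FuDAeXABeUUcHzeeUaVePb/33KSVhe2Y5gUrZCGm2iM0VXu+P0N3p05pH+yNxXku
P339KQKoqrUtv9L2ar8Dlg2bapJJmvUbg+jn/UFBUMt38RBDUKg5Lwf9uyWaqVRI
IFWfHuWvd2kCKM86EuA3ABEBAAGJATwEGAEIACYWIQTIGQs1B017v+B/TfARnhcA
IV5C5gUCX61L3AIbDAUJA8JnAAAKCRARnhcAIV5C5mbeCAC3CZ96PRf2ZgRwqqE4
Huj5vC8Ls+AsAoe+x8RtaI51l42I37x0mHxJoPiNJ2yvF+YGoa+ffgcBxtypsz46
qSl7S5thDBx0B1h+WJdGkODB8SAHsRNfjVy17WQeiYkYh0xdFDMbKlSFxQIvMBH0
OOrecWsTKqZzjxVaaOFvr76ZMqVwHxvQWzkK8SU70IMjvkra0pkmeXB/EvN2owBm
shaCvLLm+Skuq3+vzc7/xfboah3kwDrTzcasY7jUobZx3b+9rpjPILgbsRGX7dSW
taAQO/Zw17ieZ3Aw07nFsOXUN+n6Ralys0b7ClBc9GebH/7g6hYkPW9tXFzoPgGT
rDMO
=Mo5o
-----END PGP PUBLIC KEY BLOCK-----
"""
# The fingerprint Bob handed over in step 1.1, spaced the way `gpg --fingerprint` prints it.
BOB_FINGERPRINT_OOB = "C819 0B35 074D 7BBF E07F 4DF0 119E 1700 215E 42E6"


def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 section 6.1): init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armor: str) -> bytes:
    """Drop BEGIN/END and 'Key: value' header lines, base64-decode, verify the '=XXXX' line."""
    lines = [ln.strip() for ln in armor.strip().splitlines()[1:-1] if ln.strip() and ":" not in ln]
    checksum = lines.pop()
    if not checksum.startswith("="):
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(lines))
    if crc24(data) != int.from_bytes(base64.b64decode(checksum[1:]), "big"):
        raise ValueError("armor checksum mismatch: the key was damaged in transit")
    return data


def packets(data: bytes):
    """Yield (tag, body) per top-level packet; old-format headers only (RFC 4880 4.2.1)."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if ctb & 0xC0 != 0x80 or ctb & 0x03 == 3:
            raise ValueError("new-format or indeterminate-length packet; not handled here")
        n = 1 << (ctb & 0x03)                       # 1, 2 or 4 length octets
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
        yield (ctb >> 2) & 0x0F, data[pos:pos + length]
        pos += length


def inspect_key(armor: str) -> dict:
    """Fingerprint (SHA-1 over 0x99, 2-octet length, packet body), key ID and user IDs."""
    pkts = list(packets(dearmor(armor)))
    tag, body = pkts[0]
    if tag != 6 or body[0] != 4:                    # tag 6 = public key, version 4
        raise ValueError("expected a version 4 public-key packet first")
    fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    return {"fingerprint": fpr, "keyid": fpr[-16:],  # keyid is what gpg printed on import
            "uids": [b.decode("utf-8") for t, b in pkts if t == 13]}


def fingerprint_matches(armor: str, out_of_band: str) -> bool:
    """Step 4: compare all 160 bits, ignoring the spacing and case of the out-of-band copy."""
    return inspect_key(armor)["fingerprint"] == out_of_band.replace(" ", "").upper()
```

Running `inspect_key(BOB_ARMOR)` yields the fingerprint C8190B35074D7BBFE07F4DF0119E1700215E42E6 and the user ID "BobBob <bob@maboc.nl>", the same values gpg shows in steps 3 and 4, and `fingerprint_matches(BOB_ARMOR, BOB_FINGERPRINT_OOB)` is True. Feeding it Alice's fingerprint instead returns False, and a single flipped character in the base64 makes `dearmor` raise on the checksum rather than silently producing a different fingerprint.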
Step 5:
The last thing to do is to trust this key, so we can safely use it without hesitation:
[alice@radijs ~]$ gpg --edit-key bob@maboc.nl
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa2048/119E1700215E42E6
     created: 2020-11-12  expires: 2022-11-12  usage: SC
     trust: unknown       validity: unknown
sub  rsa2048/6945C7E1B92180C0
     created: 2020-11-12  expires: 2022-11-12  usage: E
[ unknown] (1). BobBob <bob@maboc.nl>

gpg> trust
pub  rsa2048/119E1700215E42E6
     created: 2020-11-12  expires: 2022-11-12  usage: SC
     trust: unknown       validity: unknown
sub  rsa2048/6945C7E1B92180C0
     created: 2020-11-12  expires: 2022-11-12  usage: E
[ unknown] (1). BobBob <bob@maboc.nl>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa2048/119E1700215E42E6
     created: 2020-11-12  expires: 2022-11-12  usage: SC
     trust: ultimate      validity: unknown
sub  rsa2048/6945C7E1B92180C0
     created: 2020-11-12  expires: 2022-11-12  usage: E
[ unknown] (1). BobBob <bob@maboc.nl>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
[alice@radijs ~]$ gpg --list-key bob@maboc.nl
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2022-11-12
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      C8190B35074D7BBFE07F4DF0119E1700215E42E6
uid           [ultimate] BobBob <bob@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$
As you might notice, Alice gave this key ultimate trust. Why you can (for example) also give marginal trust is not for now; it is what the "web of trust" is built with. Keep in mind what the gpg prompt above asks: this trust level expresses how far Alice trusts Bob to verify other people's keys. With ultimate trust, any key that Bob certifies will also count as valid for Alice, which is why GnuPG normally reserves that level for keys you control yourself.
You may also notice that when Bob's public key is listed, it now shows ultimate trust.
Alice is good to go: she can encrypt files for Bob and be sure only Bob can decrypt them, and if she receives a signed file/document/email, she can confidently verify whether it was actually signed by Bob.