```shell
# revocation certificates can be issued if
# the private key is lost or compromised
gpg --output your-new-certificate-name.asc --gen-revoke your-key-id
# list keys. helpful for finding the key id
gpg --list-keys
# print key to the terminal
gpg --armor --export your-email@your-domain.com your-key-id
# add an existing gpg key to profile
gpg --import $HOME/.gnupg/file-name.gpg
# sign the imported key
# ONLY IF YOU VERIFY THE FINGERPRINT!!!
gpg --edit-key someone-you-trust@their-domain.com
```
GPG (technically gpg2) is the OpenPGP part of the GNU Privacy Guard (GnuPG). It ships with your EC2 instance and offers digital encryption and signing services. It can also be used for secure shell applications (GitHub supports GPG keys for SSH).

Technically, the pre-installed package is **gpg2**, which targets desktop use, whereas the original gpg package is for server and embedded platforms. Your EC2 instance will interpret both the gpg and gpg2 commands as gpg2. This documentation uses the form gpg for simplicity.
## Tamper Resistant Digital Signatures
A digital signature certifies and timestamps a document. Any change to that file, however slight, will cause it to fail the verification process.

Creating and verifying signatures uses the public/private key pair from the SSH and PKI discussion; however, the operation is different from encryption and decryption.
## Getting Started
Go ahead and create a new primary key pair so you can get started with gpg.
```text
# input
gpg --gen-key
# output
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 2 # 2 generates DSA for signing and Elgamal for encrypting
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 2048 # default is 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) # zero means no expiration
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
# enter your own information when you get to this screen
Real name: Kenneth Shultz
Email address: kshultz@permitzip.com
Comment: Gadget Engineering Director
You selected this USER-ID:
"Kenneth Shultz (Gadget Engineering Director) <kshultz@permitzip.com>"
...
...
...
```
You will be prompted to create a passphrase for your key pair; proceed to do so, preferably using a memorable phrase with a length of several words.
Take note of your new Key ID in the output (Line 3 below):
```text
# output
gpg: /home/ec2-user/.gnupg/trustdb.gpg: trustdb created
gpg: key 9FCE5492 marked as ultimately trusted #Key ID = 9FCE5492
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048D/9FCE5492 2022-06-09
Key fingerprint = CD37 7CB1 4E47 42DC D0C2 E0F1 12C5 ED0C 224F 4A80
uid Kenneth Shultz (Gadget Engineering Director) <kshultz@permitzip.com>
sub 2048g/D436E7FC 2022-06-09
```
## Generate Revocation Certificate
With the new key pair created, immediately generate a revocation certificate for the primary public key.
- Revocation certificates may be published to notify others that the public key has expired (perhaps due to a lost key, etc.).
- A revoked key can still be used to verify signatures made in the past.
- A revoked key cannot be used to encrypt future messages.
- Revocation does not impact the ability to decrypt past messages (if you still have the private key).
Create a revocation certificate using:
```text
# input
gpg --output $HOME/.gnupg/your-new-certificate-name.asc --gen-revoke your-key-id # example key-id: 9FCE5492
# output
sec 2048D/9FCE5492 2022-06-08 Kenneth Shultz (Gadget Engineering Director) <kshultz@permitzip.com>
Create a revocation certificate for this key? (y/N) y #confirm yes
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> #No description necessary; could enter something like
# "safety revocation certificate"
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "Kenneth Shultz (Gadget Engineering Director) <kshultz@permitzip.com>"
# Use same passphrase from key creation process
2048-bit DSA key, ID 9FCE5492, created 2022-06-08
ASCII armored output forced.
Revocation certificate created.
...
...
```
Your revocation certificate has been stored in $HOME/.gnupg/ as your-new-certificate-name.asc (see line 2 above). Now check your keyring:

You will need to share your public key so that others can verify your signatures. Use the command below, replacing the email address and key ID (9FCE5492) with your own information:

Lines 2 through 41 above (bounding header and footer included) can now be copied to the clipboard in order to share your public key information anywhere.
## Add Another User's Public Key and Sign
You can add another user's public key to your keyring. Copy and paste Kenny's public key from above (including the bounding header and footer), name it kenny.gpg, save it to $HOME/.gnupg, then import the key using:
```shell
gpg --import $HOME/.gnupg/kenny.gpg
```
To certify the key on your system, you must now sign it:
```text
# input
gpg --edit-key kshultz@permitzip.com
# output
pub 2048D/9FCE5492 created: 2022-06-08 expires: never usage: SC
trust: unknown validity: unknown
sub 2048g/586776A7 created: 2022-06-08 expires: never usage: E
[ unknown] (1). Kenneth Shultz (Gadget Engineering Director) <kshultz@permitzip.com>
```
A gpg shell has been spawned (the gpg> prompt); enter the following fpr and sign commands. Before entering your passphrase to complete the signing process, verify that the fingerprint (line 9 below) matches exactly:

```text
4104 CFE0 F9A4 8B60 5253 A6BF ACAD E367 9FCE 5492
```
```text
# input
gpg> fpr
# output
pub 4096R/58360418 2015-09-24 Amazon Inspector <inspector@amazon.com>
Primary key fingerprint: DDA0 D4C5 10AE 3C20 6F46 6DC0 2474 0960 5836 0418
# input
gpg> sign
# output
pub 2048D/9FCE5492 created: 2022-06-08 expires: never usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 4104 CFE0 F9A4 8B60 5253 A6BF ACAD E367 9FCE 5492
Kenneth Shultz (Gadget Engineering Director) <kshultz@permitzip.com>
Are you sure that you want to sign this key with your
key "Your Name (Your Key Description) <your-username@your-domain.com>" (your-keyID)
Really sign? (y/N) y
...
```
Always verify fingerprints before signing and authorizing keys on your system.
You can now use a force quit (ctrl+C) to exit the gpg terminal.
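The import-then-sign procedure above, with the fingerprint check made mandatory, as an added shell example that is not part of the original tutorial: it builds two throwaway keyrings with constructed demo user IDs (kenny@example.invalid and you@example.invalid), exports Kenny's public key, imports it into yours, and certifies it with `--quick-sign-key` only when the fingerprint equals the value obtained out of band. It assumes gpg 2.1 or later is on PATH.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes gpg 2.1+ on PATH;
# both user IDs are constructed for the demo.
fingerprint_of() {   # primary-key fingerprint (40 hex chars) of the key matching $1
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}
new_keyring() {      # fresh GNUPGHOME holding one unprotected demo key for user ID $1
  d=$(mktemp -d) && chmod 700 "$d" && GNUPGHOME=$d gpg --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-gen-key "$1" default default never 2>/dev/null && echo "$d"
}
# Import the armored public key in file $1 into keyring $2 and certify it ONLY if its
# fingerprint equals $3, the value you got out of band (phone call, business card, ...).
import_and_sign_if_verified() {
  export GNUPGHOME=$2
  gpg --batch --quiet --import "$1" 2>/dev/null || return 2
  actual=$(fingerprint_of kenny@example.invalid)
  if [ "$actual" != "$3" ]; then
    echo "fingerprint mismatch (expected $3, got $actual): refusing to sign" >&2
    return 1
  fi
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-sign-key "$actual" 2>/dev/null || return 2
  # Confirm our certification is now on the key: a good ('!') sig record made by our own user ID.
  gpg --batch --with-colons --check-sigs "$actual" 2>/dev/null |
    awk -F: '$1=="sig" && $2=="!" && index($10,"you@example.invalid"){f=1} END{exit !f}'
}
demo() {
  kenny=$(new_keyring 'Kenny (demo) <kenny@example.invalid>') || return 2
  you=$(new_keyring 'You (demo) <you@example.invalid>') || return 2
  export GNUPGHOME=$kenny
  real=$(fingerprint_of kenny@example.invalid)      # what Kenny would read to you over the phone
  gpg --batch --armor --export kenny@example.invalid > "$kenny/kenny.asc"
  # A wrong fingerprint must be refused (status 1); the right one imports and certifies (status 0).
  import_and_sign_if_verified "$kenny/kenny.asc" "$you" 0000000000000000000000000000000000000000
  [ $? -eq 1 ] || return 2
  import_and_sign_if_verified "$kenny/kenny.asc" "$you" "$real"; rc=$?
  for h in "$kenny" "$you"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null; done
  return $rc
}
```

Run `demo` to exercise both paths; the real fingerprint is taken from Kenny's own keyring here only because the demo has no out-of-band channel.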
## Encrypting and Decrypting
You can use someone's public key to encrypt a message. The message can only be decrypted with the recipient's private key (the other half of that public key's key pair).

Try creating a file to encrypt; we'll create and use a message.txt file:

Here we pass kshultz@permitzip.com as the recipient so that the message is encrypted with Kenny's key, and we define message.txt.gpg as the output (the encrypted file).
You will never be able to decrypt this file without Kenny's private key.
Kenny could now decrypt this message using his private key and resolve it to message.txt with the command:
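The full cycle from the Tamper Resistant Digital Signatures and Encrypting and Decrypting sections, as an added shell example that is not part of the original tutorial: encrypt to a public key, decrypt with the private key, detach-sign a file, verify it, then change one byte of the signed file and confirm verification fails. It runs in a throwaway GNUPGHOME with a constructed demo user ID and assumes gpg 2.1 or later is on PATH.

```shell
#!/bin/sh
# Added example (not from the original page): the encrypt/decrypt and sign/verify
# cycle in a throwaway keyring, then a one-byte edit to the signed file to show
# that verification fails. Assumes gpg 2.1+ on PATH; the user ID is constructed.
gpg_roundtrip() {
  tmp=$(mktemp -d) || return 2
  chmod 700 "$tmp"
  export GNUPGHOME=$tmp
  uid='Demo User (throwaway) <demo@example.invalid>'   # stands in for Kenny's key

  # 1. Non-interactive key pair (no passphrase, no expiry) for the demo only.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$uid" default default never 2>/dev/null || return 2
  printf 'meet at noon\n' > "$tmp/message.txt"

  # 2. Encrypt to the recipient's PUBLIC key: message.txt -> message.txt.gpg.
  gpg --batch --quiet --yes --recipient "$uid" \
      --output "$tmp/message.txt.gpg" --encrypt "$tmp/message.txt" || return 2
  # 3. Decrypt with the matching PRIVATE key and check we got the original back.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --output "$tmp/decrypted.txt" --decrypt "$tmp/message.txt.gpg" 2>/dev/null || return 2
  cmp -s "$tmp/message.txt" "$tmp/decrypted.txt" || return 1

  # 4. Detached signature over the file, then verify it against the file.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor \
      --output "$tmp/message.txt.asc" --detach-sign "$tmp/message.txt" 2>/dev/null || return 2
  gpg --batch --verify "$tmp/message.txt.asc" "$tmp/message.txt" 2>/dev/null || return 1

  # 5. Tamper with the signed file ("noon" -> "moon"). Verification must now fail.
  printf 'meet at moon\n' > "$tmp/message.txt"
  if gpg --batch --verify "$tmp/message.txt.asc" "$tmp/message.txt" 2>/dev/null; then
    return 1   # a signature that survives tampering means something is broken
  fi

  gpgconf --kill gpg-agent 2>/dev/null
  unset GNUPGHOME
  rm -rf "$tmp"
  return 0
}
```

`gpg_roundtrip` exits 0 only if the decrypted text matches the original, the untouched file verifies, and the tampered file does not.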