8 : signing and encrypting data #
Learn how to create and manage PGP and SSH keys.
The GNOME Passwords and Keys program is an important component of the encryption infrastructure on your system. With this program, you can create and manage PGP and SSH keys, import, export and share keys, back up your keys and keyring, and cache your passphrase.
To start the application, open the Meta and search for pass
.
8.1 Signing and encryption #
Signing. Attaching electronic signatures to pieces of information, such as e-mail messages or software to prove its origin. To keep someone else from writing messages using your name, and to protect both you and the people you send them to, you should sign your mails. Signatures help you check the sender of the messages you receive and distinguish authentic messages from malicious ones.
Software developers sign their software so that you can check the integrity. Even if you get the software from an unofficial server, you can verify the package with the signature.
Encryption. You might also have sensitive information you want to protect from other parties. Encryption helps you transform data and make it unreadable for others. This is important for companies so they can protect internal information and their employees' privacy.
8.2 Generating a new key pair #
To exchange encrypted messages with other users, you must first generate your own pair of keys. It consists of two parts:
Public key. This key is used for encryption. Distribute it to your communication partners, so they can use it to encrypt files or messages for you.
Private key. This key is used for decryption. Use it to make encrypted files or messages from others (or yourself) legible again.
If others gain access to your private key, they can decrypt files and messages intended only for you. Never grant others access to your private key.
8.2.1 Creating OpenPGP keys #
OpenPGP is a non-proprietary protocol for encrypting e-mail with the use of public-key cryptography based on PGP. It defines standard formats for encrypted messages, signatures, private keys, and certificates for exchanging public keys.
Open the
overview and typepass
.Open
.Press the
button in the upper left corner of the window.Select
from the list.Enter your name in the
field.Optionally, add your e-mail address and a comment to describe the key.
Click
to create the new key pair.In the password dialog, enter a password for the key.
Confirm with
.When you specify a passphrase, use the same practices you use when you create a strong password.
8.2.2 Creating secure shell keys #
Secure Shell (SSH) is a method of logging in to a remote computer to execute commands on that machine. SSH keys are used in key-based authentication system as an alternative to the default password authentication system. With key-based authentication, there is no need to manually type a password to authenticate.
Open the
overview and typepass
.Open
.Press the
button in the upper left corner of the window.Select
from the list.Enter a description for the key.
Optionally, change the default settings for encryption type or key strength.
Encryption type. Specifies the encryption algorithms used to generate your keys. Select to use the Rivest-Shamir-Adleman (RSA) algorithm to create the SSH key. This is the preferred and more secure choice. Select to use the Digital Signature Algorithm (DSA) to create the SSH key.
Key strength. Specifies the length of the key in bits. The longer the key, the more secure it is (provided a strong passphrase is used). Keep in mind that performing any operation with a longer key requires more time than it does with a shorter key. Acceptable values are between 1024 and 4096 bits. At least 2048 bits is recommended.
Confirm either with
or . The latter guides you through the installation of the public key.
8.3 Modifying key properties #
You can modify properties of existing OpenPGP or SSH keys.
8.3.1 Editing OpenPGP key properties #
The descriptions in this section apply to all OpenPGP keys.
Open the
overview and typepass
.Open
.Select
from the left side panel.Right-click the PGP key you want to edit and select
.A dialog opens, showing the following key properties:
Key ID: The Key ID is similar to the Fingerprint, but the Key ID contains only the last eight characters of the fingerprint. It is generally possible to identify a key with only the Key ID, but sometimes two keys might have the same Key ID.
Fingerprint: A unique string of characters that exactly identifies a key.
Expires: The date the key can no longer be used (a key can no longer be used to perform key operations after it has expired). Changing a key's expiration date to a point in the future re-enables it. A good general practice is to have a master key that never expires and multiple subkeys that do expire and are signed by the master key.
Subkeys: See Section 8.3.1.2, “Editing OpenPGP subkey properties” for more information.
Override owner trust: Set the level of trust for the owner of the key. Trust is an indication of how sure you are of a person's ability to correctly extend the Web of trust. When there is a key that you have not signed, the validity of the key is determined from its signatures and how much you trust the people who made those signatures.
Click the plus button to add a photo to the key or change the passphrase associated with the key.
Photo IDs allow a key owner to embed one or more pictures of themselves in a key. These identities can be signed like normal user IDs. A photo ID must be in JPEG format. The recommended size is 120×150 pixels.
If the chosen image does not meet the required file type or size,
can resize and convert it on the fly from any image format supported by the GDK library.Close the dialog to finish.
8.3.1.1 Adding a user ID #
User IDs allow multiple identities and e-mail addresses to be used with the same key. Adding a user ID is useful, for example, when you want to have an identity for your job and one for your friends. They take the following form:
Name (COMMENT) <E-MAIL>
Open the
overview and typepass
.Open
.Select the
keyring from the left side panel.From the list, select the
.Right-click the key and select
› .In the dialog, fill in
, and for the new user ID and click .Your e-mail address is how most people can locate your key on a key server or other key provider. Make sure it is correct before continuing.
Enter the passphrase and click
to finish.
8.3.1.2 Editing OpenPGP subkey properties #
Each OpenPGP key has a single master key used to sign only. Subkeys are used to encrypt and to sign as well. In this way, if your subkey is compromised, you do not need to revoke your master key.
Open the
overview and typepass
.Open
.Select
from the list.Select the
from the list.Right-click the selected key and select
.Choose the properties for your key.
Close the box to confirm the changes.
8.3.2 Editing secure shell key properties #
The descriptions in this section apply to all SSH keys.
Open the
overview and typepass
.Open
.Select
from the list and right-click the key you want to edit.A dialog opens where you can see and edit the following properties:
Algorithm: Specifies the encryption algorithm used to generate a key.
Location: The location where the private key has been stored.
Fingerprint: A unique string of characters that exactly identifies a key.
Export. Exports the key to a file.
Close the dialog to confirm the changes.
8.4 Importing keys #
Keys can be exported to text files. These files contain human-readable text at the beginning and at the end of a key. This format is called an ASCII-armored key.
To import keys, proceed as follows:
Open the
overview and typepass
.Open
.Press the
button in the upper left corner.Select
from the list.In the dialog, select the key to import. Public SSH keys end with
pub
.Click
to import the key.
You can also paste keys inside
:Select an ASCII-armored public block of text, then copy it to the clipboard.
Open the
overview and typepass
.Open
.Press the
button in the upper left corner.Paste the key to the appropriate location.
8.5 Exporting keys #
To export keys, proceed as follows:
Open the
overview and typepass
.Open
.Select the
keyring you want to export from the left side panel.Select the
to be exported.Right-click the key and select
.To store the key in
ASCII
format, select .Choose a location and confirm with
.
8.6 Signing a key #
Signing another person's key means that you are giving trust to that person. Before signing a key, carefully check the key's fingerprint to ensure that the key really belongs to that person.
Trust is an indication of how sure you are of a person's ability to correctly extend the Web of trust. When there is a key that you have not signed, the validity of the key is determined from its signatures and how much you trust the people who made those signatures.
Open the
overview and typepass
.Open
.Import the key to be signed.
From the list of
, select the imported key.Right-click the key and select
› .Click the
button.Choose how carefully you have checked the key.
Decide if you want to revoke your signature at a later date and to make your signature public.
Confirm with
.
8.7 Password keyrings #
You can use password keyring preferences to create or remove keyrings, to set the default keyring for application passwords or to change the unlock password of a keyring. To create a new keyring, follow these steps:
Open the
overview and typepass
.Open
.Click the
button in the upper left corner.Select
from the list.Enter a name for the keyring and click
.Set and confirm a new
for the keyring and click to create the keyring.
To change the unlock password of an existing keyring, right-click the keyring in the
tab and click . You need to provide the old password to be able to change it.To change the default keyring for application passwords, right-click the keyring in the
tab and click .8.8 Key servers #
You can keep your keys up-to-date by synchronizing keys periodically with remote key servers. Synchronizing ensures that you have the latest signatures made on all your keys, so that the Web of trust is becoming effective.
Open the
overview and typepass
.Open
.Select the PGP key you want to synchronize.
Press the menu button in the header bar.
Select
.HKP key servers: HKP key servers are ordinary Web-based key servers, such as the popular
hkp://pgp.mit.edu:11371
, also accessible at http://pgp.mit.edu.LDAP key servers: LDAP key servers are less common, but use the standard LDAP protocol to serve keys.
ldap://keyserver.pgp.com
is a recommended LDAP server.You can
or key servers to be used using the buttons on the left. To add a new key server, set its type, host and port, if necessary.Set whether you want to automatically publish your public keys and which key server to use. Set whether you want to automatically retrieve keys from key servers and whether to synchronize modified keys with key servers.
Click the
button to synchronize your key.
8.9 Key sharing #
Key Sharing is provided by DNS-SD, also known as Bonjour or Rendezvous. Enabling key sharing adds the local
users' public key rings to the remote search dialog. Using these local key servers is generally faster than accessing remote servers.Open the
overview and typepass
.Open
.Select
from the left side panel.From the list, select the
you want to share.Press the menu button in the header bar.
Select
.Press the
button to see the list of key servers.To publish your key, select a server from the menu. Close the window and go back to the previous dialog.
Press
to finish.