
Personal Security – Importing, Verifying and Signing PGP Keys

In our last article, we went over how to create keys that we can share with others. Before we get into using them in our email program of choice, we have to know a bit more about how to work with the keys we get from others. In today’s article, we will discuss how to import keys that we receive from others, how to verify the other person’s identity using their key, and how to then sign it so our software knows it is trusted.

Importing Public Keys from Other Users

Once we have a key from someone else in a text file, we need to import it for our use (decrypting their secure messages). Using the utilities we already have installed, we can easily accomplish this with the following command:

gpg --import nameofpublic.key

Keep in mind that anyone we want to communicate with may have simply uploaded their previously verified public key to a public key server. They will provide you with the URL location of that key. You can search for a public key for someone as well if you know the keyserver it may be posted to. This is done with the following command (using the keyserver at pgp.com):

gpg --keyserver keyserver.pgp.com --search-keys [myfriends.info]

The search parameters can be name, email or other identifying information typically contained in a public key.

Verification

How can you be sure of the identity of the person providing the public key? Assuming you are not a personal friend or in the same physical location, you can use what is called a fingerprint. The fingerprint is a value derived from the key that gives reasonable assurance that both parties hold the same public key, as long as you compare it over a channel other than the one the key itself arrived on. You can display a public key’s fingerprint via:

gpg --fingerprint youremail@example.com

Which should then show you something similar to:

pub   4096R/525B1E29 2016-05-04
      Key fingerprint = BE9F 04EE 49FE BE08 8F8E  B980 7654 8B22 41AB ABD8
uid                   User <youremail@example.com>
sub   4096R/9721AE73 2016-05-04

Of course, your fingerprint will differ based on the key used and the email address it was generated from. This string is what you compare against the fingerprint you, or someone else, obtained for the other party; if the two match, you both hold the same public key.

Signing (or Trusting) Keys

Finally, before we can use any key in a secure transaction, we need a way to let our software know that it is trusted. Once you are confident you have verified the key as having come from where you expected it to, sign the imported key:

gpg --sign-key email@sample.com

In addition to letting your software know that it is a trusted key, your signature can help others decide to trust that key. People who trust you may decide to implicitly trust those you do. You can extend that trust by sending them the signed key:

gpg --export --armor email@sample.com

You will have to provide your passphrase again, as you are signing this key with your own key as well. Think of it as a tacit “approval” of their information by you. They can then import the signed key into their system, furthering the trust relationship of their key.
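The verification and signing steps above are easy to get wrong by hand (a fingerprint compared by eye, or a key signed by email address when several keys carry the same address). The following script, added here as an example and not part of the original article, checks a key file's primary fingerprint against one obtained out of band and only then imports and signs it, addressing the key by its full fingerprint. It assumes gpg 2.2 or later (for --show-keys) and placeholder paths; the sample colon-format output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original article).
# Assumes: gpg >= 2.2 in PATH; key file and expected fingerprint are supplied
# by the caller, the fingerprint having been obtained on a separate channel.

# Normalise a fingerprint for comparison: drop spaces, upper-case hex digits,
# so "be9f 04ee ..." and "BE9F04EE..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint. The first "fpr" record after the "pub" record belongs to the
# primary key (later ones belong to subkeys); field 10 holds the fingerprint.
# Constructed sample record: fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
primary_fpr_from_colons() {
    awk -F: '$1=="pub"{seen=1} seen && $1=="fpr"{print $10; exit}'
}

# Return 0 when two fingerprints match after normalisation, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Verify a key file against an expected fingerprint, then import and sign it.
# Signing by full fingerprint (not by email) avoids picking the wrong key when
# several keys in the keyring carry the same user ID.
verify_and_sign() {
    keyfile=$1
    expected=$2
    # --show-keys prints the key file's contents without importing it.
    actual=$(gpg --with-colons --with-fingerprint --show-keys "$keyfile" |
             primary_fpr_from_colons)
    if fpr_matches "$actual" "$expected"; then
        gpg --import "$keyfile" &&
        gpg --sign-key "$(normalize_fpr "$expected")"
    else
        echo "fingerprint mismatch: key file has '$actual', expected '$expected'" >&2
        return 1
    fi
}

# Usage (placeholders): verify_and_sign nameofpublic.key "BE9F 04EE 49FE ... ABD8"
```

If the fingerprints differ, nothing is imported or signed, which is the point: a key that fails the out-of-band check should never reach the trusted keyring.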

Conclusion and Next Steps

We now have all of the necessary components to secure messaging between us and the third party we have been working with during this article. In our conclusion, I will show you how to add these keys into our email client in order to communicate securely, with information decryptable only by the intended recipient and ourselves. If you have any questions, leave a comment and I will do what I can to help address them!

Terrence T. Cox

A veteran of twenty years in Information Technology in a variety of roles. He has worked in development, security and infrastructure well before they merged into what we now call DevOps. He provides training in Linux, VMWare, DevOps (Ansible, Jenkins, etc.) as well as containers and AWS topics.
