Introduction
The intent of this page is to explain how you can create and sign an OpenPGP key.
Then, to get connected to the web of trust, go to the keysigning coordination page.
How to
Tutorials explaining how to use:
- Sequoia-PGP:
- GnuPG:
If you want your OpenPGP key signed by at least one (but ideally more than one) Debian Developer, you have to follow the steps below.
Step 1: Create a keypair
Current tools should have good defaults when creating new key pairs. See also creating a keypair (GnuPG specific).
Note that, due to weaknesses found in the SHA1 hash algorithm, Debian wants stronger RSA keys when RSA is used: at least 4096 bits, with SHA2 preferred over SHA1. The current tools default to Ed25519, which is even better.
Also see OpenPGP Best Practices (GnuPG specific) and documentation about subkeys (GnuPG specific).
After key generation, the command prints information about the key, including its fingerprint. Keep it at hand: throughout the rest of this page, that fingerprint is assumed to be stored in the variable ${myFingerPrint}.
- Sequoia-PGP
sq key generate --userid "Name <email@example.org>" --own-key
This command will also generate a revocation certificate in ~/.local/share/sequoia/revocation-certificates.
- GnuPG
gpg --full-gen-key
With new enough GnuPG, this command will also generate a revocation certificate in ~/.gnupg/openpgp-revocs.d/. Otherwise it can be created with:
gpg --gen-revoke ${myFingerPrint} > ~/.gnupg/revocation-${myFingerPrint}.crt
Step 2: Make your public key public
- Sequoia-PGP
sq network keyserver publish --cert ${myFingerPrint}
- GnuPG
gpg --send-key ${myFingerPrint}
Some public keyservers:
https://keyring.debian.org (only Debian Developers can upload or send key updates to this server)
https://keyserver.ubuntu.com (recommended)
https://keys.openpgp.org/ (used by Thunderbird)
Step 3: Print your key
The printout of your fingerprint must contain the following information:
- Your first name
- Your last name
- Your e-mail addresses (the ones you use with the key)
- The encryption method and the ID of the key (e.g. 4096R/1A2B3C4D5E6F7G8H)
- The fingerprint itself
The above information should be available when the generation step has finished, but it can always be retrieved again with:
- Sequoia-PGP
sq inspect --cert ${myFingerPrint}
- GnuPG
gpg -v --fingerprint ${myFingerPrint}
Usually, you make several printouts on a sheet of paper, a so-called _keysheet_. Each printout can for example be the size of a business card.
Use a website to generate a PDF
There are various websites that you can use to generate ready-to-print PDF of your key, for example https://openpgp.quelltextlich.at/slip.html.
Use gpg-key2ps to generate a PDF
You can also use gpg-key2ps, which is part of the signing-party package, to create a keysheet:
- GnuPG
gpg-key2ps -p a4 ${myFingerPrint} | gs -sDEVICE=pdfwrite -sOutputFile=out.pdf
- Alternatively, you can print in one column only to avoid printing issues (for extra wide keys):
gpg-key2ps -1 -p a4 ${myFingerPrint} | gs -sDEVICE=pdfwrite -sOutputFile=out.pdf
If you go to a key signing party, you will have to send this information beforehand, and they will then print a list for each participant.
Display your key on your screen instead of printing it
Alternatively, you can show your fingerprint(s) on your laptop screen like this:
- Sequoia-PGP
sq key list | grep '^ - ' | sm -i -
- GnuPG
LANG=C gpg --list-secret-keys --fingerprint --keyid-format long | grep -Po 'fingerprint = \K.*' | sed 's/$/\n/; s/ /\n/' | sm -i -
Step 4: Hand out your key's fingerprint
The people who will sign your key will need to see some form of government issued ID (passport or similar).
You have to give the printout to at least one Debian Developer.
Read the official Debian keysigning page.
A CAcert member will need to see two IDs.
Step 5: Get your key digitally signed
The Debian Developer, using their own key ${ddSignersFingerprint}, does the following:
- Retrieve your key from the server:
- Sequoia-PGP
sq network search ${myFingerPrint}
- GnuPG
gpg --recv-keys ${myFingerPrint}
- Verify that the information is correct (the fingerprint):
- Sequoia-PGP
sq cert list --cert ${myFingerPrint}
- GnuPG
gpg --fingerprint ${myFingerPrint}
- Sign it:
- Sequoia-PGP
- Where ${myEmail} is the email that you want to certify as being linked to this certificate.
sq pki vouch add --certifier ${ddSignersFingerprint} --cert ${myFingerPrint} --userid "${myEmail}"
- GnuPG
gpg --sign-key ${myFingerPrint}
- Send it back to the key owner as an encrypted email (do not send it directly to a server). Sending it encrypted is preferred as you can verify the person can decrypt the messages they receive.
- Sequoia-PGP
sq cert export --cert ${myFingerPrint} | sq encrypt --for ${myFingerPrint} --signer ${ddSignersFingerprint} --output ${myFingerPrint}-signedBy-${ddSignersFingerprint}.asc
- GnuPG
gpg --armor --export ${myFingerPrint} | gpg --encrypt -r ${myFingerPrint} --armor --output ${myFingerPrint}-signedBy-${ddSignersFingerprint}.asc
Alternatively, the caff tool from the signing-party package automates this whole process:
caff ${myFingerPrint}
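The "verify that the information is correct" step above is the one that actually anchors the web of trust: the signer must compare the fingerprint of the key fetched from the keyserver with the fingerprint on the paper handed over in Step 4, digit by digit, before certifying anything. The script below is an added example (not part of this wiki page or of the gpg/sq tools) that does that comparison in POSIX sh. It reads the primary fingerprint from the machine-readable output of `gpg --with-colons --fingerprint` (the `fpr` record carries the 40 hex digit fingerprint in its tenth field), normalises the fingerprint as typed from the keysheet (spaces, case, optional `0x` prefix), checks that it is a well-formed v4 fingerprint, and reports MATCH or MISMATCH. The same grouping-in-fours helper formats a fingerprint the way a keysheet from Step 3 prints it. The `gpg` output embedded in the script is a constructed sample, not a real key; Sequoia users would take the fingerprint from `sq inspect` instead.

```shell
#!/bin/sh
# Added example, not from the Debian wiki: compare the fingerprint on a
# keysheet with the fingerprint of the key retrieved from a keyserver.

# Constructed sample of `gpg --with-colons --fingerprint` output for a v4
# key (no real key). The first 'fpr' record after 'pub' is the primary key
# fingerprint; the one after 'sub' belongs to a subkey and must be ignored.
SAMPLE_GPG_COLONS='tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example Name <email@example.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Normalise a fingerprint as a human copies it from a keysheet: drop
# whitespace and an optional 0x prefix, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Return 0 if the argument is a well-formed v4 fingerprint: exactly 40
# upper-case hex digits. Anything shorter, longer or non-hex is rejected.
is_v4_fpr() {
    case "$1" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ ${#1} -eq 40 ]
}

# Extract the primary key fingerprint from --with-colons output on stdin:
# field 10 of the first 'fpr' record (subkey fpr records come later).
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Group a fingerprint in blocks of four, the way keysheets print it.
pretty_fpr() {
    printf '%s' "$1" | sed 's/..../& /g; s/ $//'
}

# check_fpr KEYSHEET_FINGERPRINT COLONS_OUTPUT
# Prints a verdict and returns 0 only when both fingerprints are identical.
check_fpr() {
    sheet=$(normalize_fpr "$1")
    retrieved=$(printf '%s\n' "$2" | primary_fpr_from_colons)
    if ! is_v4_fpr "$sheet"; then
        echo "keysheet fingerprint is not a 40 hex digit v4 fingerprint: $1"
        return 1
    fi
    if [ "$sheet" = "$retrieved" ]; then
        echo "MATCH: $(pretty_fpr "$sheet")"
        return 0
    fi
    echo "MISMATCH: keysheet $(pretty_fpr "$sheet") vs retrieved $(pretty_fpr "$retrieved")"
    return 1
}

# Usage. With a real key the second argument would be
#   "$(gpg --with-colons --fingerprint "${myFingerPrint}")"
# and the first the fingerprint read from the paper keysheet.
check_fpr "0123 4567 89ab cdef 0123  4567 89AB CDEF 0123 4567" "$SAMPLE_GPG_COLONS"
```

Only a MATCH verdict justifies running `gpg --sign-key` or `sq pki vouch add`; a MISMATCH, a subkey fingerprint, or a fingerprint that is not 40 hex digits means the retrieved key is not the one whose owner you met, whatever the user ID says.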
Step 6: Send your signed key to the server
Some time after participating in a keysigning, you may receive your signed key as an e-mail attachment. Import the signatures:
- Sequoia-PGP
sq decrypt ${myFingerPrint}-signedBy-${ddSignersFingerprint}.asc | sq cert import
- GnuPG
gpg -d ${myFingerPrint}-signedBy-${ddSignersFingerprint}.asc | gpg --import
Afterwards you will have to send your updated key to the server:
- Sequoia-PGP
sq network keyserver publish --cert ${myFingerPrint}
- GnuPG
gpg --send-key ${myFingerPrint}
Beyond Debian
For those interested in expanding the web of trust beyond Debian: http://www.cacert.org/
See also
