Using a PGP Key Pair

A PrettyGood Privacy (PGP) Key Pair allows the signing and encryption of files and fields.

This howto shows how to install the GNU Privacy Guard and create a PGP Key Pair.

Pretty Good Privacy (PGP) is a data encryption and decryption program that provides cryptographic privacy and authentication for data communication. It's commonly used for securing emails, ensuring that only the intended recipient can read the message.

Intended usage:

• Terraform and OpenTofu allow base-64 encoded PGP public keys for the generation of IAM access keys.
• GitHub allows signing commits with a GPG key.

Install GnuPG

To install in Ubuntu, update the repository and install the package gnupg.

sudo apt update
sudo apt install gnupg

Check GnuPG installation

Check that the GnuPG package has been installed

gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Generate a PGP Key Pair

There are multiple ways to generate PGP Key Pairs depending on the needs. See How to Manage Your Keys for additional options.

Command line quick generation without a passphrase

Specify the Name of the user, its e-mail address (IT Wonder Lab [email protected]), type of key (default = rsa), key size (default = 3072), and expiration (never).
Parameters --quick-generate-key --passphrase '' --batch are used to avoid questions from gpg.

gpg --quick-generate-key --passphrase '' --batch "IT Wonder Lab <[email protected]>" default default never

Command line detailed generation

For advance selection of algorithm use the interactive key generation

gpg --full-generate-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: IT Wonder Lab
Email address: [email protected]
Comment: IT Wonder Lab Tutorial 3
You selected this USER-ID:
    "IT Wonder Lab (IT Wonder Lab Tutorial 3) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy

Command line batch generation

• See GPG Official Manual for Unattended key generation.

List PGP Keys

Use gpg -k for listing the generated keys

gpg -k
/home/user/.gnupg/pubring.kbx
------------------------------
pub   rsa3072 2023-11-14 [SC]
      4FFFF70506DFFCA9AC9303B811E695F8A4A14CB4
uid           [ultimate] IT Wonder Lab (IT Wonder Lab Tutorial) <[email protected]>
sub   rsa3072 2023-11-14 [E]

Exporting the Public and Private Keys

Export the keys using --export and --export-secret-key with the email used for the key.

• ditwl_infradmin_gpg_public.key: The Public Key in Binary format
• itwl_infradmin_gpg_b64_public.key: The Public Key in base64 format (for Terraform)
• ditwl_infradmin_gpg_private.key: The Private Key in base64 format

gpg --export [email protected] > ditwl_infradmin_gpg_public.key
gpg --export [email protected] | base64 > ditwl_infradmin_gpg_b64_public.key
gpg --export-secret-key -a [email protected] > ditwl_infradmin_gpg_private.key

Convert the public key to base64 for usage in Terraform:

cat ditwl_infradmin_gpg_public.key | base64 > ditwl_infradmin_gpg_b64_public.key

Deleting the Key Pair

Use gpg --delete-secret-key and --delete-key with the email used for the key to delete the key pair.

$ gpg --delete-secret-key [email protected]
$ gpg --delete-key [email protected]