Using a PGP Key Pair

A Pretty Good Privacy (PGP) key pair allows signing and encrypting files and individual values.

This howto shows how to install the GNU Privacy Guard (GnuPG, the gpg command, a free implementation of the OpenPGP standard) and create a PGP key pair.

Pretty Good Privacy (PGP) is a data encryption and decryption program that provides cryptographic privacy and authentication for data communication. It is commonly used for securing e-mails, ensuring that only the intended recipient can read the message, and for signing data so that its origin can be verified.

Intended usage:

  • Terraform and OpenTofu accept a base64-encoded PGP public key (the pgp_key argument of the aws_iam_access_key resource) when generating IAM access keys, so that the secret is stored in the state only encrypted to that key.
  • GitHub can verify commits signed with a GPG key.

How to install GnuPG and generate a PGP Key Pair

  1. Install GnuPG

    Install GnuPG using apt.

  2. Generate a PGP Key Pair

    Use the gpg command line to generate a key pair.

  3. Exporting the Public and Private Keys

    Use the gpg command line options --export and --export-secret-key to export the keys.

  4. Deleting the Key Pair

    Use the gpg command line options --delete-secret-key and --delete-key to delete the key pair.

Install GnuPG

To install in Ubuntu, update the repository and install the package gnupg.

sudo apt update
sudo apt install gnupg

Check GnuPG installation

Check that the GnuPG package has been installed. The Home line of the output is the keyring directory gpg will use; if it reads /root/.gnupg you are running as root, so run the remaining steps as the user that will own and use the key.

gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Generate a PGP Key Pair

There are multiple ways to generate PGP key pairs depending on the needs. See How to Manage Your Keys for additional options.

Command line quick generation without a passphrase

Specify the name of the user, its e-mail address (IT Wonder Lab [email protected]), the key algorithm and size (default, which in GnuPG 2.2 means RSA with 3072 bits; GnuPG 2.3 and later default to ed25519/cv25519, so pass rsa3072 or rsa4096 instead of default if an RSA key is required), the usage (default: sign and certify for the primary key plus an encryption subkey), and the expiration (never).
Parameters --quick-generate-key --passphrase '' --batch are used to avoid questions from gpg. The private key is then stored without a passphrase: anyone who can read the keyring files can use it, so reserve this form for automation keys that live in a locked-down location or are rotated often; for a personal key use the interactive generation below and set a passphrase.

gpg --quick-generate-key --passphrase '' --batch "IT Wonder Lab <[email protected]>" default default never

Command line detailed generation

For advanced selection of the algorithm, key size and expiration, use the interactive key generation:

gpg --full-generate-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: IT Wonder Lab
Email address: [email protected]
Comment: IT Wonder Lab Tutorial 3
You selected this USER-ID:
    "IT Wonder Lab (IT Wonder Lab Tutorial 3) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy

Command line batch generation
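
Unattended generation reads the key parameters from a file instead of the command line, which is the form you want in CI pipelines and provisioning scripts. The script below is an added example, not code from the original tutorial: it writes the parameter file, generates the pair inside a throwaway GNUPGHOME so the demo never touches ~/.gnupg, and prints the fingerprint of the new primary key. The identity (IT Wonder Lab, infradmin@example.com), the file names and the function names are placeholders chosen here; the parameter keywords (Key-Type, %no-protection, %commit, ...) are GnuPG's own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): unattended key generation
# from a GnuPG parameter file, the form suited to CI pipelines and provisioning
# scripts. Identity, file names and function names are placeholders.
set -eu

# Print a GnuPG unattended-generation parameter file to stdout.
#   $1 real name   $2 e-mail   $3 expiry (0 = never, or 1y, 90d, ...)
#   $4 passphrase ("" = store the private key unprotected)   $5 RSA bits (4096)
gpg_batch_params() {
    name=$1; email=$2; expire=$3; passphrase=$4; bits=${5:-4096}
    printf '%s\n' \
        "Key-Type: RSA" \
        "Key-Length: $bits" \
        "Key-Usage: sign" \
        "Subkey-Type: RSA" \
        "Subkey-Length: $bits" \
        "Subkey-Usage: encrypt" \
        "Name-Real: $name" \
        "Name-Email: $email" \
        "Expire-Date: $expire"
    if [ -z "$passphrase" ]; then
        # Same trade-off as --passphrase '' above: whoever can read the keyring
        # files can use the key, so reserve this for short-lived automation keys.
        printf '%%no-protection\n'
    else
        printf 'Passphrase: %s\n' "$passphrase"
    fi
    printf '%%commit\n'
}

# Generate the pair into an explicit home directory (never the caller's
# ~/.gnupg) and print the 40-hex-digit fingerprint of the new primary key.
#   $1 directory to use as GNUPGHOME   $2 real name   $3 e-mail   $4 RSA bits
gpg_batch_generate() {
    home=$1; name=$2; email=$3; bits=${4:-4096}
    mkdir -p "$home" && chmod 700 "$home"      # gpg warns on unsafe permissions
    gpg_batch_params "$name" "$email" 0 "" "$bits" > "$home/keygen.params"
    GNUPGHOME=$home gpg --batch --quiet --gen-key "$home/keygen.params"
    rm -f "$home/keygen.params"                # could hold a Passphrase: line
    GNUPGHOME=$home gpg --batch --with-colons --fingerprint "$email" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Demo: `sh pgp_batch_keygen.sh demo` creates a throwaway keyring, generates
# the pair, lists it and removes everything, including the agent gpg started.
main() {
    home=$(mktemp -d)
    fpr=$(gpg_batch_generate "$home" "IT Wonder Lab" "infradmin@example.com")
    echo "Generated primary key fingerprint: $fpr"
    GNUPGHOME=$home gpg --batch --list-secret-keys
    GNUPGHOME=$home gpgconf --kill all
    rm -rf "$home"
}
if [ "${1:-}" = demo ]; then main "$@"; fi
```

The fingerprint printed by gpg_batch_generate is what later steps should use to reference the key: unlike an e-mail address it cannot match two keys. Pointing GNUPGHOME at a directory you own is also how to keep an automation key out of the interactive user's keyring.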

List PGP Keys

Use gpg -k (short for --list-keys) to list the generated keys. [SC] marks the primary key usage (sign and certify) and [E] the encryption subkey; the 40-hex-digit line is the fingerprint, the identifier to use when a key must be referenced unambiguously.

gpg -k
/home/user/.gnupg/pubring.kbx
------------------------------
pub   rsa3072 2023-11-14 [SC]
      4FFFF70506DFFCA9AC9303B811E695F8A4A14CB4
uid           [ultimate] IT Wonder Lab (IT Wonder Lab Tutorial) <[email protected]>
sub   rsa3072 2023-11-14 [E]

Exporting the Public and Private Keys

Export the keys using --export and --export-secret-key with the e-mail used for the key:

  • ditwl_infradmin_gpg_public.key: the public key in binary format
  • ditwl_infradmin_gpg_b64_public.key: the public key in base64 format (for Terraform)
  • ditwl_infradmin_gpg_private.key: the private key in ASCII-armored format (the -a option). Because the key was created without a passphrase this file is unprotected: restrict its permissions (chmod 600), keep it out of version control, and delete it once it has been stored in a secrets manager.

gpg --export [email protected] > ditwl_infradmin_gpg_public.key
gpg --export [email protected] | base64 > ditwl_infradmin_gpg_b64_public.key
gpg --export-secret-key -a [email protected] > ditwl_infradmin_gpg_private.key

If the binary public key has already been exported, convert that file to base64 for usage in Terraform instead:

cat ditwl_infradmin_gpg_public.key | base64 > ditwl_infradmin_gpg_b64_public.key

Deleting the Key Pair

Use gpg --delete-secret-key and --delete-key with the e-mail used for the key to delete the key pair. The secret key must be deleted first, since gpg refuses to delete a public key while its secret key is still in the keyring; each command asks for confirmation.

gpg --delete-secret-key [email protected]
gpg --delete-key [email protected]
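
Putting the export, Terraform hand-off, verification and deletion steps together, the following script is an added example and not code from the tutorial. It generates a throwaway pair with the quick command from above, exports the public key as the single-line base64 string Terraform's pgp_key argument expects, proves the string round-trips by importing it into an empty keyring, rehearses decrypting an encrypted_secret value with a locally encrypted constructed sample, and deletes the pair by fingerprint. Everything runs in a temporary GNUPGHOME, so ~/.gnupg is untouched. The identity, the sample secret and the Terraform output name are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): export, Terraform hand-off,
# verification and deletion as one script, run in a throwaway GNUPGHOME so it
# never touches ~/.gnupg. The identity, the sample secret and the Terraform
# output name are placeholders.
set -eu

# The pgp_key argument of aws_iam_access_key takes the public key as base64
# text. GNU base64 wraps at 76 columns; strip the newlines so the value fits a
# single-line variable (what GNU's base64 -w0 does, written portably).
export_pubkey_b64() {          # $1 = user id of the key, e.g. the e-mail
    gpg --batch --export "$1" | base64 | tr -d '\n'
}

# Check the string before committing it: decode, import into an empty keyring
# and print the fingerprint it carried, to compare with the origin keyring.
verify_pubkey_b64() {          # $1 = base64 public key
    tmp=$(mktemp -d); chmod 700 "$tmp"
    printf '%s' "$1" | base64 -d | GNUPGHOME=$tmp gpg --batch --quiet --import
    GNUPGHOME=$tmp gpg --batch --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10; exit }'
    GNUPGHOME=$tmp gpgconf --kill all 2>/dev/null || true
    rm -rf "$tmp"
}

# Terraform encrypts the new secret to pgp_key and stores the result base64
# encoded in encrypted_secret. This local stand-in applies the same OpenPGP
# encryption to a constructed value so the decrypt step can be rehearsed.
simulate_encrypted_secret() {  # $1 = recipient user id   $2 = plaintext
    printf '%s' "$2" \
        | gpg --batch --quiet --trust-model always --encrypt --recipient "$1" \
        | base64 | tr -d '\n'
}

# Recover the secret with the private key. The same pipeline works on
# `terraform output -raw encrypted_secret` (assumed output name).
decrypt_terraform_secret() {   # stdin = encrypted_secret value
    base64 -d | gpg --batch --quiet --decrypt
}

# Delete the pair. In batch mode gpg accepts only a full fingerprint (an
# e-mail could match several keys) plus --yes, and the secret key goes first.
delete_keypair() {             # $1 = 40-hex-digit fingerprint
    gpg --batch --yes --delete-secret-keys "$1"
    gpg --batch --yes --delete-keys "$1"
}

# Demo: `sh pgp_terraform_key.sh demo`
main() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    uid='IT Wonder Lab <infradmin@example.com>'
    # The quick one-liner from above; --pinentry-mode loopback makes the empty
    # --passphrase take effect instead of an agent prompt.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never
    fpr=$(gpg --batch --with-colons --fingerprint infradmin@example.com \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    b64=$(export_pubkey_b64 infradmin@example.com)
    printf 'pgp_key = "%s"\n' "$b64"
    if [ "$(verify_pubkey_b64 "$b64")" = "$fpr" ]; then
        echo "base64 export round-trips: $fpr"
    else
        echo "export/import mismatch" >&2; exit 1
    fi
    enc=$(simulate_encrypted_secret infradmin@example.com 'constructed-sample-secret')
    printf 'decrypted: %s\n' "$(printf '%s' "$enc" | decrypt_terraform_secret)"
    delete_keypair "$fpr"
    gpgconf --kill all; rm -rf "$GNUPGHOME"
}
if [ "${1:-}" = demo ]; then main "$@"; fi
```

Two choices are deliberate: the base64 string is verified by importing it into an empty keyring rather than by eyeballing it, because a truncated or re-wrapped paste fails silently until an apply breaks; and deletion uses the fingerprint, since that is the only form gpg accepts non-interactively and the only one that cannot hit the wrong key when several share an e-mail address.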


Javier Ruiz

IT Wonder Lab tutorials are based on the diverse experience of Javier Ruiz, who founded and bootstrapped a SaaS company in the energy sector. His company, later acquired by a NASDAQ traded company, managed over €2 billion per year of electricity for prominent energy producers across Europe and America. Javier has over 25 years of experience in building and managing IT companies, developing cloud infrastructure, leading cross-functional teams, and transitioning his own company from on-premises, consulting, and custom software development to a successful SaaS model that scaled globally.
