Creating a GPG key on Fedora 22

Install the required tools

dnf install gnupg2 rng-tools -y

Start rngd. This provides entropy for the key generation process.

rngd -r /dev/urandom

Create a master GPG key. The key represents your GPG identity. Note that the command we are using is gpg2, not gpg.

# gpg2 --gen-key
gpg (GnuPG) 2.1.4; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: new configuration file '/root/.gnupg/gpg.conf' created
gpg: WARNING: options in '/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/root/.gnupg/pubring.kbx' created
Note: Use "gpg2 --full-gen-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Demo User
Email address:
You selected this USER-ID:
    "Demo User <>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 9CDBF8B3 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa2048/9CDBF8B3 2015-06-17
      Key fingerprint = 2FDB EB02 1D3C 8698 FBAD  DF1C B5BF 8F3A 9CDB F8B3
uid       [ultimate] Demo User <>
sub   rsa2048/AE893683 2015-06-17

# gpg2 --list-keys
pub   rsa2048/9CDBF8B3 2015-06-17
uid       [ultimate] Demo User <>
sub   rsa2048/AE893683 2015-06-17

[root@demo ~]# gpg2 --list-secret-keys 
sec   rsa2048/9CDBF8B3 2015-06-17
uid       [ultimate] Demo User <>
ssb   rsa2048/AE893683 2015-06-17

This has created a master key, 9CDBF8B3, with an encryption subkey, AE893683.

In the following steps, use your master key ID in place of 9CDBF8B3.

The key can be published to a keyserver like this

gpg2 --keyserver --send-keys 9CDBF8B3

In the event that the master key is lost or compromised, a revocation certificate will be needed to indicate that the key, and all its subkeys, should no longer be used.

gpg2 --gen-revoke 9CDBF8B3 > 9CDBF8B3-revoke.asc

All the *.asc files mentioned should be stored offline for security.

Backup your keys

gpg2 --export 9CDBF8B3 > 9CDBF8B3-pub.asc
gpg2 --export-secret-keys 9CDBF8B3 > 9CDBF8B3-sec.asc

If the key is published to a keyserver, the backup of the public keys is not needed as they can be retrieved from the keyserver.

Test encryption and decryption

# echo "this is a secret" > test.txt
# gpg2 -e -r 9CDBF8B3 test.txt 
# gpg2 -d test.txt.gpg 
gpg: encrypted with 2048-bit RSA key, ID AE893683, created 2015-06-17
      "Demo User <>"
this is a secret

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.