GPG: the Best Free Crypto You Aren't Using, Part II of II

Mick picks up where he left off with GnuPG and gets even more paranoid with signing and verifying keys.
Create a Revocation Certificate

After you've generated your key, you should immediately create a revocation certificate. This is a string of text that you can send to a keyserver if and when you need to revoke your key.

Of course, you can create a revocation certificate at any point. The reason it makes sense to create one now is that it's not uncommon for even very knowledgeable and careful people to forget their passphrase. You need your passphrase to create a revocation certificate, but not to use one you created earlier.

That's why it's a good idea to create a revocation certificate now and save it in a safe place (you can even print it out and save it in “meatspace”--revocation certificates aren't very long). Just be sure to set its file permissions to be as strict as your private key's (e.g., not group- or world-readable or writable). The ramifications of someone sending the certificate to a keyserver without your permission aren't as scary as if someone can actually use your private key, but at the very least a prematurely revoked key could inconvenience you.

To generate a revocation certificate, enter this command:

gpg --output rev_cert_filename.asc --gen-revoke keyname

where rev_cert_filename.asc is the filename you'd like the certificate to have (just make sure it ends in .asc) and keyname is the key's ID number (e.g., 0586AF78) or part of your identity (“Smooth JoJo” would be enough to identify our example key).

Exporting Your Public Key

GnuPG stores its files in a subdirectory of your home directory called .gnupg. Any private keys you have are stored in a file called secring.gpg; public keys are stored in pubring.gpg. By default, secring.gpg is readable only by you; leave it that way. It's extremely important that you protect this file. By all means, back it up to a floppy or CD-ROM, but keep your backup in a safe place. If anyone obtains a copy of your secret keyring, they may be able to guess or brute-force-crack the passphrase of your private key and effectively steal your identity (or at least be able to decrypt your stuff).

Both pubring.gpg and secring.gpg are binary data files. To add, delete or change keys on either keyring, you need to use various flags with the gpg command.

For example, you're going to want to distribute your public key to your friends, right? So let's extract that key from your public keyring into a text file (see Sidebar “Armored ASCII vs. Binary GPG Files”). To print your public key to the screen, from whence it can be copied and pasted as needed, you need simply enter:

gpg --armor --export

the output of which will look something like Listing 2.

Listing 2. A Public Key

I took the liberty of simplifying a bit here; if you don't specify a user ID, gpg will dump the public portion of your default key pair. If you only have one private key, then that key pair is your default key and that pair's public key will be dumped.

If, on the other hand, you wish to dump some other public key, you need to specify a user ID. Continuing our example using Mr. Figplucker, to display JoJo's public key we enter:

gpg --armor --export jojo

As you can see, gpg is fairly intelligent when trying to determine which key you want to work with. In fact, it works a lot like grep: if you give a snippet of your e-mail address or some other text as your key identifier, gpg will match the first key whose user ID contains the string. In managing my own keyrings, in which I have several private-public key pairs and therefore numerous user IDs containing my name, I find it easiest to provide gpg with the entire e-mail-address portion of the key I wish to work with at any given time, e.g., gpg --armor --export

By the way, if you want to print a key to a file rather than to the screen, specify a filename with the --output option. To write JoJo's public key to the file jojo_pub.asc, the command would look like this:

gpg --armor --output jojo_pub.asc --export jojo

Armored ASCII vs. Binary GPG Files

Have you backed up your new keys yet? You may consider exporting your entire key pair, including your private key, but I recommend against doing this. You're much better off simply copying the keyring files pubring.gpg and secring.gpg from ~/.gnupg to a safe place. But if for some reason you do need to export your entire key pair, it's the same as exporting a public key except that you use the --export-secret-keys command rather than --export.
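As an added example (not code from the article), the following Python checks an armored block such as gpg --armor --export produces: it verifies the header, footer and the CRC-24 trailer that armored files carry, and includes the permission test the text recommends for revocation certificates and secring.gpg. The CRC-24 constants are from RFC 4880; SAMPLE_KEY is constructed filler, not real key material.

```python
# Added example, not from the article: check an ASCII-armored GPG block (header,
# footer and the CRC-24 trailer defined in RFC 4880) and key-file permission bits.
import base64
import stat

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
SAMPLE_KEY = bytes(range(64))  # constructed filler, not real key material

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, carried in the '=xxxx' armor trailer."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap binary data as 'gpg --armor' does: base64 lines plus a CRC-24 line."""
    b64 = base64.b64encode(data).decode()
    trailer = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *lines, trailer,
                      f"-----END PGP {kind}-----", ""])

def dearmor(text: str) -> bytes:
    """Strip armor, decode base64, verify the CRC-24; raise ValueError if corrupt."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("missing armor header or footer")
    body = lines[1:-1]
    payload = [l for l in body[body.index("") + 1:] if l]  # headers end at a blank line
    if not payload or not payload[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    data = base64.b64decode("".join(payload[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(payload[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: armored block is corrupt")
    return data

def is_intact(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:
        return False

def strict_mode(mode: int) -> bool:
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0  # no group/world bits, like secring.gpg
```

Feed a pasted key block to is_intact() to catch copy-and-paste damage before importing it, and pass os.stat(path).st_mode to strict_mode() for the revocation certificate and keyring files.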