GPG-Schlüsselverwaltung

Connor Lim Version F35 onwards Last review: 2021-02-09
Dieses Dokument erklärt detailliert, wie Sie mithilfe gängiger Fedora-Dienstprogramme einen GPG-Schlüssel erhalten. Es enthält außerdem Informationen zur Verwaltung Ihres Schlüssels als Fedora-Mitwirkender.

GPG-Schlüssel erstellen

GPG-Schlüssel in der GNOME-Arbeitsumgebung erstellen

Installieren Sie das Dienstprogramm Seahorse, das die Verwaltung von GPG-Schlüsseln vereinfacht.

  1. Wählen Sie Activities  Software.

  2. Klicken Sie auf den _Suchen_Knopf und geben Sie den Namen „Seahorse“ ein.

  3. Klicken Sie auf das Seahorse-Paket und anschließend auf den Knopf Installieren, um die Software hinzuzufügen. Alternativ können Sie Seahorse auch über die Befehlszeile mit sudo dnf install seahorse installieren.

Einen Schlüssel erstellen:

  1. Wählen Sie im Activities  Passwörter und Verschlüsselung, wodurch die Anwendung Seahorse gestartet wird.

  2. Klicken Sie in der oberen linken Ecke auf Plus Button  GPG-Schlüssel.

  3. Geben Sie Ihren vollständigen Namen, Ihre E-Mail-Adresse und optional einen Kommentar ein, der beschreibt, wer Sie sind (z.B.: John C. Smith, jsmith@example.com, The Man).

  4. Klicken Sie auf Erstellen.

  5. Wählen Sie im angezeigten Dialogfeld eine sichere, aber auch leicht zu merkende Passphrase.

  6. Klicken Sie auf OK und der Schlüssel wird erstellt.

Now see [backup-gpg-keys-gnome].

Erstellen von GPG-Schlüsseln in der KDE-Arbeitsumgebung

  1. Start the KGpg program from the main menu by selecting Applications  Utilities  KGpg. If you have never used KGpg before, the program walks you through the process of creating your own GPG keypair.

  2. Enter your name, email address, and an optional comment in the dialog box that appears prompting you to create a new key pair. You can also choose an expiration time for your key, as well as the key strength (number of bits) and algorithms.

  3. Enter your passphrase in the next dialog box. At this point, your key appears in the main KGpg window.

To find your GPG key ID, look in the ID column next to the newly created key. In most cases, if you are asked for the key ID, you should prepend 0x to the last 8 characters of the key ID, as in 0x6789ABCD.

Now see Erstellen einer Schlüsselsicherung in der KDE-Arbeitsumgebung.

Erstellen von GPG-Schlüsseln über die Befehlszeile

  1. Verwenden Sie den folgenden Shell-Befehl:

    gpg --full-generate-key

    Dieser Befehl erzeugt ein Schlüsselpaar, bestehend aus einem öffentlichen und einem privaten Schlüssel. Andere verwenden Ihren öffentlichen Schlüssel, um Ihre Kommunikation zu authentifizieren und/oder zu entschlüsseln. Verteilen Sie Ihren öffentlichen Schlüssel so weit wie möglich, insbesondere an Personen, von denen Sie wissen, dass sie authentische Nachrichten von Ihnen erhalten möchten, beispielsweise auf einer Mailingliste.

  2. Drücken Sie die Eingabetaste, um bei Bedarf einen Standardwert zuzuweisen. Im ersten Schritt werden Sie aufgefordert, die gewünschte Schlüsselart auszuwählen:

    Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection?

    In fast allen Fällen ist die Standardeinstellung die richtige Wahl. Ein RSA/RSA-Schlüssel ermöglicht es Ihnen nicht nur, Nachrichten zu signieren, sondern auch Dateien zu verschlüsseln.

  3. Wählen Sie die Schlüssellänge:

    RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)

    Auch hier gilt: Die Standardeinstellung ist für fast alle Benutzer ausreichend und stellt ein extrem hohes Sicherheitsniveau dar.

  4. Choose when the key will expire. It is a good idea to choose an expiration date instead of using the default, which is none. If, for example, the email address on the key becomes invalid, an expiration date will remind others to stop using that public key.

    Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

    Entering a value of 1y, for example, makes the key valid for one year. (You may change this expiration date after the key is generated, if you change your mind.) Before the gpg program asks for signature information, the following prompt appears:

    Is this correct (y/N)?

  5. Drücken Sie y, um den Vorgang abzuschließen.

  6. Geben Sie Ihren Namen und Ihre E-Mail-Adresse ein. Denken Sie daran, dass es bei diesem Vorgang um Ihre Authentifizierung als echte Person geht. Geben Sie daher unbedingt Ihren richtigen Namen an. Verwenden Sie keine Pseudonyme oder Benutzernamen, da diese Ihre Identität verschleiern.

  7. Geben Sie Ihre echte E-Mail-Adresse für Ihren GPG-Schlüssel ein. Wenn Sie eine ungültige E-Mail-Adresse wählen, ist es für andere schwieriger, Ihren öffentlichen Schlüssel zu finden. Dies erschwert die Authentifizierung Ihrer Kommunikation. Wenn Sie diesen GPG-Schlüssel beispielsweise für die Vorstellung auf einer Mailingliste verwenden, geben Sie die E-Mail-Adresse an, die Sie auf dieser Liste verwenden.

  8. Nutzen Sie das Kommentarfeld, um Aliase oder andere Informationen hinzuzufügen. (Manche verwenden unterschiedliche Schlüssel für unterschiedliche Zwecke und kennzeichnen jeden Schlüssel mit einem Kommentar, z. B. „Office“ oder „Open-Source-Projekte“.)

  9. Enter the letter O at the confirmation prompt to continue if all entries are correct, or use the other options to fix any problems.

  10. Enter a passphrase for your secret key. The gpg program asks you to enter your passphrase twice to ensure you made no typing errors.

Finally, gpg generates random data to make your key as unique as possible. Move your mouse, type random keys, or perform other tasks on the system during this step to speed up the process. Once this step is finished, your keys are complete and ready to use:

pub   rsa3072 2021-02-09 [SC] [expires: 2022-02-09]
      3782CBB60147010B330523DD26FBCC7836BF353A
uid                      John Doe (Fedora Docs) <johndoe@example.com>
sub   rsa3072 2021-02-09 [E] [expires: 2022-02-09]

The key fingerprint is a shorthand signature for your key. It allows you to confirm to others that they have received your actual public key without any tampering. You do not need to write this fingerprint down. To display the fingerprint at any time, use this command, substituting your email address:

gpg --fingerprint johndoe@example.com

Your key fingerprint is actually a 160 bit SHA-1 hash of the key, represented as a 40 character string of hexadecimal digits. Though shorter than the public key itself, it’s still a bit unwieldy, so people tend to use a shorter GPG key ID to refer to a key when, for example, looking up a key in a keyserver. The GPG key ID is a small number of hex digits drawn from the characters representing the lower-order bits of the fingerprint. The "short" GPG key ID consists of the final 8 characters of the hexadecimal fingerprint, that is, the last 32 bits of the fingerprint. Short keys are unsafe and no longer recommended because it’s possible to create collisions so that an attacker’s forged key has the same short ID as your key. Thus if you give someone the short GPG key ID of your key, they may retrieve the attacker’s key from a keyserver instead.

For this reason, it’s preferred to use the "long" GPG key ID, which consists of the final 16 characters of your key’s hexadecimal fingerprint. This represents the 64 lower-order bits of your fingerprint, which is sufficient to be collision-resistant. The gpg program makes it easy for you to find your key’s long GPG key ID:

gpg --list-keys --fingerprint --keyid-format 0xlong johndoe@example.com

The 0xlong format prepends "0x" to the key ID to make it clear that this is a series of hexadecimal digits; it is considered good practice to do this. The output from the above command looks like this:

pub   rsa3072/0x26FBCC7836BF353A 2021-02-09 [SC] [expires: 2022-02-09]
      Key fingerprint = 3782 CBB6 0147 010B 3305  23DD 26FB CC78 36BF 353A
uid                      John Doe (Fedora Docs) <johndoe@example.com>
sub   rsa3072/0xF834D62672E88A6F 2021-02-09 [E] [expires: 2022-02-09]

The first line (beginning with "pub") tells you what kind the key is (that is, 3072 bit RSA) and what the long key ID is (that is, 0x26FBCC7836BF353A). You can see that this corresponds to the last 16 characters of the Key fingerprint in the output.

Now see Erstellen einer Schlüsselsicherung über die Befehlszeile. Make sure to back up your revocation keys for all active keys as this allows to revoke keys in the event of lost passphrase of key compromise.

Eine Sicherung erstellen

Erstellen einer Schlüsselsicherung in der GNOME-Arbeitsumgebung

  1. Klicken Sie mit der rechten Maustaste auf Ihren Schlüssel und wählen Sie Eigenschaften.

  2. Select the Details tab, and select Export to file  Export secret key.

  3. Select a destination filename and click Export.

Store the copy in a secure place, such as a locked container.

Now see Exportieren eines GPG-Schlüssels in der GNOME-Arbeitsumgebung.

Erstellen einer Schlüsselsicherung in der KDE-Arbeitsumgebung

  1. Right-click your key and select Export Secret Key.

  2. Click Continue to continue at the confirmation dialog.

  3. Wählen Sie einen Namen für die Zieldatei.

  4. Klicken Sie auf Speichern.

Store the copy in a secure place, such as a locked container.

Now see Exportieren eines GPG-Schlüssels in der KDE-Arbeitsumgebung.

Erstellen einer Schlüsselsicherung über die Befehlszeile

Use the following command to make the backup, which you can then copy to a destination of your choice:

gpg --export-secret-keys --armor johndoe@example.com > johndoe-privkey.asc

Store the copy in a secure place, such as a locked container.

Now see Exportieren eines GPG-Schlüssels über die Befehlszeile.

Making Your Public Key Available

When you make your public key available to others, they can verify communications you sign, or send you encrypted communications if necessary. This procedure is also known as exporting.

See Manuelles Kopieren eines öffentlichen Schlüssels to a file if you wish to email it to individuals or groups.

Exportieren eines GPG-Schlüssels in der GNOME-Arbeitsumgebung

  1. Click the Menu Button  Sync and Publish Keys…​

  2. Klicken Sie auf Schlüsselserver.

  3. Select ldap://keyserver.pgp.com in the Publish Keys To combobox.

  4. Klicken Sie auf Schließen.

  5. Click Sync.

Now see Safeguarding Your Secret Key.

Exportieren eines GPG-Schlüssels in der KDE-Arbeitsumgebung

After your key has been generated, you can export the key to a public keyserver

  1. Right-click on the key in the main window.

  2. Select Export Public Keys.

  3. From there you can export your public key to the clipboard, an ASCII file, to an email, or directly to a key server.

  4. Export your public key to the default key server.

Now see Safeguarding Your Secret Key.

Exportieren eines GPG-Schlüssels über die Befehlszeile

Use the following command to send your key to a public keyserver:

gpg --send-key KEYNAME

For KEYNAME, substitute the key ID or fingerprint of your primary keypair. This will send your key to the gnupg default key server. If you prefer another one use:

gpg --keyserver hkp://pgp.mit.edu --send-key KEYNAME

Replacing pgp.mit.edu with your server of choice.

Now see Safeguarding Your Secret Key.

Manuelles Kopieren eines öffentlichen Schlüssels

Wenn Sie jemandem eine Dateikopie Ihres Schlüssels geben oder senden möchten, verwenden Sie diesen Befehl, um ihn in eine ASCII-Textdatei zu schreiben:

gpg --export --armor johndoe@example.com > johndoe-pubkey.asc

Now see Safeguarding Your Secret Key.

Safeguarding Your Secret Key

Treat your secret key as you would any very important document or physical key. (Some people always keep their secret key on their person, either on magnetic or flash media.) If you lose your secret key, you will be unable to sign communications, or to open encrypted communications that were sent to you.

Hardware Token options

If you followed the above, you have a secret key which is just a regular file. A more secure model than keeping the key on disk is to use a hardware token.

There are several options available on the market, for example the YubiKey. Look for a token which advertises OpenPGP support. See this blog entry for how to create a key with offline backups, and use the token for online access.

GPG-Schlüssel widerrufen

When you revoke a key, you withdraw it from public use. You should only have to do this if it is compromised or lost, or you forget the passphrase.

Generating a Revocation Certificate

When you create the key pair you should also create a key revocation certificate. If you later issue the revocation certificate, it notifies others that the public key is not to be used. Users may still use a revoked public key to verify old signatures, but not encrypt messages. As long as you still have access to the private key, messages received previously may still be decrypted. If you forget the passphrase, you will not be able to decrypt messages encrypted to that key.

gpg --output revoke.asc --gen-revoke SCHLÜSSELNAME

If you do not use the --output flag, the certificate will print to standard output.

For KEYNAME, substitute either the key ID of your primary keypair or any part of a user ID that identifies your keypair. Once you create the certificate (the revoke.asc file), you should protect it. If it is published by accident or through the malicious actions of others, the public key will become unusable. It is a good idea to write the revocation certificate to secure removable media or print out a hard copy for secure storage to maintain secrecy.

Einen Schlüssel widerrufen

  1. Revoke the key locally:

    gpg --import revoke.asc

    Once you locally revoke the key, you must send the revoked certificate to a keyserver, regardless of whether the key was originally issued in this way. Distribution through a server helps other users to quickly become aware the key has been compromised.

  2. Export to a keyserver with the following command:

    gpg --keyserver hkp://pgp.mit.edu --send-keys KEYNAME

    For KEYNAME, substitute either the key ID of your primary keypair or any part of a user ID that identifies your keypair.

Weitere Ressourcen

See a typo, something missing or out of date, or anything else which can be improved? Edit this document at quick-docs’s git repository.

Want to help? Learn how to contribute to Fedora Docs