Gestión de Llaves GPG

Connor Lim Versión F35 onwards Last review: 2021-02-09
Este documento explica detalladamente cómo obtener una clave GPG mediante utilidades comunes de Fedora. También proporciona información sobre cómo administrar su clave como colaborador de Fedora.

Creación de claves GPG

Crear Claves GPG Utilizando el Escritorio GNOME

Instalar la utilidad de Seahorse, la cual hace que sea más fácil la gestión de llave GPG.

  1. Seleccione Activities  Software.

  2. Pulse el botón Buscar e introduzca el nombre 'Seahorse'.

  3. Pulse el paquete Seahorse y pulse Instalar para añadir el software. Puede además instalar Seahorse utilizando la línea de instrucción con la instrucción sudo dnf install seahorse.

Para crear una clave:

  1. Seleccione Activities  Claves de Contraseña y Cifrado, cuando inicia la aplicación Seahorse.

  2. En la cima a mano izquierda, pulse el menú:Añadir Button[Clave GPG].

  3. Teclee su nombre completo, dirección de correo, y un comentario opcional describiendo quien eres (p.e.: Juan C. Serman, juan@ejemplo.com. El Manual).

  4. Pulse Crear.

  5. Elija una frase-contraseña que es fuerte pero además fácil de recordar en el diálogo que es exhibido.

  6. Pulse Aceptar y la tecla se crea.

Creando Claves GPG Utiliznado el Escritorio KDE

  1. Iniciar el programa KGpg desde el menú principal seleccionando Applications  Utilidades  KGpg. Si nunca ha utilizado KGpg antes, el programa le ayudará a través del proceso de creación de su propia pareja de GPG.

  2. Introduzca su nombre, dirección de correo, y un comentario opcional en la caja de diálogo que aparece solicitándole crear una pareja de clave nueva. Puede además elegir una caducidad para su clave, así como la fortaleza de la clave (número de bit) y algoritmos.

  3. Introduzca su frase-contraseña en el siguiente cuadro de diálogo. En este punto, su clave aparece en la ventana principal de KGpg.

To find your GPG key ID, look in the ID column next to the newly created key. In most cases, if you are asked for the key ID, you should prepend 0x to the last 8 characters of the key ID, as in 0x6789ABCD.

Crear Claves GPG Utilizando la Línea de Instrucción

  1. Utilice la siguiente instrucción del intérprete:

    gpg --full-generate-key

    Este comando genera un par de claves compuesto por una clave pública y una privada. Otras personas usan su clave pública para autenticar o descifrar sus comunicaciones. Distribuya su clave pública lo más ampliamente posible, especialmente a quienes sabe que querrán recibir comunicaciones auténticas suyas, como una lista de correo.

  2. Press the Enter key to assign a default value if desired. The first prompt asks you to select what kind of key you prefer:

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
      (14) Existing key from card
    Your selection?

    In almost all cases, the default is the correct choice. A RSA/RSA key allows you not only to sign communications, but also to encrypt files.

  3. Choose the key size:

    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (3072)

    Again, the default is sufficient for almost all users, and represents an extremely strong level of security.

  4. Choose when the key will expire. It is a good idea to choose an expiration date instead of using the default, which is none. If, for example, the email address on the key becomes invalid, an expiration date will remind others to stop using that public key.

    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0)

    Entering a value of 1y, for example, makes the key valid for one year. (You may change this expiration date after the key is generated, if you change your mind.) Before the gpg program asks for signature information, the following prompt appears:

    Is this correct (y/N)?
  5. Enter y to finish the process.

  6. Enter your name and email address. Remember this process is about authenticating you as a real individual. For this reason, include your real name. Do not use aliases or handles, since these disguise or obfuscate your identity.

  7. Enter your real email address for your GPG key. If you choose a bogus email address, it will be more difficult for others to find your public key. This makes authenticating your communications difficult. If you are using this GPG key for self-introduction on a mailing list, for example, enter the email address you use on that list.

  8. Use the comment field to include aliases or other information. (Some people use different keys for different purposes and identify each key with a comment, such as "Office" or "Open Source Projects.")

  9. Enter the letter O at the confirmation prompt to continue if all entries are correct, or use the other options to fix any problems.

  10. Enter a passphrase for your secret key. The gpg program asks you to enter your passphrase twice to ensure you made no typing errors.

Finally, gpg generates random data to make your key as unique as possible. Move your mouse, type random keys, or perform other tasks on the system during this step to speed up the process. Once this step is finished, your keys are complete and ready to use:

pub   rsa3072 2021-02-09 [SC] [expires: 2022-02-09]
      3782CBB60147010B330523DD26FBCC7836BF353A
uid                      John Doe (Fedora Docs) <johndoe@example.com>
sub   rsa3072 2021-02-09 [E] [expires: 2022-02-09]

The key fingerprint is a shorthand signature for your key. It allows you to confirm to others that they have received your actual public key without any tampering. You do not need to write this fingerprint down. To display the fingerprint at any time, use this command, substituting your email address:

gpg --fingerprint johndoe@example.com

Your key fingerprint is actually a 160 bit SHA-1 hash of the key, represented as a 40 character string of hexadecimal digits. Though shorter than the public key itself, it’s still a bit unwieldy, so people tend to use a shorter GPG key ID to refer to a key when, for example, looking up a key in a keyserver. The GPG key ID is a small number of hex digits drawn from the characters representing the lower-order bits of the fingerprint. The "short" GPG key ID consists of the final 8 characters of the hexadecimal fingerprint, that is, the last 32 bits of the fingerprint. Short keys are unsafe and no longer recommended because it’s possible to create collisions so that an attacker’s forged key has the same short ID as your key. Thus if you give someone the short GPG key ID of your key, they may retrieve the attacker’s key from a keyserver instead.

For this reason, it’s preferred to use the "long" GPG key ID, which consists of the final 16 characters of your key’s hexadecimal fingerprint. This represents the 64 lower-order bits of your fingerprint, which is sufficient to be collision-resistant. The gpg program makes it easy for you to find your key’s long GPG key ID:

gpg --list-keys --fingerprint --keyid-format 0xlong johndoe@example.com

The 0xlong format prepends "0x" to the key ID to make it clear that this is a series of hexadecimal digits; it is considered good practice to do this. The output from the above command looks like this:

pub   rsa3072/0x26FBCC7836BF353A 2021-02-09 [SC] [expires: 2022-02-09]
      Key fingerprint = 3782 CBB6 0147 010B 3305  23DD 26FB CC78 36BF 353A
uid                      John Doe (Fedora Docs) <johndoe@example.com>
sub   rsa3072/0xF834D62672E88A6F 2021-02-09 [E] [expires: 2022-02-09]

The first line (beginning with "pub") tells you what kind the key is (that is, 3072 bit RSA) and what the long key ID is (that is, 0x26FBCC7836BF353A). You can see that this corresponds to the last 16 characters of the Key fingerprint in the output.

Now see Crear una Clave de Respaldo Utilizando la Línea de Instrucción. Make sure to back up your revocation keys for all active keys as this allows to revoke keys in the event of lost passphrase of key compromise.

Realizar un respaldo

Crea una llave de respaldo utilizando el Escritorio GNOME

  1. Pulsación secundaria en su tecla y seleccione Propiedades.

  2. Seleccione la lengüeta Detalles, y seleccione Exportar a file  Exportar clave secreta.

  3. Select a destination filename and click Export.

Almacena la copia en un lugar seguro, tal como un contenedor bloqueado.

Crear una Clave de Respaldo Utilizando el Escritorio KDE

  1. Pulsación secundaria para su llave y seleccione Exportar Llave Secreta.

  2. Pulse Continuar para continuar en el diálogo de confirmación.

  3. Selecciona un nombre de archivo destino.

  4. Click Save.

Almacena la copia en un lugar seguro, tal como un contenedor bloqueado.

Crear una Clave de Respaldo Utilizando la Línea de Instrucción

Utilice la instrucción siguiente para crear el respaldo, lo cual puede entonces copiar a un destino de su elección:

gpg --export-secret-keys --armor johndoe@ejemplo.com > johndoe-privkey.asc

Almacena la copia en un lugar seguro, tal como un contenedor bloqueado.

Making Your Public Key Available

When you make your public key available to others, they can verify communications you sign, or send you encrypted communications if necessary. This procedure is also known as exporting.

See Copiar una Clave Pública Manualmente to a file if you wish to email it to individuals or groups.

Exportar una Clave GPG Utilizando el Escritorio GNOME

  1. Pulse en el menú:Menú Button[Sincronizar y Publicar Llaves…]

  2. Pulse Servidores Clave.

  3. Seleccione ldap://keyserver.pgp.com en la caja combinada Claves Publicadas En.

  4. Click Close.

  5. Click Sync.

Exportar una Clave GPG Utiliznado el Escritorio KDE

Tras su llave ha sido generada, puede exportar la llave a un servidor de llave pública

  1. Pulse el botón secundario en la tecla en la ventana principal.

  2. Seleccionar Exportar claves privadas.

  3. From there you can export your public key to the clipboard, an ASCII file, to an email, or directly to a key server.

  4. Export your public key to the default key server.

Exportar una Clave GPG Utilizando la Línea de Instrucción

Emplee la instrucción siguiente para enviar su clave a un servidor de clave público:

gpg --send-key NOMBRE-CLAVE

Para KEYNAME, sustituya el ID clave o huella dactilar de su pareja de clave primaria. Esto enviará su clave al servidor de clave predeterminada de gnupg. Si prefiere otro utilice:

gpg --keyserver hkp://pgp.mit.edu --send-key KEYNAME

Replacing pgp.mit.edu with your server of choice.

Copiar una Clave Pública Manualmente

Si desea dar o enviar una copia de archivo de su clave a alguno, utilice esta instrucción para escribirlo a un archivo de texto ASCII:

gpg --export --armor johndoe@ejemplo.com > johndoe-pubkey.asc

Safeguarding Your Secret Key

Treat your secret key as you would any very important document or physical key. (Some people always keep their secret key on their person, either on magnetic or flash media.) If you lose your secret key, you will be unable to sign communications, or to open encrypted communications that were sent to you.

Hardware Token options

If you followed the above, you have a secret key which is just a regular file. A more secure model than keeping the key on disk is to use a hardware token.

There are several options available on the market, for example the YubiKey. Look for a token which advertises OpenPGP support. See this blog entry for how to create a key with offline backups, and use the token for online access.

Revocación de Clave GPG

Cuando revoque una clave, lo retira de su uso público. Solamente tendría que hacer esto si está comprometido o perdido, u olvida la frase de paso.

Generar un Certificado de Revocación

Al crear el par de claves, también debe crear un certificado de revocación de clave. Si posteriormente emite el certificado de revocación, este notificará a los demás que la clave pública no debe utilizarse. Los usuarios podrán seguir usando una clave pública revocada para verificar firmas antiguas, pero no para cifrar mensajes. Mientras tenga acceso a la clave privada, los mensajes recibidos previamente podrán descifrarse. Si olvida la contraseña, no podrá descifrar los mensajes cifrados con esa clave.

gpg --output revoke.asc --gen-revoke KEYNAME

If you do not use the --output flag, the certificate will print to standard output.

For KEYNAME, substitute either the key ID of your primary keypair or any part of a user ID that identifies your keypair. Once you create the certificate (the revoke.asc file), you should protect it. If it is published by accident or through the malicious actions of others, the public key will become unusable. It is a good idea to write the revocation certificate to secure removable media or print out a hard copy for secure storage to maintain secrecy.

Revoking a key

  1. Revoke the key locally:

    gpg --import revoke.asc

    Once you locally revoke the key, you must send the revoked certificate to a keyserver, regardless of whether the key was originally issued in this way. Distribution through a server helps other users to quickly become aware the key has been compromised.

  2. Export to a keyserver with the following command:

    gpg --keyserver hkp://pgp.mit.edu --send-keys KEYNAME

    For KEYNAME, substitute either the key ID of your primary keypair or any part of a user ID that identifies your keypair.

Recursos adicionales

See a typo, something missing or out of date, or anything else which can be improved? Edit this document at quick-docs’s git repository.