Criando Chaves GPG

Este documento explica em detalhes como obter uma chave GPG usando utilitários comuns do Fedora. Ele também fornece informações sobre como gerenciar sua chave como um contribuidor do Fedora.

Criando Chaves GPG

Criando Chaves GPG Usando o Desktop GNOME

Instale o utilitário Seahorse, que facilita o gerenciamento de chaves GPG.

  1. Select Activities  Software.

  2. Click the Search button and enter the name 'Seahorse'.

  3. Click the Seahorse package and click Install to add the software. You can also install Seahorse using the command line with the command sudo dnf install seahorse.

To create a key:

  1. Select Activities  Passwords and Encryption Keys, which starts the application Seahorse.

  2. At the top left hand corner, click the Plus Button  GPG Key.

  3. Type your full name, email address, and an optional comment describing who you are (e.g.: John C. Smith,, The Man).

  4. Click Create.

  5. Choose a passphrase that is strong but also easy to remember in the dialog that is displayed.

  6. Click OK and the key is created.

Creating GPG Keys Using the KDE Desktop

  1. Start the KGpg program from the main menu by selecting Applications  Utilities  KGpg. If you have never used KGpg before, the program walks you through the process of creating your own GPG keypair.

  2. Enter your name, email address, and an optional comment in the dialog box that appears prompting you to create a new key pair. You can also choose an expiration time for your key, as well as the key strength (number of bits) and algorithms.

  3. Enter your passphrase in the next dialog box. At this point, your key appears in the main KGpg window.

To find your GPG key ID, look in the ID column next to the newly created key. In most cases, if you are asked for the key ID, you should prepend 0x to the last 8 characters of the key ID, as in 0x6789ABCD.

Criando Chaves GPG Usando a Linha de Comando

  1. Use the following shell command:

    gpg --full-generate-key

    This command generates a key pair that consists of a public and a private key. Other people use your public key to authenticate and/or decrypt your communications. Distribute your public key as widely as possible, especially to people who you know will want to receive authentic communications from you, such as a mailing list.

  2. Press the Enter key to assign a default value if desired. The first prompt asks you to select what kind of key you prefer:

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
      (14) Existing key from card
    Your selection?

    In almost all cases, the default is the correct choice. A RSA/RSA key allows you not only to sign communications, but also to encrypt files.

  3. Choose the key size:

    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (3072)

    Again, the default is sufficient for almost all users, and represents an extremely strong level of security.

  4. Choose when the key will expire. It is a good idea to choose an expiration date instead of using the default, which is none. If, for example, the email address on the key becomes invalid, an expiration date will remind others to stop using that public key.

    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0)

    Entering a value of 1y, for example, makes the key valid for one year. (You may change this expiration date after the key is generated, if you change your mind.) Before the gpg program asks for signature information, the following prompt appears:

    Is this correct (y/N)?
  5. Enter y to finish the process.

  6. Enter your name and email address. Remember this process is about authenticating you as a real individual. For this reason, include your real name. Do not use aliases or handles, since these disguise or obfuscate your identity.

  7. Enter your real email address for your GPG key. If you choose a bogus email address, it will be more difficult for others to find your public key. This makes authenticating your communications difficult. If you are using this GPG key for self-introduction on a mailing list, for example, enter the email address you use on that list.

  8. Use the comment field to include aliases or other information. (Some people use different keys for different purposes and identify each key with a comment, such as "Office" or "Open Source Projects.")

  9. Enter the letter O at the confirmation prompt to continue if all entries are correct, or use the other options to fix any problems.

  10. Enter a passphrase for your secret key. The gpg program asks you to enter your passphrase twice to ensure you made no typing errors.

Finally, gpg generates random data to make your key as unique as possible. Move your mouse, type random keys, or perform other tasks on the system during this step to speed up the process. Once this step is finished, your keys are complete and ready to use:

pub   rsa3072 2021-02-09 [SC] [expires: 2022-02-09]
uid                      John Doe (Fedora Docs) <>
sub   rsa3072 2021-02-09 [E] [expires: 2022-02-09]

The key fingerprint is a shorthand signature for your key. It allows you to confirm to others that they have received your actual public key without any tampering. You do not need to write this fingerprint down. To display the fingerprint at any time, use this command, substituting your email address:

gpg --fingerprint

Your GPG key ID consists of 8 hex digits identifying the public key. In the example above, the GPG key ID is 36BF353A. In most cases, if you are asked for the key ID, you should prepend "0x" to the key ID, as in 0x36BF353A.

Now see Making a Key Backup Using the Command Line. Make sure to back up your revocation keys for all active keys as this allows to revoke keys in the event of lost passphrase of key compromise.

Criando um backup

Fazendo um Backup de Chave Usando o Desktop GNOME

  1. Clique com o botão direito em sua chave e selecione Propriedades.

  2. Select the Details tab, and select Export to file  Export secret key.

  3. Select a destination filename and click Export.

Store the copy in a secure place, such as a locked container.

Making a Key Backup Using the KDE Desktop

  1. Right-click your key and select Export Secret Key.

  2. Click Continue to continue at the confirmation dialog.

  3. Select a destination filename.

  4. Click Save.

Store the copy in a secure place, such as a locked container.

Making a Key Backup Using the Command Line

Use the following command to make the backup, which you can then copy to a destination of your choice:

gpg --export-secret-keys --armor > johndoe-privkey.asc

Store the copy in a secure place, such as a locked container.

Disponibilizando sua chave pública

Quando você disponibiliza sua chave pública para outras pessoas, elas podem verificar as comunicações que você assina ou enviar comunicações criptografadas, se necessário. Este procedimento também é conhecido como exportação.

Veja Copiando um chave pública manualmente para um arquivo se você deseja enviá-la por e-mail para pessoas ou grupos.

Exportando uma Chave GPG Usando o Desktop GNOME

  1. Click the Menu Button  Sync and Publish Keys…​

  2. Click Key Servers.

  3. Select ldap:// in the Publish Keys To combobox.

  4. Click Close.

  5. Click Sync.

Exporting a GPG Key Using the KDE Desktop

After your key has been generated, you can export the key to a public keyserver

  1. Right-click on the key in the main window.

  2. Select Export Public Keys.

  3. From there you can export your public key to the clipboard, an ASCII file, to an email, or directly to a key server.

  4. Export your public key to the default key server.

Exporting a GPG Key Using the Command Line

Use the following command to send your key to a public keyserver:

gpg --send-key KEYNAME

For KEYNAME, substitute the key ID or fingerprint of your primary keypair. This will send your key to the gnupg default key server. If you prefer another one use:

gpg --keyserver hkp:// --send-key KEYNAME

Replacing with your server of choice.

Copiando um chave pública manualmente

Se você quiser dar ou enviar uma cópia de arquivo de sua chave para alguém, use este comando para escrevê-la em um arquivo de texto ASCII:

gpg --export --armor > johndoe-pubkey.asc

Protegendo sua chave secreta

Trate sua chave secreta como faria com qualquer documento ou chave física muito importante. (Algumas pessoas sempre mantêm sua chave secreta consigo, seja em mídia magnética ou flash.) Se você perder sua chave secreta, não poderá assinar comunicações ou abrir comunicações criptografadas que foram enviadas para você.

Opções de token de hardware

Se você seguiu o acima, você tem uma chave secreta que é apenas um arquivo normal. Um modelo mais seguro do que manter a chave no disco é usar um token de hardware.

Existem várias opções disponíveis no mercado, por exemplo, YubiKey. Procure um token que anuncie o suporte a OpenPGP. Consulte esta entrada do blog para saber como criar uma chave offline backups e use o token para acesso online.

GPG Key Revocation

When you revoke a key, you withdraw it from public use. You should only have to do this if it is compromised or lost, or you forget the passphrase.

Generating a Revocation Certificate

When you create the key pair you should also create a key revocation certificate. If you later issue the revocation certificate, it notifies others that the public key is not to be used. Users may still use a revoked public key to verify old signatures, but not encrypt messages. As long as you still have access to the private key, messages received previously may still be decrypted. If you forget the passphrase, you will not be able to decrypt messages encrypted to that key.

gpg --output revoke.asc --gen-revoke KEYNAME

If you do not use the --output flag, the certificate will print to standard output.

For KEYNAME, substitute either the key ID of your primary keypair or any part of a user ID that identifies your keypair. Once you create the certificate (the revoke.asc file), you should protect it. If it is published by accident or through the malicious actions of others, the public key will become unusable. It is a good idea to write the revocation certificate to secure removable media or print out a hard copy for secure storage to maintain secrecy.

Revoking a key

  1. Revoke the key locally:

    gpg --import revoke.asc

    Once you locally revoke the key, you must send the revoked certificate to a keyserver, regardless of whether the key was originally issued in this way. Distribution through a server helps other users to quickly become aware the key has been compromised.

  2. Export to a keyserver with the following command:

    gpg --keyserver hkp:// --send-keys KEYNAME

    For KEYNAME, substitute either the key ID of your primary keypair or any part of a user ID that identifies your keypair.

Recursos adicionais

Encontrou um erro de digitação, algo faltando ou desatualizado ou algo que pode ser melhorado? Edite este documento no repositório git do quick-docs.