Neatly managing and handling PGP/GnuPG keyrings

Key Service

Article from Issue 192/2016

PGP/GnuPG is becoming increasingly popular, thanks to digital crime and government surveillance. We take a look behind the scenes and show how you can keep your keyring current and valid.

If you want to encrypt your data traffic, you first have to gain a general understanding of the concepts and individual steps necessary. Pretty Good Privacy (PGP) or GNU Privacy Guard (GnuPG) let you create key pairs – public and private – and group your keys in keyrings. In this article, I discuss the tools for managing these keyrings and keeping them up to date, including checking them regularly for validity.

Once you have your key pair, you pass your public key to your communication partners. Traditionally, that either occurs directly as a character string in an email attachment [1], in printed form (e.g., during a key-signing party) [2], or by downloading the key from a web page. For some time, it's been possible to use QR codes that you can receive, check, and manage on your smartphone. In Figure 1, you can see the Monkeysign [3] GUI with the QR code key.

Figure 1: A GnuPG QR code key.

Individually exchanging keys with each communication partner is a bit complicated. To simplify the process for everyday use, key servers were established [4] (Table 1) to store your public key in a key server so that anyone can download it, validate it, and immediately use it to communicate with you. An example call using GnuPG [5] looks like this:

Table 1

A Selection of Key Servers











$ gpg --keyserver hkp:// --send-keys <key ID>
gpg: sending key <key ID> to hkp server

The program is simply called gpg on the command line, or gpg2 in version 2. You can state the ID of the key that you want to share with the --send-keys switch. The --keyserver switch specifies the key server to be used. It does not matter which key server you initially designate or have already set up in the ~/.gnupg/gpg.conf file [6]. All the larger key servers [7] work together and regularly compare the database of stored keys with one another [8]. Within 48 hours, the shared key generally spreads so far that it can automatically be checked for validity worldwide.

Please note that you can only upload keys for which you also hold the private key. When you use the --list-secret-keys switch, GnuPG delivers an overview of the private keys. Listing 1 shows an extract for one of my keys. Here, sec denotes the key's procedure and identification, uid is the user ID, and ssb is the secret key's procedure and identification [9]. Additionally, you can see in the readout that GnuPG analyzes the .gnupg/secring.gpg file, where it saves your private key.

Listing 1

Listing Secret Keys

$ gpg --list-secret-keys
sec  4096R/D431AC07 2014-09-05
uid  Frank Hofmann (Hofmann EDV) <>
ssb  4096R/3B074F29 2014-09-05

Integrating Email

To exchange data in signed or encrypted form [10] from your email program, you need to add a suitable cryptographic signature (see "Navigating the Signature Jumble" box). As a result, you are in a position to immediately exchange your data in signed and/or encrypted form. Figure 2 shows an example using the text-based email client Mutt [11]. The text lines in yellow show that the sender of this message has signed cryptographically. The PGP key has the ID D431AC07, is based on the RSA procedure, and is recognized as valid. In short, this email very likely came from the sender designated in the message.

Navigating the Signature Jumble

The cryptographic signature is completely different from the similar-sounding electronic signature [12] or email signatures for commercial transactions [13]. With a cryptographic signature, you extend the outgoing email by incorporating an additional block of text, including a header. Along with the ID of your GnuPG/PGP key, it contains the cryptographically secured checksum of the email content, thus protecting both the sender and the content. Both the electronic signature and signature for email in commercial use are variants of X.509 certificates [14]. The signatures sit at the end of the email as a block of text in plain language and more or less fulfil the function of a business card or document header on a company's letterhead.

Figure 2: Email with verified cryptographic signature.

All mail clients currently offer a suitable extension for dealing with signed and encrypted email. They differ clearly, however, in terms of the complexity of setting up and using the extension. You can find a comprehensive step-by-step guide for Mozilla Thunderbird/Icedove combined with the Enigmail [15] encryption plugin on the Debian wiki [16].

Displaying Existing Keys

Figure 3 shows a selection of the public keys with the name of the author; all interested parties have unrestricted access to these keys on the key server. This form of Internet-based request can serve as a reliable reference point for everyday use. Each line contains the key type (pub, or the public part of the key), the key length with the procedure (e.g., 4096R indicates a 4096-bit RSA key), the key identifier (ID), the date of key creation, and the name (User ID) and email address.

Figure 3: The public key with the name of the author.

If you compare Figures 2 and 3, you will note that the email's key ID in Figure 2 is identical to the one listed in line 4 of Figure 3. As is apparent from Figure 3, more than one key is associated with "Frank Hofmann," but only the keys in lines 2-4 belong to the author.

Checking the Other Side

All communication partners can automatically verify cryptographically signed email, provided the public PGP/GnuPG keys are stored on a public key server or the participants have a copy of the originator's public key.

GnuPG hangs the keys you received from the key server on your locally saved keyring. To check this, you need an existing Internet connection, unless you have access to a complete copy of the public key server's data pool (rather unlikely).

Listing 2 shows the full call on the command line to download a key. The --keyserver switch designates the server; here, hkp:// gives the key server network a generic specification. Specify the ID of the public key you want to receive with the --recv-keys switch, such as for the RSA key with the ID C76E337A.

Listing 2

Downloading a Key

$ gpg --keyserver hkp:// --recv-keys C76E337A
gpg: request key C76E337A from hkp-Server an
gpg: key C76E337A: public key "Wolfram Eifler <>" imported
gpg: 3 marginal-needed, 1 complete-needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   2  signed:   2  trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: total number of keys processed: 1
gpg:                              imported: 1  (RSA: 1)

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Encrypting Email

    The leading email applications include new features for helping users secure and authenticate their mail messages, but each tool has a different approach to handling tasks such as signing and encryption. This article describes how to add encryption and digital signatures to the Thunderbird, Kmail, and Evolution mail clients.

  • Security Lessons: Checking Signatures

    How to avoid malicious code on Linux.

  • Enigmail

    Combining the Enigmail add-on and the GnuPG encryption software gives Thunderbird users a powerful tool for encrypting and signing email.

  • Anubis

    The Anubis mail manipulation daemon lets you centralize encryption for outgoing mail.

  • Thunderbird Security

    Thunderbird offers several options for secure email, and the GnuPG-based Enigmail encryption add-on provides an additional layer of protection.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95


njobs Europe
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia