Export PGP Public Key

If you plan to use PGP for anything other than just SSH (e.g. to send and receive encrypted and/or signed messages, to digitally sign git commits, etc.), you will need to give your PGP public key to other people, so they can use it to encrypt messages to you and to verify signatures you have created.

Export to a file

$ gpg --export -a -o $KEYID.pub $KEYID

This will create a file called $KEYID.pub containing the public key. The -a option tells gpg to create an "ASCII-armored" file, meaning it will only use ASCII characters which can safely be sent via email. The file can have any name you like, however the normal convention is to use a name ending with ".pub" or ".pub.asc".

As an example of what the file looks like, here's my public key ...

$ cd /keybase/public/jms1/
$ cat E3F7F5F76640299C5507FBAA49B9FD3BB4422EBB.pub.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFyT6EQBEADKXl/ss7pG15/rknrVSynsA9IlfNSrIPehmPerbvZfpv+hWgtO
hcizxTMUzPfe7P+jDuSyyVaKlFT8jSt2roOqOTtRbFr+jf0hQr+w1RbmqZvpgUON
KXFcY8xadqDdLn5s62IuCRoEyQsibz8buT0O7tarC2g8xtZeRoYX/iQYVykAuhYb
...
NG8yXw5ainqDMeu2xJZ6WfjT6GdYhRFvS77nBwp7GkyAmfnL84XDQ6/HkQIYI06I
YxJ7VnFtWXttjzC/NHAmAVoedptBq4GVdp1qvm7xH+y5ZaU6gaKDYbsbNdfGO+TI
VFq/JIjGQxRun4sieQC3upYfX3/xDHuKBZkwcyj37MN+wKeF+tdstuI=
=GgCy
-----END PGP PUBLIC KEY BLOCK-----

Send to a Keyserver

Tails pre-configures GnuPG to use the Tor "onion" address of keys.openpgp.org as its keyserver.

This keyserver allows keys to be uploaded, and other people can download them if they know the Key ID, but the keys are not "searchable" by name or email address until those identities are verified. (My own key is verified.)

Tails forces all network traffic to use Tor, so using a .onion address as a keyserver works just fine.

To send a key ...

amnesia@amnesia:~$ gpg --send-key $KEYID
gpg: sending key 5A6C4588132E97A6 to hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion

I did send this key to the keyserver, and then downloaded it from the keyserver. This worked, however the key that I downloaded had been modified.

  • The identities had been removed, because the identity hasn't been verified.

  • The usage flags on the primary key appear to have been changed from [C] to [SCA]. I'm not sure why or how this happened.

Because of this, I'm not really happy with using this particular keyserver.

Change the keyserver

To use the same keyserver that GnuPG defaults to ...

  • Back up the existing GnuPG config files.

    amnesia@amnesia:~$ cd ~/.gnupg/
    amnesia@amnesia:~$ mkdir .dist
    amnesia@amnesia:~$ cp -av *.conf .dist/
    'dirmngr.conf' -> '.dist/dirmngr.conf'
    'gpg-agent.conf' -> '.dist/gpg-agent.conf'
    'gpg.conf' -> '.dist/gpg.conf'
    amnesia@amnesia:~$
    
  • Edit the dirmngr.conf file.

    I normally use nano; if you're more comfortable with some other editor (such as vi) then feel free to use that instead.

    amnesia@amnesia:~$ nano dirmngr.conf
    

    Find and comment out the existing keyserver line, and replace it with this:

    keyserver https://keyserver.ubuntu.com
    

    Save the changes.

  • Kill the dirmngr process. (The next time gpg needs it, it will start a new one, which will read the new config file.)

    amnesia@amnesia:~$ gpgconf --kill dirmngr
    
  • Send the key to the keyserver.

    amnesia@amnesia:~$ gpg --send-key $KEYID
    gpg: sending key 5A6C4588132E97A6 to https://keyserver.ubuntu.com
    
  • From another machine, visit https://keyserver.ubuntu.com/, enter the Key ID (in this case 5A6C4588132E97A6), and click the "Search Key" button.
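The config change above, as an added shell script that is not part of the original post: it backs up dirmngr.conf into a .dist/ directory, comments out any active keyserver line, appends the new one, and can be re-run safely. The GnuPG directory and keyserver URL are parameters (assumptions, so it can be tried in a scratch directory before touching ~/.gnupg); the keyserver_reload function is a hypothetical helper wrapping the gpgconf --kill step.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: <gnupg-dir> holds a
# dirmngr.conf (created empty if missing) and <url> is a keyserver URL.
set -eu

# set_keyserver <gnupg-dir> <url>
# 1. keep a copy of the ORIGINAL dirmngr.conf in <gnupg-dir>/.dist/ (only
#    the first run writes it, so later runs never overwrite the pristine copy),
# 2. comment out every active "keyserver ..." line,
# 3. append the requested keyserver line.
# Running it twice leaves exactly one active keyserver line.
set_keyserver() {
    dir="$1"
    url="$2"
    conf="$dir/dirmngr.conf"
    mkdir -p "$dir/.dist"
    [ -f "$conf" ] || : > "$conf"
    [ -f "$dir/.dist/dirmngr.conf" ] || cp "$conf" "$dir/.dist/dirmngr.conf"
    # Prefix active keyserver lines with '#' (leading whitespace tolerated);
    # write to a temp file and rename so a failure never truncates the config.
    sed 's/^\([[:space:]]*keyserver[[:space:]]\)/#\1/' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
    printf 'keyserver %s\n' "$url" >> "$conf"
}

# active_keyserver <gnupg-dir>
# Prints the keyserver dirmngr will actually use: the last uncommented
# keyserver line (dirmngr takes the last one if several are active).
active_keyserver() {
    sed -n 's/^[[:space:]]*keyserver[[:space:]]*//p' "$1/dirmngr.conf" | tail -n 1
}

# keyserver_reload: make the running dirmngr pick up the new file, as in the
# "gpgconf --kill dirmngr" step; a no-op where gpgconf is not installed.
keyserver_reload() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill dirmngr
    fi
}

# Usage (uncomment to apply to the real config):
# set_keyserver "$HOME/.gnupg" https://keyserver.ubuntu.com
# keyserver_reload
# echo "now using: $(active_keyserver "$HOME/.gnupg")"
```

After reloading, gpg --send-key $KEYID should report the new URL, and the .dist/ copy lets you revert by copying it back.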

Notes

Export ...

  • to file
    • exported public key file from backup
  • send to keyserver (need to configure keyserver first?)

Copy the file ...

  • to second USB stick?
  • send via email?
  • copy to SSH server?
  • other?