in this example, and your name
is Trent Reznor. Let's make some backup files now by exporting your keys to text files. I
don't need to say that you have to handle your private keys and your revocation certificates with care!
If you want to use your keys for a lifetime it is a good idea to print them on paper and store them
in a safe location. Do NOT share your private key or your revocation certificate:
- If you share your private key, others can take your identity: read mail encrypted to you and sign as you.
- If you share your revocation certificate, others can invalidate your key.
# To add more identities/mail addresses (finish with 'save' to write the change)
gpg --edit-key ABCD1234
> adduid
> save
# This is the file you want to share with others!
gpg --output pubkey_ABCD1234.Trent.Reznor.ascii --armor --export ABCD1234
# Now create a revocation certificate.
# The purpose of the revocation certificate is to have a signed statement, prepared in
# advance, that lets you invalidate a key you once uploaded to a key server, even if you
# later lose the private key or forget its passphrase. It is written ASCII-armored by default.
# (GnuPG 2.1 and later also drop one into ~/.gnupg/openpgp-revocs.d/ when the key is created.)
gpg --output revocation_cert_ABCD1234.Trent.Reznor.ascii --gen-revoke ABCD1234
# Your private key: this file stays with you.
gpg --output privkey_ABCD1234.Trent.Reznor.ascii --armor --export-secret-keys ABCD1234
Now publish your new key to a key server.
heise.de recommended pool.sks-keyservers.net, which
was a distributed service. The SKS pool has since been shut down, so use a key server that
is still running with the same options, e.g. keyserver.ubuntu.com or keys.openpgp.org (the
latter only publishes a user ID after the mail address has been verified).
# Send key to a public server, in this case the SKS pool
gpg --keyserver pool.sks-keyservers.net --send-keys 0xABCD1234
If you made a mistake you can revoke the offending identities and push the updated key, but be aware of the following.
This happened to me: I had my 'primary identity' and added some email addresses of
my 'secondary identity'. I uploaded my key to a key server, and now my identities (which I wanted to keep separate) will _always_
be associated with each other :(
Revoking my keys will not remove this information. It is only invalidated
but still visible to everyone (and marked as revoked). So carefully choose the
identities you want to use with your key. If unsure, create separate keys
for other identities.
To make changes:
# To revoke identities on the key ('save' afterwards). The user ID is not deleted,
# it is marked as revoked, and your exported public key changes accordingly.
gpg --edit-key ABCD1234
> revuid
> save
# Then push the modified key to the server. Key servers only merge new data, so the
# revoked user ID stays visible, just flagged as revoked.
gpg --keyserver pool.sks-keyservers.net --send-keys 0xABCD1234
# To give up the whole key instead, import your revocation certificate (this revokes
# the complete key, not a single identity) and push the result the same way.
gpg --import revocation_cert_ABCD1234.Trent.Reznor.ascii
gpg --keyserver pool.sks-keyservers.net --send-keys 0xABCD1234
# Note: --refresh-keys only pulls updates FROM the server into your keyring; it uploads nothing.
gpg --keyserver pool.sks-keyservers.net --refresh-keys ABCD1234
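As an added example (not from the original post), here is the whole procedure above run end to end inside a throwaway GNUPGHOME, so it can be tried without touching your real keyring: generate a key, add a second user ID, export the public and secret keys, keep the revocation certificate, revoke one user ID, then revoke the whole key, and list what a key server would see afterwards. It assumes GnuPG 2.2 or newer on PATH; the names, mail addresses and file names are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Everything happens in a temporary
# GNUPGHOME; your own ~/.gnupg is never read or written.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
# Let gpg take the (empty) passphrase from the command line instead of a pinentry dialog.
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"

# All non-interactive gpg calls go through this wrapper.
g() { gpg --batch --yes --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

UID1='Trent Reznor <trent@example.com>'   # assumed primary identity
UID2='Trent Reznor <trent@example.net>'   # assumed second address (the one we will regret)

# Key with no passphrase, default algorithm, no expiry; then the second user ID.
g --quick-generate-key "$UID1" default default never
FPR=$(gpg --batch --with-colons --list-keys "$UID1" | awk -F: '$1=="fpr"{print $10; exit}')
g --quick-add-uid "$FPR" "$UID2"

# Backups: the public key is what you hand out, the secret key is not.
g --armor --output "$WORK/pubkey_$FPR.asc" --export "$FPR"
g --armor --output "$WORK/privkey_$FPR.asc" --export-secret-keys "$FPR"
chmod 600 "$WORK/privkey_$FPR.asc"

# Revocation certificate. GnuPG 2.1+ already wrote one at key creation, with a
# leading colon on the armor line so it cannot be imported by accident; strip it.
REV="$GNUPGHOME/openpgp-revocs.d/$FPR.rev"
if [ -f "$REV" ]; then
    sed 's/^:-----/-----/' "$REV" > "$WORK/revocation_cert_$FPR.asc"
else
    # Older GnuPG: answer the --gen-revoke prompts (confirm, reason 0, no comment, confirm).
    printf 'y\n0\n\ny\n' | gpg --no-tty --command-fd 0 --status-fd 2 \
        --pinentry-mode loopback --passphrase '' \
        --output "$WORK/revocation_cert_$FPR.asc" --gen-revoke "$FPR"
fi

# Validity flag of the primary key from the colon listing: "u" live and trusted, "r" revoked.
key_validity() { gpg --batch --with-colons --list-keys "$FPR" | awk -F: '$1=="pub"{print $2; exit}'; }
# One line per user ID as "<validity>:<uid>"; a revoked UID shows up as "r:...".
uid_states()   { gpg --batch --with-colons --list-keys "$FPR" | awk -F: '$1=="uid"{print $2":"$10}'; }

# 1. Revoking a UID only marks it revoked; it stays in the key (and on any server that has it).
g --quick-revoke-uid "$FPR" "$UID2"
UIDS_AFTER_REVUID=$(uid_states)

# 2. Importing the revocation certificate revokes the whole key.
g --import "$WORK/revocation_cert_$FPR.asc"
KEY_AFTER_REVOKE=$(key_validity)

# Results, kept after cleanup so they can be inspected without the keyring.
uids_after_revuid() { printf '%s\n' "$UIDS_AFTER_REVUID"; }
key_after_revoke()  { printf '%s\n' "$KEY_AFTER_REVOKE"; }

echo "user IDs after revuid (revoked one is still listed):"
uids_after_revuid
echo "primary key validity after importing the revocation certificate: $(key_after_revoke)"

# Leave nothing behind, including the agent that was started for this home.
gpgconf --kill gpg-agent 2>/dev/null || true
rm -rf "$WORK"
```

The listing after step 1 is the author's point in practice: the second address is still there, only flagged `r`, and that is exactly what a key server keeps showing after `--send-keys`. Step 2 shows that importing the revocation certificate is a different operation from `revuid`: it revokes the whole key, which is why the page's certificate must be kept as carefully as the private key.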
Use your keys to encrypt and/or sign emails
# Now install enigmail (the Thunderbird add-on; Thunderbird 78 and later ship
# built-in OpenPGP support instead, so Enigmail is no longer needed there)
sudo apt-get install enigmail
# Enigmail: attach your public key to a mail
# Sign someone else's public key only after checking the fingerprint with them
# over a second channel (to display a fingerprint:)
gpg --fingerprint ABCD1234
Edit 2016-02-18
Export public key as ASCII-armored text file:
gpg -a --output <filename/rsa_pub.ascii> --export ABCD1234
Export public key as binary file:
gpg --output <filename/rsa_pub> --export ABCD1234
Export private key as ASCII-armored text file (do NOT share; a shell redirection creates the file with your default umask, so tighten it afterwards, e.g. chmod 600):
gpg -a --export-secret-keys ABCD1234 > <filename/rsa.ascii>
Export private key as binary file (do NOT share):
gpg --export-secret-keys ABCD1234 > <filename/rsa>