GPG with ECC and Subkeys
1 Cryptology with OpenPGP and GPG
2 PGP public keys
My GPG Key: [email protected]
GPG is practically the standard for encryption for Linux users. If Elliptic Curve Cryptography (ECC) is used instead of the typical RSA, it is supposed to be even more secure. Unfortunately its interface and documentation aren't user-friendly. This is a record of how I arrived to a relatively secure GPG setup, as reference for other non-specialists who are familiar with UNIX. Brief technical, historical and mathematical background is given. I have some personal history with the mathematical theory of elliptic curves but was never a cryptographer. So, mathematicians who are not well-versed in Linux technicalities may find this documentation useful, as may Linux users who want to use ECC for secure GPG but do not want to get into the mathematical and algorithmic specifics.
2.1 Public Key Cryptography
The schema of public key cryptography to reliably send and verify messages is as follows.
The algorithm is public and known to all users; that is, everyone has a software implementation available.
Every user has a key pair, private key and public key. The public key is shared with others; even published to the internet and stored in and shared between databases meant for same. The private key is always kept in the user's custody securely. In the default context of e-mails, the key pair is associated to an e-mail address.
Either key can encrypt or sign messages or documents by anyone who posseses it.
Messages signed by the public key can be decrypted only using the corresponding private key. Thus it is made sure that only the intended recipient, ie, private key owner, can read the message. If you want to send a private message to someone, you grab hold of his public key, encrypt ie sign the message using it, send it. If someone sends you a message encrypted using your public key, then you decrypt it using your private key and read it. Only you can successfully decrypt the message provided your private key is not lost.
Messages signed by the private key can be decrypted only using the corresponding public key. So when you want to send a message or a document verifying that it is from you, or eg publish a software package to the web, then you sign it using your private key. If any recipient wants to verify authenticity of author/sender, then they use the public key to check.
If a someone else gets custody of a user's private key, then he can impersonate the user. Send messages masquerading as the user, decrypt communications meant only for the user, etc.. Thus the secure custody of private key is very important. So most systems include a provision to revoke the certificates.
The trust in the system is based on the belief that with current level of theoretical knowledge and hardware, it is computationally too difficult to break the encryption. For this, a computational task with fast computation one-way, and exponentially more difficult to reverse engineer or do the opposite way, is desired. The GNU Privacy Handbook explains the computational problem for laymen as in the paragraph:
Public-key ciphers are based on one-way trapdoor functions. A one-way function is a function that is easy to compute, but the inverse is hard to compute. For example, it is easy to multiply two prime numbers together to get a composite, but it is difficult to factor a composite into its prime components. A one-way trapdoor function is similar, but it has a trapdoor. That is, if some piece of information is known, it becomes easy to compute the inverse. For example, if you have a number made of two prime factors, then knowing one of the factors makes it easy to compute the second. Given a public-key cipher based on prime factorization, the public key contains a composite number made from two large prime factors, and the encryption algorithm uses that composite to encrypt the message. The algorithm to decrypt the message requires knowing the prime factors, so decryption is easy if you have the private key containing one of the factors but extremely difficult if you do not have it.
Idea of exchanging public keys to verify authorship was proposed by Diffie and Hellman [DiffieH1976]. The RSA algorithm [RSA1978]
2.2 PGP
PGP, short for Pretty Good Privacy, was a public-domain implementation of the so-far restricted RSA algorithm. It was written in 1991 by an applied cryptographer and computer savant Philip Zimmermann and published amidst some hostility.
This cartoon from XKCD 504 alludes to RSA's and the government's attempt to criminalize publication of PGP and prosecute him for illegal export of munitions. Refer Zimmermann's interview and Senate testimony. Such a trial would have been somewhat in the style of Crown vs John Peter Zenger, yet another manifestation of the authoriatian vs libertarian formulations, and re-visiting some unresolved issues with same regarding American nationhood.
Notwithstanding this short-sighted obstructionism, PGP became so successful that it is for a long time virtually the standard for encryted e-mails. A brief overview is available at How PGP works.
Before PGP, strong public key cryptography was really accessible only for operatives of various state powers, and using the state's model, the problem of identifying other users keys was implemented using a centralized database and authority of certification. PGP also includes a decentralized model called Web of trust.
PGP was later standardized in RFC 4880 into the OpenPGP standard that anyone can implement.
2.3 GPG
GPG is short for GNU Privacy Guard and is GNU's implementation of OpenPGP.
Presently the gpg (1) man page says:
gpg is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool to provide digital encryption and signing services using the OpenPGP standard. gpg features complete key management and all the bells and whistles you would expect from a full OpenPGP implementation.
There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPG 2.x supports modern encryption algorithms and thus should be preferred over GnuPG 1.x. You only need to use GnuPG 1.x if your platform doesn't support GnuPG 2.x, or you need support for some features that GnuPG 2.x has deprecated, e.g., decrypting data created with PGP-2 keys.
If you are looking for version 1 of GnuPG, you may find that version installed under the name gpg1.
GPG is pre-installed on all Linux distributions as it is needed to verify the software signatures for installations and updates.
GnuPG's default storage directory is ~/.gnupg
which will be created and initialized upon the first run of gpg:
$ gpg gpg: directory '/home/nemo/.gnupg' created gpg: keybox '/home/nemo/.gnupg/pubring.kbx' created gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: Go ahead and type your message ... ^C gpg: signal Interrupt caught ... exiting
The contents of this directory are:
Issuing gpg --version gives:
$ gpg --version gpg (GnuPG) 2.2.10 libgcrypt 1.8.3 Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: /home/nemo/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2
So by default you have gpg2 installed rather than gpg1 which if you need, might have to be installed separately.
3 Key Generation
3.1 Master key pair
If entropy is not enough, install rng-tools:
Start and enable rngd:
3.2 Configuration Options
User level configuration of gpg is done by editing the ~/.gnupg/gpg.conf file.
Here is one with comments.
# gpg.conf of [email protected] # use gpg agent. use-agent # Set default recipient to self default-recipient [email protected] # reduce metadata in key export no-emit-version no-comments export-options export-minimal # use long key ids and show fingerprints keyid-format 0xlong with-fingerprint # Show validity list-options show-uid-validity verify-options show-uid-validity # Display photo using qiv when listing or verifying if key has one list-options show-photos verify-options show-photos photo-viewer "qiv %i" # set keyserver keyserver hkp://keys.gnupg.net # Set cipher and digest options. # Generally, use larger bit-size SHA algorithms or AES algorithms. default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed personal-cipher-preferences AES256 AES192 AES CAST5 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 cert-digest-algo SHA512 cipher-algo AES256 digest-algo SHA512 s2k-cipher-algo AES256 s2k-digest-algo SHA512 # For compression, BZIP2 with maximal level. personal-compress-preferences BZIP2 ZLIB ZIP UNCOMPRESSED compress-algo BZIP2 compress-level 9 bzip2-compress-level 9
GPG caches passphrases using gpg-agent which is automatically started by gpg.
Additional configuration of same is done by editing ~/.gnupg/gpg-agent.conf:
3.3 ECC
$ gpg --full-gen-key --expert gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (9) ECC and ECC (10) ECC (sign only) (11) ECC (set your own capabilities) (13) Existing key Your selection? 11
Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate Current allowed actions: Sign Certify (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? S
Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate Current allowed actions: Certify (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? q
Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 5y
Email address: [email protected]
You selected this USER-ID: "[email protected]" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
Please select which elliptic curve you want: (1) Curve 25519 (3) NIST P-256 (4) NIST P-384 (5) NIST P-521 (6) Brainpool P-256 (7) Brainpool P-384 (8) Brainpool P-512 (9) secp256k1 Your selection?
Choose 1.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
gpg: /home/nemo/.gnupg/trustdb.gpg: trustdb created gpg: key 0x44AD10258E84D2E3 marked as ultimately trusted gpg: directory '/home/nemo/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/nemo/.gnupg/openpgp-revocs.d/28C5C748C63C43CFCCA8516644AD10258E84D2E3.rev' public and secret key created and signed. pub ed25519/0x44AD10258E84D2E3 2018-10-02 [C] [expires: 2023-10-01] Key fingerprint = 28C5 C748 C63C 43CF CCA8 5166 44AD 1025 8E84 D2E3 uid [email protected]
3.4 User IDs
One can add multiple user ids (identities) to the same GPG key.
In what follows, the e-mail addresses [email protected] [email protected] are added to the above key.
$ gpg --expert --edit-keys [email protected] gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2023-10-01 sec ed25519/0x44AD10258E84D2E3 created: 2018-10-02 expires: 2023-10-01 usage: C trust: ultimate validity: ultimate [ultimate] (1). [email protected] gpg> adduid Real name: Email address: [email protected] Comment: You selected this USER-ID: "[email protected]" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o sec ed25519/0x44AD10258E84D2E3 created: 2018-10-02 expires: 2023-10-01 usage: C trust: ultimate validity: ultimate [ultimate] (1) [email protected] [ unknown] (2). [email protected] gpg> adduid Real name: Email address: [email protected] Comment: You selected this USER-ID: "[email protected]" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o sec ed25519/0x44AD10258E84D2E3 created: 2018-10-02 expires: 2023-10-01 usage: C trust: ultimate validity: ultimate [ultimate] (1) [email protected] [ unknown] (2) [email protected] [ unknown] (3). [email protected] gpg>
Of the three e-mails, select the first one, [email protected] and set it as primary:
gpg> uid 1 sec ed25519/0x44AD10258E84D2E3 created: 2018-10-02 expires: 2023-10-01 usage: C trust: ultimate validity: ultimate [ultimate] (1)* [email protected] [ unknown] (2) [email protected] [ unknown] (3). [email protected] gpg> primary sec ed25519/0x44AD10258E84D2E3 created: 2018-10-02 expires: 2023-10-01 usage: C trust: ultimate validity: ultimate [ultimate] (1)* [email protected] [ unknown] (2) [email protected] [ unknown] (3) [email protected] gpg>
Now save the key:
After saving, all three identities are shown with ultimate trust:
$ gpg --list-keys gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2023-10-01 /home/nemo/.gnupg/pubring.kbx ----------------------------- pub ed25519/0x44AD10258E84D2E3 2018-10-02 [C] [expires: 2023-10-01] Key fingerprint = 28C5 C748 C63C 43CF CCA8 5166 44AD 1025 8E84 D2E3 uid [ultimate] [email protected] uid [ultimate] [email protected] uid [ultimate] [email protected]
The extra identities can be removed again using gpg --edit-key.
3.5 Subkeys
Open the key again for editing:
$ gpg --expert --edit-key [email protected] gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. sec ed25519/0x44AD10258E84D2E3 created: 2018-10-02 expires: 2023-10-01 usage: C trust: ultimate validity: ultimate [ultimate] (1). [email protected] gpg>
Add three subkeys, one each for signing, encryption and authentication. The chosen validity for the master keypair was 5 years. The subkeys in what follows are set to expire just one day before the master. First, signing subkey:
gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key Your selection? 11 Possible actions for a ECDSA/EdDSA key: Sign Authenticate Current allowed actions: Sign (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? q Please select which elliptic curve you want: (1) Curve 25519 (3) NIST P-256 (4) NIST P-384 (5) NIST P-521 (6) Brainpool P-256 (7) Brainpool P-384 (8) Brainpool P-512 (9) secp256k1 Your selection? 1 Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1824 Key expires at Sat 30 Sep 2023 12:29:13 PM EDT Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. sec ed25519/0x44AD10258E84D2E3 created: 2018-10-02 expires: 2023-10-01 usage: C trust: ultimate validity: ultimate ssb ed25519/0x51F622FEDCB082CE created: 2018-10-02 expires: 2023-09-30 usage: S [ultimate] (1). [email protected] gpg>
Similarly, create a key for authentication:
gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key Your selection? 11 Possible actions for a ECDSA/EdDSA key: Sign Authenticate Current allowed actions: Sign (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? a Possible actions for a ECDSA/EdDSA key: Sign Authenticate Current allowed actions: Sign Authenticate (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? s Possible actions for a ECDSA/EdDSA key: Sign Authenticate Current allowed actions: Authenticate (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? q Please select which elliptic curve you want: (1) Curve 25519 (3) NIST P-256 (4) NIST P-384 (5) NIST P-521 (6) Brainpool P-256 (7) Brainpool P-384 (8) Brainpool P-512 (9) secp256k1 Your selection? 1 Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1824 Key expires at Sat 30 Sep 2023 12:30:30 PM EDT Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. sec ed25519/0x44AD10258E84D2E3 created: 2018-10-02 expires: 2023-10-01 usage: C trust: ultimate validity: ultimate ssb ed25519/0x51F622FEDCB082CE created: 2018-10-02 expires: 2023-09-30 usage: S ssb ed25519/0x1D0632B5CB323A59 created: 2018-10-02 expires: 2023-09-30 usage: A [ultimate] (1). [email protected] gpg>
and one for encryption:
gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key Your selection? 12 Please select which elliptic curve you want: (1) Curve 25519 (3) NIST P-256 (4) NIST P-384 (5) NIST P-521 (6) Brainpool P-256 (7) Brainpool P-384 (8) Brainpool P-512 (9) secp256k1 Your selection? 1 Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1824 Key expires at Sat 30 Sep 2023 12:31:11 PM EDT Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. sec ed25519/0x44AD10258E84D2E3 created: 2018-10-02 expires: 2023-10-01 usage: C trust: ultimate validity: ultimate ssb ed25519/0x51F622FEDCB082CE created: 2018-10-02 expires: 2023-09-30 usage: S ssb ed25519/0x1D0632B5CB323A59 created: 2018-10-02 expires: 2023-09-30 usage: A ssb cv25519/0x732F4743FAD7A827 created: 2018-10-02 expires: 2023-09-30 usage: E [ultimate] (1). [email protected] gpg>
Now save the key:
3.6 Air gapped keys
An air gapped machine is one that is not connected to the internet. The physical separation from all the other machines is the air gap.
You want to aver to world that your keys can positively identify you. Loss of control over keys or serious mistakes means you have to re-do eveything. Publishing fresh keys while the earlier one(s) is unrevoked is moot. So it's worth first adequately apprehending and testing the paradigms and praxis before deploying keys in public. It is recommended that the first you have a dummy run doing all the steps except deploying to keyservers where you can keep discarding/deleting without damage to GPG Web of Trust. Once you deploy to public keyservers, it is set in stone.
At first you can avoid the extra precautions described below like a separate USB installation. Once you have got the hang of it, repeat with the additional safety measures and after you are sure of everything, deploy to keyservers.
For extra caution, disable network and do not run any browsers while we are at it.
If a USB drive is to be used to permanently store the backup GPG key, it makes sense to have Linux installed on the same drive to enable stand-alone booting. The drive may be encrypted in LVM for more security. A good candidate for a secure and hardened distribution is Kali Linux focused towards network security testing. Use Kali Linux Light 64 bit to save space. Download the image and verify (why verify?).
VirtualBox, can be used it install on to USB drive or memory card.
Otherwise, procedure is same except for having to use two USB drives, one on which the Live image may be written to boot from, and the other as target medium.
Set up VirtualBox and use vboxdrv to add a virtual hard disk that corresponds to the USB drive.
The VirtualBox Oracle extensions pack has to be installed for the guest OS to have access to the drive via USB 3.0.
For some reason in my case it worked only after a re-boot.
Run VirtualBox using sudo in order to get write access to the virtual hard disk set up above.
Boot up the Live CD image in the virtual machine and start installation in text mode.
Follow the steps for Encrypted Disk Install.
After installation, reboot the Virtual Machine without the live image from the USB drive (virtual hard drive).
The kernel upon booting asks for the disk encryption password after giving which booting will proceed.
Login as the normal user, start terminal and become root using sudo su.
Populate /etc/apt/sources.list with:
nano is the default editor which may be used here.
Next, update the apt cache and upgrade all packages to latest:
Install vim as a preferred editor, rng-tools for better entropy during key generation and paperkey for extracting only the secret parts from a GPG key.
Rather than VirtualBox, it may be even better to use a physical hardware that is used only for this purpose, eg, your unused old laptop; but not all people may keep it.
Hencefore for each gpg command until noted otherwise, --home option should be specifically given in order to use this directory instead of the default ~/.gnupg, e. g.:
4 Key Distribution
4.1 Key Servers
4.2 Personal web page
Put the public key files [email protected] and its ascii-armored version [email protected] in your webpage.
4.3 E-mails
4.4 Keybase
4.5 WKD
WKD stands for Well Known Directory.
This stands for the .well-known subdirectory of the document root of web servers.
$ mkdir -p .well-known/openpgpkey/hu $ cp ~/[email protected] .well-known/openpgpkey/hu/7ykjtf53qx9r755yf55fchkban81w8t9
$ gpg --with-wkd-hash -k 44AD10258E84D2E3 pub ed25519/0x44AD10258E84D2E3 2018-10-02 [C] [expires: 2023-10-01] Key fingerprint = 28C5 C748 C63C 43CF CCA8 5166 44AD 1025 8E84 D2E3 uid [ultimate] [email protected] [email protected] sub ed25519/0x51F622FEDCB082CE 2018-10-02 [S] [expires: 2023-09-30] sub ed25519/0x1D0632B5CB323A59 2018-10-02 [A] [expires: 2023-09-30] sub cv25519/0x732F4743FAD7A827 2018-10-02 [E] [expires: 2023-09-30]
$ mkdir /tmp/nemo-gpg-tmp $ gpg --home /tmp/nemo-gpg-tmp -v --auto-key-locate=clear,wkd,nodefault --locate-key [email protected] gpg: keybox '/tmp/nemo-gpg-tmp/pubring.kbx' created gpg: /tmp/nemo-gpg-tmp/trustdb.gpg: trustdb created gpg: using pgp trust model gpg: pub ed25519/44AD10258E84D2E3 2018-10-02 [email protected] gpg: key 44AD10258E84D2E3: public key "[email protected]" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: auto-key-locate found fingerprint 28C5C748C63C43CFCCA8516644AD10258E84D2E3 gpg: automatically retrieved '[email protected]' via WKDpub ed25519 2018-10-02 [C] [expires: 2023-10-01] 28C5C748C63C43CFCCA8516644AD10258E84D2E3 uid [ unknown] [email protected] sub ed25519 2018-10-02 [S] [expires: 2023-09-30] sub ed25519 2018-10-02 [A] [expires: 2023-09-30] sub cv25519 2018-10-02 [E] [expires: 2023-09-30]
$ echo "Test message" | gpg -ear [email protected] gpg: 0x1206CC3C7B886121: There is no assurance this key belongs to the named user sub cv25519/0x1206CC3C7B886121 2018-10-10 [email protected] Primary key fingerprint: 2506 D64E DCC5 841A 1E21 879A EB79 AF04 66E0 1A81 Subkey fingerprint: 358C CE9F 4979 BFC3 A0F8 FD75 1206 CC3C 7B88 6121 It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) y -----BEGIN PGP MESSAGE----- hF4DEgbMPHuIYSESAQdAgZKFJIP1jZ/F+QUFpKBfvTSVkM8nKoSi5LT2rx/QDlUw GEk7uQ4dy700dS632G7r94NVTBvGtoz3kyVOyyvLSOphqzN5KMVKMnwZUck78p2d 0nEBjSk2PxUIeX1jJGhOxbON9w+xeq1V+XhnMc3xwfRc5YFY7IHB+uKLqHY+37PL P1Rrhc02jiOX0HhKw9XsuKhDf3U+tCtn0XiN+xbP04LZZO5z+bjEXgHN63b4llmC kxMfKH258bptKP8TywongjUJxw== =Bsvc -----END PGP MESSAGE-----
4.6 DNS
5 Regular Usage
5.1 Signing
5.2 Decryption
5.3 Keychains
List keys To list keys in your public key ring:
5.4 E-mail Clients
K-9 Mail
Thunderbird
Protonmail
6 Key Maintenance
6.1 Backup and Recovery
6.2 Paperkey
6.3 Revocation
6.4 Validity Extension
6.5 New Master Keypair
6.6 User IDs
6.7 Photos
7 Hardware Tokens via Smart Cards
Diffie, W.; Hellman, M. E., New directions in cryptography, IEEE Trans. Information Theory, 22 (6), Nov 1976, pp. 644-654. doi:10.1109/TIT.1976.1055638
Rivest, R., Shamir, A.; Adleman, L. . A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM. 21 (2) Feb 1978, pp. 120–126. doi:10.1145/359340.359342.