In part 1 of this GPG tutorial series, you learned the benefits of GPG and generated your public/private key pair. In part 2, you will learn how to upload your public key to a key server so others can send you encrypted messages that only can be decrypted with your private key. We will also look at how to import and verify other’s public keys and manage your keyring.

Step 1: Check Your Own Public Key

Run the following command to list your own GPG public key. Replace user-id with your GPG email address.

gpg --list-sigs user-id

Sample output:

As you can see, my key ID is 752E173A3F8B04F5, and my key fingerprint is 378CB32D8AC7D656F38961B1752E173A3F8B04F5.

Step 2: Share Your Public Key on Public Keyserver

Remember you should never share your private key, only share your public key. There’re hundreds of public keyservers around the world. Ubuntu has their own. MIT has one. Use the following command to send your public key to a keyserver.

gpg --send-key key-id

On Ubuntu, GPG will send your public key to the default keyserver hkps://keys.openpgp.org. You have the choice to select a different public keyserver with --keyserver option, but I prefer to use the default openPGP keyserver.

gpg --keyserver hkps://keyserver.ubuntu.com --send-key key-id

If your public key is sent to the openPGP keyserver, it will send a notification to your email address.

By default, your pubic key is not available for search by email address. If you want others to search your public key by email address, then click the link in the email. Then you will need to verify your email address. This way, an imposter can’t upload a fake key with your email address as the identifier.

After your email address is verified, you can search for your key on the key server.

gpg --search user-id

As you can see, it found my public key. When it asks what you want to do with this key, press N and it will quit, because this key is already on your system. If you don’t verify your email address, then you can’t search the key by email address.

Step 3: Import Others’ Public Key to Your Keyring

If you need to send an encrypted message to a recipient with GPG, then you should import the recipient’s public key to your keyring. The keyring contains your public key and imported public keys. The keyring file is located at ~/.gnupg/pubring.kbx.

Import from a file:

You can ask the recipient to give you the public key file and import it with the following command:

gpg --import public-key-file

Import from keyserver

If the recipient’s public key is uploaded to a key server, you can import it from a key server. Use the following command to search public keys on the keyserver. User ID is the recipient’s email address.

gpg --search user-id

If you know the key ID beforehand, use --recv-keys options to import the key from the keyserver.

gpg --recv-keys key-id

To specify a particular key server, us the --keyserver option like below.

gpg --keyserver hkps://keyserver.ubuntu.com --search user-id

Once you find the requested public key, you can import it to your keyring.

Step 4: Validate Public Keys

When somebody give you his/her public key, how do you know the public key really belongs to that person? Once you imported other’s public key, you should validate the key’s authenticity.

Here’s how the validation process works:

1. You view the fingerprint of the public key with command: gpg --fingerprint user-id
2. You contact the key’s owner over the phone, in person or by other means as long as you make sure you contact the key’s true owner and you ask the owner what’s the fingerprint of his/her key.
3. Compare the two fingerprints. If the two fingerprints match, then you can be sure it’s the correct public key.
4. Then you sign the key to certify it as a valid key. To sign a key, use command gpg --sign-key key-id

The fingerprint is a hash of public key. Its length is much shorter than the length of public key, therefore it’s easy for you to compare fingerprints. You must have you own private key in order to sign another’s public key.

After you sign the other person’s public key, you can optionally upload the public key to a key server. This tells the key server that you trust this person’s public key.

gpg --send-key key-id

Step 5: Manage Your Keyring

List all keys in your public keyring

gpg --list-keys

Sample output:

pub   ed25519 2022-05-10 [SC] [expires: 2024-05-09]
      378CB32D8AC7D656F38961B1752E173A3F8B04F5
uid           [ultimate] Xiao Guoan <xiao@linuxbabe.com>
sub   cv25519 2022-05-10 [E] [expires: 2024-05-09]

List all keys with signature

gpg --list-sigs

sample output:

pub   ed25519 2022-05-10 [SC] [expires: 2024-05-09]
      378CB32D8AC7D656F38961B1752E173A3F8B04F5
uid           [ultimate] Xiao Guoan <xiao@linuxbabe.com>
sig 3        752E173A3F8B04F5 2022-05-10  Xiao Guoan <xiao@linuxbabe.com>
sub   cv25519 2022-05-10 [E] [expires: 2024-05-09]
sig          752E173A3F8B04F5 2022-05-10  Xiao Guoan <xiao@linuxbabe.com>

To delete a key

gpg --delete-key key-id

Hint: Most of the time, you can use the fingerprint as key ID.

List Keys in Your Private Keyring

gpg --list-secret-key

Sample output

/home/linuxbabe/.gnupg/pubring.kbx
----------------------------------
sec   ed25519 2022-05-10 [SC] [expires: 2024-05-09]
      378CB32D8AC7D656F38961B1752E173A3F8B04F5
uid           [ultimate] Xiao Guoan <xiao@linuxbabe.com>
ssb   cv25519 2022-05-10 [E] [expires: 2024-05-09]

Manage GPG Keys in Seahorse

If you use a GNOME-based desktop environement on Linux, then you can manage GPG keys in Seahorse, which is a graphical tool for managing and using encryption keys, passwords and certificates. (If you use KDE desktop, there’s a similar program called KGPG.)

Open Seahorse from your applications menu.

Before starting using it, we need to configure the PGP key server. Click the dropdown menu and go to Preferences, you will see there are two default key servers.

• hkp://keyserver.ubuntu.com:11371
• ldap://keyserver.pgp.com

I found the Ubuntu key server doesn’t work, so I change it to the openPGP key server (hkps://keys.openpgp.org).

To import a public key from a key server, click the drop-down menu and select Find remote keys. Then enter an email address.

As you can see, it found my public key on the key server. Because this is my own key, so I don’t need to import it.

If this is another person’s key, you can click the import button, so it will be added to your key ring. And if you run command gpg --list-keys, you can see it’s been added to your key ring.

By default, Seahorse only show your own key. To show other keys, click the show any option.

Right-click on another person’s key and select Property, you will be able to check the key’s fingerprint. As explained earlier, you need to contact the key’s owner and verify if it’s the fingerprint is correct.

If the fingerprint is correct, you should sign the public key by clicking the sign key button.

Next Step

In this part, you learned how to upload public keys, import other’s keys, and key validation. In part 3 of this GPG tutorial series, we will learn how to encrypt and decrypt messages with GPG.

• A Practical GPG Guide Part 3: Encrypt and Decrypt Files

You may also like:

How to Set Up ScalaHosting Managed VPS Email Server

How to Set Up ScalaHosting Managed VPS Email Server

Learn who to create your own dedicated email server by using the SPanel control panel, without using Linux command line.

How to Install Passbolt Password Manager on Ubuntu 18.04 Server

How to Install Passbolt Password Manager on Ubuntu 18.04 Server

Passbolt is an open-source self-hosted password manager. Install Passbolt Community Edition (CE) on Ubuntu 18.04 with Ap

How to Install Passbolt Password Manager on Ubuntu 22.04 Server

How to Install Passbolt Password Manager on Ubuntu 22.04 Server

Passbolt is an open-source self-hosted password manager. Install Passbolt Community Edition (CE) on Ubuntu 22.04 with Ap

A Practical Guide to GPG Part 1: Generate Your Public/Private Key Pair

A Practical Guide to GPG Part 1: Generate Your Public/Private Key Pair

This tutorial series will teach you how to use GPG (Gnu Privacy Guard) in the Linux terminal, so you will be able to sen

How to Verify PGP Signature of Downloaded Software on Linux

How to Verify PGP Signature of Downloaded Software on Linux

In this tutorial, we will look at how to verify PGP signature of downloaded software. PGP signature is a hash value of t

How to Encrypt Emails with OpenPGP in Thunderbird (2022)

How to Encrypt Emails with OpenPGP in Thunderbird (2022)

In previous parts of the GPG tutorial series, I explained how GPG encryption works. In this tutorial, you will learn how

How to Install Passbolt Password Manager on Ubuntu 20.04 Server

How to Install Passbolt Password Manager on Ubuntu 20.04 Server

Passbolt is an open-source self-hosted password manager. This tutorial will be showing you how to install Passbolt on Ub

2 Simple Steps to Set Up SSH Public Key Authentication on CentOS

2 Simple Steps to Set Up SSH Public Key Authentication on CentOS

This tutorial explains how to set up SSH public key authentication on CentOS/RHEL Public key authentication is also know

⚡ by shareaholic

.