[conspire] (forw) Re: Can you point me to a gnupg tutorial?

Rick Moen rick at linuxmafia.com
Wed Apr 27 19:33:52 PDT 2011

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Wed, 27 Apr 2011 19:32:31 -0700
From: Rick Moen <rick at linuxmafia.com>
To: [a friend]
Subject: Re: Can you point me to a gnupg tutorial?
Organization: If you lived here, you'd be $HOME already.

Quoting [my friend]

> Hello Rick this is [my friend]

Hi there!

> 	Can you point me to a gnupg tutorial? I set up a gnupg encryption and
> signing application around 1999. 
> 	I need a hand holding tutorial so I can figure out what files and
> passwords and key phrases are still missing. 

Aw, man.  My condolences.  I'm especially sympathetic because gnupg 
has a really awful, infamously bad user interface.

Back when I worked at VA Linux Systems in the early 2000s, I wrote a
one-hour lecture on gnupg.  It's preserved here:

'GnuPG Lecture' on http://linuxmafia.com/kb/Security/
(Sometimes, you can find things of interest just by browsing the indexes
in my online knowledgebase.  That's one of the main reasons I created
and maintain it.)

> 	So far I have these pieces: I know the UID I used in 2000 and I know
> the second UID I created in 2004. I think I know my key id and I have
> found my key on an Internet keyserver.
> 	The thing I don't understand is how do I run gnupg from the command
> line and what part of the system is missing?

That's the worst part:  the mind-numbingly bad command-line syntax.

Normally, your personal gnupg-related data are stored in files in a
~/.gnupg directory.  Note the highly restricted permissions.  Most of
those files are a binary (non-ASCII) format.

[rick at linuxmafia]
~ $ cd .gnupg/
[rick at linuxmafia]
~/.gnupg $ ls -al
total 908
drwx------  2 rick rick   4096 Apr 25 13:15 .
drwxr-xr-x 53 rick rick  20480 Apr 27 18:44 ..
-rw-------  1 rick rick   3107 Oct 12  2006 options
-rw-------  1 rick rick   3108 Oct 20  2002 options~
-rw-r--r--  1 rick rick 436250 Jul 27  2009 pubring.gpg
-rw-r--r--  1 rick rick 436250 Jul 27  2009 pubring.gpg~
-rw-------  1 rick rick    600 Mar 20  2009 random_seed
-rw-------  1 rick rick   1204 Aug 10  2000 secring.gpg
-rw-------  1 rick rick   1240 Jul 27  2009 trustdb.gpg
[rick at linuxmafia]
~/.gnupg $

Here's a command that dumps the contents of the pubring.gpg (which is
your gnupg 'keyring') to ASCII.  These are hash values based on the
public halves of my and other people's gnupg (DSA-type) keys.

~/.gnupg $ gpg --list-keys | more
pub   1024D/6E03C0E3 2000-08-10
uid                  Rick Moen <rick at linuxmafia.com>
sub   1024g/FC2DDC3B 2000-08-10

pub   1024D/0CF0AE07 1999-12-02
uid                  Aaron Brick <aa at lithic.org>
sub   1024g/EF12F15F 1999-12-02

pub   1024D/9B936C95 2001-06-12
uid                  Colin Walters <walters at cis.ohio-state.edu>
sub   1024g/B31AC9BB 2001-06-12

pub   1024D/A8EFD603 2000-10-13
uid                  David Whedon <dwhedon at debian.org>
uid                  David Whedon <dwhedon at gordian.com>
uid                  David Whedon <davidw at gordian.com>
sub   1024g/6E090406 2000-10-13

pub   1024D/5E26741E 2000-07-28
uid                  Don Marti <dmarti at zgp.org>
sub   1024g/17CA19F0 2000-07-28
[snip dozens and dozens more entries that I've accumulated over the

[rick at linuxmafia]
~/.gnupg $

For each of those entries, 'pub' is the public signing key, and 'sub' is
the public encryption key.

These are hash values of the _private_ (secret) half of my personal
gnupg key.  None of this reveals the _actual_ full private key, which is
something I keep secret.

[rick at linuxmafia]
~/.gnupg $ gpg --list-secret-keys
sec   1024D/6E03C0E3 2000-08-10
uid                  Rick Moen <rick at linuxmafia.com>
ssb   1024g/FC2DDC3B 2000-08-10

[rick at linuxmafia]
~/.gnupg $ 

For the one private half of a gnupg key (mine) stored in secring.gpg,
'sec' is the hash value of the private signing key.  'ssb' is the hash
value of the private encryption key.  

This is a command for dumping to stdout my full public half of my
personal keypair, in an ASCII-export representation called 
'radix-64 format' aka 'armor', which is a process similar to

[rick at linuxmafia]
~/.gnupg $ gpg --export --armor rick at linuxmafia.com

Version: GnuPG v1.4.6 (GNU/Linux)

[snip many more lines]
[rick at linuxmafia]

I think I _might_ have bad news for you.

> I think I know my key id

You probably mean you think you know your key's hash (and/or its UID).
The hash is a probably-unique short expression derived from your key,
which you can use as an identifier to refer to it, e.g., when querying
keyservers.  Unfortunately, the hash value is not the key.

A gnupg key is a keypair created using the DSA public-key cipher (by
default).  Being a keypair, it has a public half and a private half.
I _think_ you mean (above) that you have a hash value derived from your 
private key (like the 'sec' and 'ssb' lines in the output I get, above,
when I type 'gpg --list-secret-keys').  

If you have only the hash values, or only the UID, then you have lost
the private key.  Sorry.  You have lost the ability to use that key, 
in that case.  Unless you are able to find a backup copy of secring.gpg,
you need to give up on that one.  If you are not that lucky but have
just a little bit of luck, then maybe you still have kept around the
'revocation certificate' (conventionally written out to revoke.asc) that
you might or might not have created immediately after generating your
personal keypair.  My tutorial strongly urges people to do that.  If you
did create (and keep) a revocation certificate, then you can now submit
that certificate to public keyservers, telling them that you're
declaring the key invalid, and that nobody should trust it any more.

> I have found my key on an Internet keyserver.

And you probably already know, at this point, what I'm going to say:
What you would find on an Internet keyserver would be the _public_ half
of your DSA-type gnupg key.  It would defeat the purpose of using
public-key keypairs to put the _private_ half of your key out into the

If you have lost the private half of your key, you should not despair
but should start over by running 'gpg --gen-key'.  Attend a few
keysigning events, for example where Debian developers gather, so that
well-known people submit signatures to the public keyservers that make
your (new) key known and attested to.  That way, your key will be useful
because people can vet its authenticity through the web of trust.

I hope this proves useful. You will also find this thread to be useful,
especially as it fleshes out some detail missing from my 2001 lecture:

----- End forwarded message -----
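Added example (not part of Rick's message, nor code from GnuPG itself): a small Python script that parses the human-readable `gpg --list-keys` / `gpg --list-secret-keys` layout shown in the message above, cross-references the two listings to report which public keys actually have a private half on this machine (a key id, a UID or a copy on a keyserver is only the public side), and checks that the `~/.gnupg` directory carries the `drwx------` permissions shown in the listing. The sample listings embedded below are constructed from the entries in the message; the function names and the regexes are this example's own assumptions about the GnuPG 1.x output format.

```python
"""Inventory a GnuPG 1.x keyring listing and check ~/.gnupg permissions.
Added example; parses the human-readable listing format shown in the
message, not GnuPG's machine-readable --with-colons output."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# 'pub   1024D/6E03C0E3 2000-08-10' (also sec/sub/ssb): bits, algorithm
# letter (D = DSA signing key, g = ElGamal encryption key), key id, date.
KEY_LINE = re.compile(
    r"^(?P<kind>pub|sec|sub|ssb)\s+(?P<bits>\d+)(?P<algo>[A-Za-z])/"
    r"(?P<keyid>[0-9A-Fa-f]{8,16})\s+(?P<created>\d{4}-\d{2}-\d{2})"
)
UID_LINE = re.compile(r"^uid\s+(?P<uid>\S.*?)\s*$")


@dataclass
class Key:
    keyid: str
    bits: int
    algo: str
    created: str
    uids: List[str] = field(default_factory=list)
    subkeys: List[str] = field(default_factory=list)  # sub/ssb key ids


def parse_listing(text: str) -> Dict[str, Key]:
    """Return {key id: Key} for every pub (or sec) entry in a listing."""
    keys: Dict[str, Key] = {}
    current = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            if m["kind"] in ("pub", "sec"):
                current = Key(m["keyid"].upper(), int(m["bits"]),
                              m["algo"], m["created"])
                keys[current.keyid] = current
            elif current is not None:      # sub/ssb belongs to current key
                current.subkeys.append(m["keyid"].upper())
            continue
        m = UID_LINE.match(line)
        if m and current is not None:
            current.uids.append(m["uid"])
    return keys


def private_half_present(public: Dict[str, Key],
                         secret: Dict[str, Key]) -> Dict[str, bool]:
    """For each public key, True only if the same key id appears in the
    secret-key listing; otherwise only the public half is on this machine."""
    return {keyid: keyid in secret for keyid in public}


def gnupg_home_is_private(path: str) -> bool:
    """True if path is a directory with no group/other bits set (drwx------)."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def permission_check_demo() -> Tuple[bool, bool]:
    """Run gnupg_home_is_private on a throwaway directory at 0700, then 0755."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o700)
        locked = gnupg_home_is_private(d)
        os.chmod(d, 0o755)
        loose = gnupg_home_is_private(d)
    finally:
        os.rmdir(d)
    return locked, loose


# Constructed sample input, copied from the listings in the message.
PUBLIC_LISTING = """\
pub   1024D/6E03C0E3 2000-08-10
uid                  Rick Moen <rick at linuxmafia.com>
sub   1024g/FC2DDC3B 2000-08-10

pub   1024D/0CF0AE07 1999-12-02
uid                  Aaron Brick <aa at lithic.org>
sub   1024g/EF12F15F 1999-12-02

pub   1024D/A8EFD603 2000-10-13
uid                  David Whedon <dwhedon at debian.org>
uid                  David Whedon <dwhedon at gordian.com>
uid                  David Whedon <davidw at gordian.com>
sub   1024g/6E090406 2000-10-13
"""
SECRET_LISTING = """\
sec   1024D/6E03C0E3 2000-08-10
uid                  Rick Moen <rick at linuxmafia.com>
ssb   1024g/FC2DDC3B 2000-08-10
"""

if __name__ == "__main__":
    pub = parse_listing(PUBLIC_LISTING)
    sec = parse_listing(SECRET_LISTING)
    for keyid, held in private_half_present(pub, sec).items():
        k = pub[keyid]
        print(f"{keyid} {k.bits}{k.algo} {k.uids[0]}: "
              f"{'private half present' if held else 'public half only'}")
    print("tempdir at 0700 / 0755 ->", permission_check_demo())
```

On a live keyring, feed the script the output of `gpg --list-keys` and `gpg --list-secret-keys` instead of the embedded samples; for anything beyond a one-off check, `gpg --with-colons` gives a stable, machine-readable format that does not depend on the column layout this regex expects.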
