7.9. Sharing Public Keys

Problem

You want to obtain a friend’s public key securely but conveniently.

Solution

Most securely, get the public key on disk directly from your friend in person. Barring that:

  1. Obtain the public key by any means (e.g., email, keyserver [Recipe 7.19]).

  2. Add the key to your keyring. [Recipe 7.10]

  3. Before using the key, telephone its owner and ask him to read the key fingerprint aloud. View the fingerprint with:

    $ gpg --fingerprint key_id

    If they match, you’re done. If not, consider the key suspect, delete it from your keyring, and don’t use it.

  4. If you trust the key, indicate this to GnuPG:

    $ gpg --edit-key key_id
    Command> trust

    and follow the prompts.

Discussion

Public keys are not secret, but they do require trust: the trust that a given key actually belongs to its alleged owner. A fingerprint can provide that trust in a convenient form, easy to read aloud over a telephone.

Always verify the fingerprint before trusting a public key. If you don’t, consider this scenario:

  1. You email your friend, asking for his public key.

  2. A snooper intercepts your email and sends you his public key instead of your friend’s.

  3. You blindly add the snooper’s public key to your keyring, believing it to be your friend’s.

  4. You encrypt sensitive mail using the snooper’s key and send it to your friend.

  5. The snooper intercepts your mail and decrypts it.

See Also

gpg(1).

Get Linux Security Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.