June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
7.9. Sharing Public Keys
Problem
You want to obtain a friend’s public key securely but conveniently.
Solution
Most securely, get the public key on disk directly from your friend in person. Barring that:
Obtain the public key by any means (e.g., email, keyserver [Recipe 7.19]).
Add the key to your keyring. [Recipe 7.10]
Before using the key, telephone its owner and ask him to read the key fingerprint aloud. View the fingerprint with:
$ gpg --fingerprint
key_idIf they match, you’re done. If not, consider the key suspect, delete it from your keyring, and don’t use it.
If you trust the key, indicate this to GnuPG:
$ gpg --edit-key
key_idCommand>trustand follow the prompts.
Discussion
Public keys are not secret, but they do require trust: the trust that a given key actually belongs to its alleged owner. A fingerprint can provide that trust in a convenient form, easy to read aloud over a telephone.
Always verify the fingerprint before trusting a public key. If you don’t, consider this scenario:
You email your friend, asking for his public key.
A snooper intercepts your email and sends you his public key instead of your friend’s.
You blindly add the snooper’s public key to your keyring, believing it to be your friend’s.
You encrypt sensitive mail using the snooper’s key and send it to your friend.
The snooper intercepts your mail and decrypts it.
See Also
gpg(1).