1. Introduction
PGP (Pretty Good Privacy) is a method of encryption and decryption of electronic messages and data. An ASCII-armored PGP secret key is a version of a PGP secret key that’s encoded using ASCII characters for easier transmission and sharing.
By ASCII-armoring the secret key, we can display it as plain text, making it easier to include in text files or emails without binary data. However, extracting specific information, such as the fingerprint, requires parsing through this ASCII armor and isolating the relevant data.
In this tutorial, we’ll learn how to locate and extract the fingerprint of an ASCII-armored PGP secret and public key.
2. Using GPG
GPG (GNU Privacy Guard) is a free and open-source implementation of the OpenPGP standard. It’s a tool that encrypts data and creates digital signatures with a versatile key management system. Moreover, it has access modules for all kinds of public key directories.
There are two versions of GPG available:
- gpg: standalone version suitable for servers and embedded platforms
- gpg2: version for desktops; requires several additional modules to be installed
In some Linux distros such as Debian, the gnupg2 package is a dummy transitional package that provides symlinks from gpg2 to gpg.
2.1. Installation
In most Linux distributions, the GPG command comes pre-installed. However, we can install it on different Linux distros from the local package manager if it’s not already available.
For example, on Debian, we can employ APT:
$ sudo apt install gnupg
Alternatively, on Arch Linux, we can use pacman:
$ sudo pacman -S gnupg
Finally, we can employ DNF for Fedora:
$ sudo dnf install gnupg
Now, we can proceed with using GPG to get the fingerprint of an ASCII-armored PGP secret key.
2.2. Fingerprint ASCII PGP Key
Let’s first navigate to the directory containing the PGP key:
$ cd /path/to/key/directory
Next, we can use the gpg command to display the fingerprint:
$ gpg --with-fingerprint the-secret-key.asc
pub 2048R/<key-id> YYYY-MM-DD [expires: YYYY-MM-DD]
Key fingerprint = XXXX YYYY ZZZZ AAAA BBBB CCCC DDDD EEEE FFFF GGGG
uid Your Name <your.name@example.com>
sub 2048R/12345678 YYYY-MM-DD [expires: YYYY-MM-DD]
We use the --with-fingerprint option to list the key and its fingerprint.
Let’s break down the output we get:
- pub indicates a public key
- 2048R represents the key size and type (2048-bit RSA)
- <key-id> represents the key ID
- YYYY-MM-DD [expires: YYYY-MM-DD] shows the creation and expiry date if available
- Key fingerprint is a label indicating that the following line contains the fingerprint
- the line starting with uid represents the user ID, i.e., the key owner's name and email address
- finally, sub is a subkey that’s automatically associated with the primary key pair
Alternatively, if we don't know the exact location of the PGP secret key file, we can use the keyring.
For public PGP keys, the command remains the same, but the input file points to a public PGP key.
2.3. Keyrings
The keyring is a central repository for storing cryptographic keys in PGP encryption systems. It’s a secure storage mechanism for public and private keys, offering structure and organization to environments for key management tasks.
There are two types of keyrings:
- secret: also known as a private keyring, this is a storage repository for private keys
- public: repository for storing public keys
We can use the gpg command to get the fingerprint of all PGP secret and public keys.
For instance, let’s list all available public keyrings:
$ gpg --list-keys --fingerprint
Alternatively, we can use the --list-secret-keys option to view all the secret keys:
$ gpg --list-secret-keys --fingerprint
These options are favorable when we’re unsure of the PGP key’s exact location.
Moreover, we can use the --no-default-keyring option to exclude default secret and public keys:
$ gpg --list-secret-keys --fingerprint --no-default-keyring
We can also specify or create a secret and public PGP keyring file. Specifying the keyring file narrows down the results, while creating a keyring file lets us store secret or public PGP keys in specific files.
2.4. Create PGP Keyring
For example, let’s create a PGP keyring:
$ gpg --no-default-keyring --keyring trustedkeys.gpg --fingerprint
The --keyring option creates the keyring file trustedkeys.gpg, so we can then use the gpg command to perform different operations on it.
Let’s look at the general format:
$ gpg --no-default-keyring --keyring trustedkeys.gpg <the-gpg-commands-here>
As an illustration, let’s list all the keys of the trustedkeys.gpg file:
$ gpg --no-default-keyring --keyring trustedkeys.gpg --list-keys
The command lists all keys stored in the trustedkeys.gpg keyring file.
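When we list keys from a script rather than by hand, the human-readable layout shown above is awkward to parse. gpg offers the --with-colons option (a real gpg option, though not one used on this page) for a stable, machine-readable layout in which fpr records carry the fingerprint. The Python below is an added example, not code from the article: it parses such a listing, normalizes fingerprints so that the space-grouped form gpg prints and the bare hex form compare equal, and looks up a key by a fingerprint obtained out of band. The listing embedded in it is constructed sample output with toy key IDs, and the function names are my own; only list_key_fingerprints actually runs gpg.

```python
import hmac
import subprocess
from typing import Optional

HEX = set("0123456789ABCDEF")


def normalize_fingerprint(fpr: str) -> str:
    """Canonical form for comparisons: 40 upper-case hex digits, no spaces."""
    cleaned = "".join(fpr.split()).upper()
    if len(cleaned) != 40 or not set(cleaned) <= HEX:
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return cleaned


def parse_colon_listing(text: str) -> list:
    """Parse `gpg --with-colons --fingerprint --list-keys` (or --list-secret-keys) output.
    Field 1 is the record type, 3 the key length, 4 the algorithm, 5 the key ID, 6 the creation
    time; field 10 holds the user ID on uid records and the fingerprint on fpr records."""
    keys, current, last = [], None, None  # last: the key record the next fpr line belongs to
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):
            current = {"type": f[0], "length": f[2], "algo": f[3], "keyid": f[4], "created": f[5],
                       "fingerprint": None, "uids": [], "subkeys": []}
            keys.append(current)
            last = current
        elif f[0] in ("sub", "ssb") and current is not None:
            last = {"type": f[0], "length": f[2], "algo": f[3], "keyid": f[4], "created": f[5],
                    "fingerprint": None}
            current["subkeys"].append(last)
        elif f[0] == "fpr" and last is not None:
            last["fingerprint"] = normalize_fingerprint(f[9])
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys


def list_key_fingerprints(secret: bool = False, keyring: Optional[str] = None) -> list:
    """Run gpg and parse its listing; the only function here that needs gpg installed."""
    cmd = ["gpg", "--batch", "--with-colons", "--fingerprint",
           "--list-secret-keys" if secret else "--list-keys"]
    if keyring:  # same isolation as the --no-default-keyring/--keyring pair used above
        cmd[1:1] = ["--no-default-keyring", "--keyring", keyring]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_colon_listing(out)


def find_key_by_fingerprint(keys: list, expected: str) -> Optional[dict]:
    """Return the key whose primary fingerprint matches the one received out of band, else None.
    compare_digest avoids a timing side channel; normalization makes both spellings compare equal."""
    want = normalize_fingerprint(expected)
    for key in keys:
        if key["fingerprint"] and hmac.compare_digest(key["fingerprint"], want):
            return key
    return None


# Constructed sample of --with-colons output (toy key IDs and fingerprints, not real keys)
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:3072:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:
sub:u:3072:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

if __name__ == "__main__":
    for key in parse_colon_listing(SAMPLE_LISTING):
        print(key["type"], key["keyid"], key["fingerprint"], key["uids"])
```

The subkey fingerprint is kept separately and deliberately does not match in find_key_by_fingerprint: the value we confirm with the key owner is the primary key's fingerprint, and a subkey with the same hex string would be a different key.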
3. Other Methods
We can also take a manual approach when extracting the fingerprint. This approach is favorable when we can’t access tools like gpg.
We can achieve this by navigating to the location of the PGP key file and using a common text editor such as nano to open the file:
$ nano /path/to/key/directory/secret-key.asc
Then, we can search for the string fingerprint, which often precedes the actual fingerprint data.
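A fingerprint is not stored in the key block as such: for a v4 key it is the SHA-1 hash of the public key packet (RFC 4880, section 12.2), so when gpg isn't available we can compute it ourselves from the armored file. The following script is an added example, not code from the original article: using only the Python standard library it strips the armor, checks the CRC-24 trailer, walks the packet headers, isolates the public fields (for a secret key packet, everything before the secret material) and hashes them. The key blocks it builds at the bottom are constructed from toy numbers for demonstration and are not real keys; the function and constant names are my own.

```python
import base64
import hashlib
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # armor checksum parameters, RFC 4880 section 6.1
SECRET_KEY, PUBLIC_KEY = 5, 6                 # packet tags, RFC 4880 section 4.3


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the ASCII armor and return the raw packet bytes, verifying the CRC-24 trailer."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    body = body[body.index("") + 1:] if "" in body else body  # headers end at the first blank line
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body))
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: the key block is corrupted or was edited")
    return raw


def iter_packets(raw: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(raw):
        ctb, pos = raw[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:  # new format: tag in the low 6 bits, one/two/five-octet length
            tag, first, pos = ctb & 0x3F, raw[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + raw[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", raw[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:  # old format: tag in bits 2-5, length-octet count in the low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            size = 1 << ltype if ltype < 3 else 0  # type 3 means "until end of input"
            length = int.from_bytes(raw[pos:pos + size], "big") if size else len(raw) - pos
            pos += size
        yield tag, raw[pos:pos + length]
        pos += length


def public_portion(body: bytes) -> bytes:
    """Public fields of a v4 key packet, which is what the fingerprint hashes; for a secret key
    packet this drops the S2K byte and secret material that follow them."""
    if body[0] != 4:
        raise ValueError(f"only v4 keys are handled here (got v{body[0]})")
    algo, pos = body[5], 6  # version(1) + creation time(4) + algorithm(1)
    if algo in (18, 19, 22):  # ECDH/ECDSA/EdDSA: curve OID with a 1-octet length prefix
        pos += 1 + body[pos]
    mpis = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 18: 1, 19: 1, 22: 1}.get(algo)  # RSA, Elgamal, DSA, EC
    if mpis is None:
        raise ValueError(f"unsupported public-key algorithm {algo}")
    for _ in range(mpis):  # each MPI: 2-octet bit count, then the big-endian value
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    if algo == 18:  # ECDH also carries a length-prefixed KDF parameters field
        pos += 1 + body[pos]
    return body[:pos]


def v4_fingerprint(public_fields: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a 2-octet length, and the public key fields."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(public_fields)) + public_fields).hexdigest().upper()


def fingerprint_from_armor(text: str) -> str:
    """Fingerprint of the primary key in an armored public or secret key block."""
    for tag, body in iter_packets(dearmor(text)):
        if tag in (PUBLIC_KEY, SECRET_KEY):
            return v4_fingerprint(public_portion(body))
    raise ValueError("no primary key packet found")


# --- constructed sample input: toy numbers, NOT real keys ---------------------------------
def mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def armor(raw: bytes, block: str) -> str:
    b64, crc = base64.b64encode(raw).decode(), base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    lines = [f"-----BEGIN PGP {block}-----", "Comment: constructed sample", ""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)] + ["=" + crc, f"-----END PGP {block}-----"]
    return "\n".join(lines) + "\n"


SAMPLE_PUBLIC_FIELDS = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + mpi(0xC0FFEE0123456789ABCDEF) + mpi(65537)
SAMPLE_SECRET_BODY = SAMPLE_PUBLIC_FIELDS + b"\x00" + mpi(0x1234567890ABCDEF) + b"\x00\x00"  # S2K usage 0, toy d, checksum
# public key as a new-format packet, secret key as an old-format packet, so both header styles are exercised
SAMPLE_PUBLIC_KEY = armor(bytes([0xC0 | PUBLIC_KEY, len(SAMPLE_PUBLIC_FIELDS)]) + SAMPLE_PUBLIC_FIELDS, "PUBLIC KEY BLOCK")
SAMPLE_SECRET_KEY = armor(bytes([0x80 | (SECRET_KEY << 2), len(SAMPLE_SECRET_BODY)]) + SAMPLE_SECRET_BODY, "PRIVATE KEY BLOCK")
```

Running fingerprint_from_armor on a real exported key gives the same 40 hex digits gpg prints; the secret and public blocks of one key pair yield the same value because only the public fields are hashed. The CRC check matters for the manual route: an armored block that was edited or mangled in transit fails it before any of its bytes are interpreted.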
Alternatively, we can use online tools and platforms such as Keybase which are dedicated to secure key management. They usually provide a user-friendly interface for viewing key details, including fingerprints, through a Web interface or application.
4. Verifying the Fingerprint
The obtained fingerprint is a string of characters unique to the PGP key. It serves as a cryptographic checksum, ensuring the integrity of the key.
We should cross-reference the fingerprint with the key owner through a secure communication channel to verify it. This step is crucial for establishing trust in the key’s authenticity.
The fingerprint verification process enhances security by mitigating the risk of key substitution or manipulation. Users can communicate the fingerprint through a secure channel, such as in-person meetings, phone calls, or encrypted messaging applications, to confirm the accuracy of the key.
The fingerprint of a PGP key plays a pivotal role in ensuring the security and authenticity of encrypted communication. In addition, verifying the fingerprint through trusted channels establishes a strong foundation for the Web of trust in the PGP ecosystem.
5. Conclusion
In this article, we’ve discussed different approaches to extracting fingerprints from ASCII-armored PGP keys.
The first method uses the gpg command to get the fingerprint from a specific PGP key file. In addition, we listed the fingerprints of all available secret and public keys. Overall, the public and secret keyrings are essential components of PGP encryption systems, facilitating secure communication, key management, and cryptographic operations.
In addition, we discussed a manual and online method we can use to view the fingerprint of a key. Finally, we learned how to verify the authenticity of a fingerprint to establish trust.