7.9. Sharing Public Keys
Problem
You want to obtain a friend’s public key securely but conveniently.
Solution
Most securely, get the public key on disk directly from your friend in person. Barring that:
Obtain the public key by any means (e.g., email, keyserver [Recipe 7.19]).
Add the key to your keyring. [Recipe 7.10]
Before using the key, telephone its owner and ask him to read the key fingerprint aloud. View the fingerprint with:
$ gpg --fingerprint
key_id
If they match, you’re done. If not, consider the key suspect, delete it from your keyring, and don’t use it.
If you trust the key, indicate this to GnuPG:
$ gpg --edit-key
key_id
Command>trust
and follow the prompts.
Discussion
Public keys are not secret, but they do require trust: the trust that a given key actually belongs to its alleged owner. A fingerprint can provide that trust in a convenient form, easy to read aloud over a telephone.
Always verify the fingerprint before trusting a public key. If you don’t, consider this scenario:
You email your friend, asking for his public key.
A snooper intercepts your email and sends you his public key instead of your friend’s.
You blindly add the snooper’s public key to your keyring, believing it to be your friend’s.
You encrypt sensitive mail using the snooper’s key and send it to your friend.
The snooper intercepts your mail and decrypts it.
See Also
gpg(1).
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.