WEBVTT

0
00:02.090 --> 00:09.760
When it comes to Public Key Cryptography there are private and public keys which are related.

1
00:09.800 --> 00:15.260
You can share your public key with anyone but you must keep your private key secure.

2
00:15.350 --> 00:22.670
If someone gets your private key in clear text the encryption is compromised. Let's start by creating

3
00:22.760 --> 00:35.170
a new key pair. You can generate as many key pairs as you want! gpg --gen-key


4
00:35.180 --> 00:41.410
And the standard dialog for generating the key pair pops up. To generate the key

5
00:41.410 --> 00:51.240
I have to enter my name and my email address, like, say, Andrei and andrei@somedomain.com

6
00:56.440 --> 01:05.610
To help safeguard my key, GnuPG does not store my private key in clear text on the disk.

7
01:05.700 --> 01:11.470
Instead it encrypts it using a symmetric encryption algorithm.

8
01:11.470 --> 01:15.050
That is why it's prompting for a passphrase.

9
01:15.170 --> 01:21.590
Thus there are barriers an attacker must cross to access my private key:

10
01:21.670 --> 01:30.220
1 - He must actually acquire the key and 2 - he must get past the encryption. And I'm writing a password.

11
01:32.550 --> 01:34.290
This is just for this test.

12
01:34.650 --> 01:40.130
But you should use a passphrase that is at least eight characters long.

13
01:45.290 --> 01:54.400
The private and the public keys were generated. Maybe you wonder where the keys are saved.

14
01:54.410 --> 02:00.470
All GPG keys are stored in what is called a "keyring". On Linux

15
02:00.470 --> 02:07.280
this is a hidden directory called .gnupg in the user's home directory.

16
02:07.280 --> 02:07.790
This one.

17
02:10.830 --> 02:12.090
On Windows

18
02:12.090 --> 02:20.100
the keys are saved in a directory gnupg in the AppData directory of the user.

19
02:20.100 --> 02:30.620
Note that AppData is a hidden directory on Windows. Running gpg --version will


20
02:30.630 --> 02:32.430
show you the path being used.

21
02:34.180 --> 02:36.540
This is where the keyring is saved.

22
02:37.590 --> 02:48.380
Let's take a look at the public keys stored in the keyring: gpg --list-keys


23
02:48.440 --> 02:52.520
I listed my public key and other people's public keys

24
02:52.520 --> 03:02.000
I have imported into the keyring; and if I want to list my own private key I execute gpg --

25
03:02.090 --> 03:13.380
list-secret-keys. I see the public key cryptographic algorithm used, which is in this case RSA 3072,

26
03:13.380 --> 03:24.330
the generation and the expiration date and the key fingerprint. GPG provides

27
03:24.420 --> 03:28.320
a unique identifier for each key pair.

28
03:28.590 --> 03:36.710
There are both a short and a long GPG key ID, which consist of eight hexadecimal digits for the short

29
03:36.730 --> 03:42.030
ID and of sixteen hex digits for the long version.

30
03:42.040 --> 03:49.590
This ID is important when you want to perform operations like importing or exporting the keys.

31
03:49.740 --> 03:58.140
You can find it by adding --keyid-format to the gpg command that lists the keys,

32
03:58.230 --> 04:11.950
like: --keyid-format short. This is the short ID of the key, and the long

33
04:11.950 --> 04:13.620
ID like this:

34
04:17.140 --> 04:26.780
This is the long ID of the key. Having the key pair ID we can export the keys in binary or ASCII form.

35
04:26.780 --> 04:35.450
Let's export the private key into text or ASCII format in order to back it up somewhere:


36
04:35.460 --> 04:47.370
gpg --export-secret-keys --armor and the key id


37
04:54.330 --> 05:01.660
It's prompting for the passphrase and it has printed out the private key.

38
05:01.680 --> 05:03.710
This is the private key.

39
05:03.810 --> 05:06.010
This very long string!

40
05:08.070 --> 05:16.500
If you want to save it to a file you use the output redirection operator:

41
05:16.830 --> 05:19.680
> private_key.asc


42
05:24.230 --> 05:25.270
Perfect.

43
05:25.280 --> 05:27.170
This is the private key.

44
05:27.380 --> 05:38.280
It was saved into a file. If you want to export the public key you use a very similar command. Instead

45
05:38.280 --> 05:39.390
of export

46
05:39.390 --> 05:40.690
secret keys

47
05:40.920 --> 05:42.960
I use only export

48
05:46.320 --> 05:51.470
and I redirect the public key to a file called public.pub

49
05:58.390 --> 06:00.010
This is the public key.

50
06:02.820 --> 06:09.320
The exported keys can be imported back into the GPG keyring later.

51
06:09.450 --> 06:17.460
Let's move on and see how to delete a private key from the local storage: gpg --delete-secret-keys

52
06:17.550 --> 06:25.900
and the key ID.

53
06:26.080 --> 06:26.890
There is a typo.

54
06:26.890 --> 06:27.370
Keys

55
06:31.950 --> 06:34.240
and it wants a confirmation.

56
06:36.980 --> 06:40.010
One more time and delete key.

57
06:42.080 --> 06:45.520
Once you delete a key there is no way to recover it.

58
06:48.660 --> 06:52.410
The private key was deleted but the public key was not.

59
06:52.890 --> 07:03.570
If I execute gpg --list-keys I'll see the public key in the keyring. To delete a public key

60
07:03.780 --> 07:10.920
I have to execute gpg --delete-keys and of course the key ID.

61
07:11.280 --> 07:12.480
It's the same key ID.

62
07:16.890 --> 07:23.340
gpg --list-keys will display an empty keyring.

63
07:26.180 --> 07:26.710
Let's

64
07:26.710 --> 07:33.690
go ahead and see how to import a public or a private key into the gpg keyring from a file.

65
07:33.820 --> 07:39.810
Most of the time you import your private key on a new computer or after a fresh install.

66
07:40.980 --> 07:49.140
On the other hand, somebody else's public key is imported to send him an encrypted message or to verify

67
07:49.170 --> 07:51.070
a digital signature.

68
07:51.090 --> 08:00.650
The next command is the same for importing both public and private keys: gpg --import and

69
08:00.990 --> 08:03.970
the path to the private key file,

70
08:04.020 --> 08:08.490
in this case it's private.asc

71
08:14.800 --> 08:23.350
and it was imported; you can import the private key without being asked for the passphrase by adding the --

72
08:23.360 --> 08:26.030
batch option like this:

73
08:26.030 --> 08:27.590
First I'll delete the key

74
08:36.840 --> 08:47.800
and I'll import the private key again adding the --batch option, and it was imported without asking

75
08:47.800 --> 08:53.170
for the passphrase. And finally let's import

76
08:53.200 --> 08:59.610
the public key: gpg --import public.pub, the public key file.

77
08:59.920 --> 09:00.880
It was imported!

78
09:04.060 --> 09:04.660
Okay!

79
09:04.660 --> 09:09.250
That's all! In the next lecture we will discuss GPG key servers.