- In order to use a key, that key must also be trusted.
- Once a key is trusted at a high-enough trust level, signing a key will no longer be necessary to use it.
- A key can become trusted either by signing it or by explicitly trusting it.
- For a summary of how trust relationships work and the Web of Trust model, see here.
We will only provide instructions for explicitly trusting a key using the gpg command:
All commands must be run from the hrstgif service account on either stageprodapp01 or stagetestapp01.
Create a file which contains the new public encryption key. This can be transferred to the host via scp or simply cut and pasted into a file.
In this sample case, it is stored in a file called equifax. Contents should be similar to what you see below:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
[...]
=OdeH
-----END PGP PUBLIC KEY BLOCK-----
Import the key:
> /usr/bin/gpg --import equifax
gpg: key 89973065: public key "equifaxws07172019 <equifaxwspgp@equifax.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Trust the new key. Use the unique key ID reported in the import output above (89973065 in this example); each key will display a different ID:
> /bin/echo -e "trust\n5\ny\nq\n" | /usr/bin/gpg --command-fd 0 --edit-key 89973065
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048R/89973065 created: 2018-11-15 expires: 2019-07-17 usage: SC
...................trust: unknown validity: unknown
sub 2048R/97C85F31 created: 2018-11-15 expires: 2019-07-17 usage: E
[ unknown] (1). equifaxws07172019 <equifaxwspgp@equifax.com>
pub 2048R/89973065 created: 2018-11-15 expires: 2019-07-17 usage: SC
...................trust: unknown validity: unknown
sub 2048R/97C85F31 created: 2018-11-15 expires: 2019-07-17 usage: E
[ unknown] (1). equifaxws07172019 <equifaxwspgp@equifax.com>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
..1 = I don't know or won't say
..2 = I do NOT trust
..3 = I trust marginally
..4 = I trust fully
..5 = I trust ultimately
..m = back to the main menu
pub 2048R/89973065 created: 2018-11-15 expires: 2019-07-17 usage: SC
...................trust: ultimate validity: unknown
sub 2048R/97C85F31 created: 2018-11-15 expires: 2019-07-17 usage: E
[ unknown] (1). equifaxws07172019 <equifaxwspgp@equifax.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
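The trust prompt above mentions checking fingerprints from different sources; the following is an added example (not part of the original procedure) of a check to run between the import and trust steps, comparing the imported key's full fingerprint against one obtained from the key owner through a separate channel. The fingerprint and colon-format listing are constructed sample values; on the host, feed `check_key` the output of `/usr/bin/gpg --with-colons --fingerprint 89973065` instead.

```shell
#!/bin/sh
# Added example: gate the "trust" step on an out-of-band fingerprint check.
# SAMPLE_LISTING and SAMPLE_FPR are constructed values, not the real key's.

# Constructed stand-in for: /usr/bin/gpg --with-colons --fingerprint 89973065
SAMPLE_LISTING='pub:-:2048:1:89ABCDEF89973065:2018-11-15:2019-07-17::-:equifaxws07172019 <equifaxwspgp@equifax.com>::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF89973065:
sub:-:2048:1:0000000097C85F31:2018-11-15:2019-07-17:::::e:'
# Constructed fingerprint, spaced the way it might arrive in an e-mail or phone call.
SAMPLE_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 8997 3065'

# Fingerprint of the primary key: the first fpr record after the pub record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Validity flag of the primary key (field 2 of the pub record).
primary_validity() { awk -F: '$1 == "pub" { print $2; exit }'; }

# Strip whitespace and upper-case so a pasted fingerprint compares cleanly.
normalize_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# check_key LISTING EXPECTED_FPR
# Returns 0 on match, 1 on mismatch, 2 if the key is expired, revoked,
# disabled or invalid, 3 if EXPECTED_FPR is not a full fingerprint.
check_key() {
    expected=$(normalize_fpr "$2")
    actual=$(printf '%s\n' "$1" | primary_fpr)
    case $expected in
        *[!0-9A-F]*|'') echo "expected fingerprint is not hex" >&2; return 3 ;;
    esac
    # A v4 fingerprint is 160 bits; the 8-digit key id alone does not identify a key.
    [ "${#expected}" -eq 40 ] || { echo "need the full 40-digit fingerprint" >&2; return 3; }
    case $(printf '%s\n' "$1" | primary_validity) in
        e|r|d|i) echo "key is expired, revoked, disabled or invalid" >&2; return 2 ;;
    esac
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: $actual" >&2; return 1; }
}

# Runs offline against the constructed listing.
check_key "$SAMPLE_LISTING" "$SAMPLE_FPR" && echo "fingerprint verified; proceed to the trust step"
```

Only run the `--edit-key` trust command when `check_key` returns 0; a key whose last eight digits match the expected ID but whose full fingerprint differs is rejected.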
References
- https://en.wikipedia.org/wiki/Public-key_cryptography
- https://en.wikipedia.org/wiki/RSA_(cryptosystem)
- https://en.wikipedia.org/wiki/Pretty_Good_Privacy
- https://en.wikipedia.org/wiki/GNU_Privacy_Guard
- https://www.gnupg.org/gph/en/manual/x334.html
- https://www.gnupg.org/gph/en/manual/c235.html
- http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-key-signatures.html
- http://www.iusmentis.com/technology/remailers/selfsign.html
- http://www.heureka.clara.net/sunrise/pgpsign.htm
- https://idea-instructions.com/public-key/