hpr_transcripts/hpr1440.txt

Episode: 1440
Title: HPR1440: Creating a Key Pair - GUI Client
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1440/hpr1440.mp3
Transcribed: 2025-10-18 02:51:13

---

—
Hello, this is Ahuka. Welcome to Hecker Public Radio for another installment in our
series on security and privacy. And what we want to do is talk about creating a key pair
with kind of a gooey application. Last time we looked at doing it from the command line
and for a lot of people, that's fine. But there are people out there that prefer to do
it with a gooey. And there are a number of options. You've got on the Linux side, you certainly
have a number of different desktop environments. So there's GNOME, Clients, KDE, Clients, there's
Windows, Clients, there's Macintosh, Clients. So you've got a number of options depending
on what platform you're on. I'm only going to pick one of them because I think trying
to, you know, it would just be repeating the same stuff over and over. So, you know, I
use Kabuntu, and that's a KDE distribution. So I'm going to use the KDE one, which is
called KGPG. So, the first thing is to go to your package manager, check the repositories,
and download the KGPG client and install it. So you do that, and then you open it up, and
there's really nothing there because you haven't done anything yet. So the first thing you
want to do is create a key pair. Now, to do this, you go to the keys menu and select generate
key pair. And that's going to pop up a window, and you're going to have really the same kinds
of information. You see, you start filling in the blanks. The first thing is your name,
then your email address, and your comment. Now, those three things are used to generate
your key ID. So your name and your email probably don't change a whole lot, but, you know,
if you wanted to have different keys for whatever reason, using different comments would do
that. So you could have one for business and one for personal use. Of course, you could
probably get the same effect if you had, you know, a business email and a personal email.
But, you know, those three things get the ID. Then you want to set the expiration. Now,
we talked about this last time. If you're brand new to this, there is an argument to be
made that you might want to set it to expire and say a year in case it ends up being a mistake
of some kind. You know, that way you don't want to have a live key floating around that
you don't know. And what would happen if that live key was out there? And, you know, if
you had lost your passphrase, you would be unable to decrypt anything sent to you. So if
you have a key that is out there that is still considered to be live, anyone can use your
public key and encrypt a message to send to you or encrypt a file for you to decrypt and
open any of that. And you would get it and you'd be unable to do anything because you've lost
your passphrase. So the idea of putting in an expiration is that it would protect you in
that case. Now, if you get so that you really understand how this works and you're very confident
that your passphrase has not is not anything you're ever going to forget or lose track of, you
can go back later. There is a procedure. We'll talk about that at some point that you can go in
and change the expiration as long as you get there before it expires. You can go there and change
the expiration. So in the example that I've done and I have all of this on my website with
screenshots, which when you're talking about a GUI environment that would help, wouldn't it?
So the example I set mine was one year. Then select the key size. Now, under no circumstances,
should you choose 768 bits if you want security? It's simply too short for today's computers.
Now, there are many people who will be fashionably cynical and claim that you can't really be
secure because the NSA has billions of dollars and big supercomputers and a huge data center in
Utah. Well, they're wrong. But you do need to understand how you can stay secure and key length
is one of the two parameters you need to be secure. 768 bits is just easy to break. 1024 is
possible with the right equipment. Now, right now, the National Institutes for Standard and Technology
here in the United States says that 2048 bits is secure and they estimated will stay secure until
the year 2030 based on the rate at which they expect computing power to grow. Now, if you
distrust them, there's some reason why you might want to. It does. We've talked before. They
seem to have put out a very bad standard for elliptical curve encryption and it looks as if they
were led to doing that by the NSA, thereby hurting their own credibility, then go to 4096.
Now, doubling the number of bits does not double the security. Oh, no. You are dealing with
exponential mathematics. It's not just twice as secure. It is 3 times 10 to the 616th power times
more secure. That's a three with 616 zeros after it. I don't even want to think about what
zillion that amounts to. I don't even know that we have terms for numbers that large.
So, the way to understand it, a brute force attack on something like that would require every
computer and existence working for billions of years. Okay. Now, for what I've done in my example,
I've gone with 2048. 4,096 bits does have a couple of drawbacks potentially. First, it can
take longer to encrypt and decrypt data with a longer key. Second, I have seen reports that some
smart cards cannot handle 4,096 bit keys. So, know your options, choose what works for you.
Then, you need to choose the encryption algorithm. You have several choices. Basically,
when you see two items on the same line, that means one key for signing and another for encryption
uses. We want to do both. So, that means either the DSA and EI Gamal or RSA and RSA. Now, the
difference here is essentially which one-way mathematical function they use, but if you're not an expert,
I would say it doesn't particularly matter. I chose RSA and RSA for my key pair.
Now, at this point, all you need to do is click the OK button. Now, if you click the expert mode button,
what will happen? It'll close the GUI and throw you into a terminal, in which case you're back
to doing what we talked about in the last installment. As a general rule, if you're not used to
being in the Linux world, in particular, this is the case, I think it's also true at least for
Windows and probably for Mac as well. GUIs are nice, but they don't have the range of options
that the command line does. So, the command line gives you more tools, let you do more things.
So, that's why expert mode throws you back to the command line. If you're using a GUI tool,
I'm assuming that that's what you wanted to do, so don't click expert mode, just click OK.
Now, at this point, it's going to ask you for a pass phrase. So, you want to give a good one.
I would recommend using something like last pass, which does generate secure pass phrases.
And, you know, those are the ones that look like a bunch of gobbledygook,
you know, lowercase r, capital case s, lowercase and the numerals for zero, lowercase th, capital f,
numeral 870, lowercase w, you get the picture here. So, that's secure.
So, if you do that, that will then bring you to a screen that says at the top, new key pair created.
So, you see the results. And then it says, you know, here is your name, here is your email,
and then there's a key ID. This is eight characters. And this is what identifies your key,
it's just a label. There's nothing particularly secure about it. But it identifies it on key servers.
So, if you ever wanted to work with someone out like my friend Tony Beemiss at Sunday Morning,
Linux Review, we have exchanged our keys. And we did that by me writing to him and saying,
here's my key ID. And then he would say, yep, yep, I found it on the key server. And then I'd say,
and tell me yours. And he gave me his eight character number. And then I added that to my key ring.
And now I can send him encrypted email anytime I want. Isn't life wonderful.
So, that's, you know, that's your key ID. So, in my sample, my example case here,
was e122ba67. And I have, I clicked a box. It says, set it as your default key. Now,
that's not it. I mean, this was an example I did. It's not my actual key. Every time I do one of
these shows, I've got to go through this process of creating something so I can show you all the steps.
So, there's also a check box at the bottom for revocation certificate. And we talked about that
before. If for any reason your key is compromised, you would want to be able to tell people, don't use
this anymore. You know, the, the past phrase got out. Someone else could be using this. I don't trust
it anymore. And that's what a revocation certificate does. It doesn't eliminate the key. Your key is
still going to be out there on key servers. But the key server is then going to add a little
indication of some kind. I don't, I don't know technically how they do this. But there's
something in there that's going to say, don't use this anymore. It has been revoked.
So, you want to set that you can create a revocation certificate. And there's also a check box there
to print it. You know, if for some reason you lost your past phrase, you lost control of this,
what have you. You didn't even know what it was anymore. If you had to print it out, you could
theoretically type in everything in the revocation certificate. It would be an enormous pain in the
butt, but you could do it. You could print this out, put it in a safe deposit box and store it
at your bank or something like that. So, you know, you create that. Now, otherwise what you're
doing is you're creating a text file that sits on your drive. And when you click save as,
there's a space there that's supposed to say where are you going to save it. So, mine says slash
home slash Kevin slash dot GNUPG slash swelnik dot revoke. So, that happens to be my certificate
and where that's stored. That's a typical Linux kind of file structure going on there.
Now, if you're creating a revocation certificate, the first thing it's going to do is ask you
for your past phrase. So, I hope you were careful about writing it down when you did all of that.
So, now, at this point, we've looked at two different ways of actually creating your GPG key.
And remember, GPG is just the open source implementation of PGP. They're really identical
for all useful purposes. So, what we need to get to next, which we will do in probably the next
program, is talk about, well, how do I use it? So, this is a hookah. And as always,
telling you, please don't forget to support free software. Goodbye.
You have been listening to Hacker Public Radio at Hacker Public Radio.
We are a community podcast network that releases shows every weekday and Monday through Friday.
Today's show, like all our shows, was contributed by a HBR listener like yourself.
If you ever consider recording a podcast, then visit our website to find out how easy it really is.
Hacker Public Radio was founded by the Digital.Pound and the Infonomicum Computer Club.
HBR is funded by the Binary Revolution at binref.com. All binref projects are crowd-responsive
by linear pages. From shared hosting to custom private clouds, go to lunarpages.com for all your
hosting needs. Unless otherwise stasis, today's show is released under a creative comments,
attribution, share a life, and it does our lives please.
Initial commit: HPR Knowledge Base MCP Server - MCP server with stdio transport for local use - Search episodes, transcripts, hosts, and series - 4,511 episodes with metadata and transcripts - Data loader with in-memory JSON storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-10-26 10:54:13 +00:00			`Episode: 1440`
			`Title: HPR1440: Creating a Key Pair - GUI Client`
			`Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1440/hpr1440.mp3`
			`Transcribed: 2025-10-18 02:51:13`

			`---`

			`—`
			`Hello, this is Ahuka. Welcome to Hecker Public Radio for another installment in our`
			`series on security and privacy. And what we want to do is talk about creating a key pair`
			`with kind of a gooey application. Last time we looked at doing it from the command line`
			`and for a lot of people, that's fine. But there are people out there that prefer to do`
			`it with a gooey. And there are a number of options. You've got on the Linux side, you certainly`
			`have a number of different desktop environments. So there's GNOME, Clients, KDE, Clients, there's`
			`Windows, Clients, there's Macintosh, Clients. So you've got a number of options depending`
			`on what platform you're on. I'm only going to pick one of them because I think trying`
			`to, you know, it would just be repeating the same stuff over and over. So, you know, I`
			`use Kabuntu, and that's a KDE distribution. So I'm going to use the KDE one, which is`
			`called KGPG. So, the first thing is to go to your package manager, check the repositories,`
			`and download the KGPG client and install it. So you do that, and then you open it up, and`
			`there's really nothing there because you haven't done anything yet. So the first thing you`
			`want to do is create a key pair. Now, to do this, you go to the keys menu and select generate`
			`key pair. And that's going to pop up a window, and you're going to have really the same kinds`
			`of information. You see, you start filling in the blanks. The first thing is your name,`
			`then your email address, and your comment. Now, those three things are used to generate`
			`your key ID. So your name and your email probably don't change a whole lot, but, you know,`
			`if you wanted to have different keys for whatever reason, using different comments would do`
			`that. So you could have one for business and one for personal use. Of course, you could`
			`probably get the same effect if you had, you know, a business email and a personal email.`
			`But, you know, those three things get the ID. Then you want to set the expiration. Now,`
			`we talked about this last time. If you're brand new to this, there is an argument to be`
			`made that you might want to set it to expire and say a year in case it ends up being a mistake`
			`of some kind. You know, that way you don't want to have a live key floating around that`
			`you don't know. And what would happen if that live key was out there? And, you know, if`
			`you had lost your passphrase, you would be unable to decrypt anything sent to you. So if`
			`you have a key that is out there that is still considered to be live, anyone can use your`
			`public key and encrypt a message to send to you or encrypt a file for you to decrypt and`
			`open any of that. And you would get it and you'd be unable to do anything because you've lost`
			`your passphrase. So the idea of putting in an expiration is that it would protect you in`
			`that case. Now, if you get so that you really understand how this works and you're very confident`
			`that your passphrase has not is not anything you're ever going to forget or lose track of, you`
			`can go back later. There is a procedure. We'll talk about that at some point that you can go in`
			`and change the expiration as long as you get there before it expires. You can go there and change`
			`the expiration. So in the example that I've done and I have all of this on my website with`
			`screenshots, which when you're talking about a GUI environment that would help, wouldn't it?`
			`So the example I set mine was one year. Then select the key size. Now, under no circumstances,`
			`should you choose 768 bits if you want security? It's simply too short for today's computers.`
			`Now, there are many people who will be fashionably cynical and claim that you can't really be`
			`secure because the NSA has billions of dollars and big supercomputers and a huge data center in`
			`Utah. Well, they're wrong. But you do need to understand how you can stay secure and key length`
			`is one of the two parameters you need to be secure. 768 bits is just easy to break. 1024 is`
			`possible with the right equipment. Now, right now, the National Institutes for Standard and Technology`
			`here in the United States says that 2048 bits is secure and they estimated will stay secure until`
			`the year 2030 based on the rate at which they expect computing power to grow. Now, if you`
			`distrust them, there's some reason why you might want to. It does. We've talked before. They`
			`seem to have put out a very bad standard for elliptical curve encryption and it looks as if they`
			`were led to doing that by the NSA, thereby hurting their own credibility, then go to 4096.`
			`Now, doubling the number of bits does not double the security. Oh, no. You are dealing with`
			`exponential mathematics. It's not just twice as secure. It is 3 times 10 to the 616th power times`
			`more secure. That's a three with 616 zeros after it. I don't even want to think about what`
			`zillion that amounts to. I don't even know that we have terms for numbers that large.`
			`So, the way to understand it, a brute force attack on something like that would require every`
			`computer and existence working for billions of years. Okay. Now, for what I've done in my example,`
			`I've gone with 2048. 4,096 bits does have a couple of drawbacks potentially. First, it can`
			`take longer to encrypt and decrypt data with a longer key. Second, I have seen reports that some`
			`smart cards cannot handle 4,096 bit keys. So, know your options, choose what works for you.`
			`Then, you need to choose the encryption algorithm. You have several choices. Basically,`
			`when you see two items on the same line, that means one key for signing and another for encryption`
			`uses. We want to do both. So, that means either the DSA and EI Gamal or RSA and RSA. Now, the`
			`difference here is essentially which one-way mathematical function they use, but if you're not an expert,`
			`I would say it doesn't particularly matter. I chose RSA and RSA for my key pair.`
			`Now, at this point, all you need to do is click the OK button. Now, if you click the expert mode button,`
			`what will happen? It'll close the GUI and throw you into a terminal, in which case you're back`
			`to doing what we talked about in the last installment. As a general rule, if you're not used to`
			`being in the Linux world, in particular, this is the case, I think it's also true at least for`
			`Windows and probably for Mac as well. GUIs are nice, but they don't have the range of options`
			`that the command line does. So, the command line gives you more tools, let you do more things.`
			`So, that's why expert mode throws you back to the command line. If you're using a GUI tool,`
			`I'm assuming that that's what you wanted to do, so don't click expert mode, just click OK.`
			`Now, at this point, it's going to ask you for a pass phrase. So, you want to give a good one.`
			`I would recommend using something like last pass, which does generate secure pass phrases.`
			`And, you know, those are the ones that look like a bunch of gobbledygook,`
			`you know, lowercase r, capital case s, lowercase and the numerals for zero, lowercase th, capital f,`
			`numeral 870, lowercase w, you get the picture here. So, that's secure.`
			`So, if you do that, that will then bring you to a screen that says at the top, new key pair created.`
			`So, you see the results. And then it says, you know, here is your name, here is your email,`
			`and then there's a key ID. This is eight characters. And this is what identifies your key,`
			`it's just a label. There's nothing particularly secure about it. But it identifies it on key servers.`
			`So, if you ever wanted to work with someone out like my friend Tony Beemiss at Sunday Morning,`
			`Linux Review, we have exchanged our keys. And we did that by me writing to him and saying,`
			`here's my key ID. And then he would say, yep, yep, I found it on the key server. And then I'd say,`
			`and tell me yours. And he gave me his eight character number. And then I added that to my key ring.`
			`And now I can send him encrypted email anytime I want. Isn't life wonderful.`
			`So, that's, you know, that's your key ID. So, in my sample, my example case here,`
			`was e122ba67. And I have, I clicked a box. It says, set it as your default key. Now,`
			`that's not it. I mean, this was an example I did. It's not my actual key. Every time I do one of`
			`these shows, I've got to go through this process of creating something so I can show you all the steps.`
			`So, there's also a check box at the bottom for revocation certificate. And we talked about that`
			`before. If for any reason your key is compromised, you would want to be able to tell people, don't use`
			`this anymore. You know, the, the past phrase got out. Someone else could be using this. I don't trust`
			`it anymore. And that's what a revocation certificate does. It doesn't eliminate the key. Your key is`
			`still going to be out there on key servers. But the key server is then going to add a little`
			`indication of some kind. I don't, I don't know technically how they do this. But there's`
			`something in there that's going to say, don't use this anymore. It has been revoked.`
			`So, you want to set that you can create a revocation certificate. And there's also a check box there`
			`to print it. You know, if for some reason you lost your past phrase, you lost control of this,`
			`what have you. You didn't even know what it was anymore. If you had to print it out, you could`
			`theoretically type in everything in the revocation certificate. It would be an enormous pain in the`
			`butt, but you could do it. You could print this out, put it in a safe deposit box and store it`
			`at your bank or something like that. So, you know, you create that. Now, otherwise what you're`
			`doing is you're creating a text file that sits on your drive. And when you click save as,`
			`there's a space there that's supposed to say where are you going to save it. So, mine says slash`
			`home slash Kevin slash dot GNUPG slash swelnik dot revoke. So, that happens to be my certificate`
			`and where that's stored. That's a typical Linux kind of file structure going on there.`
			`Now, if you're creating a revocation certificate, the first thing it's going to do is ask you`
			`for your past phrase. So, I hope you were careful about writing it down when you did all of that.`
			`So, now, at this point, we've looked at two different ways of actually creating your GPG key.`
			`And remember, GPG is just the open source implementation of PGP. They're really identical`
			`for all useful purposes. So, what we need to get to next, which we will do in probably the next`
			`program, is talk about, well, how do I use it? So, this is a hookah. And as always,`
			`telling you, please don't forget to support free software. Goodbye.`
			`You have been listening to Hacker Public Radio at Hacker Public Radio.`
			`We are a community podcast network that releases shows every weekday and Monday through Friday.`
			`Today's show, like all our shows, was contributed by a HBR listener like yourself.`
			`If you ever consider recording a podcast, then visit our website to find out how easy it really is.`
			`Hacker Public Radio was founded by the Digital.Pound and the Infonomicum Computer Club.`
			`HBR is funded by the Binary Revolution at binref.com. All binref projects are crowd-responsive`
			`by linear pages. From shared hosting to custom private clouds, go to lunarpages.com for all your`
			`hosting needs. Unless otherwise stasis, today's show is released under a creative comments,`
			`attribution, share a life, and it does our lives please.`