1. Introduction

PGP (Pretty Good Privacy) is a method of encryption and decryption of electronic messages and data. An ASCII-armored PGP secret key is a version of a PGP secret key that’s encoded using ASCII characters for easier transmission and sharing.

By ASCII-armoring the secret key, we can display it as plain text, making it easier to include in text files or emails without binary data. However, extracting specific information, such as the fingerprint, requires parsing through this ASCII armor and isolating the relevant data.

In this tutorial, we’ll learn how to locate and extract the fingerprint of an ASCII-armored PGP secret and public key.

2. Using GPG

GPG (GNU Privacy Guard) is a free and open-source implementation of the OpenPGP standard. It’s a tool that encrypts data and creates digital signatures with a versatile key management system. Moreover, it has access modules for all kinds of public key directories.

There are two versions of GPG available:

  • gpg: standalone version suitable for servers and embedded platforms
  • gpg2: version for desktops; requires several additional modules to be installed

In some Linux distros such as Debian, the gnupg2 package is a dummy transitional package that provides symlinks from gpg2 to gpg.

2.1. Installation

In most Linux distributions, the GPG command comes pre-installed. However, we can install it on different Linux distros from the local package manager if it’s not already available.

For example, on Debian, we can employ APT:

$ sudo apt install gnupg

Alternatively, on Arch Linux, we can use YUM:

$ sudo yum install gnupg

Finally, we can employ DNF for Fedora:

$ sudo dnf install gnupg

Now, we can proceed with using GPG to get the fingerprint of an ASCII-armored PGP secret key.

2.2. Fingerprint ASCII PGP Key

Let’s first navigate to the directory containing the PGP key:

$ cd /path/to/key/directory

Next, we can use the gpg command to display the fingerprint:

$ gpg --with-fingerprint the-secret-key.asc
pub 2048R/<key-id> YYYY-MM-DD [expires: YYYY-MM-DD]
Key fingerprint = XXXX YYYY ZZZZ AAAA BBBB CCCC DDDD EEEE FFFF GGGG
uid Your Name <email-address>
sub 2048R/12345678 YYYY-MM-DD [expires: YYYY-MM-DD]

We use the --with-fingerprint option to list the key and its fingerprint.

Let’s break down the output we get:

  • pub indicates a public key
  • 2048R represents the key size and type (2048-bit RSA)
  • <key-id> represents the key ID
  • YYYY-MM-DD [expires: YYYY-MM-DD] shows the creation and expiry date if available
  • Key fingerprint is a label indicating that the following line contains the fingerprint
  • the line starting with uid shows the user ID, i.e., the owner’s name and email address
  • finally, sub is a subkey that’s automatically associated with the primary key pair

Alternatively, if we don’t know the exact location of the PGP secret key file, we can use the keyring.

For public PGP keys, the command remains the same, but the input file points to a public PGP key.

2.3. Keyrings

The keyring is a central repository for storing cryptographic keys in PGP encryption systems. It’s a secure storage mechanism for public and private keys, offering structure and organization to environments for key management tasks.

There are two types of keyrings:

  • secret: also known as a private keyring, this is a storage repository for private keys
  • public: repository for storing public keys

We can use the gpg command to get the fingerprint of all PGP secret and public keys.

For instance, let’s list all public keys in the keyring together with their fingerprints:

$ gpg --list-keys --fingerprint

Alternatively, we can use the --list-secret-keys option to view all the secret keys:

$ gpg --list-secret-keys --fingerprint

These options are favorable when we’re unsure of the PGP key’s exact location.

Moreover, we can use the --no-default-keyring option to exclude default secret and public keys:

$ gpg --list-secret-keys --fingerprint --no-default-keyring

We can also specify or create a secret and public PGP keyring file. Specifying the keyring file helps to narrow down the results while creating a keyring file lets us store secret or public PGP keys in specific files.

2.4. Create PGP Keyring

For example, let’s create a PGP keyring:

$ gpg --no-default-keyring --keyring trustedkeys.gpg --fingerprint

The --keyring option creates the keyring trustedkeys.gpg, so we can use the gpg command to perform different operations.

Let’s look at the general format:

$ gpg --no-default-keyring --keyring trustedkeys.gpg <the-gpg-commands-here>

As an illustration, let’s list all the keys of the trustedkeys.gpg file:

$ gpg --no-default-keyring --keyring trustedkeys.gpg --list-keys

The command lists all keys stored in the trustedkeys.gpg keyring file.

3. Other Methods

We can also take a manual approach when extracting the fingerprint. This approach is favorable when we can’t access tools like gpg.

We can achieve this by navigating to the location of the PGP key file and using a common text editor such as nano to open the file:

$ nano /path/to/key/directory/secret-key.asc

Then, we can search for the string fingerprint, which often precedes the actual fingerprint data.
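Since the armor itself only carries base64-encoded key packets, the fingerprint can also be computed from the file rather than searched for. The following script is an added example, not code from the original article: it de-armors the file, parses the first OpenPGP packet and derives the v4 fingerprint as RFC 4880 defines it (SHA-1 over 0x99, a two-octet length and the public key material), for both public and secret key files. The function names dearmor, first_packet and v4_fingerprint are my own, and it assumes an RSA, DSA or Elgamal key.

```python
import base64
import hashlib

# MPIs in the public part of a v4 key, by algorithm id (RFC 4880 9.1): RSA n, e; Elgamal p, g, y; DSA p, q, g, y.
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}

def dearmor(text):
    """Strip the BEGIN/END lines, armor headers and CRC line; return the raw packet bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored PGP block")
    inner = lines[1:-1]
    if "" in inner:  # armor headers (Version:, Comment:, ...) end at the first blank line
        inner = inner[inner.index("") + 1:]
    return base64.b64decode("".join(ln for ln in inner if not ln.startswith("=")))

def first_packet(raw):
    """Return (tag, body) of the first OpenPGP packet, old or new header format."""
    ctb = raw[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet header")
    if ctb & 0x40:  # new format: tag in the low 6 bits, variable-length body length
        tag, first = ctb & 0x3F, raw[1]
        if first < 192:
            hlen, blen = 2, first
        elif first < 224:
            hlen, blen = 3, ((first - 192) << 8) + raw[2] + 192
        elif first == 255:
            hlen, blen = 6, int.from_bytes(raw[2:6], "big")
        else:
            raise ValueError("partial body lengths are not supported")
    else:  # old format: tag in bits 2-5, length-type in the low 2 bits
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported")
        n = 1 << ltype  # 1, 2 or 4 length octets
        hlen, blen = 1 + n, int.from_bytes(raw[1:1 + n], "big")
    return tag, raw[hlen:hlen + blen]

def v4_fingerprint(text):
    """SHA-1 over 0x99, a two-octet length and the public key material (RFC 4880 12.2)."""
    tag, body = first_packet(dearmor(text))
    if tag not in (5, 6) or body[0] != 4:
        raise ValueError("first packet is not a v4 public (tag 6) or secret (tag 5) key packet")
    pos = 6  # version(1) + creation time(4) + algorithm(1), then the algorithm's MPIs
    for _ in range(MPI_COUNT[body[5]]):
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    pub = body[:pos]  # for a secret key packet this drops the trailing secret material
    return hashlib.sha1(b"\x99" + len(pub).to_bytes(2, "big") + pub).hexdigest().upper()
```

Calling v4_fingerprint() on the text of a .asc file returns the 40 hex digits that gpg --with-fingerprint prints in groups of four, so the two can be compared directly.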

Alternatively, we can use online tools and platforms such as Keybase which are dedicated to secure key management. They usually provide a user-friendly interface for viewing key details, including fingerprints, through a Web interface or application.

4. Verifying the Fingerprint

The obtained fingerprint is a string of characters unique to the PGP key. It serves as a cryptographic checksum, ensuring the integrity of the key.

We should cross-reference the fingerprint with the key owner through a secure communication channel to verify it. This step is crucial for establishing trust in the key’s authenticity.

The fingerprint verification process enhances security by mitigating the risk of key substitution or manipulation. Users can communicate the fingerprint through a secure channel, such as in-person meetings, phone calls, or encrypted messaging applications, to confirm the accuracy of the key.

The fingerprint of a PGP key plays a pivotal role in ensuring the security and authenticity of encrypted communication. In addition, verifying the fingerprint through trusted channels establishes a strong foundation for the Web of trust in the PGP ecosystem.

5. Conclusion

In this article, we’ve discussed different approaches to extracting fingerprints from ASCII-armored PGP keys.

The first method uses the gpg command to get the fingerprint from a specific PGP key file. In addition, we listed the fingerprints of all available secret and public keys. Overall, the public and secret keyrings are essential components of PGP encryption systems, facilitating secure communication, key management, and cryptographic operations.

In addition, we discussed a manual and online method we can use to view the fingerprint of a key. Finally, we learned how to verify the authenticity of a fingerprint to establish trust.
