This document guides you through the steps of creating a GPG key. A new GPG key pair should be created for LeoMed. This pair should only be used for LeoMed.

The GPG key pair is used to encrypt a QR code needed for generating the second factor, and to encrypt guest user account credentials. The encrypted QR code or credentials will be sent to you by email, and you can decrypt that file with your private GPG key.

  • the ed25519 algorithm is recommended for generating the GPG key pair
  • protecting the GPG key pair with a passphrase (non-empty, at least 16 characters) is recommended
  • format convention for sharing the public GPG key: a file named <ETHZ-username>.gpg (ETH-externals without an existing ETHZ account should use <name-lastname>.gpg)

Terminal

To execute commands in the terminal

  1. open your terminal application 
  2. type or paste the command into the terminal window
  3. hit enter


Example:

[user@workstation]$ ls
  1. open your terminal application 
  2. type "ls" into the terminal window ([user@workstation]$ is the prompt; it indicates the machine you are currently working on and might look different depending on your settings)
  3. hit enter

Linux / Unix (macOS)

1. Install the GPG software using these terminal commands

a. Linux

[user@workstation]$ sudo apt-get install gnupg2

b. macOS

After installing Homebrew, you can use the `brew` command to install GPG:

[user@workstation]$ brew install gpg

Alternatively, after installing MacPorts, use the `port` command to install GPG (GnuPG):

[user@workstation]~% sudo port install gnupg2

2.

a. Open your terminal application of choice

b. Generate the GPG key pair using the following command:

[user@workstation]$ gpg --gen-key

3. Fill in the required information, including your real name and your work email address.

Important: Please avoid the use of special characters like umlauts.

4. Example

[user@workstation]$  gpg --gen-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: John Smith
Email address: john.smith@leomed.ethz.ch
You selected this USER-ID:
    "John Smith <john.smith@leomed.ethz.ch>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 94F3B324F9CA5741 marked as ultimately trusted
gpg: revocation certificate stored as '/home/<username>/.gnupg/openpgp-revocs.d/21AF418DC988D4B85B81C05894F3B324F9CA5741.rev'
public and secret key created and signed.

pub   rsa3072 2020-11-20 [SC] [expires: 2022-11-20]
      21AF418DC988D4B85B81C05894F3B324F9CA5741
uid                      John Smith <john.smith@leomed.ethz.ch>
sub   rsa3072 2020-11-20 [E] [expires: 2022-11-20]

5. Export public key

To export the public key into a file (for instance, on your Desktop), run the following command:

[user@workstation]$ gpg -a --output ~/Desktop/<username>.gpg --export <key_ID>
  • <username> should be replaced by your ETHZ-username (ETH-externals without an existing ETHZ account should use <name-lastname> instead)
  • <key_ID> should be replaced by the GPG key's ID (in the above example, "21AF418DC988D4B85B81C05894F3B324F9CA5741"; the `gpg --list-key` command can also be used to retrieve the key ID.)


Windows

1.

a. Install Gpg4win (which includes the Kleopatra key manager)

b. Open Kleopatra

c. Create a new GPG key pair

d. Select Create a personal OpenPGP key pair

[Screenshots: b. Kleopatra UI; c. Create a new GPG key pair; d. Key Pair creation]

2.

a. Fill in the required information, including your real name and your work email address.

b. Make sure you protect the pair with a passphrase by checking the Protect the generated key with a passphrase checkbox.

c. Click the Advanced Settings button, change the Key Material to ECDSA/EdDSA and un-select the Valid until checkbox, as shown in the screenshot.

Important: Please avoid the use of special characters like umlauts.

3. Export the public key to a file

The filename should be <username>.gpg where <username> should be replaced by your ETHZ-username (ETH-externals without an existing ETHZ account should use <name-lastname>.gpg instead)

Key-pair verification

You can verify that your GPG key pair works with a dry run on a document of your choice (here called `document_original.pdf`): encrypt it to yourself, decrypt the result, and compare the SHA-256 checksums of both files.

Encryption and Decryption
[user@workstation]$ sha256sum document_original.pdf
bd0d4a79dfb5cc883f2bc60f4c95aca7d15145123e1e388c12fd0bea8e4d01ad  document_original.pdf

# Encryption
[user@workstation]$ gpg --output document_original.pdf.gpg --encrypt --recipient john.smith@leomed.ethz.ch document_original.pdf

# Decryption
[user@workstation]$ gpg --output document_decrypted.pdf --decrypt document_original.pdf.gpg

# Check the bit-wise equivalence with respect to the original document
[user@workstation]$ sha256sum document_decrypted.pdf
bd0d4a79dfb5cc883f2bc60f4c95aca7d15145123e1e388c12fd0bea8e4d01ad  document_decrypted.pdf