LabEx
Log InJoin For Free

How to use docker trust key generate command to create signing keys

DockerDockerBeginner
Practice Now

Introduction

In this lab, you will learn how to generate signing key pairs using the gpg command, a fundamental step for secure communication and software distribution. You will generate a new RSA and RSA key pair with a specified keysize and validity period, providing essential user ID information during the process.

Following the key generation, you will learn how to enter and confirm the passphrase for your new key, a crucial security measure. You will then verify the generated public key file to ensure its correctness. Finally, you will explore how to generate a key pair in a specific directory, demonstrating flexibility in managing your keys.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL docker(("Docker")) -.-> docker/ContainerOperationsGroup(["Container Operations"]) docker/ContainerOperationsGroup -.-> docker/exec("Execute Command in Container") docker/ContainerOperationsGroup -.-> docker/create("Create Container") subgraph Lab Skills docker/exec -.-> lab-555252{{"How to use docker trust key generate command to create signing keys"}} docker/create -.-> lab-555252{{"How to use docker trust key generate command to create signing keys"}} end

Generate a new signing key pair

In this step, you will learn how to generate a new signing key pair using the gpg command. A signing key pair consists of a private key and a public key. The private key is used to sign data, and the public key is used to verify the signature. This is a fundamental concept in secure communication and software distribution.

First, open your terminal. You are already in the ~/project directory.

To generate a new key pair, use the following command:

gpg --full-generate-key

After running the command, you will be prompted to select the kind of key you want. For this lab, we will use the default option, which is RSA and RSA. Press Enter to accept the default.

gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1

Next, you will be asked about the keysize. A larger keysize provides more security but takes longer to generate and use. For this lab, we will use the default keysize of 3072 bits. Press Enter to accept the default.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)

You will then be asked how long the key should be valid. For this lab, we will make the key valid for one year. Type 1y and press Enter.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y

Confirm that the key will expire on the date shown by typing y and pressing Enter.

Key expires at ...
Is this correct? (y/N) y

Now, you need to provide user ID information. This information is associated with your public key and helps others identify you.

First, enter your real name. For this lab, you can use LabEx User. Type LabEx User and press Enter.

Real name: LabEx User

Next, enter your email address. For this lab, you can use [email protected]. Type [email protected] and press Enter.

Email address: [email protected]

You can optionally add a comment. For this lab, you will leave the comment field empty. Press Enter to skip the comment.

Comment:

Review the information you entered. If it is correct, type O for Okay and press Enter. If you need to make changes, type C for Change or Q for Quit.

You selected this USER-ID:
    "LabEx User <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Finally, you will be prompted to enter a passphrase to protect your private key. This is a crucial security step. Choose a strong passphrase that you can remember. You will need to enter this passphrase again in the next step.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator more entropy.

The system will then generate the key pair. This may take a moment.

Enter and confirm the passphrase for the new key

In the previous step, you initiated the process of generating a new GPG key pair. The final step in this process is to enter and confirm a passphrase for your private key. This passphrase is essential for protecting your private key from unauthorized use.

You should now see a dialog box or a prompt in your terminal asking you to enter a passphrase.

┌─────────┤ Please enter the passphrase to protect your new key ├─────────┐
│                                                                         │
│ Passphrase: _________________________________________                   │
│                                                                         │
│        <OK>                                          <Cancel>           │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Enter a strong passphrase in the "Passphrase" field. Remember this passphrase, as you will need it whenever you use your private key (e.g., for signing). For this lab, you can use a simple passphrase like mypassphrase123. Type mypassphrase123 and press Enter or click <OK>.

You will then be asked to confirm your passphrase by entering it again. This helps ensure that you typed the passphrase correctly.

┌─────────┤ Please re-enter the passphrase to protect your new key ├─────────┐
│                                                                          │
│ Repeat passphrase: _________________________________________             │
│                                                                          │
│        <OK>                                           <Cancel>            │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

Enter the same passphrase (mypassphrase123) again in the "Repeat passphrase" field and press Enter or click <OK>.

After confirming the passphrase, GPG will finish generating your key pair. You should see output similar to this, indicating that the key generation is complete:

gpg: key ... marked as ultimately trusted
gpg: revocation certificate stored as '/home/labex/.gnupg/openpgp-revocs.d/....rev'
public and secret key created and signed.

pub   rsa3072 2023-10-27 [SC]
      ...
uid           [ultimate] LabEx User <[email protected]>
sub   rsa3072 2023-10-27 [E]

The output shows information about your newly generated key, including the key type (rsa3072), the creation date, the key ID (...), and the user ID you provided (LabEx User <[email protected]>). The pub line refers to the public key, and the sub line refers to the subkey (used for encryption).

You have now successfully generated a GPG key pair and protected your private key with a passphrase.

Verify the generated public key file

In the previous steps, you successfully generated a GPG key pair. Now, let's verify that the public key was generated correctly and is available. The public key is what you will share with others so they can verify your signatures or encrypt messages for you.

To list the public keys in your keyring, use the gpg --list-keys command. Since you specified "LabEx User" as the name during key generation, you can filter the output to show only your key.

gpg --list-keys "LabEx User"

You should see output similar to this, confirming the presence of your public key:

pub   rsa3072 2023-10-27 [SC]
      ...
uid           [ultimate] LabEx User <[email protected]>
sub   rsa3072 2023-10-27 [E]

This output shows the details of your public key, including the key type (pub), the algorithm (rsa3072), the creation date (2023-10-27), the capabilities ([SC] for Sign and Certify), the key ID (...), the user ID (LabEx User <[email protected]>), and information about the encryption subkey (sub).

To export your public key to a file, you can use the gpg --output <filename> --armor --export <user ID> command. The --armor option outputs the key in ASCII armored format, which is a human-readable text format. Let's export the public key for "LabEx User" to a file named labex_user_public.key in your current directory (~/project).

gpg --output labex_user_public.key --armor --export "LabEx User"

This command will create a file named labex_user_public.key in your ~/project directory containing your public key.

You can view the contents of this file using the cat command:

cat labex_user_public.key

The output will show the ASCII armored public key block, starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

-----BEGIN PGP PUBLIC KEY BLOCK-----

... (your public key content) ...

-----END PGP PUBLIC KEY BLOCK-----

This confirms that your public key has been successfully exported to a file. You can now share this file with others who need to verify your signatures or encrypt data for you.

Generate a key pair in a specified directory

In the previous steps, you generated a GPG key pair which was stored in the default GPG home directory (~/.gnupg). Sometimes, you might want to generate keys and store them in a different location, perhaps for specific projects or to keep them separate from your main keyring.

In this step, you will learn how to generate a GPG key pair and specify a different directory to store the key files.

First, let's create a new directory where we will store the new key pair. We will create a directory named mykeys inside your ~/project directory.

mkdir ~/project/mykeys

Now, to generate a key pair and store it in the ~/project/mykeys directory, you need to use the --homedir option with the gpg command. This option tells GPG to use the specified directory as its home directory instead of the default one.

Use the following command to start the key generation process, specifying the ~/project/mykeys directory:

gpg --homedir ~/project/mykeys --full-generate-key

You will be guided through the same key generation process as in Step 1 and Step 2.

  1. Select the kind of key: Choose the default RSA and RSA by pressing Enter.
  2. What keysize do you want? Choose the default 3072 by pressing Enter.
  3. Key is valid for? Enter 1y for one year and press Enter.
  4. Is this correct? Type y and press Enter.
  5. Real name: Enter Project User and press Enter.
  6. Email address: Enter [email protected] and press Enter.
  7. Comment: Leave empty by pressing Enter.
  8. Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? Type O and press Enter.
  9. Enter passphrase: Enter a passphrase (e.g., projectpassphrase456) and press Enter.
  10. Repeat passphrase: Enter the same passphrase (projectpassphrase456) again and press Enter.

After completing these steps, GPG will generate the key pair and store the necessary files within the ~/project/mykeys directory.

You can verify that the key was generated in the specified directory by listing the keys in that homedir:

gpg --homedir ~/project/mykeys --list-keys "Project User"

You should see output similar to this, showing the key you just generated:

gpg: directory '/home/labex/project/mykeys' created
gpg: keybox '/home/labex/project/mykeys/pubring.kbx' created
pub   rsa3072 2023-10-27 [SC]
      ...
uid           [ultimate] Project User <[email protected]>
sub   rsa3072 2023-10-27 [E]

Notice the lines indicating that the GPG directory and keybox were created within ~/project/mykeys. This confirms that the key was generated in the specified location.

Summary

In this lab, you learned how to generate a new signing key pair using the gpg command. This process involves selecting the key type (defaulting to RSA and RSA), specifying the keysize (defaulting to 3072 bits), and setting the key's validity period (set to one year in this lab). You also learned how to enter and confirm a passphrase for the new key to protect the private key. Finally, you verified the generated public key file and explored generating a key pair in a specified directory, understanding the fundamental concepts of private and public keys for secure communication and software distribution.

Related Docker Courses
Quick Start with Docker

Quick Start with Docker

Docker
Beginner
Docker Practice Challenges

Docker Practice Challenges

Docker
Beginner
Docker Practice Labs

Docker Practice Labs

Docker
Beginner