GPG Keys
GNU Privacy Guard (GPG) Keys
What is GPG?
GPG stands for GNU Privacy Guard, an implementation of public key cryptography, which can be used both for the more standard operations of encryption keys (encrypt/decrypt), and for message verification via signature. In Akeyless, it is expressed as an additional type for the creation of Classic Keys, enabling the user to leverage GPG's functionality while keeping it doubly secure under the Akeyless platform.
Working with GPG from the CLI
Key Creation
GPG keys are created using the same command structure as other classic keys, with an important new step, after the algorithm type is defined as GPG, the user must also add an additional parameter, gpg-alg
, which defines which key type will be used for the implementation.
The command goes as follows:
akeyless create-classic-key \
--name <key name> \
--alg gpg \
--gpg-alg <algorithm type> \
--gateway-url = 'https://<Your_Akeyless_GW_URL:8000>'
Where:
name
: The name of the Classic Key. The name can include the path to the virtual folder where you want to create the new key, using the slash/
separators. If the folder does not exist, it will be created together with the key.alg
: The type of key to be created.gpg-alg
: Relevant only if GPG key type selected; options: [RSA1024
,RSA2048
,RSA3072
,RSA4096
,X25519
]gateway-url
: Akeyless Gateway Configuration Manager URL (port8000
).
Other parameters can be found in the CLI Reference .
Key Usage
While the creation statement for GPG keys is the same as other classic keys, it has a unique set of commands for its usage: encrypt, decrypt, sign, and verify.
Encryption command:
akeyless encrypt-gpg -k <Key name> \
--display-id <Display id of the key to use in the encryption process \
--item-id <Item id of the key to use in the encryption process> \
--in <Path to the file to be encrypted in base64 format> \
The full parameters can be found in the CLI reference.
Decryption command:
akeyless decrypt-gpg --key-name <Key Name> \
--ciphertext <Ciphertext to be decrypt in base64 encoded format> \
--display-id <Display id of the key to use in the encryption process> \
--item-id <Item id of the key to use in the encryption process>
The full parameters can be found in the CLI reference.
Signing command:
akeyless sign-gpg --key-name <RSA signing key name> \
--message <Message to sign> \
--display-id <Display id of the key to use in the decryption process> \
--item-id <Item id of the key to use in the encryption process>
The full parameters can be found in the CLI reference.
Verification command:
akeyless verify-gpg --key-name <RSA Key> \
--message <message to verify> \
--signature <message signature> \
--display-id <Display id of the key to use in the decryption process> \
--item-id <Item id of the key to use in the encryption process>
The full parameters can be found in the CLI reference.
Working with GPG from the Console
While the console can create GPG-type keys, their full usage functionalities are available from the CLO.
Key Creation:
-
In the Akeyless console, select New>Encryption Key > Classic.
-
Define the following:
-
Name: The name of the Classic Key.
-
Location: The path to the virtual folder where you want to create the new key, using slash
/
separators. If the folder does not exist, it will be created together with the key. -
Description: General description of the key (optional).
-
Tags: Assign tags to the key (optional).
-
Key Type: The algorithm type of key to be created, select GPG.
-
GPG Key Type: The algorithm type for the GPG key to implement.
-
Generated By: Determines if the Classic Key should be generated by the Akeyless KMS, or uploaded from another source. If you select Import Classic Key, you can upload a file into the console.
-
Protection Key: The encryption key to encrypt the Classic Key (if your system includes multiple encryption keys). Otherwise, select
Default
. -
Gateway: Select the Gateway.
-
Auto Rotate: Indicate if the Classic Key should be automatically rotated, and select the frequency. This option is not available for imported keys. You may still rotate the key manually even if you did not apply this option.
- Select Save.
Updated about 1 year ago