GNU PG

Overview

Hints and tips for using GPG encryption and signing tool from the GnuPG system.


Create a new Public and Private key pair

See The default OpenSSH key encryption is worse than plaintext

  • gpg --gen-key

Specify a different directory for creating the keyrings

  • gpg --homedir /home/xxx --gen-key

Creating a detached ascii signature

  • gpg --sign --detach-sign --armor filetobe_signed

or

  • gpg -s -b -a filetobe_signed

Signature Compatible with PGP

See http://www.gnupg.org/documentation/faqs.en.html#q5.1

  • gpg --sign --detach-sign --armor --compress-algo 1 --cipher-algo cast5 filetobe_signed

    or

  • gpg --sign --detach-sign --armor --compress-algo 1 --cipher-algo 3des filetobe_signed


Verifying a detached signature

$ gpg --verify signature_file signed_file

Verifying with another keyring:

$ gpg --keyring public-keyring.gpg --verify signed_file

Exporting keys

These options allow you to transfer public and private keys to another machine. You can also export your trust database. You may also want to transfer your .gnupg/options or .gnupg/gpg.conf files too.

Export all public keys

  • gpg --export --armor > mypublickeys

Export specific public key

  • gpg --export --armor my.name@domain.tld > mypublickey

Export all private keys

  • gpg --export-secret-keys --armor > mysecretkeys

Export trust ownership

  • gpg --export-ownertrust --armor > myownertrust

Importing keys

Importing public keys

  • gpg --import mypublickeys

Importing private keys

  • gpg --import --allow-secret-key-import mysecretkeys

Importing owner trust relationships

  • gpg --import-ownertrust myownertrust

Import a key from a dowloaded KEY file

  • gpg --import KEYFILENAME

Importing a key from a public server

Imports the specified key from the specified public key server and adds it to your key chain.

  • gpg --keyserver pgp.mit.edu --recv-keys 0x5072E1F5
  • gpg --keyserver wwwkeys.pgp.net --recv-keys 0x5072E1F5

Configuration

When installed, gnupg should have created an example configuration file at ~/.gnupg/gpg.conf. You most likely want to change the following entries:

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 621CC013

# If you do not pass a recipient to gpg, it will ask for one.  Using
# this option you can encrypt to a default key.  Key validation will
# not be done in this case.  The second form uses the default key as
# default recipient.

#default-recipient some-user-id
default-recipient-self

If you have more than one secret key, set the default key to one of those shown by the gpg --list-secret-keys command.


Display Fingerprint

  • gpg --fingerprint user.name

Signing a key

  • gpg --edit-key KEYNAME
  • sign
  • save

Trusting a key

You need to sign the key first. See Signing a key

  • gpg --edit-key KEYNAME
  • trust
  • 4
  • save

Updating the expiration date

  • gpg --edit-key YOUR_KEY
  • expire

Enter the period to extend the expiration date by, e.g. 1y

Then select the sub key and extend that too:

  • key 1
  • expire
  • 1y
  • save

Changing the Passphrase

  1. Find the KEY_ID

    $ gpg --list-keys $EMAIL
    
  2. Edit the key using the ID

    $ gpg --edit-key $KEY_ID
    
  3. Change the passphrase

    $ passwd
    
  4. Save the changes

    $ save
    

-- Frank Dean - 21 Jul 2023

Specifying an alternate location for the keyrings

gpg --keyring=/somewhere/else/pubring.gpg
   --secret-keyring=/somewhere/else/secring.gpg encrypted.gpg

Linux GUI Front-Ends for GnuPG

Windows Usage

See http://www.glump.net/dokuwiki/gpg/gpg_intro

Revoking Subkeys

$ gpg --edit-key $KEYNAME
  1. The chosen key will be displayed, listing the subkeys.

  2. Enter the number of the subkey and hit return. An asterisk is shown against the selected key.

    $ revuid
    
  3. Select option '4 = User ID is no longer valid'.

  4. Optionally, enter a description. A blank line terminates input.

  5. Confirm whether the changes are OK.

  6. Save the key.

  7. When everything looks good, update the public key servers with:

    $ gpg --keyserver pgp.mit.edu --send-keys $FINGERPRINT_ID
    

-- Frank Dean - 20-Jul-2018

Backup

  1. Shutdown gpg-agent, dirmngr and scdaemon if they are running:

    $ gpgconf --kill all
    
  2. Backup the ~/.gnupg folder and sub-folders, e.g.

    $ tar -zcf "${FILENAME}.tar.gz" ~/.gnupg
    

Generally, gpg-agent, dirmngr and scdaemon are restarted when required.

-- Frank Dean - 21 Jul 2023

Resources


-- Frank Dean - 26 Sep 2004

Related Topics: DebianTips, LinuxHintsAndTips