GNU PG

Overview

Hints and tips for using the GPG encryption and signing tool from the GnuPG system.


Create a new Public and Private key pair

See The default OpenSSH key encryption is worse than plaintext

  • gpg --gen-key

Specify a different directory for creating the keyrings

  • gpg --homedir /home/xxx --gen-key

Creating a detached ascii signature

  • gpg --sign --detach-sign --armor filetobe_signed

or

  • gpg -s -b -a filetobe_signed

Signature Compatible with PGP

See http://www.gnupg.org/documentation/faqs.en.html#q5.1

  • gpg --sign --detach-sign --armor --compress-algo 1 --cipher-algo cast5 filetobe_signed

or

  • gpg --sign --detach-sign --armor --compress-algo 1 --cipher-algo 3des filetobe_signed


Verifying a detached signature

$ gpg --verify signature_file signed_file

Verifying with another keyring:

$ gpg --keyring public-keyring.gpg --verify signed_file
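
Checking the exit status of gpg --verify alone is not enough: gpg exits 0 for any good signature made by a key present in the keyring and merely prints a warning when that key is not certified. As an added example (not part of the original page), the Python helper below builds the verify command from the --keyring form shown above and decides from the machine-readable --status-fd lines whether the signature was made by the expected primary key with sufficient ownertrust; the fingerprint and status lines are constructed samples, not real output.

```python
import subprocess

STATUS_PREFIX = "[GNUPG:] "

def verify_command(signature_file, signed_file, keyring=None):
    """Build the gpg argument list. A dedicated keyring (as in the page's
    --keyring example) keeps the check independent of what is in ~/.gnupg."""
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    return cmd + ["--verify", signature_file, signed_file]

def assess(status_output, expected_fpr, accepted_trust=("TRUST_FULLY", "TRUST_ULTIMATE")):
    """Return (ok, reason): ok only for a GOODSIG/VALIDSIG pair made by the
    expected primary key whose ownertrust level is in accepted_trust."""
    seen = {}
    for line in status_output.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            seen[fields[0]] = fields[1:]
    # Any of these means the signature must not be accepted, whatever else is present.
    for bad in ("BADSIG", "ERRSIG", "NODATA", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
        if bad in seen:
            return False, bad
    if "GOODSIG" not in seen or "VALIDSIG" not in seen:
        return False, "no valid signature"
    # VALIDSIG fields: fpr date ts expire-ts ver rsvd pkalgo hashalgo class primary-fpr
    v = seen["VALIDSIG"]
    primary_fpr = v[9] if len(v) > 9 else v[0]
    if primary_fpr.upper() != expected_fpr.replace(" ", "").upper():
        return False, "unexpected signing key " + primary_fpr
    trust = next((k for k in seen if k.startswith("TRUST_")), "TRUST_UNDEFINED")
    if trust not in accepted_trust:
        return False, trust
    return True, trust

def run_verify(signature_file, signed_file, expected_fpr, keyring=None):
    """Run gpg (must be on PATH) and assess its status output."""
    proc = subprocess.run(verify_command(signature_file, signed_file, keyring),
                          capture_output=True, text=True)
    return assess(proc.stdout, expected_fpr)

# Constructed sample status output with a placeholder fingerprint (not a real key):
# a good signature from a fully trusted key, and the same signature from an uncertified key.
FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
SAMPLE_TRUSTED = "\n".join([
    "[GNUPG:] GOODSIG " + FPR[-16:] + " Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG " + FPR + " 2023-07-21 1689897600 0 4 0 1 8 00 " + FPR,
    "[GNUPG:] TRUST_FULLY 0 pgp"])
SAMPLE_UNTRUSTED = SAMPLE_TRUSTED.replace("TRUST_FULLY", "TRUST_UNDEFINED")
```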

Exporting keys

These options allow you to transfer public and private keys to another machine. You can also export your trust database, and you may want to transfer your .gnupg/options or .gnupg/gpg.conf file as well.

Export all public keys

  • gpg --export --armor > mypublickeys

Export specific public key

  • gpg --export --armor my.name@domain.tld > mypublickey

Export all private keys

  • gpg --export-secret-keys --armor > mysecretkeys

Export trust ownership

  • gpg --export-ownertrust --armor > myownertrust

Importing keys

Importing public keys

  • gpg --import mypublickeys

Importing private keys

  • gpg --import --allow-secret-key-import mysecretkeys

Importing owner trust relationships

  • gpg --import-ownertrust myownertrust

Import a key from a downloaded KEY file

  • gpg --import KEYFILENAME

Importing a key from a public server

Imports the specified key from the specified public key server (or from the configured default server when no --keyserver is given) and adds it to your keyring.

  • gpg --recv-keys KEY_ID
  • gpg --keyserver keyserver.ubuntu.com --recv-keys KEY_ID
  • gpg --keyserver hkps://keys.openpgp.org --recv-keys KEY_ID

Configuration

When installed, gnupg should have created an example configuration file at ~/.gnupg/gpg.conf. You most likely want to change the following entries:

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 621CC013

# If you do not pass a recipient to gpg, it will ask for one.  Using
# this option you can encrypt to a default key.  Key validation will
# not be done in this case.  The second form uses the default key as
# default recipient.

#default-recipient some-user-id
default-recipient-self

If you have more than one secret key, set the default key to one of those shown by the gpg --list-secret-keys command.


Display Fingerprint

  • gpg --fingerprint user.name

Signing a key

  • gpg --edit-key KEYNAME
  • sign
  • save

Trusting a key

You need to sign the key first. See Signing a key.

  • gpg --edit-key KEYNAME
  • trust
  • 4
  • save

Updating the expiration date

  1. Select the key to edit:

    $ gpg --edit-key $FINGERPRINT_ID
    gpg> expire
    
  2. Enter the period to extend the expiration date by, e.g. 1y

  3. Then select the sub key and extend that too:

    gpg> key 1
    gpg> expire
    gpg> 1y
    gpg> save
    
  4. Then update the key server(s):

    $ gpg --send-keys $FINGERPRINT_ID
    $ gpg --send-keys --keyserver hkps://keys.openpgp.org $FINGERPRINT_ID
    

Changing the Passphrase

  1. Find the KEY_ID

    $ gpg --list-keys $EMAIL
    
  2. Edit the key using the ID

    $ gpg --edit-key $KEY_ID
    
  3. Change the passphrase

    gpg> passwd
    
  4. Save the changes

    gpg> save
    

-- Frank Dean - 21 Jul 2023

Specifying an alternate location for the keyrings

gpg --keyring=/somewhere/else/pubring.gpg \
    --secret-keyring=/somewhere/else/secring.gpg encrypted.gpg

Linux GUI Front-Ends for GnuPG

Windows Usage

See http://www.glump.net/dokuwiki/gpg/gpg_intro

Revoking Subkeys

$ gpg --edit-key $KEYNAME

  1. The chosen key will be displayed, listing the subkeys.

  2. Enter the number of the subkey and hit return. An asterisk is shown against the selected key.

    gpg> revuid
    
  3. Select option '4 = User ID is no longer valid'.

  4. Optionally, enter a description. A blank line terminates input.

  5. Confirm whether the changes are OK.

  6. Save the key.

  7. When everything looks good, update the public key servers with:

    $ gpg --send-keys $FINGERPRINT_ID
    

-- Frank Dean - 20-Jul-2018

Backup

  1. Shut down gpg-agent, dirmngr and scdaemon if they are running:

    $ gpgconf --kill all
    
  2. Backup the ~/.gnupg folder and sub-folders, e.g.

    $ tar -zcf "${FILENAME}.tar.gz" ~/.gnupg
    

Generally, gpg-agent, dirmngr and scdaemon are restarted when required.

-- Frank Dean - 21 Jul 2023

Resources


-- Frank Dean - 26 Sep 2004

Related Topics: DebianTips, LinuxHintsAndTips