GPG

From YM2149.org

Latest revision as of 08:16, 23 February 2025

  • Also known as GNU Privacy Guard or GnuPG
  • Relatively convenient way to manage your secrets

Config

  • ~/.gnupg/gpg-agent.conf
    • ~/.gnupg should have 700 permissions (gpg warns about unsafe permissions otherwise)
  • default-cache-ttl ... to forget a cached passphrase after the given number of seconds without use (GnuPG's default is 600)
  • max-cache-ttl ... to forget a cached passphrase after the given number of seconds since it was entered, no matter how recently it was used (default 7200)

Share

  • typically you generate one secret key per account and system that needs to decrypt, and copy only its public key to the places that need to encrypt for it
  • gpg --full-generate-key to make a new key
    • you should specify an expiry, e.g. 1 year; it can always be extended later with expire (see Shell below)
  • gpg --output payload --export ...@... to dump its public key (add --armor for an ASCII file that survives copy and paste; without it the file is binary)
  • gpg --import payload on a target system to import the public key
    • then you need to trust it, see Shell below; until then encrypting to it makes gpg warn that the key is not certain to belong to the named user and ask for confirmation

Migrate

  • when upgrading a server, for example, key material including secret keys can be exported from a backup copy of the old ~/.gnupg by pointing gpg at it with --homedir, e.g. gpg --homedir ... --export-secret-keys --armor ...@..., and imported on the new system with gpg --import
    • the owner trust is not part of such an export (it lives in trustdb.gpg); carry it over with --export-ownertrust and --import-ownertrust, or set it again with trust

Shell

  • gpg --edit-key ...@... opens an interactive prompt on that key; end with save, or the changes are discarded
  • trust to set the owner trust of an imported public key; choose 5 (ultimate) to make it usable for encryption without further prompts (alternatively sign it with your own key using lsign)
  • expire to update the expiry of a secret key; with nothing selected it changes the primary key only
    • key 1 to select the first subkey (subkeys are numbered from 1, key 0 deselects all), then expire again so the subkey does not expire before the primary
  • passwd to change the passphrase of a secret key
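
The Share and Shell steps above, run end to end without any prompts. This is an added example, not code from the YM2149.org page: it works in two throwaway GNUPGHOMEs so ~/.gnupg is never touched, the user id "Alice <alice@example.org>" and the file names are made up, and the key is generated without a passphrase (a real key should have one). The interactive --edit-key commands are replaced by their batch equivalents: --import-ownertrust for trust and --quick-set-expire for expire.

```shell
#!/bin/sh
# Added example, not code from the YM2149.org page: the Share and Shell steps
# run non-interactively. "$SRC" plays the system that holds the secret key and
# decrypts, "$DST" a system that only gets the public key and encrypts.
# The user id "Alice <alice@example.org>" is made up; the key has no passphrase
# so that no pinentry is needed, which is only acceptable for a demo.
set -eu

gpg_share_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    SRC=$(mktemp -d); DST=$(mktemp -d)   # mktemp -d creates mode 700 dirs, as ~/.gnupg should be
    trap 'gpgconf --homedir "$SRC" --kill gpg-agent; gpgconf --homedir "$DST" --kill gpg-agent; rm -rf "$SRC" "$DST"' EXIT

    # 1. generate: batch form of --full-generate-key, with a 1 year expiry
    gpg --homedir "$SRC" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Alice <alice@example.org>' default default 1y

    # 2. share: dump only the public key (--armor makes it a text file), import it on DST
    gpg --homedir "$SRC" --armor --export alice@example.org > "$DST/alice.pub.asc"
    gpg --homedir "$DST" --quiet --import "$DST/alice.pub.asc"

    # 3. trust: batch equivalent of --edit-key, trust, 5 (ultimate), save.
    #    The ownertrust line format is <fingerprint>:<level>: where 6 = ultimate.
    FPR=$(gpg --homedir "$DST" --with-colons --list-keys alice@example.org |
          awk -F: '$1 == "fpr" { print $10; exit }')
    printf '%s:6:\n' "$FPR" | gpg --homedir "$DST" --quiet --import-ownertrust
    gpg --homedir "$DST" --quiet --check-trustdb

    # 4. encrypt where only the public key lives, decrypt where the secret key lives
    printf 'hello\n' | gpg --homedir "$DST" --batch --quiet --encrypt \
        --recipient alice@example.org --output "$DST/msg.gpg"
    PLAIN=$(gpg --homedir "$SRC" --batch --quiet --decrypt "$DST/msg.gpg")

    # 5. expire: batch equivalent of --edit-key, expire, save for the primary key.
    #    The encryption subkey keeps its own date (--edit-key, key 1, expire).
    #    Field 7 of a pub record in --with-colons output is the expiry as epoch seconds.
    BEFORE=$(gpg --homedir "$SRC" --with-colons --list-keys "$FPR" | awk -F: '$1 == "pub" { print $7; exit }')
    gpg --homedir "$SRC" --batch --quiet --quick-set-expire "$FPR" 2y
    AFTER=$(gpg --homedir "$SRC" --with-colons --list-keys "$FPR" | awk -F: '$1 == "pub" { print $7; exit }')
    [ "$AFTER" -gt "$BEFORE" ] || return 1

    echo "$PLAIN"
}

gpg_share_demo
```

The script prints "hello" when the round trip and the expiry extension both worked, and "skip" when gpg is not installed. Each --homedir gets its own gpg-agent, which is why the trap kills both with gpgconf before removing the directories.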

Agent

  • gpg-connect-agent <<<help for a list of commands
    • gpg-connect-agent <<<'help ...' for help on a specific command
    • <<< is a bash here-string; the portable spelling is gpg-connect-agent 'help' /bye
  • gpg-connect-agent <<<reloadagent to pick up new config
    • this also forgets cached passphrases
  • gpg-connect-agent <<<'keyinfo --list' to check which keys (by keygrip) are currently unlocked; look for a 1 in the cached column, a - means the passphrase is not cached
    • note that all keys with the same passphrase are unlocked even if this shows just one of them is
    • gpg --list-secret-keys --with-keygrip to show what keygrips your secret keys have
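
Matching the keygrips from keyinfo --list against your secret keys by eye gets tedious with several keys and subkeys. The script below is an added example, not code from the YM2149.org page: it joins the agent's KEYINFO lines with the --with-colons form of the secret key listing and prints, per primary key and subkey, whether its passphrase is cached. Both inputs are constructed samples in the real output formats; the key ids, keygrips and user ids are made up.

```shell
#!/bin/sh
# Added example, not code from the YM2149.org page: join the agent's KEYINFO
# listing with gpg's keygrip listing to see which secret keys are unlocked.
# Live use (portable spelling of the <<< here-strings above):
#   unlocked_keys "$(gpg-connect-agent 'keyinfo --list' /bye)" \
#                 "$(gpg --list-secret-keys --with-keygrip --with-colons)"

# Constructed agent output. After "S KEYINFO" the columns are keygrip, type,
# serialno, idstr, cached (1 = passphrase in cache, - = not), protection, fpr, ttl, flags.
AGENT_KEYINFO='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
S KEYINFO 3333333333333333333333333333333333333333 D - - 1 P - - -
OK'

# Constructed gpg output. sec/ssb records carry the key id in field 5, the grp
# record that follows them carries the keygrip in field 10, uid records the user id in field 10.
SECRET_KEYS='sec:u:3072:1:0123456789ABCDEF:1700000000:1731536000::u:::scESC::::::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF01234:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::0000::Alice <alice@example.org>::::::::::0:
ssb:u:3072:1:FEDCBA9876543210:1700000000:1731536000:::::e::::::23:
fpr:::::::::BBBB0123456789ABCDEF0123456789ABCDEF01234:
grp:::::::::2222222222222222222222222222222222222222:
sec:u:255:22:1122334455667788:1700000000:1731536000::u:::scESC::::::23::0:
fpr:::::::::CCCC0123456789ABCDEF0123456789ABCDEF01234:
grp:::::::::3333333333333333333333333333333333333333:
uid:u::::1700000000::0000::Backup <backup@example.org>::::::::::0:'

# unlocked_keys KEYINFO_TEXT COLONS_TEXT
# prints one line per primary key and subkey:
#   <sec|ssb> <keyid> <keygrip> <unlocked|locked> <primary uid>
unlocked_keys() {
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk '
        /^---$/ { part = 2; next }
        part != 2 {                        # agent listing, space separated
            if ($2 == "KEYINFO" && $7 == "1") cached[$3] = 1
            next
        }
        {                                  # gpg listing, colon separated
            split($0, f, ":")
            if (f[1] == "sec") { blk++; type = "sec"; keyid = f[5]; next }
            if (f[1] == "ssb") { type = "ssb"; keyid = f[5]; next }
            if (f[1] == "uid" && !(blk in uid)) { uid[blk] = f[10]; next }
            if (f[1] == "grp") {
                n++; b[n] = blk
                rec[n] = type " " keyid " " f[10] " " ((f[10] in cached) ? "unlocked" : "locked")
            }
        }
        END { for (i = 1; i <= n; i++) print rec[i] " " uid[b[i]] }'
}

unlocked_keys "$AGENT_KEYINFO" "$SECRET_KEYS"
```

In the sample the encryption subkey of the first key shows as locked while its primary is unlocked, which is exactly the situation the note above describes: the agent reports the cache per keygrip, so a subkey that shares the passphrase can still be usable even though its own line shows a -.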