GPG
From YM2149.org
Latest revision as of 08:16, 23 February 2025
- Also known as GNU Privacy Guard or GnuPG
- Relatively convenient way to manage your secrets
Config
- ~/.gnupg/gpg-agent.conf holds the agent settings below; the running agent only picks them up after a reload (see Agent)
- ~/.gnupg should have 700 permissions: gpg warns about "unsafe permissions" otherwise, and anything looser lets other local users read your secret keyring
- default-cache-ttl ... to forget a cached passphrase after the given number of seconds without use, so the key has to be unlocked again (default 600)
- max-cache-ttl ... to forget a cached passphrase after the given number of seconds no matter how recently it was used (default 7200)
- typically you will generate a secret key per account and system for decryption, and copy its public key to other places for encryption there
- gpg --full-generate-key to make a new key
  - you should specify an expiry, e.g. 1 year; it can always be extended later with expire in the edit-key shell (see below) as long as you still hold the secret key
- gpg --output payload --export ...@... to dump its public key (add --armor if you want ASCII output you can paste)
- gpg --import payload on a target system to import the public key
  - then you need to trust it, see below; until you do, gpg warns that there is no assurance the key belongs to the named user, and in --batch mode it refuses to encrypt to the key at all
Migrate
- when upgrading a server for example, key material including secrets can be exported from a backup using --homedir: point gpg at the backed-up .gnupg directory and run --export-secret-keys there, then --import into the new one
  - with gpg 2.1 and later the secret keys live in private-keys-v1.d/ and the public keys and user ids in pubring.kbx, so a backup of those two is enough (trustdb.gpg is recreated); the backup must be protected as carefully as the live directory
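The key procedure above (generate, export, import, trust, encrypt/decrypt, then migrate from a backup with --homedir), run end to end in bash against two throwaway home directories that stand in for the source and target systems. This is an added example, not code from this page or from GnuPG itself. It assumes gpg 2.1 or later and gpgconf on PATH (it exits with status 2 if gpg is missing); the user id, file names and scratch directories are invented for the demo, and the empty passphrase is only so it runs unattended.

```shell
#!/usr/bin/env bash
# Added example, not code from the YM2149.org page: the page's key
# procedure (generate, export, import, trust, encrypt, decrypt, migrate
# via --homedir) run end to end between two throwaway GnuPG home
# directories standing in for the "source" and "target" systems.
# Assumptions: the user id, file names and scratch paths are invented
# for the demo; gpg 2.1+ and gpgconf are on PATH (exit status 2 if not).
# An empty passphrase is used only so the demo runs unattended; a real
# key gets a passphrase (passwd in --edit-key).
set -eu

WORK=$(mktemp -d)
SRC="$WORK/source.gnupg"    # holds the secret key (decrypting side)
DST="$WORK/target.gnupg"    # only ever sees the public key (encrypting side)
BACKUP="$WORK/backup.gnupg" # stands in for a backup of SRC
NEW="$WORK/new.gnupg"       # the rebuilt server after an upgrade
UID_STR="Demo Backup <backup@example.invalid>"   # constructed user id

# gpg warns about "unsafe permissions" unless the homedir is mode 700;
# this is the page's Config rule applied to every homedir we create.
make_homedir() { mkdir -p "$1" && chmod 700 "$1"; }

# Non-interactive gpg against a given homedir (loopback pinentry so
# --passphrase is honoured in --batch mode).
g() { local home=$1; shift
      gpg --homedir "$home" --batch --no-tty --quiet \
          --pinentry-mode loopback --passphrase '' "$@"; }

# 1. Generate a certify-capable primary key plus encryption subkey,
#    expiring in one year (extend later with `expire` in --edit-key).
generate_key() { g "$SRC" --quick-generate-key "$UID_STR" default default 1y; }

# 2. Dump the public key on the source, import it on the target.
publish_key() {
    g "$SRC" --armor --output "$WORK/payload.asc" --export "$UID_STR"
    g "$DST" --import "$WORK/payload.asc"
}

# 3. Trust it. A freshly imported key has unknown ownertrust and gpg
#    refuses to encrypt to it in --batch mode ("Unusable public key").
#    Scriptable equivalent of `trust` -> 5 in the edit-key shell: feed
#    "<fingerprint>:6:" (6 = ultimate) to --import-ownertrust.
trust_key() {
    local fpr
    fpr=$(g "$DST" --with-colons --list-keys "$UID_STR" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    printf '%s:6:\n' "$fpr" | g "$DST" --import-ownertrust
}

# 4. Encrypt where only the public key lives, decrypt where the secret is.
roundtrip() {
    printf 'database password: hunter2\n' > "$WORK/plain.txt"   # constructed
    g "$DST" --recipient "$UID_STR" --output "$WORK/plain.txt.gpg" \
        --encrypt "$WORK/plain.txt"
    g "$SRC" --output "$WORK/plain.dec" --decrypt "$WORK/plain.txt.gpg"
    cmp -s "$WORK/plain.txt" "$WORK/plain.dec"
}

# 5. Migrate from a backup. Only two things need to be in the backup:
#    private-keys-v1.d/ (secret keys) and pubring.kbx (public keys and
#    user ids); gpg recreates trustdb.gpg. --homedir points gpg at the
#    backup so the secret key can be exported into the new home.
migrate_from_backup() {
    make_homedir "$BACKUP"; make_homedir "$NEW"
    cp -a "$SRC/private-keys-v1.d" "$SRC/pubring.kbx" "$BACKUP/"
    g "$BACKUP" --armor --export-secret-keys "$UID_STR" | g "$NEW" --import
    # The migrated key must decrypt what the target encrypted in step 4.
    g "$NEW" --decrypt "$WORK/plain.txt.gpg" | cmp -s - "$WORK/plain.txt"
}

# Runs the whole procedure; 0 = every step passed, 2 = gpg not installed.
gpg_lifecycle_demo() {
    command -v gpg >/dev/null 2>&1 || return 2
    make_homedir "$SRC" && make_homedir "$DST" &&
    generate_key && publish_key && trust_key && roundtrip && migrate_from_backup
}

# Stop the per-homedir agents the demo started and wipe the scratch dir.
cleanup() {
    local h
    for h in "$SRC" "$DST" "$BACKUP" "$NEW"; do
        [ -d "$h" ] && GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}

DEMO_STATUS=0
gpg_lifecycle_demo || DEMO_STATUS=$?
echo "gpg lifecycle demo exit status: $DEMO_STATUS"
cleanup
```

Each homedir gets its own gpg-agent, which is why cleanup kills them one by one before deleting the scratch directory. The trust step is the one people trip over when scripting: leaving it out does not make encryption insecure, it makes it fail, because batch mode cannot answer the "use this key anyway?" prompt.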
Shell
- gpg --edit-key ...@... opens an interactive shell for that key; help lists the commands and save writes your changes
- trust to make an imported public key usable for encryption (choose 5 = ultimate for keys you generated yourself; this is your own trust decision and is stored in trustdb.gpg, not in the key)
- expire to update expiry of a secret key; with no subkey selected it acts on the primary key
  - key 1 to select the first subkey (e.g. the encryption subkey), then run expire again for it; key 1 a second time deselects it
- passwd to change the passphrase of a secret key
Agent
- gpg-connect-agent <<<help for a list of commands
  - gpg-connect-agent <<<'help ...' for help on a specific command
- gpg-connect-agent <<<reloadagent to pick up new config
  - this also forgets cached passphrases
- gpg-connect-agent <<<'keyinfo --list' to check which keys (by keygrip) are currently unlocked; the line format is KEYINFO keygrip type serialno idstr cached protection ..., so look for a 1 in the cached column
  - note that all keys with the same passphrase are effectively unlocked even if this shows just one of them is, because the agent also tries the most recently cached passphrase when another key needs unlocking
  - gpg --list-secret-keys --with-keygrip to show what keygrips your secret keys have
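To turn the two listings above into a single answer ("which of my keys is unlocked right now?"), here is an added example in bash that parses gpg-agent's KEYINFO status lines and joins them with the --with-colons form of the keygrip listing. It is not code from this page or from GnuPG. The two sample outputs are constructed for the demo; the keygrips, key ids, fingerprints and user id are not real keys.

```shell
#!/usr/bin/env bash
# Added example, not code from the YM2149.org page: parse the status
# lines gpg-agent returns for `keyinfo --list` and join them with
# `gpg --list-secret-keys --with-colons --with-keygrip` to report which
# of your secret keys is currently unlocked. The two samples below are
# constructed for the demo; the keygrips, key ids and user id are not real.
set -eu

# gpg-agent's KEYINFO line layout (fields after "S KEYINFO"):
#   <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# type D = on disk, T = on a token; cached 1 = passphrase held by the agent.
SAMPLE_KEYINFO='S KEYINFO 1F0C7A5E2B8D9C3E4F5A6B7C8D9E0F1A2B3C4D5E D - - 1 P - - -
S KEYINFO A0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8B9 D - - - P - - -
S KEYINFO 0F9E8D7C6B5A4F3E2D1C0B9A8F7E6D5C4B3A2F1E T D2760001240103040006123456780000 OPENPGP.1 - - - - -
OK'

# Colon listing: sec/ssb carry the key id in field 5; the grp line that
# follows carries that key's keygrip in field 10.
SAMPLE_LISTING='sec:u:255:22:5A6B7C8D9E0F1A2B:1700000000:1731536000::u:::cESCA:::+:::ed25519:::0:
fpr:::::::::C0FFEE0000000000000000005A6B7C8D9E0F1A2B:
grp:::::::::1F0C7A5E2B8D9C3E4F5A6B7C8D9E0F1A2B3C4D5E:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Demo <demo@example.invalid>::::::::::0:
ssb:u:255:18:9E0F1A2B3C4D5E6F:1700000000:1731536000:::::e:::+:::cv25519::
fpr:::::::::C0FFEE0000000000000000009E0F1A2B3C4D5E6F:
grp:::::::::A0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8B9:'

# Keygrips whose cached column is 1 (stdin = keyinfo output).
unlocked_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Join: one "<keygrip> <sec|ssb> <keyid>" line per unlocked key.
# $1 = keyinfo output, $2 = colon listing.
report_unlocked() {
    local grips
    grips=$(printf '%s\n' "$1" | unlocked_keygrips | tr '\n' ' ')
    printf '%s\n' "$2" | awk -F: -v grips="$grips" '
        BEGIN { n = split(grips, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        $1 == "sec" || $1 == "ssb" { kind = $1; kid = $5 }
        $1 == "grp" && ($10 in want) { print $10, kind, kid }'
}

# Same report against the live agent: gpg-connect-agent takes the command
# as an argument and /bye closes the connection.
live_report() {
    report_unlocked "$(gpg-connect-agent 'keyinfo --list' /bye)" \
                    "$(gpg --list-secret-keys --with-colons --with-keygrip)"
}

report_unlocked "$SAMPLE_KEYINFO" "$SAMPLE_LISTING"
# prints: 1F0C7A5E2B8D9C3E4F5A6B7C8D9E0F1A2B3C4D5E sec 5A6B7C8D9E0F1A2B
```

Run live_report on a real system to see your own keys. Read the result as a lower bound: a "-" in the cached column only says the agent has no entry for that keygrip, and as noted above a key that shares its passphrase with an unlocked one can still be used without a prompt.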