GPG: Difference between revisions

Latest revision as of 08:16, 23 February 2025

~/.gnupg/gpg-agent.conf
- ~/.gnupg should have 700 permissions
default-cache-ttl ... to lock a key after the given number of seconds if unused
max-cache-ttl ... to lock a key after the given number of seconds no matter what

typically you will generate a secret key per account and system for decryption, and copy its public key to other places for encryption there
gpg --full-generate-key to make a new key
- you should specify an expiry e.g. 1 year, this can always be extended
gpg --output payload --export ...@... to dump its public key
gpg --import payload on a target system to import the public key
- then you need to trust it, see below

when upgrading a server for example, key material including secrets can be exported from a backup using --homedir

gpg-connect-agent <<<help for list of commands
- gpg-connect-agent <<<'help ...' for help on a specific command
gpg-connect-agent <<<reloadagent to pick up new config
- this also forgets cached passphrases
gpg-connect-agent <<<'keyinfo --list' to check which keys (by keygrip) are currently unlocked, look for a 1
- note that all keys with the same passphrase are unlocked even if this shows just one of them is
- gpg --list-secret-keys --with-keygrip to show what keygrips your secret keys have

@@ Line 2: / Line 2: @@
 __TOC__
 </div>
-* also known as GNU Privacy Guard or GnuPG
+* Also known as GNU Privacy Guard or GnuPG
-* somewhat convenient way to manage your secrets
+* Relatively convenient way to manage your secrets
 == Config ==
@@ Line 43: / Line 43: @@
 ** <code>gpg --list-secret-keys --with-keygrip</code> to show what keygrips your secret keys have
+[[Category:Computing]]
 [[Category:Wisdom]]