GPG: Difference between revisions

From YM2149.org
Jump to navigationJump to search
No edit summary
No edit summary
Line 11: Line 11:


* typically you will generate a secret key per account and system for decryption, and copy its public key to other places for encryption there
* typically you will generate a secret key per account and system for decryption, and copy its public key to other places for encryption there
* <code>gpg --output payload --export ...</code> on the origin system to export a public key
* <code>gpg --full-generate-key</code> to make a new key
* <code>gpg --import payload</code> on the target system to import it
** you should specify an expiry e.g. 1 year, this can always be extended
* <code>gpg --output payload --export ...</code> to dump its public key
* <code>gpg --import payload</code> on a target system to import the public key
** then you need to trust it, see below
** then you need to trust it, see below


Line 19: Line 21:
* <code>gpg --edit-key ...</code>
* <code>gpg --edit-key ...</code>
* <code>trust</code> to make an imported public key usable for encryption
* <code>trust</code> to make an imported public key usable for encryption
* <code>expire</code> to update expiry of a secret key
* <code>passwd</code> to change the passphrase of a secret key
* <code>passwd</code> to change the passphrase of a secret key


Revision as of 17:59, 21 November 2024

  • also known as GNU Privacy Guard or GnuPG
  • somewhat convenient way to manage your secrets

Config

  • ~/.gnupg/gpg-agent.conf
  • default-cache-ttl ... to lock a key after the given number of seconds if unused
  • max-cache-ttl ... to lock a key after the given number of seconds no matter what

Share

  • typically you will generate a secret key per account and system for decryption, and copy its public key to other places for encryption there
  • gpg --full-generate-key to make a new key
    • you should specify an expiry e.g. 1 year, this can always be extended
  • gpg --output payload --export ... to dump its public key
  • gpg --import payload on a target system to import the public key
    • then you need to trust it, see below

Shell

  • gpg --edit-key ...
  • trust to make an imported public key usable for encryption
  • expire to update expiry of a secret key
  • passwd to change the passphrase of a secret key

Agent

  • gpg-connect-agent <<<help for list of commands
    • gpg-connect-agent <<<'help ...' for help on a specific command
  • gpg-connect-agent <<<reloadagent to pick up new config
    • this also forgets cached passphrases
  • gpg-connect-agent <<<'keyinfo --list' to check which keys (by keygrip) are currently unlocked, look for a 1
    • note that all keys with the same passphrase are unlocked even if this shows just one of them is
    • gpg --list-secret-keys --with-keygrip to show the keygrips of your secret keys
Retrieved from ‘https://ym2149.org/s/ym2149.org/index.php?title=GPG&oldid=426