GPG: Difference between revisions

• also known as GNU Privacy Guard or GnuPG
• somewhat convenient way to manage your secrets

Config

• ~/.gnupg/gpg-agent.conf
  • ~/.gnupg should have 700 permissions
• default-cache-ttl ... to lock a key after the given number of seconds if unused
• max-cache-ttl ... to lock a key after the given number of seconds no matter what

Share

• typically you will generate a secret key per account and system for decryption, and copy its public key to other places for encryption there
• gpg --full-generate-key to make a new key
  • you should specify an expiry e.g. 1 year, this can always be extended
• gpg --output payload --export ...@... to dump its public key
• gpg --import payload on a target system to import the public key
  • then you need to trust it, see below

Migrate

• when upgrading a server for example, key material including secrets can be exported from a backup using --homedir

Shell

• gpg --edit-key ...@...
• trust to make an imported public key usable for encryption
• expire to update expiry of a secret key
• passwd to change the passphrase of a secret key

Agent

• gpg-connect-agent <<<help for list of commands
  • gpg-connect-agent <<<'help ...' for help on a specific command
• gpg-connect-agent <<<reloadagent to pick up new config
  • this also forgets cached passphrases
• gpg-connect-agent <<<'keyinfo --list' to check which keys (by keygrip) are currently unlocked, look for a 1
  • note that all keys with the same passphrase are unlocked even if this shows just one of them is
  • gpg --list-secret-keys --with-keygrip to show what keygrips your secret keys have