GPG: Difference between revisions

Revision as of 17:14, 14 February 2025

~/.gnupg/gpg-agent.conf
- ~/.gnupg should have 700 permissions
default-cache-ttl ... to lock a key after the given number of seconds if unused
max-cache-ttl ... to lock a key after the given number of seconds no matter what

typically you will generate a secret key per account and system for decryption, and copy its public key to other places for encryption there
gpg --full-generate-key to make a new key
- you should specify an expiry e.g. 1 year, this can always be extended
gpg --output payload --export ...@... to dump its public key
gpg --import payload on a target system to import the public key
- then you need to trust it, see below

when upgrading a server for example, key material including secrets can be exported from a backup using --homedir

gpg-connect-agent <<<help for list of commands
- gpg-connect-agent <<<'help ...' for help on a specific command
gpg-connect-agent <<<reloadagent to pick up new config
- this also forgets cached passphrases
gpg-connect-agent <<<'keyinfo --list' to check which keys (by keygrip) are currently unlocked, look for a 1
- note that all keys with the same passphrase are unlocked even if this shows just one of them is
- gpg --list-secret-keys --with-keygrip to show what keygrips your secret keys have

@@ Line 30: / Line 30: @@
 * <code>trust</code> to make an imported public key usable for encryption
 * <code>expire</code> to update expiry of a secret key
+** <code>key 1</code> to select the first subkey
 * <code>passwd</code> to change the passphrase of a secret key