GPG

From YM2149.org

Revision as of 14:02, 23 January 2025 by Andrzej (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

also known as GNU Privacy Guard or GnuPG
somewhat convenient way to manage your secrets

Config

~/.gnupg/gpg-agent.conf
- ~/.gnupg should have 700 permissions
default-cache-ttl ... to lock a key after the given number of seconds if unused
max-cache-ttl ... to lock a key after the given number of seconds no matter what

Share

typically you will generate a secret key per account and system for decryption, and copy its public key to other places for encryption there
gpg --full-generate-key to make a new key
- you should specify an expiry e.g. 1 year, this can always be extended
gpg --output payload --export ...@... to dump its public key
gpg --import payload on a target system to import the public key
- then you need to trust it, see below

Migrate

when upgrading a server for example, key material including secrets can be exported from a backup using --homedir

Shell

gpg --edit-key ...@...
trust to make an imported public key usable for encryption
expire to update expiry of a secret key
passwd to change the passphrase of a secret key

Agent

gpg-connect-agent <<<help for list of commands
- gpg-connect-agent <<<'help ...' for help on a specific command
gpg-connect-agent <<<reloadagent to pick up new config
- this also forgets cached passphrases
gpg-connect-agent <<<'keyinfo --list' to check which keys (by keygrip) are currently unlocked, look for a 1
- note that all keys with the same passphrase are unlocked even if this shows just one of them is
- gpg --list-secret-keys --with-keygrip to show what keygrips your secret keys have

Retrieved from ‘https://ym2149.org/s/ym2149.org/index.php?title=GPG&oldid=444’

Wisdom

Navigation menu