gpg
GNU Privacy Guard (GnuPG) for encryption and signing (https://gnupg.org)
Show keys
Search for keys
gpg --search-keys '[email protected]'
To Encrypt a File
gpg --encrypt --recipient '[email protected]' example.txt
Export keys
Import keys
Revoke a key
Signing and Verifying files
If you are uploading files to Launchpad you may also want to include
a GPG signature file. -b makes a detached signature (the file itself is
left untouched) and -a writes it ASCII-armoured:
gpg -ba filename
or if you need to specify a particular key:
gpg --default-key <key ID> -ba filename
This then produces a file with a .asc extension, next to the original,
which can be uploaded.
If you need to set the default key more permanently then edit the
file ~/.gnupg/gpg.conf and set the default-key parameter.
To verify a downloaded file using its detached signature file (gpg
looks for the signed file under the same name without the .asc suffix;
pass the signed file's name as a second argument if it differs):
gpg --verify filename.asc
A "Good signature" line means only that the signature was made by the
key shown. It says nothing about whether that key really belongs to the
person you expect, so compare the fingerprint gpg prints with one you
obtained out of band. In scripts, remember that gpg exits 0 for a good
signature from an untrusted key as well; the trust problem appears only
as a WARNING.
Signing Public Keys
Import the public key or retrieve it from a server.
gpg --keyserver <keyserver> --recv-keys <Key_ID>
Check its fingerprint against a value obtained out of band (in person,
from a signed message, or printed on a card); never trust the copy that
came from the keyserver itself.
gpg --fingerprint <Key_ID>
Sign the key.
gpg --sign-key <Key_ID>
Upload the signed key to a server.
gpg --keyserver <keyserver> --send-key <Key_ID>
Change the email address associated with a GPG key
Creating Subkeys
Subkeys can be useful if you don't wish to have your main GPG key
installed on multiple machines. In this way you can keep your
master key safe and have subkeys with expiry periods or which may be
separately revoked installed on various machines. This avoids
generating entirely separate keys and so breaking any web of trust
which has been established.
gpg --edit-key <key ID>
At the prompt type:
addkey
Choose RSA (sign only), 4096 bits and select an expiry period.
Entropy will be gathered.
At the prompt type:
save
You can also repeat the procedure, but selecting RSA (encrypt only).
To remove the master (primary) secret key, leaving only the subkey/s in
place. Back up the complete secret key first (the Export command at the
end of this page) and keep that copy offline, because the delete step
below cannot be undone from the remaining stub:
gpg --export-secret-subkeys <subkey ID> > subkeys
gpg --export <key ID> > pubkeys
gpg --delete-secret-key <key ID>
Import the keys back.
gpg --import pubkeys subkeys
Verify the import.
gpg -K
The primary should now be listed as sec# (a stub with no secret material
on this machine) instead of sec, while the subkeys still show as ssb.
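The same check, scripted, as an added example that is not part of the original page: in `gpg -K --with-colons` output a `sec` record whose 15th field is `#` is exactly the stub that `sec#` denotes in the human-readable listing, so a script can confirm the primary is gone before the machine is put into service. The function names and the placeholder KEY_ID are this example's own; the full procedure at the bottom repeats the page's commands with a backup step in front.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that only a stub of the
# primary secret key remains after the export/delete/import dance above.
# In `gpg -K --with-colons` output field 15 of a "sec" record is "#" for a
# stub; "ssb" records whose field 15 is not "#" are subkeys with secret
# material present. Placeholder: KEY_ID = long key ID or fingerprint.

# Reads a colon-format secret-key listing on stdin and prints "offline" when
# the primary is a stub and at least one usable subkey remains, else "present".
primary_state() {
    awk -F: '
        $1 == "sec" { sec_stub = ($15 == "#") }
        $1 == "ssb" && $15 != "#" { usable_subkeys++ }
        END {
            if (sec_stub && usable_subkeys > 0) print "offline"
            else print "present"
        }'
}

# Returns 0 when the keyring for KEY_ID holds only a primary stub plus subkeys.
check_primary_offline() {
    key_id=$1
    state=$(gpg -K --with-colons "$key_id" | primary_state)
    [ "$state" = "offline" ]
}

# The page's procedure, with a full backup taken first (keep that file offline).
offline_primary() {
    key_id=$1
    gpg --export-secret-keys --armor "$key_id" > full-secret-backup.asc || return 1
    gpg --export-secret-subkeys "$key_id" > subkeys || return 1
    gpg --export "$key_id" > pubkeys || return 1
    gpg --delete-secret-key "$key_id" || return 1
    gpg --import pubkeys subkeys || return 1
    check_primary_offline "$key_id"
}
```

Run `offline_primary <key ID>` on the machine that should keep only subkeys; it exits non-zero if the primary secret key is still fully present, which is the case to catch before copying the keyring anywhere.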
High-quality options for gpg for symmetric (secret key) encryption
These options pin every choice instead of relying on the defaults:
AES-256 as the cipher; compression off, because compressing before
encrypting leaks information about the plaintext; iterated and salted
S2K (--s2k-mode 3) over SHA-512 with the maximum iteration count, to
slow down passphrase guessing; and --no-symkey-cache so that gpg-agent
does not remember the passphrase. Some of the options are harmless
but do nothing here: --digest-algo matters only if you also sign,
--cert-digest-algo only affects key signatures, and --force-mdc is
obsolete since GnuPG 2.2.8, where the MDC is always used and decryption
of data without it fails. --pinentry-mode loopback asks for the
passphrase on the terminal instead of through a pinentry dialog.
gpg \
--symmetric \
--cipher-algo aes256 \
--digest-algo sha512 \
--cert-digest-algo sha512 \
--compress-algo none -z 0 \
--s2k-mode 3 \
--s2k-digest-algo sha512 \
--s2k-count 65011712 \
--force-mdc \
--pinentry-mode loopback \
--armor \
--no-symkey-cache \
--output somefile.gpg \
somefile # to encrypt
The input to decryption is the .gpg file, and the output is the
recovered plaintext; --armor is not needed here because gpg detects
armoured input by itself. Add --no-symkey-cache on this side too if the
passphrase must not be cached by gpg-agent.
gpg \
--decrypt \
--pinentry-mode loopback \
--output somefile \
somefile.gpg # to decrypt
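The option set above wrapped into two functions, as an added example rather than code from the original page. The passphrase is read from a file descriptor instead of being passed with --passphrase on the command line (which would show it to every user on the box through ps), and the round trip is proven with cmp. It assumes a GnuPG 2.2.7 or newer gpg on PATH (that is when --no-symkey-cache appeared); the function names and the sample plaintext and passphrase are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes gpg (GnuPG >= 2.2.7).

# sym_encrypt PLAINTEXT CIPHERTEXT   -- passphrase is read from stdin (fd 0)
sym_encrypt() {
    gpg --batch --yes --symmetric \
        --cipher-algo aes256 \
        --compress-algo none -z 0 \
        --s2k-mode 3 --s2k-digest-algo sha512 --s2k-count 65011712 \
        --pinentry-mode loopback --passphrase-fd 0 \
        --no-symkey-cache --armor \
        --output "$2" "$1"
}

# sym_decrypt CIPHERTEXT PLAINTEXT   -- passphrase is read from stdin (fd 0)
sym_decrypt() {
    gpg --batch --yes --decrypt \
        --pinentry-mode loopback --passphrase-fd 0 \
        --no-symkey-cache \
        --output "$2" "$1"
}

# Round trip in a throwaway GNUPGHOME so nothing touches the real keyring.
# Prints "ok" when the ciphertext is ASCII-armoured and the decrypted file is
# byte-identical to the constructed sample input.
sym_roundtrip_demo() {
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1
    printf 'constructed sample plaintext\n' > "$work/plain"
    pass='correct horse battery staple'      # constructed test passphrase
    printf '%s\n' "$pass" | sym_encrypt "$work/plain" "$work/plain.asc" || return 1
    printf '%s\n' "$pass" | sym_decrypt "$work/plain.asc" "$work/plain.out" || return 1
    head -n 1 "$work/plain.asc" | grep -q 'BEGIN PGP MESSAGE' || return 1
    cmp -s "$work/plain" "$work/plain.out" || return 1
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo ok
}
```

In real use, feed the passphrase from a file readable only by you, for example `sym_encrypt secrets.tar secrets.tar.asc < passfile`, so it never appears in a command line or in shell history.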
Trust Own Key
https://unix.stackexchange.com/a/407070/93726
Ultimate trust (5) is meant for keys whose secret key you hold yourself;
for other people's keys choose marginal or full according to how
carefully they check identities before signing.
gpg --edit-key [email protected]
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
gpg> save
Import from lpass
Sign Others' Keys
wget http://example.com/pgp-public-key -O- | gpg --import
gpg --list-keys
The download above is unauthenticated, so compare the fingerprint with
one obtained out of band (as under Signing Public Keys) before signing:
gpg --sign-key [email protected]
Submit to keyserver
List the key with long key IDs to find the ID to submit:
gpg --keyid-format LONG --list-keys [email protected]
pub   rsa4096/ABCDEF0123456789 2018-01-01 [SCEA] [expires: 2021-01-01]
      ABCDEF0123456789ABCDEF0123456789
uid           [ ultimate ] John Doe
The value after rsa4096/ is the long key ID (the last 16 hex digits of
the fingerprint printed beneath it); pass it to --send-key as shown
under Signing Public Keys above.
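The receive, check, sign, send sequence from Signing Public Keys and from Sign Others' Keys / Submit to keyserver, scripted so that the fingerprint check cannot be skipped. This is an added example, not code from the original page. It takes the fingerprint from `gpg --with-colons` output, where the first `fpr` record after `pub` carries the primary key's fingerprint in field 10, and compares it with the expected value ignoring spacing and case. The function names and the placeholders KEYSERVER, KEY_ID and EXPECTED_FPR are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: only sign a key whose fingerprint
# matches a value obtained out of band (EXPECTED_FPR). Assumes gpg on PATH and
# network access for the keyserver steps; the parsing helpers need neither.

# Normalise a fingerprint for comparison: strip whitespace, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Extract the primary-key fingerprint from `gpg --with-colons` output on stdin.
# The first "fpr" record follows "pub" and is the primary; later "fpr" records
# belong to subkeys, so stop at the first match.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Returns 0 when the two fingerprints agree, 1 otherwise.
fpr_matches() {
    [ -n "$(norm_fpr "$1")" ] && [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# verify_and_sign KEYSERVER KEY_ID EXPECTED_FPR
# Receive the key, refuse to continue on a fingerprint mismatch, then sign and
# upload. Use the full fingerprint as KEY_ID so only one key can match.
verify_and_sign() {
    keyserver=$1; key_id=$2; expected=$3
    gpg --keyserver "$keyserver" --recv-keys "$key_id" || return 1
    actual=$(gpg --with-colons --fingerprint "$key_id" | primary_fpr_from_colons)
    if ! fpr_matches "$expected" "$actual"; then
        echo "fingerprint mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    gpg --sign-key "$key_id" || return 1
    gpg --keyserver "$keyserver" --send-key "$key_id"
}
```

Calling `verify_and_sign hkps://keys.example KEY_ID "0123 4567 ..."` with the fingerprint copied from the other channel turns the manual "check its fingerprint" step into a hard failure rather than something that is easy to gloss over when signing several keys in a row.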
Revocation Certificate
gpg --output revoke.asc --gen-revoke [email protected]
GnuPG 2.1 and later also writes one at key creation time, as
~/.gnupg/openpgp-revocs.d/<fingerprint>.rev, with a colon in front of
the first armour line so it cannot be imported by accident; remove that
colon before use. Anyone who can import the certificate can revoke the
key, so store it as carefully as the secret key itself.
Export
gpg --export-secret-keys --armor $EMAIL > /path/to/secret-key-backup.asc
The file contains the secret key (protected only by its passphrase), so
write it to an offline or encrypted medium, not to a synced directory.
Send gpg private key to another computer
Permissions
https://superuser.com/a/954536/352242
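The permissions gpg expects, as an added example that is not part of the original page: the homedir and its subdirectories owner-only (700) and every file in it, the secret keys under private-keys-v1.d included, owner-only (600); anything looser makes gpg print "unsafe permissions on homedir". The function names are this example's own, the directory defaults to ~/.gnupg, and the checker relies only on POSIX find, ls and cut.

```shell
#!/bin/sh
# Added example, not from the original page: tighten and audit ~/.gnupg.

# Make the directory, every subdirectory (700) and every file (600) owner-only.
fix_gnupg_perms() {
    dir=${1:-"$HOME/.gnupg"}
    [ -d "$dir" ] || return 1
    chmod 700 "$dir" || return 1
    find "$dir" -type d -exec chmod 700 {} + || return 1
    find "$dir" -type f -exec chmod 600 {} + || return 1
}

# Print every path under the directory that grants any group or other
# permission (characters 5-10 of the ls -l mode string), one per line, and
# return 1; print nothing and return 0 when everything is owner-only.
check_gnupg_perms() {
    dir=${1:-"$HOME/.gnupg"}
    [ -d "$dir" ] || return 1
    bad=$(find "$dir" -print | while IFS= read -r p; do
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$mode" in
            ????------) ;;                       # owner-only: fine
            *) printf '%s %s\n' "$mode" "$p" ;;  # group/other bits set
        esac
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Run `check_gnupg_perms` after copying a keyring between machines or restoring from a backup, since tar, scp and cloud sync tools often recreate the files with the default umask rather than the modes gpg wants.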