GnuPG

From Han Wiki
Jump to navigation Jump to search
  • Last tested on Ubuntu 16.04.5 LTS + GnuPG 2.1.11 (2018-09-04)

Cookbook

Create a new key

$ gpg --gen-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Michael Han
Email address: mhan@domain.com
You selected this USER-ID:
    "Michael Han <mhan@domain.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...


Useful commands

// list the keys in the public ring
$ gpg --list-keys

// generate a revocation certificate
$ gpg --output revoke.asc --gen-revoke mykey

// generate a binary file (public key)
$ gpg --output mhankey.gpg --export mhan

// generate in ASCII-armored format
$ gpg --armor --export mhan


// add a key to public key ring
$ gpg --import didi.gpg

// validate
$ gpg --edit-key didi
Command> fpr
// after verifying fingerprint w/ owner
Command> sign
// check signature
Command> check

// change passphrase
$ gpg --edit-key didi
Command> passwd
// save
Command> save

// encrypt [and compress] a document
$ gpg --output filename.gpg --encrypt --recipient didi filename.doc

// decrypt a file
$ gpg --output filename.doc --decrypt filename.gpg

// symmetric cipher to encrypt
$ gpg --output filename.gpg --symmetric filename.doc


// create a signature for a document
$ gpg --output doc.sig --sign doc

// verify & extract doc
$ gpg --output doc --decrypt doc.sig

// clearsign document
$ gpg --clearsign doc

// create a deteached signature for a doc
$ gpg --output doc.sig --detach-sig doc

// verify the signature against the doc
$ gpg --verify doc.sig doc

Key management

adduid
add new user ID
uid, key
select UID or a key
deluid, delkey
delete UID or a key
revuid, revkey
revoke UID or a key
expire
update expiration time


in order to import a private key on a different machine.

// export the key using an ASCII-armored format
$ gpg --export-secret-keys -a mhan@mhan.net > pkey.asc

// copy to a target machine, and then on the target machine
$ gpg --import pkey.asc

Note: if key already existed, you may need to delete 'em via --delete-keys or --delete-secret-keys

Key distribution

// retrieve a key
$ gpg --keyserver certserver.pgp.com --recv-key 0xBB7576AC

// send a key
$ gpg --keyserver certserver.pgp.com --send-key mhan

Configuration

Change default cipher by adding the following to ~/.gnupg/gpg.conf

cipher-algo AES256

Troubleshooting

Kill any running agents

$ gpgconf --kill gpg-agent


Reset agent as a user

$ gpg-connect-agent RESET /bye


If you get Inappropriate ioctl for device you can add export GPG_TTY=$(tty) to either ~/.bashrc or ~/.profile (or ~/.bash_profile).

Keyservers

Links