GnuPG: Difference between revisions
→Troubleshooting: gpg-connect-agent RESET /bye |
|||
(8 intermediate revisions by the same user not shown) | |||
Line 56: | Line 56: | ||
Command> check | Command> check | ||
// change passphrase | |||
$ gpg --edit-key didi | |||
Command> passwd | |||
// save | |||
Command> save | |||
// encrypt [and compress] a document | // encrypt [and compress] a document | ||
Line 82: | Line 87: | ||
$ gpg --verify doc.sig doc | $ gpg --verify doc.sig doc | ||
</source> | </source> | ||
== Key management == | == Key management == | ||
Line 97: | Line 101: | ||
: update expiration time | : update expiration time | ||
in order to import a private key on a different machine. | |||
<source lang="console"> | |||
// export the key using an ASCII-armored format | |||
$ gpg --export-secret-keys -a mhan@mhan.net > pkey.asc | |||
// copy to a target machine, and then on the target machine | |||
$ gpg --import pkey.asc | |||
</source> | |||
Note: if key already existed, you may need to delete 'em via '''--delete-keys''' or '''--delete-secret-keys''' | |||
== Key distribution == | == Key distribution == | ||
Line 107: | Line 123: | ||
$ gpg --keyserver certserver.pgp.com --send-key mhan | $ gpg --keyserver certserver.pgp.com --send-key mhan | ||
</source> | </source> | ||
= Configuration = | |||
Change default cipher by adding the following to <span>~/.gnupg/gpg.conf</span class="package"> | |||
<source lang="console"> | |||
cipher-algo AES256 | |||
</source> | |||
= Troubleshooting = | |||
Kill any running agents | |||
<source lang="console"> | |||
$ gpgconf --kill gpg-agent | |||
</source> | |||
Reset agent as a user | |||
<source lang="console"> | |||
$ gpg-connect-agent RESET /bye | |||
</source> | |||
If you get ''Inappropriate ioctl for device'' you can add '''export GPG_TTY=$(tty)''' to either ~/.bashrc or ~/.profile (or ~/.bash_profile). | |||
= Keyservers = | = Keyservers = | ||
Line 119: | Line 161: | ||
* http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/ | * http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/ | ||
* [https://eligible.com/blog/commit-signing-with-git-hub-keybase-and-gpg/ Commit Signing With Git, Hub, Keybase, and GPG] |
Latest revision as of 14:21, 18 September 2020
- Last tested on Ubuntu 16.04.5 LTS + GnuPG 2.1.11 (2018-09-04)
Cookbook
Create a new key
$ gpg --gen-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: Michael Han
Email address: mhan@domain.com
You selected this USER-ID:
"Michael Han <mhan@domain.com>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
Useful commands
// list the keys in the public ring
$ gpg --list-keys
// generate a revocation certificate
$ gpg --output revoke.asc --gen-revoke mykey
// generate a binary file (public key)
$ gpg --output mhankey.gpg --export mhan
// generate in ASCII-armored format
$ gpg --armor --export mhan
// add a key to public key ring
$ gpg --import didi.gpg
// validate
$ gpg --edit-key didi
Command> fpr
// after verifying fingerprint w/ owner
Command> sign
// check signature
Command> check
// change passphrase
$ gpg --edit-key didi
Command> passwd
// save
Command> save
// encrypt [and compress] a document
$ gpg --output filename.gpg --encrypt --recipient didi filename.doc
// decrypt a file
$ gpg --output filename.doc --decrypt filename.gpg
// symmetric cipher to encrypt
$ gpg --output filename.gpg --symmetric filename.doc
// create a signature for a document
$ gpg --output doc.sig --sign doc
// verify & extract doc
$ gpg --output doc --decrypt doc.sig
// clearsign document
$ gpg --clearsign doc
// create a deteached signature for a doc
$ gpg --output doc.sig --detach-sig doc
// verify the signature against the doc
$ gpg --verify doc.sig doc
Key management
- adduid
- add new user ID
- uid, key
- select UID or a key
- deluid, delkey
- delete UID or a key
- revuid, revkey
- revoke UID or a key
- expire
- update expiration time
in order to import a private key on a different machine.
// export the key using an ASCII-armored format
$ gpg --export-secret-keys -a mhan@mhan.net > pkey.asc
// copy to a target machine, and then on the target machine
$ gpg --import pkey.asc
Note: if key already existed, you may need to delete 'em via --delete-keys or --delete-secret-keys
Key distribution
// retrieve a key
$ gpg --keyserver certserver.pgp.com --recv-key 0xBB7576AC
// send a key
$ gpg --keyserver certserver.pgp.com --send-key mhan
Configuration
Change default cipher by adding the following to ~/.gnupg/gpg.conf
cipher-algo AES256
Troubleshooting
Kill any running agents
$ gpgconf --kill gpg-agent
Reset agent as a user
$ gpg-connect-agent RESET /bye
If you get Inappropriate ioctl for device you can add export GPG_TTY=$(tty) to either ~/.bashrc or ~/.profile (or ~/.bash_profile).
Keyservers
- http://pool.sks-keyservers.net (seems to redirect to somewhere on http protocol)
- http://na.pool.sks-keyservers.net
- https://keyserver.2ndquadrant.com/ (aka http://eu.pool.sks-keyservers.net)
- http://oc.pool.sks-keyservers.net/
- *.pool.sks-keyservers.net: p80, ipv4, ipv6, subset