GPG
From YM2149.org
- Also known as GNU Privacy Guard or GnuPG
- Alternative to keychain/keyring for managing your secrets
Config
- ~/.gnupg should have 700 permissions
- ~/.gnupg/gpg-agent.conf
  - default-cache-ttl ... to lock a key after the given number of seconds if unused
  - max-cache-ttl ... to lock a key after the given number of seconds no matter what
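An added example, not part of the wiki page: a small sh checker for the two points above. It verifies that the directory is mode 700 and that gpg-agent.conf sets both TTLs, with max-cache-ttl at least as large as default-cache-ttl (otherwise the hard limit fires first and the idle setting never matters). The fixture it builds (temporary directory and config contents) is constructed for illustration.

```sh
# Added example, not from the wiki: check a GnuPG home directory against the two
# points above (mode 700, and gpg-agent.conf setting both cache TTLs).
# The directory path is a parameter; the fixture config below is constructed.

# Print the last value of a numeric option from a gpg-agent.conf style file
# (lines are "option value", '#' starts a comment). Prints nothing if unset.
conf_opt() {
  sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" "$2" | tail -n 1
}

# Report problems on stdout; exit status is the number of problems (0 = clean).
check_gnupg_home() {
  home=$1
  problems=0

  # Read the mode string from ls -ld rather than stat(1), whose flags differ between GNU and BSD.
  mode=$(ls -ld "$home" | cut -c1-10)
  if [ "$mode" != "drwx------" ]; then
    echo "$home: mode is $mode, want drwx------ (chmod 700)"
    problems=$((problems + 1))
  fi

  conf=$home/gpg-agent.conf
  if [ ! -f "$conf" ]; then
    echo "$conf: missing, the agent runs with its built-in defaults"
    return $((problems + 1))
  fi

  def=$(conf_opt default-cache-ttl "$conf")
  max=$(conf_opt max-cache-ttl "$conf")
  if [ -z "$def" ]; then
    echo "$conf: default-cache-ttl not set"
    problems=$((problems + 1))
  fi
  if [ -z "$max" ]; then
    echo "$conf: max-cache-ttl not set"
    problems=$((problems + 1))
  fi
  # The hard limit should not be shorter than the idle limit, or the idle limit never applies.
  if [ -n "$def" ] && [ -n "$max" ] && [ "$max" -lt "$def" ]; then
    echo "$conf: max-cache-ttl ($max) is shorter than default-cache-ttl ($def)"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Constructed fixture: a correctly permissioned home with a 10 minute idle / 2 hour hard limit.
make_fixture() {
  dir=$(mktemp -d)
  chmod 700 "$dir"
  cat > "$dir/gpg-agent.conf" <<'EOF'
# lock an unused key after 10 minutes
default-cache-ttl 600
# lock it after 2 hours no matter what
max-cache-ttl 7200
EOF
  echo "$dir"
}
```

Run it against the real directory with check_gnupg_home ~/.gnupg; the exit status is the number of findings, so it slots into a login script or a host check.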
- Typically you will generate a secret key per account and system for decryption, and copy its public key to other places for encryption there
- gpg --full-generate-key to make a new key
  - You should specify an expiry e.g. 1 year, this can always be extended
- gpg --output payload --export ...@... to dump its public key
- gpg --import payload on a target system to import the public key
  - Then you need to trust it, see below
Migrate
- When upgrading a server for example, key material including secrets can be exported from a backup copy of ~/.gnupg by pointing gpg at it with --homedir
Shell
- gpg --edit-key ...@...
  - trust to make an imported public key usable for encryption
  - expire to update expiry of a secret key
  - key 1 to select the first subkey
  - passwd to change the passphrase of a secret key
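An added example, not the wiki's own: the generate / export / import procedure from Config and the trust step from the Shell section, run end to end with two throwaway GNUPGHOME directories standing in for the two systems. Trust is set non-interactively with --import-ownertrust rather than the trust prompt inside --edit-key, which is the only substitution; the user id, file names and message are constructed.

```sh
# Added example, not from the wiki: generate a key with an expiry on the "source"
# home, export its public key, import and trust it on the "target" home, then
# encrypt on the target and decrypt on the source. Everything lives under a
# temporary directory; the agents gpg starts are killed at the end.
set -e

KEY_UID='Example Key <example@example.invalid>'   # constructed user id
EMAIL=example@example.invalid

# Run gpg against one of the two homes: gpg_in <home> <args...>
gpg_in() { h=$1; shift; GNUPGHOME=$h gpg --batch --quiet "$@"; }

# Carry out the whole lifecycle; prints the decrypted message on success.
gpg_roundtrip() {
  work=$(mktemp -d)
  src=$work/source   # the machine that keeps the secret key
  dst=$work/target   # the machine that only needs to encrypt
  mkdir -m 700 "$src" "$dst"

  # 1. Generate a key with a 1 year expiry (extendable later with --edit-key expire).
  #    --passphrase '' gives an unprotected key so the example needs no pinentry.
  gpg_in "$src" --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$KEY_UID" default default 1y

  # 2. Dump the public key into "payload" and import it on the target.
  gpg_in "$src" --output "$work/payload" --export "$EMAIL"
  gpg_in "$dst" --import "$work/payload"

  # 3. Trust it there: ownertrust 6 (ultimate) on the primary key's fingerprint,
  #    read from the first 'fpr' record of the colon-separated listing.
  fpr=$(gpg_in "$dst" --with-colons --list-keys "$EMAIL" | awk -F: '$1 == "fpr" { print $10; exit }')
  printf '%s:6:\n' "$fpr" | gpg_in "$dst" --import-ownertrust

  # 4. Encrypt on the target with the imported public key, decrypt on the source.
  printf 'hello from target\n' \
    | gpg_in "$dst" --encrypt --recipient "$EMAIL" \
    | gpg_in "$src" --pinentry-mode loopback --passphrase '' --decrypt

  # Clean up the agents that gpg started for each home, then the homes themselves.
  GNUPGHOME=$src gpgconf --kill gpg-agent
  GNUPGHOME=$dst gpgconf --kill gpg-agent
  rm -rf "$work"
}
```

Call gpg_roundtrip on a machine with gpg installed; it never touches ~/.gnupg. Without the ownertrust step, the batch-mode encrypt in step 4 fails on an unusable public key, which is the "then you need to trust it" point above made visible.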
Agent
- gpg-connect-agent <<<help for a list of commands
- gpg-connect-agent <<<'help ...' for help on a specific command
- gpg-connect-agent <<<reloadagent to pick up new config
  - This also forgets cached passphrases
- gpg-connect-agent <<<'keyinfo --list' to check which keys (by keygrip) are currently unlocked, look for a 1
  - Note that all keys with the same passphrase are unlocked even if this shows just one of them is
- gpg --list-secret-keys --with-keygrip to show what keygrips your secret keys have
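An added example, not the wiki's own, that joins the last two bullets: it pulls the keygrips carrying a 1 in the cached column out of keyinfo --list output and maps them to key ids through the --with-colons form of the keygrip listing. The sample lines for both outputs are constructed (made-up keygrips and key ids, laid out according to the formats gpg-agent and gpg document); the comment shows how to feed it live output. The caveat above still applies: a key that does not show as cached may be usable anyway if it shares a passphrase with one that does.

```sh
# Added example, not from the wiki: report which secret keys the agent has
# unlocked, by key id, from 'keyinfo --list' and the keygrip listing.
# Live use (bash here-strings, as in the notes above):
#   report_unlocked "$(gpg-connect-agent <<<'keyinfo --list')" \
#                   "$(gpg --list-secret-keys --with-keygrip --with-colons)"

# Constructed sample of 'keyinfo --list'. Each line is
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
# and the wiki's "look for a 1" refers to the <cached> column.
sample_keyinfo() {
  cat <<'EOF'
S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 D - - - P - - -
OK
EOF
}

# Constructed, abbreviated --with-colons listing: 'sec'/'ssb' records carry the key id
# in field 5 and each is followed by a 'grp' record with its keygrip in field 10.
sample_listing() {
  cat <<'EOF'
sec:u:3072:1:AABBCCDDEEFF0011:1700000000:1731536000::u:::scESC:::+:::23::0:
fpr:::::::::1122334455667788990011223344556677889900:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example Key <example@example.invalid>::::::::::0:
ssb:u:3072:1:1122334455667788:1700000000:1731536000:::::e:::+:::23:
fpr:::::::::AABBCCDDEEFF00112233445566778899AABBCCDD:
grp:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Keygrips with a cached passphrase, one per line (the ones with a 1 against them).
unlocked_keygrips() {
  awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Print "<keyid> <keygrip>" for each unlocked key. $1 = keyinfo text, $2 = listing text.
report_unlocked() {
  printf '%s\n' "$1" | unlocked_keygrips | while IFS= read -r grip; do
    printf '%s\n' "$2" | awk -F: -v grip="$grip" '
      $1 == "sec" || $1 == "ssb" { keyid = $5 }
      $1 == "grp" && $10 == grip { print keyid, grip }'
  done
}
```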
SSH
When attempting to decrypt something on another machine via ssh this can hang and eventually time out, presumably because a passphrase dialog pops up there (perhaps caused by earlier locking the screen on that machine instead of logging out?). One solution is to set DBUS_SESSION_BUS_ADDRESS to garbage, in which case gpg appears to fall back to console-mode passphrase entry. A more sophisticated option is to install a custom pinentry program that delegates to pinentry-curses when an ssh session is detected.
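An added example of that custom pinentry, not the wiki's own script. One detail matters for the design: gpg-agent starts the pinentry from its own environment and does not pass the client's SSH_* variables along, but it does forward PINENTRY_USER_DATA, so the ssh session marks itself through that variable and the wrapper keys off it. The script name pinentry-auto, its install path and the PINENTRY_GUI override are assumptions.

```sh
#!/bin/sh
# Added example, not from the wiki: a pinentry wrapper that delegates to
# pinentry-curses for ssh sessions and to the usual pinentry otherwise.
# Assumed names: installed as ~/.local/bin/pinentry-auto; PINENTRY_GUI may
# override the non-ssh program.
#
# Setup:
#   ~/.gnupg/gpg-agent.conf:   pinentry-program /home/you/.local/bin/pinentry-auto
#   ~/.profile on the server:  [ -n "$SSH_CONNECTION" ] && export PINENTRY_USER_DATA=USE_CURSES=1
#                              export GPG_TTY=$(tty)
#   then:                      gpg-connect-agent <<<reloadagent

# Pick the real pinentry from the environment alone, so this can be tested without gpg.
choose_pinentry() {
  case "${PINENTRY_USER_DATA:-}" in
    *USE_CURSES=1*) echo pinentry-curses ;;
    *) echo "${PINENTRY_GUI:-pinentry}" ;;
  esac
}

# Replace this process with the chosen pinentry, passing gpg-agent's arguments through.
run_pinentry() { exec "$(choose_pinentry)" "$@"; }

# Hand off only when running under the installed name; sourcing the file for tests does nothing.
case "${0##*/}" in
  pinentry-auto) run_pinentry "$@" ;;
esac
```

GPG_TTY has to be exported in the ssh session because gpg reports that terminal to the agent, and that is where pinentry-curses draws its prompt; without it the curses pinentry has no terminal to use and the same hang comes back.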