Gpg keys
Basics
GPG keys are what you use to encrypt/decrypt text.
A user account will frequently have several public keys installed by other programs (ex: tor)
It is strongly encouraged to work with keys in a hierarchy.
- Day-to-day you interact with a master key
- Underneath it are several subkeys, limited in scope.
GPG keys can be assigned multiple identities.
Manage
gpg --list-keys          # list all keys
gpg --list-public-keys   # list pub keys
gpg --list-secret-keys   # list prv keys
Export
# export public-key
gpg \
  --armor `# (opt) only ascii chars` \
  --export foo@domain.com `# export` \
  --homedir ~/foo-gpg `# (opt) alt homedir` \
  > foo@domain.com.pub

# export private-key
gpg \
  --armor `# (opt) only ascii chars` \
  --export-secret-keys foo@domain.com \
  --homedir ~/foo-gpg `# (opt) alt homedir` \
  > foo@domain.com.prv
Import
# import key (pub/prv)
gpg --import keyname.pub

# trust imported key
gpg --edit-key keyname
> trust
> 5
> quit

# scripted trust imported key
echo -e "5\ny\n" | gpg --command-fd 0 --edit-key keyname trust
Create Keys
Create Master Keys
Create a Key
gpg --full-generate-key   # gen key with all options
gpg --gen-key             # gen key with basic options
# choices:
#   user:  name of gpgkey
#   email: user@server.com (it doesn't really matter)
Create a Revocation Certificate
# If you will be sharing this key with a keyserver,
# Revocation-Certs are a lever you can pull to stop your key
# from being abused if it is ever stolen.
#
# Keep a designated backup USB (offline) to
# store your revocation certificate
#
# Choose Reason '0' since you do not yet know why you
# are revoking the cert.
gpg \
  --output revoke.asc \
  --gen-revoke user@domain.com
Master/Sub Keys
Create multiple purpose-built master gpg-keys on a usb stick.
Export and add subkeys on devices.
Subkeys can be revoked or replaced, but the parent signature remains valid.
Keep history of subkeys, or you cannot decrypt old messages.
NOTE: Primarily useful for publicly exposed keys, for the ability to revoke.
Creation
create usb media
# partition-table
sudo fdisk /dev/sdb
  g   # create gpt table
  n   # create partition
  t   # 11 (microsoft basic data)
  w   # write

# create filesystem on the partition
sudo mkfs.fat /dev/sdb1

# mount, owned by current user
sudo mount -o uid=`id -u`,gid=`id -g` /dev/sdb1 /mnt/usb

# create gpg homedir (-p also creates /mnt/usb/gpg)
mkdir -p /mnt/usb/gpg/${keyname}
create master key
# create master key (WITH PASSPHRASE)
gpg --homedir /mnt/usb/gpg/${keyname} --gen-key

# prefer stronger hashes
gpg --homedir /mnt/usb/gpg/${keyname} --edit-key user@domain.com
gpg> setpref SHA512 SHA384 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP
gpg> save

# create revocation cert
gpg --homedir /mnt/usb/gpg/${keyname} \
  --output '/mnt/usb/user@domain.com.gpg-revocation-certificate' \
  --gen-revoke user@domain.com
gpg> 1   # key has been compromised
gpg>     # description
create subkey
# create signing key
gpg --homedir /mnt/usb/gpg/${keyname} \
  --edit-key user@domain.com
gpg> addkey
gpg> 4      # RSA (sign only)
gpg> 4096   # max size
gpg> 0      # does not expire
gpg> save

# export the secret subkeys (all subkeys of this key, the primary is not included)
gpg --homedir /mnt/usb/gpg/${keyname} \
  --armor \
  --export-secret-subkeys user@domain.com \
  > /mnt/usb/gpg/${keyname}.gpg.subkey
Usage
import subkey onto machine
# import onto your machine (encrypt/decrypt)
gpg --import /mnt/usb/gpg/${keyname}.gpg.subkey

# trust imported key
gpg --edit-key user@domain.com
> trust
> 5
> quit
encrypt/decrypt using subkey
# encrypt, then decrypt again
echo foo \
  | gpg --encrypt -r user@domain.com `# encrypt` \
  | gpg --decrypt `# decrypt`
Subkey Revocation
revoke
I haven't used this yet.
gpg --import /mnt/usb/
gpg --edit-key user@domain.com
gpg> key 1    # select first subkey
gpg> key 2    # select second subkey
gpg> revkey   # revoke selected
gpg> save
# distribute revoked key to a keyserver
Expired Keys
Change Expiry date on an existing public key (private keys don't expire)
gpg --list-secret-keys
gpg --edit-key foo@example.com
key 1    # choose from displayed keys
expire   # set expiry date, or '0' for never
save
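The master/subkey layout above (primary kept on the usb, subkeys on the machine, old subkeys kept for decryption) and the expiry handling can be checked rather than trusted. This is an added example, not part of the original notes: it parses the machine-readable output of `gpg --list-secret-keys --with-colons --with-secret` and reports what does not match. The listing is constructed, and the key ids in it are placeholders.

```python
# Added example, not from the original notes: audit a day-to-day machine's
# keyring for the layout above. Input is `gpg --list-secret-keys --with-colons
# --with-secret`; colon fields (1-indexed, per gnupg DETAILS): 1 type, 2 validity,
# 5 key id, 7 expiry (epoch, empty = never), 12 capabilities, 15 token serial
# ('#' = the secret key is only an offline stub).
import time

# Constructed sample: stub primary, valid signing subkey, expired encryption
# subkey, revoked subkey.
SAMPLE = """\
sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA:::#:::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000000::user@domain.com::::::::::0:
ssb:u:4096:1:1111111111111111:1600000000::::::s:::+:::23:
ssb:e:4096:1:2222222222222222:1600000000:1650000000:::::e:::+:::23:
ssb:r:4096:1:3333333333333333:1600000000::::::e:::+:::23:
"""

def record(f):
    """Keep only the fields the audit needs from one sec/ssb (or pub/sub) line."""
    return {"keyid": f[4], "validity": f[1], "caps": f[11],
            "expires": int(f[6]) if f[6] else None,
            "stub": len(f) > 14 and f[14] == "#"}

def parse_keys(listing):
    """Group each primary key with the subkeys listed after it."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "pub"):
            keys.append({"primary": record(f), "subkeys": []})
        elif f[0] in ("ssb", "sub") and keys:
            keys[-1]["subkeys"].append(record(f))
    return keys

def audit(listing, now=None):
    """Return (keyid, finding) pairs; an empty list means the keyring looks right."""
    now = time.time() if now is None else now
    findings = []
    for key in parse_keys(listing):
        primary = key["primary"]
        if not primary["stub"]:   # master secret material should live on the usb only
            findings.append((primary["keyid"], "primary secret key present on this machine"))
        for sk in key["subkeys"]:
            if sk["validity"] == "r":
                findings.append((sk["keyid"], "subkey revoked"))
            elif sk["validity"] == "e" or (sk["expires"] is not None and sk["expires"] < now):
                note = "subkey expired"
                if "e" in sk["caps"]:   # old ciphertext needs this key: keep it, add a new one
                    note += "; keep it to decrypt old messages"
                findings.append((sk["keyid"], note))
    return findings
```

Run it against a real listing with `audit(subprocess.check_output(["gpg", "--list-secret-keys", "--with-colons", "--with-secret"], text=True))`.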
Delete Keys
gpg --delete-keys keyname
gpg --delete-secret-keys keyname
gpg --delete-secret-and-public-key keyname