GPG
GPG Usage
Create key
gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: B.Laataap
Email address: blaat@blaataap.com
Comment:
You selected this USER-ID:
"B.Laataap <blaat@blaataap.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key CDD08EA81B7CDB54 marked as ultimately trusted
gpg: revocation certificate stored as '/home/blaataap/.gnupg/openpgp-revocs.d/54416CDD6EAD400437DC4A97CDD08EA81B7CDB54.rev'
public and secret key created and signed.
pub rsa4096 2020-11-02 [SC]
54416CDD6EAD400437DC4A97CDD08EA81B7CDB54
uid B.Laataap <blaat@blaataap.com>
sub rsa4096 2020-11-02 [E]
Edit key
gpg --edit-key blaat@blaataap.com
Export key
gpg --output blaataap.gpg --armor --export blaat@blaataap.com
gpg --send-keys --keyserver hkp://pgp.mit.edu 54416CDD6EAD400437DC4A97CDD08EA81B7CDB54
Search key
gpg --keyserver keyserver.ubuntu.com --search 1B7CDB54
gpg --keyserver pgp.mit.edu --search blaat@blaataap.com
Encrypting
gpg --encrypt-files --recipient blaat@blaataap.com <filename>
#!/bin/sh
FILES=${1:-$(find . -type f \( -name '*secret.tfvars' -o -name '*.ovpn' \) )}
echo ${FILES}
gpg --encrypt-files \
--yes \
--recipient blaat@blaataap.com \
${FILES}
if [ $FILES = "bla.txt" ]; then
while true; do
read -p "Do you wish to delete this file?" yn
case $yn in
[Yy]* ) echo ${FILES}; rm ${FILES}; exit;;
[Nn]* ) echo "ok, no delete for you!"; exit;;
* ) echo "Please answer yes or no.";;
esac
done
fi
Decrypting
gpg --yes --decrypt-files testfile.gpg
#!/bin/sh
# first parameter: specify otherwise it will use find1:
FILES=${1:-$(find . -type f \( -name '*secret.tfvars' -o -name '*.ovpn' \) )}
gpg --decrypt-files \
--yes \
--recipient blaat@blaataap.com \
${FILES}
List public keys
gpg -k
gpg -k <keyring file>
gpg --list-keys
List private keys
gpg -K
gpg --list-secret-keys user@example.com
gpg --keyserver hkp://keys.gnupg.net/ --search-key 'blaat@blaataap.com'
The 8 characters at the end are the key id.
Exporting keys
gpg --armor --export > public.asc
gpg --armor --export-secret-keys > secret.asc
gpg --export-ownertrust > trustdb
Importing keys
gpg --import /location/public.asc /location/private.asc
gpg --import-ownertrust /location/trustdb
Deleting keys
gpg --delete-key <name>
gpg --delete-secret-key <name>
Printing fingerprints
gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}'
Trust the keys noninteractive in batch
Trusting a key involves going through a menu, setting a trust level and confirming that. Using the flag --command-fd 0 we instruct GnuPG to accept input from STDIN, thus allowing us to use a pipe with the correct input. The following command batch trusts all keys ultimately:
for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key $fpr trust; done
Signing the keys noninteractively in batch mode
Signing the keys tells other people that we verified the identity of the key owners and trusting their keys, confirming that with a signature of our own key.
for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "y\ny\n" | gpg --command-fd 0 --expert --edit-key $fpr sign; done
Publishing the keys to a keyserver noninteractive in batch mode
Trusted and signed keys can be published to a keyserver:
for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); do gpg --send-keys --keyserver pool.sks-keyservers.net $fpr; done
Loops inspired by: https://raymii.org/s/articles/GPG_noninteractive_batch_sign_trust_and_send_gnupg_keys.html
Copying the Key Files Directly
If you are on Linux, you should find the original keys in .gnupg. This directory should have files like pubring.gpg, secring.gpg and a few other files.
Either the individual keys, or the entire directory can be copied into a different computer’s home directory.
If you want the collected public keys to stay synchronized between computers, you could put the .gnupg folder onto a portable drive, and then softlink to it to it with the command
ln -s /drive/.gnupg ~/.gnupg
This way, whenever the drive is mounted, the GnuPG directory will accessible and all of your keys will be available.
I would suggest that you create a TrueCrypt file container to store the .gnupg folder on, rather than storing it in the clear.