path: root/src/tools/gpg.md
blob: c37353f71c6a87956dcd1a5281d76fe43fd7589d
# gpg(1)

```
gpg
  -o|--output <file>          Specify output file
  -a|--armor                  Create ASCII-armored output
  -u|--local-user <name>      Specify key for signing
  -r|--recipient <name>       Encrypt for user <name>
```

## Generate new keypair
```bash
gpg --full-generate-key
```

## List keys
```bash
gpg -k / --list-keys              # public keys
gpg -K / --list-secret-keys       # secret keys
```

## Edit keys
```bash
gpg --edit-key <KEY ID>
```
Opens an interactive prompt for modifying `KEY ID`; common commands:
```bash
help         show help
save         save & quit

list         list keys and user IDs
key <N>      select subkey <N>
uid <N>      select user ID <N>

expire       change expiration of selected key

adduid       add user ID
deluid       delete selected user ID

addkey       add subkey
delkey       delete selected subkey
```

## Export & Import Keys
```bash
gpg --export --armor --output <KEY.PUB> <KEY ID>
gpg --export-secret-keys --armor --output <KEY.SEC> <KEY ID>
gpg --import <FILE>
```

## Search & Send keys
```bash
gpg --keyserver <SERVER> --send-keys <KEY ID>
gpg --keyserver <SERVER> --search-keys <KEY ID>
```

## Encrypt (passphrase)
Encrypt a file with a passphrase and write the encrypted data to `<file>.gpg`.
```bash
gpg --symmetric <file>

# Decrypt using passphrase
gpg -o <file> --decrypt <file>.gpg
```

## Encrypt (public key)
Encrypt a file with the public key of the specified recipient and write the
encrypted data to `<file>.gpg`.
```bash
gpg --encrypt -r foo@bar.de <file>

# Decrypt on foo's side (foo's private key required)
gpg -o <file> --decrypt <file>.gpg
```

## Signing
Generate a signed file and write to `<file>.gpg`.
```bash
# Sign with private key of foo@bar.de
gpg --sign -u foo@bar.de <file>

# Verify with public key of foo@bar.de
gpg --verify <file>.gpg

# Extract content from signed file
gpg -o <file> --decrypt <file>.gpg
```
> Without `-u`, gpg signs with the first secret key listed by `gpg -K`.

Files can also be signed and encrypted at once; gpg first signs the file and
then encrypts it.
```bash
gpg --sign --encrypt -r <recipient> <file>
```

## Signing (detached)
Generate a `detached` signature and write to `<file>.asc`.
Send `<file>.asc` along with `<file>` when distributing.
```bash
gpg --detach-sign --armor -u foo@bar.de <file>

# Verify
gpg --verify <file>.asc <file>
```
> Without `-u`, gpg signs with the first secret key listed by `gpg -K`.
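The four workflows above (passphrase encryption, public-key encryption, sign-then-encrypt, and detached signatures) as one scriptable round trip in a throwaway keyring. This is an added example, not part of the original cheat sheet: it assumes GnuPG 2.2 or later (for `--quick-generate-key`), the identity `Alice Example <alice@example.invalid>` and the file contents are constructed test values, and the symmetric passphrase is fed on stdin so it never appears on the command line. Scripts should take the verdict from the machine-readable `[GNUPG:]` lines on `--status-fd`, not from gpg's human-readable stderr; the tampered-file step shows what a failed verification looks like to a script.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: an isolated round trip
# for the encrypt/sign workflows above. Assumes GnuPG 2.2+ and uses the
# constructed identity below. Verdicts are read from --status-fd.

gpg_round_trip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 0; }

    # Throwaway keyring: the demo never touches ~/.gnupg.
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    uid='Alice Example <alice@example.invalid>'   # constructed test identity
    w="$GNUPGHOME/work"
    mkdir "$w"
    printf 'release tarball contents\n' > "$w/file"   # constructed payload

    # Unattended key generation: sign+cert primary, encrypt subkey, no expiry,
    # no passphrase. Acceptable only for a disposable test key like this one.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never 2>/dev/null || return 1

    # 1) Symmetric: passphrase on stdin (fd 0), not on the command line where
    #    it would show up in the process list.
    printf 'correct horse\n' | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
        -o "$w/sym.gpg" --symmetric "$w/file" 2>/dev/null || return 1
    printf 'correct horse\n' | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
        -o "$w/sym.out" --decrypt "$w/sym.gpg" 2>/dev/null || return 1
    cmp -s "$w/file" "$w/sym.out" || return 1
    # A wrong passphrase must fail (non-zero exit status).
    printf 'wrong\n' | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
        -o "$w/sym.bad" --decrypt "$w/sym.gpg" 2>/dev/null && return 1

    # 2) Detached signature: file.asc travels next to file.
    gpg --batch --yes --detach-sign --armor -u "$uid" "$w/file" 2>/dev/null || return 1
    st=$(gpg --batch --status-fd 1 --verify "$w/file.asc" "$w/file" 2>/dev/null) || return 1
    printf '%s\n' "$st" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1

    # Any change to the signed file must break verification: exit != 0, BADSIG.
    cp "$w/file" "$w/file.tampered"
    printf 'x' >> "$w/file.tampered"
    gpg --batch --verify "$w/file.asc" "$w/file.tampered" 2>/dev/null && return 1
    gpg --batch --status-fd 1 --verify "$w/file.asc" "$w/file.tampered" 2>/dev/null \
        | grep -q '^\[GNUPG:\] BADSIG ' || return 1

    # 3) Sign then encrypt in one pass; decrypt and verify in one pass.
    gpg --batch --yes --sign --encrypt -u "$uid" -r "$uid" \
        -o "$w/file.gpg" "$w/file" 2>/dev/null || return 1
    st=$(gpg --batch --status-fd 1 -o "$w/file.out" --decrypt "$w/file.gpg" 2>/dev/null) || return 1
    printf '%s\n' "$st" | grep -q '^\[GNUPG:\] DECRYPTION_OKAY' || return 1
    printf '%s\n' "$st" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    cmp -s "$w/file" "$w/file.out" || return 1

    # Stop the agent that gpg started for this home directory, then clean up.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    return 0
}
```

Call `gpg_round_trip` and check its exit status: it returns 0 when every step behaves as expected and 1 at the first deviation (a decrypt that should have failed, a GOODSIG that should have been a BADSIG, or output that does not match the input).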

## Abbreviations
- `sec` secret key
- `ssb` secret subkey
- `pub` public key
- `sub` public subkey

## Keyservers
- http://pgp.mit.edu
- http://keyserver.ubuntu.com
- hkps://pgp.mailbox.org

## Examples

### List basic key information from a key file with long key IDs
```bash
gpg --keyid-format 0xlong <key.asc>
```

### Extend expiring key
```bash
gpg --edit-key <key id>

# The prompt starts on the primary key; select a subkey to change that one instead.
gpg> key 1

# Update the expire date.
gpg> expire

gpg> save

# Update keyserver(s) and/or export new pub keyfile.
```