aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/tools/gpg.md
blob: 316f53f0d32c3530a1829fe79d83c381c09d8375 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
# gpg(1)

```
gpg
  -o|--output                 Specify output file
  -a|--armor                  Create ascii output
  -u|--local-user <name>      Specify key for signing
  -r|--recipient              Encrypt for user
```

## Generate new keypair
```bash
gpg --full-generate-key
```

## List keys
```
gpg -k / --list-key               # public keys
gpg -K / --list-secret-keys       # secret keys
```

## Edit keys
```bash
gpg --edit-key <KEY ID>
```
Gives prompt to modify `KEY ID`, common commands:
```bash
help         show help
save         save & quit

list         list keys and user IDs
key <N>      select subkey <N>
uid <N>      select user ID <N>

expire       change expiration of selected key

adduid       add user ID
deluid       delete selected user ID

addkey       add subkey
delkey       delete selected subkey
```

## Export & Import Keys
```bash
gpg --export --armor --output <KEY.PUB> <KEY ID>
gpg --import <FILE>
```

## Search & Send keys
```bash
gpg --keyserver <SERVER> --send-keys <KEY ID>
gpg --keyserver <SERVER> --search-keys <KEY ID>
```

## Encrypt (passphrase)
Encrypt file using `passphrase` and write encrypted data to `<file>.gpg`.
```bash
gpg --symmetric <file>

# Decrypt using passphrase
gpg -o <file> --decrypt <file>.gpg
```

## Encrypt (public key)
Encrypt file with `public key` of specified `recipient` and write encrypted
data to `<file>.gpg`.
```bash
gpg --encrypt -r foo@bar.de <file>

# Decrypt at foos side (private key required)
gpg -o <file> --decrypt <file>.gpg
```

## Signing
Generate a signed file and write to `<file>.gpg`.
```bash
# Sign with private key of foo@bar.de
gpg --sign -u foor@bar.de <file>

# Verify with public key of foo@bar.de
gpg --verify <file>

# Extract content from signed file
gpg -o <file> --decrypt <file>.gpg
```
> Without `-u` use first private key in list `gpg -K` for signing.

Files can also be `signed` and `encrypted` at once, gpg will first sign the
file and then encrypt it.
```bash
gpg --sign --encrypt -r <recipient> <file>
```

## Signing (detached)
Generate a `detached` signature and write to `<file>.asc`.
Send `<file>.asc` along with `<file>` when distributing.
```bash
gpg --detach-sign --armor -u foor@bar.de <file>

# Verify
gpg --verify <file>.asc <file>
```
> Without `-u` use first private key in list `gpg -K` for signing.

## Abbreviations
- `sec` secret key
- `ssb` secret subkey
- `pub` public key
- `sub` public subkey

## Keyservers
- http://pgp.mit.edu
- http://keyserver.ubuntu.com
- hkps://pgp.mailbox.org