dza + gpg   12

[no title]
gpg --list-keys

# create a new 2048 is fine
gpg --gen-key

# By default GnuPG uses the same subkey for signing (e.g. signing an email message) and certifying (e.g. signing another key). It is useful to separate those purposes as one is way more important than the other.
gpg --edit-key <short_key_fingerprint>
# choose (4) RSA (sign only)
gpg> addkey

# export public key as ASCII
gpg --export -a

# export private key as ASCII # wait until you added extra signing key if you want it included
gpg -a --export-secret-keys

# export secret subkeys as ASCII
gpg -a --export-secret-subkeys

# show keys with long keyid (less collidable, safer)
gpg --keyid-format LONG -k 0x<FINGERPRINT>

# Before importing a key, verify the fingerprint
gpg --with-fingerprint <keyfile>

# you want your keys to expire this way you can set an expiry if you don't have one or you need to extend your current key
gpg --edit-key '<fingerprint>'

# generate revocation cert ASCII
gpg --gen-revoke '<fingerprint>'

# Now select the subkey for which you want to set an expiration date (e.g. the first one), or none to set the expiration on your primary key and then issue the ‘expire’ command:
gpg> key 1
gpg> expire

# Then set the date to a reasonable one, and save the key and exit (e.g. 2 years):
Key is valid for? (0) 2y
gpg> save

# Then you may send your key to the keyservers to publish this change:
gpg --send-key '<fingerprint>'

## Keep private key completely offline
# extract the primary key (copy-paste)
gpg -a --export-secret-key

# extract the subkeys (copy-paste), which we will reimport later
# the ! at the end is intentional and required
gpg -a --export-secret-subkeys <ENCRYPT_KEY_ID>!
gpg -a --export-secret-subkeys <SIGN_KEY_ID>!

# *delete* the secret keys from the keyring, so only subkeys are left
$ gpg --delete-secret-keys
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

# verify everything is in order
$ gpg --list-secret-keys

# reimport the subkeys (they should be there still but if not)
$ gpg --import

## Usage

# Encrypting a message to a recipient and add yourself to be able to read the encrypted message
gpg -e -s -a -r -r

## Verify

# This will verify your key security (apt-get install hopenpgp-tools)
hkt export-pubkeys <KEY_ID> | hokey lint

# Verify passphrase is correct (exit status will be 0 in that case)
gpg -q --sign --local-user <KEY_ID> --output /dev/null --yes <DUMMY_FILE>
!gpg  gpg  from notes
november 2017 by dza
To encrypt a message for an email recipient (ascii):
gpg -e --sign -a -r

To create a key:
gpg --gen-key
generally you can select the defaults.

to export a public key into file public.key:
gpg --export -a "User Name" > public.key
This will create a file called public.key with the ascii representation of the public key for User Name. This is a variation on:
gpg --export
which by itself is basically going to print out a bunch of crap to your screen. I recommend against doing this.
gpg --export -a "User Name"
prints out the public key for User Name to the command line, which is only semi-useful

to export a private key:
gpg --export-secret-key -a "User Name" > private.key
This will create a file called private.key with the ascii representation of the private key for User Name.
It's pretty much like exporting a public key, but you have to override some default protections. There's a note (*) at the bottom explaining why you may want to do this.

to import a public key:
gpg --import public.key
This adds the public key in the file "public.key" to your public key ring.

to import a private key:
gpg --allow-secret-key-import --import private.key
This adds the private key in the file "private.key" to your private key ring. There's a note (*) at the bottom explaining why you may want to do this.

to delete a public key (from your public key ring):
gpg --delete-key "User Name"
This removes the public key from your public key ring.
NOTE! If there is a private key on your private key ring associated with this public key, you will get an error! You must delete your private key for this key pair from your private key ring first.

to delete an private key (a key on your private key ring):
gpg --delete-secret-key "User Name"
This deletes the secret key from your secret key ring.

To list the keys in your public key ring:
gpg --list-keys

To list the keys in your secret key ring:
gpg --list-secret-keys

To generate a short list of numbers that you can use via an alternative method to verify a public key, use:
gpg --fingerprint > fingerprint
This creates the file fingerprint with your fingerprint info.

To encrypt data, use:
gpg -e -u "Sender User Name" -r "Receiver User Name" somefile
There are some useful options here, such as -u to specify the secret key to be used, and -r to specify the public key of the recipient.

As an example: gpg -e -u "Charles Lockhart" -r "A Friend" mydata.tar
This should create a file called "mydata.tar.gpg" that contains the encrypted data. I think you specify the senders username so that the recipient can verify that the contents are from that person (using the fingerprint?).

NOTE!: mydata.tar is not removed, you end up with two files, so if you want to have only the encrypted file in existance, you probably have to delete mydata.tar yourself.
An interesting side note, I encrypted the preemptive kernel patch, a file of 55,247 bytes, and ended up with an encrypted file of 15,276 bytes.

SYMMETRIC Encryption (No recipient):
gpg --symmetric someFile

To decrypt data, use:
gpg -d mydata.tar.gpg
If you have multiple secret keys, it'll choose the correct one, or output an error if the correct one doesn't exist. You'll be prompted to enter your passphrase. Afterwards there will exist the file "mydata.tar", and the encrypted "original," mydata.tar.gpg.

NOTE: when I originally wrote this cheat sheet, that's how it worked on my system, however it looks now like "gpg -d mydata.tar.gpg" dumps the file contents to standard output. The working alternative (worked on my system, anyway) would be to use "gpg -o outputfile -d encryptedfile.gpg", or using mydata.tar.gpg as an example, I'd run "gpg -o mydata.tar -d mydata.tar.gpg". Alternatively you could run something like "gpg -d mydata.tar.gpg > mydata.tar" and just push the output into a file. Seemed to work either way.

Ok, so what if you're a paranoid bastard and want to encrypt some of your own files, so nobody can break into your computer and get them? Simply encrypt them using yourself as the recipient.

I haven't used the commands:
gpg --edit-key
gpg --gen-revoke

--gen-revoke creates a revocation certificate, which when distributed to people and keyservers tells them that your key is no longer valid, see
--edit-key allows you do do an assortment of key tasks, see
gpg  gnupg  pgp  howto  tutorial  guide  from notes
march 2012 by dza
Using autofs for GPG keys on a USB stick
loop-aes, autofs, and lomount used to create an USB holding 2 partitions. 1 that doesn't ensure Windows doesn't require it formatted, 2 the actual GPG partition, and loop-aes and autofs + script to load it automatically upon insert. A more secure way than standard GPG, but still room for improvement.
autofs  gpg  gnupg  howto  tutorial  guide  usb  encrypt  encrypted  encryption  security  lomount  urandom 
july 2011 by dza
The GNU Privacy Guard -
Encrypt and sign data and communication with a public/private key system.
gnupg  gpg  secure  security  encrypt  encryption  privacy  pgp  opensource  software  program  gnu  apps  app 
april 2008 by dza

Copy this bookmark: