- Install gpg2 (for Ubuntu):
    sudo apt-get install gnupg2
- Add the following to ~/.bash_aliases:
    alias gpg='gpg2'
- Source ~/.bashrc:
    source ~/.bashrc
- Create ~/.gnupg using one of the following:
    - Copy any backed-up .gnupg directory to ~/.gnupg, or
    - Initialize the ~/.gnupg directory using
        gpg -k
- Copy gpg.conf & gpg-agent.conf from this repository to ~/.gnupg
- Add the following to ~/.bashrc or ~/.bash_profile:
    export GPG_TTY=$(tty)
    unset SSH_AGENT_PID
    if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
      # On newer GnuPG builds the agent's SSH socket may live elsewhere;
      # `gpgconf --list-dirs agent-ssh-socket` prints the actual path.
      export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
    fi
    gpg-connect-agent /bye
- Source ~/.bashrc:
    source ~/.bashrc
- Now, log out and log in again
- If needed:
    - Create a new primary key using
        gpg --expert --full-gen-key
      - Use >=4096-bit RSA for the primary key
      - Use >=2048-bit RSA for subkeys
    - Edit keys using
        gpg --expert --edit-key <uid>
      - Add new subkeys using
        addkey
      - Change passphrases using
        passwd
      - Type
        help
        for more options
- Create one subkey each for Authentication, Encryption and Signing
- To add SSH support in gpg, you must create an Authentication subkey, marked as [A]
- To generate the sshcontrol file, type
    ssh-add -l
- List gpg keys by:
    - Public keys:
        gpg -k
    - Private keys:
        gpg -K
      If # appears after sec or ssb, the private key is not present for that key-id
- Get the keygrip of the keys:
    gpg -k --with-keygrip <uid>
- Add the keygrip of your authentication key to the sshcontrol file on a new line
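A small helper, added here and not part of this repository, that automates the two steps above: it picks the keygrip of the [A] subkey out of `gpg -K --with-keygrip --with-colons` output and appends it to sshcontrol only when it is not already listed. The colon-format listing embedded in the block is a constructed sample, and the function names (`auth_keygrips`, `add_to_sshcontrol`, `main_demo`) are my own.

```shell
# Constructed sample of `gpg -K --with-keygrip --with-colons` output (not a
# real key). In sec/ssb records field 12 holds the key's own capabilities
# (e = encrypt, s = sign, a = authenticate); the grp record that follows a
# key carries its keygrip in field 10.
SAMPLE_COLONS='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA:::+::::
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:2048:1:FEDCBA9876543210:1600000000::::::s:::+::::
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:2048:1:1122334455667788:1600000000::::::e:::+::::
grp:::::::::3333333333333333333333333333333333333333:
ssb:u:2048:1:8877665544332211:1600000000::::::a:::+::::
grp:::::::::4444444444444444444444444444444444444444:'

# auth_keygrips: read a colon-format key listing on stdin and print the
# keygrip of every subkey whose capability field contains "a".
auth_keygrips() {
    awk -F: '
        $1 == "ssb" { want = (index($12, "a") > 0); next }
        $1 == "grp" && want { print $10; want = 0 }
    '
}

# add_to_sshcontrol FILE KEYGRIP: append the keygrip (TTL 0, as ssh-add
# writes it) unless the file already lists it, so re-running the setup
# never duplicates a line.
add_to_sshcontrol() {
    file=$1; grip=$2
    touch "$file"
    if grep -q "^$grip" "$file"; then
        echo "$grip already in $file"
    else
        printf '%s 0\n' "$grip" >> "$file"
        echo "added $grip to $file"
    fi
}

# Demo against the constructed sample and a temporary file. For a real
# keyring, pipe `gpg -K --with-keygrip --with-colons` into auth_keygrips
# and pass "$HOME/.gnupg/sshcontrol" as the file.
main_demo() {
    grip=$(printf '%s\n' "$SAMPLE_COLONS" | auth_keygrips)
    ctl=$(mktemp)
    add_to_sshcontrol "$ctl" "$grip"
    add_to_sshcontrol "$ctl" "$grip"   # second call is a no-op
    cat "$ctl"
    rm -f "$ctl"
}
main_demo
```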
- Export the SSH public key to be put in the server's ~/.ssh/authorized_keys:
    gpg --export-ssh-key <key-id>
- You may now be able to SSH directly into the server
- *** VERY IMPORTANT *** Back up the whole ~/.gnupg directory to a safe & secure place
- After the backup has been created, you must change the passphrases of the primary key & subkeys
- Now delete the unnecessary private keys. To delete the private keys:
    - Find out the keygrip of the keys using the above command
    - Delete ~/.gnupg/private-keys-v1.d/<keygrip>.key
- To edit existing keys or to create a new subkey:
    - Back up the ~/.gnupg folder before proceeding (just in case anything goes wrong)
    - Retrieve the remotely backed-up .gnupg directory (this backup is different from the one created in the step just above) into a tmp-path/.gnupg folder. Note that this folder contains all of the secret keys
    - Run the relevant commands with that homedir, e.g.
        gpg --homedir tmp-path/.gnupg ...
    - Push the new changes to the keyserver using
        gpg --homedir tmp-path/.gnupg --keyserver pgp.key-server.io --send-key <YOURMASTERKEYID>
    - Retrieve the changes into your ~/.gnupg using
        gpg --keyserver pgp.key-server.io --recv-key <YOURMASTERKEYID>
    - To transfer private keys to the local folder, copy tmp-path/.gnupg/private-keys-v1.d/<keygrip>.key to ~/.gnupg/private-keys-v1.d/<keygrip>.key
- To search for a key on the keyserver use
    gpg --keyserver pgp.key-server.io --search-key <search-text>
- Export keys using:
    - Public:
        gpg -a --export <uid>
      The -a option is the same as --armor and is used to generate ASCII text
    - Private:
        gpg -a --export-secret-keys <uid>
- Run
    gpgconf --kill gpg-agent
  to kill any running agent that might be hung
- Run
    gpg-connect-agent reloadagent /bye
  to reload the agent
- Run
    gpgconf --list-dirs agent-socket agent-extra-socket
  to list the actual location of the sockets
- Run
    gpg-connect-agent 'keyinfo --list' /bye
  to list the keys held by gpg-agent
- Run
    gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
  to list the available keyservers
- Kill dirmngr:
    gpgconf --kill dirmngr
- https://wiki.debian.org/Subkeys
- https://www.gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html
- https://github.com/kylef/dotfiles/blob/master/.gnupg/gpg.conf
- https://www.gnupg.org/gph/en/manual/book1.html
- https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html