How to Manage GnuPG Keys


Do you have trouble remembering how to use GnuPG? GnuPG does not have a very user-friendly interface. I usually forget how to use it, so I decided to start this page. This article documents common use cases with GnuPG.

This blog post will hopefully become a comprehensive guide over time. Until then, here is an incomplete list of useful documentation:

Setup Testing Environment

cd $(mktemp -d)
export GNUPGHOME=$PWD
export LANG=C
chmod 0700 .
gpg -k

Sometimes I am confused by the German translations of certain command line tools and man pages. For that reason, setting export LANG=C is a matter of personal taste.

If this directory is to be reused or recreated, the GPG agent must be restarted first with killall gpg-agent.

Create New Primary Key

uid="Sebastian Schulz (Test Key)"
gpg \
  --no-tty --batch --passphrase='' \
  --quick-generate-key "$uid" ed25519 cert 5y

The parameters --no-tty, --batch and --passphrase='' suppress all interactive prompts. This is useful when the steps are automated in scripts.

I prefer Edwards-curve keys over RSA nowadays.

Add Subkey

First, list all secret keys with their fingerprints: gpg --with-subkey-fingerprint -K

Second, add the subkey with the following command:

gpg \
  --no-tty --batch --passphrase='' \
  --quick-add-key DEADBEEF ed25519 sign 1y

The parameters --no-tty, --batch and --passphrase='' suppress all interactive prompts.

I prefer Edwards-curve keys over RSA nowadays.

The usage of the subkey can be sign, auth or encrypt. A comma-separated list of these values is also possible.

Set Expiry Date of a Subkey

Show fingerprints of all secret keys including subkeys: gpg --with-subkey-fingerprint -K

Set a new expiry date with the following command:

primaryKey=DEADBEEF
subKey=DEADBEEF
gpg --batch --no-tty --quick-set-expire $primaryKey 4m $subKey
gpg --with-subkey-fingerprint -K

If the primary key is protected with a passphrase, the passphrase has to be supplied. This is an example which uses pass to do so.

pass my-test-key | gpg --homedir=. --pinentry-mode=loopback \
  --batch --no-tty --passphrase-fd 0 \
  --quick-set-expire $primaryKey 1d $subKey

If GNUPGHOME=$PWD is still exported, it must be unset, because pass uses GnuPG in the background and would otherwise look for its key in the test directory. That is why --homedir=. is passed explicitly here.

Export Secret Subkey without Primary Key

cd /media/$USER/usb-stick
export GNUPGHOME=$PWD
export LANG=C
gpg --armor --export-secret-subkeys DEADBEEF! > /tmp/exported-key.asc

Use --export-secret-subkeys instead of --export-secret-keys to avoid an export of the primary key.
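The steps above (test environment, primary key, subkey, expiry, subkey-only export) as one script. This is an added example and not code from the original post: it reads the fingerprints back with --with-colons instead of pasting DEADBEEF placeholders, and it checks that the exported file really contains only a stub of the primary key, which is what -K shows as sec# after an import. It assumes GnuPG 2.1 or newer (gpg and gpgconf on PATH); the user id and the example.invalid address are constructed sample values, and --pinentry-mode loopback is added because on GnuPG 2.1+ --passphrase only takes effect in batch mode together with that option.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GnuPG 2.1+.
# --with-colons output is locale independent, so LANG=C is not needed here.
set -eu

# Fresh throwaway keyring directory (the post's "Setup Testing Environment").
gpg_test_home() {
    dir=$(mktemp -d)
    chmod 0700 "$dir"
    printf '%s\n' "$dir"
}

# Certify-only primary key without passphrase; prints its fingerprint.
gpg_make_primary() {
    home=$1; uid=$2
    gpg --homedir "$home" --no-tty --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" ed25519 cert 5y >/dev/null 2>&1
    # "fpr" records carry the fingerprint in field 10; the first one after the
    # "sec" record belongs to the primary key.
    gpg --homedir "$home" --with-colons -K "$uid" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Subkey with the given algorithm, usage (sign, auth, encrypt or a comma list)
# and lifetime; prints the new subkey's fingerprint (the fpr after the last ssb).
gpg_add_subkey() {
    home=$1; primary=$2; algo=$3; usage=$4; expire=$5
    gpg --homedir "$home" --no-tty --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$primary" "$algo" "$usage" "$expire" >/dev/null 2>&1
    gpg --homedir "$home" --with-colons -K "$primary" \
        | awk -F: '$1 == "ssb" { want = 1; next } want && $1 == "fpr" { last = $10; want = 0 } END { print last }'
}

# Expiry of one subkey as seconds since the epoch (field 7 of its ssb record).
gpg_subkey_expiry() {
    home=$1; sub=$2
    gpg --homedir "$home" --with-colons -K "$sub" \
        | awk -F: -v id="$sub" '$1 == "ssb" { e = $7 } $1 == "fpr" && $10 == id { print e; exit }'
}

# The post's --quick-set-expire step: new lifetime for one subkey.
gpg_set_subkey_expire() {
    home=$1; primary=$2; sub=$3; expire=$4
    gpg --homedir "$home" --no-tty --batch --pinentry-mode loopback --passphrase '' \
        --quick-set-expire "$primary" "$expire" "$sub" >/dev/null 2>&1
}

# Export only the secret subkeys; the primary key is replaced by a stub.
gpg_export_subkeys() {
    home=$1; primary=$2; out=$3
    gpg --homedir "$home" --armor --export-secret-subkeys "$primary" > "$out" 2>/dev/null
}

# Import the export into a second, empty keyring and print "yes" if the
# primary key arrived as a stub only: field 15 of the sec record is "#" then.
gpg_primary_is_stub() {
    home=$1; file=$2
    gpg --homedir "$home" --batch --import "$file" >/dev/null 2>&1
    gpg --homedir "$home" --with-colons -K \
        | awk -F: '$1 == "sec" { print ($15 == "#" ? "yes" : "no"); exit }'
}

# Stop the agent for this keyring (gpgconf alternative to killall) and remove it.
gpg_cleanup() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

main() {
    keyring=$(gpg_test_home)
    primary=$(gpg_make_primary "$keyring" "Test Key <test@example.invalid>")  # constructed uid
    signing=$(gpg_add_subkey "$keyring" "$primary" ed25519 sign 1y)
    gpg_set_subkey_expire "$keyring" "$primary" "$signing" 4m
    echo "primary key:  $primary"
    echo "signing key:  $signing (expires at $(gpg_subkey_expiry "$keyring" "$signing"))"
    gpg_export_subkeys "$keyring" "$primary" "$keyring/exported-key.asc"
    other=$(gpg_test_home)
    echo "primary is a stub in the export: $(gpg_primary_is_stub "$other" "$keyring/exported-key.asc")"
    gpg_cleanup "$other"
    gpg_cleanup "$keyring"
}

if [ "${1:-}" = "demo" ]; then main; fi
```

Run it as sh script.sh demo. The last line of the output is the check that matters before a subkey-only export leaves the machine: a "no" there would mean the file still carries the secret primary key.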

Summary

This page contains some useful commands for your daily work. I am curious about your daily use cases with GnuPG! What are your common commands with this tool? How do you protect your primary key? I am looking forward to hearing from you. Do not hesitate to drop a comment below.