How to Manage GnuPG Keys
Do you have trouble remembering how to use GnuPG? GnuPG does not have a very user-friendly interface. I usually forget how to use it, so I decided to start this page. This is an article documenting common use cases with GnuPG.
This blog post will hopefully become a comprehensive guide over time. However, here is an incomplete list of useful documentation:
Setup Testing Environment
cd $(mktemp -d)
export GNUPGHOME=$PWD
export LANG=C
chmod 0700 .
gpg -k
Sometimes I am confused by the German translation of certain command line tools and man pages. For that reason, it is personal taste to set export LANG=C.
If this directory is to be recycled, gpg-agent must be restarted with killall gpg-agent.
Create New Primary Key
uid="Sebastian Schulz (Test Key)"
gpg \
  --no-tty --batch --passphrase='' \
  --quick-generate-key "$uid" ed25519 cert 5y
The parameters --no-tty, --batch and --passphrase='' suppress any questions. This is useful in case the steps should be automated with scripts.
I prefer Edwards-curve keys to RSA nowadays.
Add Subkey
First, list all secret keys with their fingerprints: gpg --with-subkey-fingerprints -K
Second, add a subkey with the following command.
gpg \
  --no-tty --batch --passphrase='' \
  --quick-add-key DEADBEEF ed25519 sign 1y
The parameters --no-tty, --batch and --passphrase='' suppress any questions.
I prefer Edwards-curve keys to RSA nowadays.
The usage of the subkey can be sign, auth or encrypt. A comma-delimited list of those values is also possible.
Set Expiry Date of a Subkey
Show the fingerprints of all secret keys including subkeys:
gpg --with-subkey-fingerprint -K
Set a new expiry date with the following command:
primaryKey=DEADBEEF
subKey=DEADBEEF
gpg --batch --no-tty --quick-set-expire $primaryKey 4m $subKey
gpg --with-subkey-fingerprint -K
In case the primary key is protected with a passphrase, here is an example that reads the passphrase from pass.
pass my-test-key | gpg --homedir=. --pinentry-mode=loopback \
  --batch --no-tty --passphrase-fd 0 \
  --quick-set-expire $primaryKey 1d $subKey
If GNUPGHOME=$PWD is set, it must be unset because pass uses GnuPG in the background.
Export Secret Subkey without Primary Key
cd /media/$USER/usb-stick
export GNUPGHOME=$PWD
export LANG=C
gpg --armor --export-secret-subkeys DEADBEEF! > /tmp/exported-key.asc
Use --export-secret-subkeys instead of --export-secret-keys to avoid exporting the primary key.
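The sections above (test environment, primary key, subkeys, expiry, subkey-only export) chained into one script, as an added example that is not part of the original post. The uid, the temporary paths and the "Test User" name are constructed for the demo; it goes one step beyond the post by adding a cv25519 encryption subkey (ed25519 is signature-only) and by verifying that the exported file carries only a stub of the primary key.

```sh
#!/bin/sh
# Added example, not from the original post: the post's commands chained into
# one script against a throw-away GNUPGHOME. The uid and paths are constructed.
set -eu
# Fresh private GNUPGHOME for the calling shell (no subshell, so it sticks).
use_temp_home() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  export LANG=C
  chmod 0700 "$GNUPGHOME"
}

# Primary fingerprint: first "fpr" record of the colon-format secret listing.
primary_fpr() { gpg --with-colons -K | awk -F: '$1=="fpr"{print $10; exit}'; }

# Fingerprint of the n-th subkey (the "fpr" record after the n-th "ssb").
subkey_fpr() {
  gpg --with-colons -K | awk -F: -v n="$1" '$1=="ssb"{c++} $1=="fpr"&&c==n{print $10; exit}'
}

# Number of secret subkeys in the keyring.
count_subkeys() { gpg --with-colons -K | awk -F: '$1=="ssb"' | wc -l | tr -d ' '; }

# Cert-only ed25519 primary plus sign/auth/encrypt subkeys, all unprotected.
# ed25519 only signs, so the encryption subkey must be cv25519.
make_test_keyring() {
  gpg --no-tty --batch --passphrase='' \
      --quick-generate-key "Test User (demo key)" ed25519 cert 5y 2>/dev/null
  primary=$(primary_fpr)
  for spec in "ed25519 sign" "ed25519 auth" "cv25519 encrypt"; do
    set -- $spec        # split "algo usage"
    gpg --no-tty --batch --passphrase='' --quick-add-key "$primary" "$1" "$2" 2>/dev/null
  done
}

# Shorten one subkey's lifetime; print its new expiry as unix time (field 7 of "ssb").
set_subkey_expire() {   # args: primary_fpr subkey_fpr expire (e.g. 4m)
  gpg --batch --no-tty --quick-set-expire "$1" "$3" "$2" 2>/dev/null
  gpg --with-colons -K | awk -F: -v f="$2" '$1=="ssb"{e=$7} $1=="fpr"&&$10==f{print e; exit}'
}

# Export only the secret subkeys, import them into a second fresh home and
# count primaries listed as "sec#": the '#' means the secret primary is a stub.
stub_count_after_export() {   # arg: primary_fpr
  out="$GNUPGHOME/subkeys.asc"; home2=$(mktemp -d); chmod 0700 "$home2"
  gpg --armor --export-secret-subkeys "$1" > "$out"
  GNUPGHOME="$home2" gpg --batch --import "$out" 2>/dev/null
  GNUPGHOME="$home2" gpg -K | grep -c '^sec#'
  GNUPGHOME="$home2" gpgconf --kill gpg-agent
}
```

Run `use_temp_home; make_test_keyring; stub_count_after_export "$(primary_fpr)"` and finish with `gpgconf --kill gpg-agent` before discarding the temporary directory.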
Summary
This page contains some useful commands for your daily work. I am curious about your daily use cases with GnuPG! What are your common commands with this tool? How do you protect your primary key? I am looking forward to reading from you. Do not hesitate to drop a comment below.