# Working with gpg

Notes on working with gpg: creating and editing keys, exporting and importing backups, etc.

See also: gpg manual.
## General tips

### Commands

```sh
# list keys
gpg -k
# list private keys
gpg -K
```
### Key output

```
pub   rsa2048 2019-03-04 [SC] [expires: 2023-03-03]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid           [ unknown] Firstname Lastname <name@place.org>
sub   rsa2048 2019-03-04 [E] [expires: 2023-03-03]
```
- the `XXX...` line is the keyid (the full fingerprint); it can be used as a name for the other commands
- `[ unknown]` is the level of trust; if the key is expired, that is shown clearly here as well
- the `[SC]` or `[E]` (or `A`) parts are key flags denoting the usage; the relevant snippet from the gpg source:

```c
/* Usage flags */
#define PUBKEY_USAGE_SIG  GCRY_PK_USAGE_SIGN  /* Good for signatures. */
#define PUBKEY_USAGE_ENC  GCRY_PK_USAGE_ENCR  /* Good for encryption. */
#define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT  /* Also good to certify keys.*/
#define PUBKEY_USAGE_AUTH GCRY_PK_USAGE_AUTH  /* Good for authentication. */
```
## Export gpg keys

- the `--armor` option exports the keys in ASCII
- `--export` is for public keys, while `--export-secret-keys` is for private keys
- when exporting for backup one should tell gpg to do so with `--export-options export-backup`
## Import gpg keys

Just `--import`.

Also `--pinentry-mode loopback` is useful.
## PoC of backup and restoration
```sh
whoami
# laptop-me

# assume we already have generated a keypair
gpg --armor \
    --export-secret-keys \
    --export-options export-backup \
    --output backup \
    me@email   # or keyid

sudo cp backup /home/server-me/backup
sudo chown server-me:server-me /home/server-me/backup

su - server-me
whoami
# server-me

gpg --pinentry-mode loopback \
    --import \
    backup
```
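A scripted version of the backup and restore above, added here as an example and not taken from the original notes: it exports with `export-backup`, imports into a throwaway `GNUPGHOME` with loopback pinentry, and then checks that the fingerprint and the secret part survived the round trip. It assumes gpg 2.1 or later on `PATH` and a key without a passphrase; the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original notes): scripted backup/restore round trip.
# Assumes gpg 2.1+ on PATH and a key without a passphrase; for a protected key
# replace --passphrase '' with --passphrase-fd and feed it the passphrase.
set -u

# Print the primary key fingerprint for $2 in keyring $1 (machine-readable listing).
fpr_of() {
    GNUPGHOME="$1" gpg --batch --with-colons -k "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export the secret key $2 from keyring $1 to file $3, as in the notes.
backup_key() {
    GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys --export-options export-backup \
        --output "$3" "$2"
}

# Import backup file $2 into keyring $1; loopback avoids an interactive pinentry,
# and import-options restore also takes the ownertrust that export-backup wrote.
restore_key() {
    GNUPGHOME="$1" gpg --batch --pinentry-mode loopback --passphrase '' \
        --import-options restore --import "$2"
}

# Round trip into a throwaway keyring. Returns 0 only if the restored key has the
# same fingerprint as the source AND its secret part is present.
roundtrip() {
    src="$1"; who="$2"; rc=1
    dst=$(mktemp -d); bak=$(mktemp)
    if backup_key "$src" "$who" "$bak" && restore_key "$dst" "$bak"; then
        before=$(fpr_of "$src" "$who")
        after=$(fpr_of "$dst" "$who")
        if [ -n "$before" ] && [ "$before" = "$after" ] &&
           GNUPGHOME="$dst" gpg --batch --with-colons -K "$who" 2>/dev/null | grep -q '^sec:'
        then
            rc=0
        fi
    fi
    GNUPGHOME="$dst" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$dst" "$bak"
    return $rc
}
```

Call `roundtrip "$HOME/.gnupg" me@email` to dry-run your real backup before copying it to the server; a non-zero exit means the backup would not restore cleanly.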