= GPG =

'''GNU Privacy Guard''' ('''GPG''') is an implementation of the [[Encryption/PGP|PGP]] protocol. The primary utility is '''`gpg2(1)`'''.

----

== Installation ==

All [[Linux]] and [[BSD]] distributions offer a `gpg(1)` package. Some only offer `gpg2(1)` and have made the two synonymous; the package is likely still named `gpg`. Others offer both, in which case the `gpg2` package should be preferred.

----

== Configuration ==

The various component programs of GPG look for configuration files in `~/.gnupg` or, if set, in `$GNUPGHOME`.

=== GPG Agent ===

'''`gpg-agent(1)`''' manages keys for the user. It is configured with `$GNUPGHOME/gpg-agent.conf`. For example, the program that prompts a user for a password is configured with:

{{{
pinentry-program /var/bin/pinentry-tty
}}}

On a headless system, this is often set to `/var/bin/pinentry-ncurses` instead.

To force `gpg-agent(1)` to reload its configuration, try `gpg-connect-agent reloadagent /bye`.

----

== Usage ==

=== List Keys ===

To list public and private keys, use the `--list-keys` and `--list-secret-keys` options, respectively. Note that the output differs between versions. Compare the output of `gpg(1)`:

{{{
pub   2048R/7A605FF0 2020-12-31
uid                  Your Name (Optional Comment)
sub   2048R/7A605FF0 2020-12-31
}}}

to the output of `gpg2(1)`, which is based on [[Encryption/Libgcrypt|Libgcrypt]]:

{{{
pub   rsa2048 2020-12-31 [SC]
      CBD17F206CE430EC21BDD1DC5E2AEDAC7A605FF0
uid           [ultimate] Your Name (Optional Comment)
sub   rsa2048 2020-12-31 [E]
}}}

There are additional options that bring `gpg2(1)` output closer to that of `gpg(1)`. First, note that subkey fingerprints are hidden by default; use the `--with-subkey-fingerprint` option to show them. Second, note that long key IDs are shown by default; to show short key IDs, use the `--keyid-format short` option.

=== Parsing Key Listings ===

Use `gpg2 --list-keys --with-colons` to produce a listing that is parseable.
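As an added example that is not part of the original page, the following parser groups the colon-separated `pub`, `fpr`, `uid` and `sub` records described in this section into primary keys and flags the conditions a keyring check should act on (revoked or expired keys, and the `6001` ROCA screening code in field 18). The embedded input is the sample listing from this page, reconstructed as constructed test data; the `unquote_c` helper undoes the C-style `\xHH` escaping gpg applies to field 10 of `uid` records.

```python
import re

# Constructed input: the sample listing shown on this page, as gpg emits it
SAMPLE = (
    "tru::1:1661040534:0:3:1:5\n"
    "pub:u:2048:1:5E2AEDAC7A605FF0:1609372800:::u:::scESC::::::23::0:\n"
    "fpr:::::::::CBD17F206CE430EC21BDD1DC5E2AEDAC7A605FF0:\n"
    "uid:u::::1513993480::845C5AF9215BDE349F97DB024D506AE729A36DC8::"
    "Dominic Ricottone (does anyone see this?)::::::::::0:\n"
    "sub:u:2048:1:BC8D5D2D234809BA:1609372800::::::e::::::23:\n"
    "fpr:::::::::E172BF957B81824D95B0E765BC8D5D2D234809BA:\n"
)
VALIDITY = {"u": "ultimate", "f": "full", "m": "marginal", "-": "unknown",
            "r": "revoked", "e": "expired"}
COMPLIANCE = {"8": "rfc4880bis", "23": "de-vs", "6001": "ROCA-screening-hit"}


def unquote_c(s):
    """Undo gpg's C-style \\xHH escaping of ':' and non-printables, byte-wise."""
    raw = re.sub(rb"\\x([0-9a-fA-F]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), s.encode("utf-8"))
    return raw.decode("utf-8", "replace")


def parse_colons(text):
    """Group a --with-colons listing into primary keys with their uids/subkeys.
    An fpr line belongs to the pub/sub just before it; uid lines to the primary."""
    keys, last = [], None
    for line in text.splitlines():
        f = line.split(":") + [""] * 21          # pad short records (e.g. tru)
        if f[0] in ("pub", "sub"):
            last = {"keyid": f[4], "validity": VALIDITY.get(f[1], f[1]),
                    "algo": f[3], "length": int(f[2]), "created": int(f[5]),
                    "expires": int(f[6]) if f[6] else None, "caps": f[11],
                    "compliance": {COMPLIANCE.get(c, c) for c in f[17].split()},
                    "fingerprint": "", "uids": [], "subkeys": []}
            (keys if f[0] == "pub" else keys[-1]["subkeys"]).append(last)
        elif f[0] == "fpr" and last:
            last["fingerprint"] = f[9]
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append((VALIDITY.get(f[1], f[1]), unquote_c(f[9])))
    return keys


def problems(key):
    """Conditions a keyring check should act on, per the field meanings in this section."""
    issues = []
    for k in [key] + key["subkeys"]:
        if k["validity"] in ("revoked", "expired"):
            issues.append(f"{k['keyid']}: {k['validity']}")
        if "ROCA-screening-hit" in k["compliance"]:
            issues.append(f"{k['keyid']}: ROCA screening hit")
    return issues
```

Feed it real output with `parse_colons(subprocess.run(["gpg2", "--list-keys", "--with-colons"], capture_output=True, text=True).stdout)`; the `tru` record is skipped because it describes the trust database rather than a key.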
{{{
tru::1:1661040534:0:3:1:5
pub:u:2048:1:5E2AEDAC7A605FF0:1609372800:::u:::scESC::::::23::0:
fpr:::::::::CBD17F206CE430EC21BDD1DC5E2AEDAC7A605FF0:
uid:u::::1513993480::845C5AF9215BDE349F97DB024D506AE729A36DC8::Dominic Ricottone (does anyone see this?)::::::::::0:
sub:u:2048:1:BC8D5D2D234809BA:1609372800::::::e::::::23:
fpr:::::::::E172BF957B81824D95B0E765BC8D5D2D234809BA:
}}}

'''`tru`''' records are about the trust database.

 * second field flags expired databases
  * blank means ''not expired''
  * `o` means ''expired''
 * third field is the trust model number
  * should be `1`
  * if not `1`, the second field should show `t` to flag the incompatible trust model
 * fourth field is database creation date
 * fifth field is database expiry date
 * sixth field is number of marginally-trusted users required to add a new key
 * seventh field is number of completely-trusted users required to add a new key
 * eighth field is maximum depth of certification chains

'''`pub`''' records are about public keys.

 * second field flags validity
  * `u` means ''ultimate'' trust; typically a secret key is available
  * `m` means ''marginal'' trust
  * `f` means ''full'' or ''complete'' trust
  * `-` means the trust level is unknown; typically the key was imported without being signed by ''any'' marginally- or completely-trusted users
  * `r` means ''revoked''
  * `e` means ''expired''
 * third field is the key length
 * fourth field is the key algorithm number
  * `1` means RSA
 * fifth field is the key ID
 * sixth field is key creation date
 * seventh field is key expiry date
 * ninth field is ownertrust, essentially a simplification of the second field
  * `u` means ''ultimate'' trust
  * `m` means ''marginal'' trust
  * `f` means ''full'' or ''complete'' trust
  * `-` means the trust level is unknown
 * twelfth field is capabilities
  * `e` means ''encryption''
  * `s` means ''signing''
  * `c` means ''certification''
  * `a` means ''authentication''
  * uppercase letters indicate that the primary key does not have this capability, but a subkey does
 * seventeenth field is the ECC curve name
 * eighteenth field is asserted compliance modes and screening results
  * `8` means ''compliant with RFC4880bis''
  * `23` means ''compliant with compliance mode `de-vs`''
  * `6001` means ''screening hit on the ROCA vulnerability''
 * nineteenth field is last update date
 * twentieth field is origin
  * blank means unknown origin
  * any integer means a C-quoted string for the origin follows in the field

'''`sub`''' records are about public subkeys. These fields mirror the `pub` records.

'''`uid`''' records are about user IDs.

 * second field flags validity
  * `u` means ''ultimate'' trust; typically a secret key is available
  * `m` means ''marginal'' trust
  * `f` means ''full'' or ''complete'' trust
  * `-` means the trust level is unknown; typically the key was imported without being signed by ''any'' marginally- or completely-trusted users
  * `r` means ''revoked''
  * `e` means ''expired''
 * sixth field is self-signature date
 * eighth field is the user ID hash
 * tenth field is a C-quoted string for the user ID itself
 * nineteenth field is last update date
 * twentieth field is an integer optionally followed by a space and a C-quoted string for the origin URL

'''`fpr`''' records are about key fingerprints, stored in field 10.

=== Migrate Keys ===

To migrate keys from one host to another, try:

{{{
# on host A
gpg --export KEYID >pgp.pubkey
gpg --export-secret-keys KEYID >pgp.key

# on host B
gpg --import pgp.key
gpg --import pgp.pubkey
}}}

=== Export Keys ===

To export a private or public key as an ASCII file, try:

{{{
gpg --armor --export-options export-minimal --export KEYID >pgp.pubkey
gpg --armor --export-secret-key KEYID >pgp.key
}}}

=== Update or Remove Password ===

Running `gpg --edit-key KEYID` starts a GPG REPL. To manage the password, enter the `passwd` command. The user is then prompted for the old and new passwords.

To ''remove'' a password from a private key, use the same `passwd` command.
Try:

 * enter current password
 * leave new password blank
 * read and agree to security warnings

----

== See also ==

[[https://man.archlinux.org/man/gpg.1|gpg(1)]]

[[Encryption/PGP|PGP]]

----

CategoryRicottone