GPG
GNU Privacy Guard (GPG) is an implementation of the PGP protocol.
The primary utility is gpg2(1).
Installation
All Linux and BSD distributions offer a gpg(1) package.
Some only offer gpg2(1) and have made the two synonymous. The package is likely still named gpg. Others offer both, in which case the gpg2 package should be preferred.
Configuration
The various component programs of GPG look for configuration files in ~/.gnupg or, if set, in $GNUPGHOME.
GPG Agent
gpg-agent(1) manages keys for the user. It is configured with $GNUPGHOME/gpg-agent.conf.
For example, the program that prompts a user for a password is configured with:
pinentry-program /var/bin/pinentry-tty
On a headless system, this is often set to /var/bin/pinentry-ncurses instead.
To force reload gpg-agent(1), try gpg-connect-agent reloadagent /bye.
Usage
List Keys
To list public and private keys, use the --list-keys and --list-secret-keys options, respectively.
Note that the output will differ between versions.
Compare the output of gpg(1):
pub   2048R/7A605FF0 2020-12-31
uid                  Your Name (Optional Comment) <[email protected]>
sub   2048R/7A605FF0 2020-12-31
To the output of gpg2(1), which is based on Libgcrypt:
pub   rsa2048 2020-12-31 [SC]
      CBD17F206CE430EC21BDD1DC5E2AEDAC7A605FF0
uid           [ultimate] Your Name (Optional Comment) <[email protected]>
sub   rsa2048 2020-12-31 [E]
There are additional options that get gpg2(1) output closer to that of gpg(1).
First, note that sub-key fingerprints are hidden. Use the --with-subkey-fingerprint option to show this.
Second, note that long keys are shown by default. To show short keys, use the --keyid-format short option.
Parsing Key Listings
Use gpg2 --list-keys --with-colons to produce a listing that is parseable.
tru::1:1661040534:0:3:1:5
pub:u:2048:1:5E2AEDAC7A605FF0:1609372800:::u:::scESC::::::23::0:
fpr:::::::::CBD17F206CE430EC21BDD1DC5E2AEDAC7A605FF0:
uid:u::::1513993480::845C5AF9215BDE349F97DB024D506AE729A36DC8::Dominic Ricottone (does anyone see this?) <[email protected]>::::::::::0:
sub:u:2048:1:BC8D5D2D234809BA:1609372800::::::e::::::23:
fpr:::::::::E172BF957B81824D95B0E765BC8D5D2D234809BA:
tru records are about the trust database.
- second field flags expired databases
    blank means not expired
    o means expired
- third field is the trust model number
    should be 1
    if not 1, the second field should show t to flag the incompatible trust model
- fourth field is database creation date
- fifth field is database expiry date
- sixth field is number of marginally-trusted users required to add a new key
- seventh field is number of completely-trusted users required to add a new key
- eighth field is maximum depth of certification chains
pub records are about public keys.
- second field flags validity
    u means ultimate trust; typically a secret key is available
    m means marginal trust
    f means full or complete trust
    - (a hyphen) means the trust level is unknown; typically the key was imported without being signed by any marginally- or completely-trusted users
    r means revoked
    e means expired
- third field is the key length
- fourth field is the key algorithm number
    1 means RSA
- fifth field is the key ID
- sixth field is key creation date
- seventh field is key expiry date
- ninth field is ownertrust, essentially a simplification of the second field
    u means ultimate trust
    m means marginal trust
    f means full or complete trust
    - (a hyphen) means the trust level is unknown
- twelfth field is capabilities
    e means encryption
    s means signing
    c means certification
    a means authentication
    uppercase letters indicate that the primary key does not have this capability, but a subkey does
- seventeenth field is the ECC curve name
- eighteenth field is asserted compliance modes and screening results
    8 means compliant with RFC4880bis
    23 means compliant with compliance mode de-vs
    6001 means screening hit on the ROCA vulnerability
- nineteenth field is last update date
- twentieth field is origin
    blank means unknown origin
    any integer means a C-quoted string for the origin follows in the field
sub records are about public subkeys. These fields mirror the pub records.
uid records are about user IDs.
- second field flags validity
    u means ultimate trust; typically a secret key is available
    m means marginal trust
    f means full or complete trust
    - (a hyphen) means the trust level is unknown; typically the key was imported without being signed by any marginally- or completely-trusted users
    r means revoked
    e means expired
- sixth field is self-signature date
- eighth field is the user ID hash
- tenth field is a C-quoted string for the user ID itself
- nineteenth field is last update date
- twentieth field is an integer optionally followed by a space and a C-quoted string for the origin URL
fpr records are about key fingerprints, stored in field 10.
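As an added example (not from this page or from GnuPG), a parser for the listing format described above: it attaches fpr, uid and sub records to their pub record, undoes the C-quoting of field 10, and flags the keys a key-hygiene check would care about (expired or revoked validity, RSA shorter than 2048 bits, a 6001 ROCA screening result). The sample listing is constructed: the key IDs and fingerprints are the page's, the e-mail addresses are placeholders, and the second key is invented to exercise the checks.

```python
import re
# Constructed sample modeled on the page's --with-colons listing; the second key is invented
SAMPLE = r"""
tru::1:1661040534:0:3:1:5
pub:u:2048:1:5E2AEDAC7A605FF0:1609372800:::u:::scESC::::::23::0:
fpr:::::::::CBD17F206CE430EC21BDD1DC5E2AEDAC7A605FF0:
uid:u::::1513993480::845C5AF9215BDE349F97DB024D506AE729A36DC8::Dominic Ricottone (does anyone see this?) <user@example.invalid>::::::::::0:
sub:u:2048:1:BC8D5D2D234809BA:1609372800::::::e::::::23:
fpr:::::::::E172BF957B81824D95B0E765BC8D5D2D234809BA:
pub:e:1024:1:0000000000000001:1262304000:1577836800::-:::scESC::::::6001::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:e::::1262304000::0000000000000000000000000000000000000002::Old Key\x3a test <old@example.invalid>::::::::::0:
"""
def c_unquote(field):  # undo GPG's C-quoting: ':' and control bytes appear as \xNN
    raw = re.sub(rb"\\x([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), field.encode())
    return raw.decode("utf-8", "replace")

def key_record(f):  # f is the colon-split record; f[n-1] is field n as numbered above
    return {"validity": f[1], "bits": int(f[2]), "algo": f[3], "keyid": f[4],
            "expires": f[6], "caps": f[11], "compliance": f[17].split(),
            "fpr": None}

def parse_listing(text):
    # One dict per pub record, with its fpr, uid and sub records attached
    keys, last = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            last = dict(key_record(f), uids=[], subs=[])
            keys.append(last)
        elif f[0] == "sub":
            last = key_record(f)
            keys[-1]["subs"].append(last)
        elif f[0] == "fpr" and last is not None:
            last["fpr"] = f[9]                     # field 10 of the fpr record
        elif f[0] == "uid":
            keys[-1]["uids"].append({"validity": f[1], "uid": c_unquote(f[9])})
    return keys

def audit(keys):
    # (keyid, reason) pairs a hygiene check should flag, subkeys included
    findings = []
    for k in keys:
        for rec in [k] + k["subs"]:
            reasons = ({"e": "expired", "r": "revoked"}.get(rec["validity"]),
                       "RSA shorter than 2048 bits" if rec["algo"] == "1" and rec["bits"] < 2048 else None,
                       "ROCA screening hit" if "6001" in rec["compliance"] else None)
            findings += [(rec["keyid"], r) for r in reasons if r]
    return findings
```

Feed it real output with `parse_listing(subprocess.run(["gpg2", "--list-keys", "--with-colons"], capture_output=True, text=True).stdout)`; the 6001 flag only appears when the installed GPG performs ROCA screening.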
Migrate Keys
To migrate keys from one host to another, try:
# on host A
gpg --export KEYID >pgp.pubkey
gpg --export-secret-keys KEYID >pgp.key

# on host B
gpg --import pgp.key
gpg --import pgp.pubkey
Export Keys
To export a private or public key as an ASCII file, try:
gpg --armor --export-options export-minimal --export KEYID >pgp.pubkey
gpg --armor --export-secret-key KEYID >pgp.key
Update or Remove Password
Running gpg --edit-key KEYID starts a GPG REPL. To manage the password, enter the passwd command. The user is then prompted for the old and new passwords.
To remove a password from a private key, use L. Try:
- enter current password
- leave new password blank
- read and agree to security warnings