61 lines
1.5 KiB
Markdown
61 lines
1.5 KiB
Markdown
|
---
|
||
|
creation date: 2022-01-12
|
||
|
tags: [note,linux,gpg,pgp]
|
||
|
---
|
||
|
|
||
|
# GPG
|
||
|
|
||
|
## Creation
|
||
|
**Really, set up an expiration date, otherwise you'll end up with non-revokable keys!**
|
||
|
|
||
|
Or you do need the `revoke@example` trick which is ugly and not really revoking a key.
|
||
|
|
||
|
Generate at least 3072 bit key with an expiration date, e.g. with Seahorse or `gpg` command line tool.
|
||
|
|
||
|
## Distribution
|
||
|
|
||
|
* Use https://keys.openpgp.org (`hkps://keys.openpgp.org`) because of address validation
|
||
|
* SKS Pool is widely used (`hkp://eu.pool.sks-keyservers.net`) and pool syncs automatically
|
||
|
* https://pgp.mit.edu slow but has a lot of keys
|
||
|
|
||
|
## gpg.conf
|
||
|
|
||
|
```
|
||
|
keyserver hkp://keys.gnupg.net
|
||
|
keyserver hkps://keys.openpgp.org
|
||
|
keyserver hkp://pool.sks-keyservers.net:11371
|
||
|
keyserver hkp://pgp.mit.edu:11371
|
||
|
```
|
||
|
|
||
|
## Seahorse for GNOME
|
||
|
|
||
|
Search and edit with dconf `.../keyserver`:
|
||
|
|
||
|
```
|
||
|
['hkp://keys.gnupg.net', 'hkps://keys.openpgp.org', 'hkp://pool.sks-keyservers.net:11371', 'hkp://pgp.mit.edu:11371']
|
||
|
```
|
||
|
|
||
|
## Export/Revoke
|
||
|
|
||
|
```
|
||
|
export MY_GPG_ID=theID
|
||
|
gpg --armor --output public-key.gpg --export $MY_GPG_ID
|
||
|
gpg --armor --output private-key.gpg --export-secret-keys $MY_GPG_ID
|
||
|
gpg --output revocation-certificate.asc --gen-revoke $MY_GPG_ID
|
||
|
|
||
|
# optionally revoke with generated cert
|
||
|
# - import public key first
|
||
|
# - revoke
|
||
|
# - sync with keyserver of your choice
|
||
|
|
||
|
# gpg --import public-key.gpg
|
||
|
gpg --import revocation-certificate.asc
|
||
|
```
|
||
|
|
||
|
## pinentry
|
||
|
|
||
|
Edit your `gpg-agent.conf` and for a modernized look of pinentry add
|
||
|
|
||
|
```shell
|
||
|
pinentry-program /usr/bin/pinentry-gnome3
|
||
|
```
|