--- creation date: 2022-01-12 tags: [note,linux,gpg,pgp] --- ## Creation **Really, set up an expiration date, otherwise you'll end up with non-revokable keys!** Or you do need the `revoke@example` trick which is ugly and not really revoking a key. Generate at least 3072 bit key with an expiration date, e.g. with Seahorse or `gpg` command line tool. ## Distribution * Use https://keys.openpgp.org (`hkps://keys.openpgp.org`) because of address validation * SKS Pool is widely used (`hkp://eu.pool.sks-keyservers.net`) and pool syncs automatically * https://pgp.mit.edu slow but has a lot of keys ## gpg.conf ```shell keyserver hkp://keys.gnupg.net keyserver hkps://keys.openpgp.org keyserver hkp://pool.sks-keyservers.net:11371 keyserver hkp://pgp.mit.edu:11371 ``` ## Seahorse for GNOME Search and edit with dconf `/desktop/gnome/crypto/pgp/keyservers`: ```shell ['hkp://keys.gnupg.net', 'hkps://keys.openpgp.org', 'hkp://pool.sks-keyservers.net:11371', 'hkp://pgp.mit.edu:11371'] ``` ## Export/Revoke ```shell export MY_GPG_ID=theID gpg --armor --output public-key.gpg --export $MY_GPG_ID gpg --armor --output private-key.gpg --export-secret-keys $MY_GPG_ID gpg --output revocation-certificate.asc --gen-revoke $MY_GPG_ID # optionally revoke with generated cert # - import public key first # - revoke # - sync with keyserver of your choice # gpg --import public-key.gpg gpg --import revocation-certificate.asc ``` ## pinentry Edit your `gpg-agent.conf` and for a modernized look of pinentry add ```shell pinentry-program /usr/bin/pinentry-gnome3 ```