# GPG

List

```
gpg --list-keys
gpg --list-secret-keys
```

Change Passphrase

```
gpg --edit-key felix
gpg> passwd
gpg> save
```

GPG for SSH

https://linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/

Encrypt and Decrypt a File

```
echo hi > message.txt
gpg -er felix@felixhummel.de message.txt
gpg -d message.txt.gpg > hi_again
```

Export a Key

```
gpg --armor --export felix@felixhummel.de > felix@felixhummel.de.asc
```

## Importing and Signing

Import a key

```
gpg --import key.asc
```

Sign a key

```
gpg --sign-key alice@example.com
```

Test

```
echo "Hi Alice!" | gpg -aer alice@example.com > x.txt.asc
```

## Keyservers and OpenKeychain

Share key with [OpenKeychain](https://www.openkeychain.org/)

```
gpg --list-keys
fingerprint=$(gpg --list-keys --with-colons felix | grep ^fpr | head -1 | cut -d: -f10)
# e.g. EC34AC4BAE402D3805141363121006BF375F1AB6

# send to keyserver
gpg --keyserver keys.openpgp.org --send-keys "$fingerprint"

echo -n "openpgp4fpr:$fingerprint" | qrencode -o /tmp/qr.png
display -filter box -resize 300x300 /tmp/qr.png
```

Note: the keyserver.ubuntu.com web interface wants a `0x` prefix in search.

Export OpenKeychain key:

- select key
- advanced
- share

Read fingerprint from OpenKeychain

```
sudo apt-get install -y zbar-tools
zbarcam
# scan QR, check STDOUT
```

Export local fingerprint as QR using [2qr][]:

```
echo -n openpgp4fpr:EC34AC4BAE402D3805141363121006BF375F1AB6 | 2qr
```

[2qr]: https://raw.githubusercontent.com/felixhummel/bin/master/2qr

Note the `-n` to skip the line break.
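
The fingerprint steps above as checkable functions (an added example, not part of the original notes): take the primary key's fingerprint from `--with-colons` output, refuse anything that is not a full 40-hex-digit fingerprint before it goes into a QR code, and compare a scanned code with the local value. The function names and the sample records are made up for illustration; `scan_matches` assumes zbarcam's default `QR-Code:` output prefix.

```shell
# Constructed sample of `gpg --list-keys --with-colons` output (subkey
# fingerprint and dates are made up). Field 10 of an fpr record is the fingerprint.
SAMPLE='pub:u:4096:1:121006BF375F1AB6:1500000000:::u:::scESC:
fpr:::::::::EC34AC4BAE402D3805141363121006BF375F1AB6:
uid:u::::1500000000::::Felix (constructed uid):
sub:u:4096:1:0123456789ABCDEF:1500000000::::::e:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:'

# Fingerprint of the first primary key: the fpr record right after the first
# pub record. Subkey fpr records (after sub) are never returned.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; exit }
             { want = 0 }'
}

# Strip spaces, upper-case, and accept only 40 hex digits (a v4 fingerprint).
# Short key IDs and stray text fail here.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F')
    case "$f" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s' "$f"
}

# Build the URI that the notes pipe into qrencode / 2qr (no trailing newline).
fpr_uri() {
    f=$(normalize_fpr "$1") || return 1
    printf 'openpgp4fpr:%s' "$f"
}

# $1: one line of zbarcam output, $2: fingerprint from the local keyring.
# Returns 0 only if the scanned code carries exactly that fingerprint.
scan_matches() {
    scanned=${1#QR-Code:}
    case "$scanned" in
        openpgp4fpr:*) scanned=${scanned#openpgp4fpr:} ;;
        *) return 1 ;;
    esac
    a=$(normalize_fpr "$scanned") || return 1
    b=$(normalize_fpr "$2") || return 1
    [ "$a" = "$b" ]
}

fp=$(printf '%s\n' "$SAMPLE" | primary_fpr)
fpr_uri "$fp"; echo
```

With a real keyring, feed `gpg --list-keys --with-colons felix` into `primary_fpr` instead of `$SAMPLE`.
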
Trust levels:

- https://security.stackexchange.com/questions/69062/what-is-the-difference-between-full-and-ultimate-trust/69089#69089

Trust another key

```
gpg --edit-key foo
```

## Further Reading

- https://thoughtbot.com/blog/pgp-and-you
- https://www.saminiir.com/establish-cryptographic-identity-using-gnupg/

## ASCII armor

The `--armor` option means "use ASCII armor".

> PGP documentation (RFC 4880) uses the term ASCII armor for binary-to-text encoding when referring to Base64.
>
> -- https://en.wikipedia.org/wiki/Binary-to-text_encoding

## GUI Clients

https://kde.org/applications/en/kleopatra is nice

## SOPS

Usage:

```
export SOPS_PGP_FP="4F8D9633CA819FDE9A454F2D9C1F4906BF00E5BD,9208D75C0F48FA5DCCAAAEA1D872C97EE9418CD3"
sops foo.yml
```

There is also a [vscode plugin](https://github.com/signageos/vscode-sops).