GPG

List Keys

gpg --list-keys
gpg --list-secret-keys

Change Passphrase

gpg --edit-key felix
gpg> passwd
gpg> save

GPG for SSH: https://linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/

Encrypt and Decrypt a File

echo hi > message.txt
gpg -er felix@felixhummel.de message.txt

gpg -d message.txt.gpg > hi_again

Export a Key

gpg --armor --export felix@felixhummel.de > felix@felixhummel.de.asc

Importing and Signing

Import a key

gpg --import key.asc

Sign a key

gpg --sign-key alice@example.com

Test

echo "Hi Alice!" | gpg -aer alice@example.com > x.txt.asc

Keyservers and OpenKeychain

Share key with OpenKeychain

gpg --list-keys
fingerprint=$(gpg --list-keys --with-colons felix | grep ^fpr | head -1 | cut -d: -f10)
# e.g. EC34AC4BAE402D3805141363121006BF375F1AB6
# send to keyserver
gpg --keyserver keys.openpgp.org --send-keys "$fingerprint"
echo -n "openpgp4fpr:$fingerprint" | qrencode -o /tmp/qr.png
display -filter box -resize 300x300 /tmp/qr.png

Note: the keyserver.ubuntu.com web interface wants a 0x prefix in search.
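
Added example, not part of the original notes: `grep ^fpr | head -1` takes whichever fpr record comes first, so when the name matches more than one key the wrong fingerprint can be sent or encoded without any warning. The functions below (the names primary_fpr and fpr_uri are made up for this example) accept only a single matching primary key, skip subkey fingerprints, and are shown with constructed sample listings.

```shell
#!/bin/sh
# Added example: pick the primary-key fingerprint from --with-colons output.
# Real use (assumes qrencode is installed, as in the notes above):
#   gpg --list-keys --with-colons felix | fpr_uri | qrencode -o /tmp/qr.png

# Read a colon-format key listing on stdin, print the one primary fingerprint.
# Exit 2: zero or several primary keys matched. Exit 3: malformed fingerprint.
primary_fpr() {
    awk -F: '
        $1 == "pub" { npub++; want = 1; next }      # primary key record
        $1 == "sub" { want = 0; next }              # skip the subkey fpr
        $1 == "fpr" && want { fpr = $10; want = 0 } # field 10 = fingerprint
        END {
            if (npub != 1) exit 2
            if (fpr !~ /^[0-9A-F]+$/ || length(fpr) != 40) exit 3
            print fpr
        }'
}

# Build the openpgp4fpr: URI without a trailing newline (like echo -n).
fpr_uri() {
    fp=$(primary_fpr) || return 1
    printf 'openpgp4fpr:%s' "$fp"
}

# Constructed sample listings (not real keys): one key with a subkey ...
SAMPLE_ONE='pub:u:4096:1:89ABCDEF01234567:1500000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::::Felix Example <felix@example.org>:
sub:u:4096:1:0123456789ABCDEF:1500000000::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# ... and the same listing with a second key that also matches the name.
SAMPLE_TWO="$SAMPLE_ONE
pub:u:4096:1:76543210FEDCBA98:1600000000:::u:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1600000000::::Other Felix <felix@example.net>:"
```

With an ambiguous name the pipeline stops with a non-zero status instead of producing a QR code for the wrong key; rerun it with the full e-mail address or fingerprint.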

Export OpenKeychain key:

  • select key

  • advanced

  • share

Read fingerprint from OpenKeychain

sudo apt-get install -y zbar-tools
zbarcam  # scan QR, check STDOUT

Export local fingerprint as QR:

echo -n openpgp4fpr:EC34AC4BAE402D3805141363121006BF375F1AB6 | 2qr

Note the -n: it suppresses the trailing newline, which would otherwise become part of the QR payload.

Trust levels:

  • https://security.stackexchange.com/questions/69062/what-is-the-difference-between-full-and-ultimate-trust/69089#69089

Trust another key

gpg --edit-key foo

Further Reading

  • https://thoughtbot.com/blog/pgp-and-you

  • https://www.saminiir.com/establish-cryptographic-identity-using-gnupg/

ASCII armor

The --armor option means “use ASCII armor”.

PGP documentation (RFC 4880) uses the term ASCII armor for binary-to-text encoding when referring to Base64.

– https://en.wikipedia.org/wiki/Binary-to-text_encoding

GUI Clients

https://kde.org/applications/en/kleopatra is nice

SOPS

Usage:

export SOPS_PGP_FP="4F8D9633CA819FDE9A454F2D9C1F4906BF00E5BD,9208D75C0F48FA5DCCAAAEA1D872C97EE9418CD3"
sops foo.yml

There is also a VS Code plugin.