GPG
List
gpg --list-keys
gpg --list-secret-keys
Change Passphrase
gpg --edit-key felix
gpg> passwd
gpg> save
GPG for SSH https://linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/
Encrypt and Decrypt a File
echo hi > message.txt
gpg -er felix@felixhummel.de message.txt
gpg -d message.txt.gpg > hi_again
Export a Key
gpg --armor --export felix@felixhummel.de > felix@felixhummel.de.asc
Importing and Signing
Import a key
gpg --import key.asc
Sign a key
gpg --sign-key alice@example.com
Test
echo "Hi Alice!" | gpg -aer alice@example.com > x.txt.asc
Keyservers and OpenKeychain
Share key with OpenKeychain
gpg --list-keys
fingerprint=$(gpg --list-keys --with-colons felix | grep ^fpr | head -1 | cut -d: -f10)
# e.g. EC34AC4BAE402D3805141363121006BF375F1AB6
# send to keyserver
gpg --keyserver keys.openpgp.org --send-keys $fingerprint
echo -n openpgp4fpr:$fingerprint | qrencode -o /tmp/qr.png
display -filter box -resize 300x300 /tmp/qr.png
Note: the keyserver.ubuntu.com web interface wants a 0x prefix in search.
Export OpenKeychain key:
select key
advanced
share
Read fingerprint from OpenKeychain
sudo apt-get install -y zbar-tools
zbarcam # scan QR, check STDOUT
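The "check STDOUT" step can be made mechanical. The following is an added example, not part of the original notes: it takes the primary fingerprint from a --with-colons listing (as in the pipeline earlier on this page) and compares it with a scanned openpgp4fpr: payload. The function names and the sample listing are constructed for illustration, and it assumes zbarcam prefixes each decoded symbol with QR-Code:.

```shell
# Constructed sample of `gpg --list-keys --with-colons felix` output (not real keyring data).
SAMPLE_COLONS='tru::1:1600000000:0:3:1:5
pub:u:4096:1:121006BF375F1AB6:1500000000:::u:::scESC::::::23::0:
fpr:::::::::EC34AC4BAE402D3805141363121006BF375F1AB6:
uid:u::::1500000000::::felix <felix@felixhummel.de>::::::::::0:
sub:u:4096:1:1111111111111111:1500000000::::::e::::::23:
fpr:::::::::2222222222222222222222221111111111111111:'

# Print the primary key fingerprint: field 10 of the first fpr record after a pub record.
# Subkey fpr records (after sub) are never reached because awk exits on the first hit.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             $1 == "fpr" && seen { print $10; exit }'
}

# Reduce scanner output to a bare uppercase fingerprint.
# Assumption: zbarcam prints "QR-Code:<data>" for each decoded symbol.
scanned_fpr() {
    printf '%s' "$1" \
        | sed -e 's/^QR-Code://' -e 's/^openpgp4fpr://' \
        | tr -d ' \r\n' | tr 'a-f' 'A-F'
}

# Succeed only if the scan is a full 40-hex-digit fingerprint equal to the local one.
# Short or long key IDs are rejected even when they match the tail of the fingerprint.
fpr_matches() {
    want=$1
    got=$(scanned_fpr "$2")
    case $got in
        ''|*[!0-9A-F]*) return 1 ;;   # empty or contains non-hex characters
    esac
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Demo on the constructed sample. With a real keyring, feed gpg's output instead:
#   fpr=$(gpg --list-keys --with-colons alice@example.com | primary_fpr)
local_fpr=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fpr)
if fpr_matches "$local_fpr" "QR-Code:openpgp4fpr:ec34ac4bae402d3805141363121006bf375f1ab6"; then
    echo "match: $local_fpr"
else
    echo "MISMATCH: do not sign this key" >&2
fi
```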
Export local fingerprint as QR using 2qr:
echo -n openpgp4fpr:EC34AC4BAE402D3805141363121006BF375F1AB6 | 2qr
Note the -n to skip the line break.
Trust levels:
Trust another key
gpg --edit-key foo
Further Reading
ASCII armor
The --armor option means “use ASCII armor”.
PGP documentation (RFC 4880) uses the term ASCII armor for binary-to-text encoding when referring to Base64.
GUI Clients
SOPS
Usage:
export SOPS_PGP_FP="4F8D9633CA819FDE9A454F2D9C1F4906BF00E5BD,9208D75C0F48FA5DCCAAAEA1D872C97EE9418CD3"
sops foo.yml
There is also a vscode plugin.