add gpg import keys, delete keys, sign, and encrypt files

2025-10-20 17:25:26 -04:00
parent 487e03c0bd
commit 3fed164193
1 changed files with 87 additions and 3 deletions
--- a/active/software_gpg/gpg.md
+++ b/active/software_gpg/gpg.md
@@ -2,11 +2,15 @@

 - [GPG](#gpg)
  - [Searching for GPG Keys](#searching-for-gpg-keys)
+  - [Importing GPG Keys](#importing-gpg-keys)
  - [Generate GPG Keys](#generate-gpg-keys)
  - [Renewing GPG Keys](#renewing-gpg-keys)
  - [Export GPG Keys](#export-gpg-keys)
  - [GPG Key Servers](#gpg-key-servers)
+  - [Delete GPG Keys](#delete-gpg-keys)
  - [Using GPG keys](#using-gpg-keys)
+    - [Signing Files](#signing-files)
+    - [Encrypting Files](#encrypting-files)
  - [Linux Apps](#linux-apps)
    - [Evolution Email](#evolution-email)
  - [Android Apps](#android-apps)
@@ -23,6 +27,25 @@ I publish all my keys to <https://keys.openpgp.org>
 gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys <email>
 ```

+## Importing GPG Keys
+
+```bash
+# First, locate a key
+gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys git@ducoterra.net
+
+# Or import a key file
+gpg --import keys/git_ducoterra_net.pub
+
+# Sign the key with your own if you trust it
+gpg -u 7FC1B29700114F4FC589E7065FDDCFA544D77B8C --sign-key git@ducoterra.net
+
+# Then set the trust of the key
+# full == I trust other keys signed by this key
+# undefined == I'm choosing to defer to later
+# never == I don't trust this key
+gpg --quick-set-ownertrust git@ducoterra.net full
+```
+
 ## Generate GPG Keys

 ```bash
@@ -57,10 +80,10 @@ gpg --keyserver https://keys.openpgp.org --send-keys <key id>

 ```bash
 # Export your public key in ascii format
-gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub
+gpg -o keys/git-ducoterra-net.gpg --export -a 'git@ducoterra.net'

-# Export your private key
-gpg --export-secret-keys -a 'git@ducoterra.net' > git_ducoterra_net.key
+# Export your private key (careful with this one)
+gpg -o git-ducoterra-net.key --export-secret-keys -a 'git@ducoterra.net'
 ```

 ## GPG Key Servers
@@ -88,8 +111,69 @@ gpg --show-key keys/git_ducoterra_net.pub
 gpg --keyserver https://keys.openpgp.org --send-keys <key id>
 ```

+## Delete GPG Keys
+
+```bash
+# Delete a public key
+gpg --delete-keys <email>
+
+# Delete a secret key
+# Note, you'll also need to delete the public key after this command
+gpg --delete-secret-keys <email>
+```
+
 ## Using GPG keys

+### Signing Files
+
+```bash
+# -s --sign
+# -a --armor
+# -u --local-user
+# -e --encrypt
+# -b --detach-sign
+# -o --output
+
+# Sign a file and compress it. Output will be binary
+gpg -u 7FC1B29700114F4FC589E7065FDDCFA544D77B8C -o README.sig -s README.md
+
+# Decompress and verify the signed file
+gpg --output README.md --decrypt README.sig
+
+# Sign a file without compressing it. Useful for serving/sending signed documents without requiring decompression
+gpg -u 7FC1B29700114F4FC589E7065FDDCFA544D77B8C --clearsign -s -a README.md
+
+# Verify the document (ignore the WARNING about detached signature)
+gpg --verify README.md.asc
+
+# Create a detached signature. The most practical option since you don't need to modify the original file.
+gpg -u 7FC1B29700114F4FC589E7065FDDCFA544D77B8C -o README.md.sig -b README.md
+
+# Verify the detached signature
+gpg --verify README.md.sig README.md
+```
+
+### Encrypting Files
+
+```bash
+# -s --sign
+# -a --armor
+# -u --local-user
+# -e --encrypt
+
+# Encrypt a file with someone's public key
+gpg -o README.md.gpg -e --recipient git@ducoterra.net README.md
+
+# Decrypt the file if you have the private key
+gpg -o README.md --decrypt README.md.gpg
+
+# Encrypt with a password
+gpg -o README.md.gpg --symmetric README.md
+
+# Decrypt with a password
+gpg --decrypt README.md.gpg
+```
+
 ## Linux Apps

 ### Evolution Email