From 3fed164193c3a60a0564b27b423444c79e4dc2a7 Mon Sep 17 00:00:00 2001 From: ducoterra Date: Mon, 20 Oct 2025 17:25:26 -0400 Subject: [PATCH] add gpg import keys, delete keys, sign, and encrypt files --- active/software_gpg/gpg.md | 90 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 87 insertions(+), 3 deletions(-) diff --git a/active/software_gpg/gpg.md b/active/software_gpg/gpg.md index 0fcd6e6..4e56141 100644 --- a/active/software_gpg/gpg.md +++ b/active/software_gpg/gpg.md @@ -2,11 +2,15 @@ - [GPG](#gpg) - [Searching for GPG Keys](#searching-for-gpg-keys) + - [Importing GPG Keys](#importing-gpg-keys) - [Generate GPG Keys](#generate-gpg-keys) - [Renewing GPG Keys](#renewing-gpg-keys) - [Export GPG Keys](#export-gpg-keys) - [GPG Key Servers](#gpg-key-servers) + - [Delete GPG Keys](#delete-gpg-keys) - [Using GPG keys](#using-gpg-keys) + - [Signing Files](#signing-files) + - [Encrypting Files](#encrypting-files) - [Linux Apps](#linux-apps) - [Evolution Email](#evolution-email) - [Android Apps](#android-apps) @@ -23,6 +27,25 @@ I publish all my keys to gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys ``` +## Importing GPG Keys + +```bash +# First, locate a key +gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys git@ducoterra.net + +# Or import a key file +gpg --import keys/git_ducoterra_net.pub + +# Sign the key with your own if you trust it +gpg -u 7FC1B29700114F4FC589E7065FDDCFA544D77B8C --sign-key git@ducoterra.net + +# Then set the trust of the key +# full == I trust other keys signed by this key +# undefined == I'm choosing to defer to later +# never == I don't trust this key +gpg --quick-set-ownertrust git@ducoterra.net full +``` + ## Generate GPG Keys ```bash @@ -57,10 +80,10 @@ gpg --keyserver https://keys.openpgp.org --send-keys ```bash # Export your public key in ascii format -gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub +gpg -o keys/git-ducoterra-net.gpg --export -a 'git@ducoterra.net' -# Export your private key -gpg --export-secret-keys -a 'git@ducoterra.net' > git_ducoterra_net.key +# Export your private key (careful with this one) +gpg -o git-ducoterra-net.key --export-secret-keys -a 'git@ducoterra.net' ``` ## GPG Key Servers @@ -88,8 +111,69 @@ gpg --show-key keys/git_ducoterra_net.pub gpg --keyserver https://keys.openpgp.org --send-keys ``` +## Delete GPG Keys + +```bash +# Delete a public key +gpg --delete-keys + +# Delete a secret key +# Note, you'll also need to delete the public key after this command +gpg --delete-secret-keys +``` + ## Using GPG keys +### Signing Files + +```bash +# -s --sign +# -a --armor +# -u --local-user +# -e --encrypt +# -b --detach-sign +# -o --output + +# Sign a file and compress it. Output will be binary +gpg -u 7FC1B29700114F4FC589E7065FDDCFA544D77B8C -o README.sig -s README.md + +# Decompress and verify the signed file +gpg --output README.md --decrypt README.sig + +# Sign a file without compressing it. Useful for serving/sending signed documents without requiring decompression +gpg -u 7FC1B29700114F4FC589E7065FDDCFA544D77B8C --clearsign -s -a README.md + +# Verify the document (ignore the WARNING about detached signature) +gpg --verify README.md.asc + +# Create a detached signature. The most practical option since you don't need to modify the original file. +gpg -u 7FC1B29700114F4FC589E7065FDDCFA544D77B8C -o README.md.sig -b README.md + +# Verify the detached signature +gpg --verify README.md.sig README.md +``` + +### Encrypting Files + +```bash +# -s --sign +# -a --armor +# -u --local-user +# -e --encrypt + +# Encrypt a file with someone's public key +gpg -o README.md.gpg -e --recipient git@ducoterra.net README.md + +# Decrypt the file if you have the private key +gpg -o README.md --decrypt README.md.gpg + +# Encrypt with a password +gpg -o README.md.gpg --symmetric README.md + +# Decrypt with a password +gpg --decrypt README.md.gpg +``` + ## Linux Apps ### Evolution Email