From cf0a7373d496bb807c7722a2ea1a2f66b88a1aac Mon Sep 17 00:00:00 2001 From: ducoterra Date: Mon, 20 Oct 2025 12:18:49 -0400 Subject: [PATCH] move pgp to gpg and add export and expiration notes --- active/security_pgp/pgp.md | 103 -------------------------------- active/software_gpg/gpg.md | 119 +++++++++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+), 103 deletions(-) delete mode 100644 active/security_pgp/pgp.md create mode 100644 active/software_gpg/gpg.md diff --git a/active/security_pgp/pgp.md b/active/security_pgp/pgp.md deleted file mode 100644 index 8d73528..0000000 --- a/active/security_pgp/pgp.md +++ /dev/null 
@@ -1,103 +0,0 @@ -# PGP - -- [PGP](#pgp) - - [Searching for Keys](#searching-for-keys) - - [GPG](#gpg) - - [Generate with GPG](#generate-with-gpg) - - [GPG Key Servers](#gpg-key-servers) - - [Fedora KDE](#fedora-kde) - - [Seahorse](#seahorse) - - [Evolution Email](#evolution-email) - - [Android](#android) - - [OpenKeychain](#openkeychain) - - [Fair Email](#fair-email) - -## Searching for Keys - -I publish all my keys to - -## GPG - -### Generate with GPG - -```bash -# Make sure you have pinentry installed -dnf install pinentry - -# Generate the key. The defaults should be good enough. -gpg --full-generate-key - -# Verify your key was created -gpg --list-keys -``` - -### GPG Key Servers - -Edit `~/.gnupg/gpg.conf` and add `keyserver hkps://keys.openpgp.org` - -Sync keys with keyserver using `gpg --refresh-keys` - -Search for a user's key `gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys git@ducoterra.net` - -Export your public key with `gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub` - -Inspect a public key with `gpg --show-key keys/git_ducoterra_net.pub` - -You can upload a key with `gpg --keyserver https://keys.openpgp.org --send-keys -7FC1B2970...` but the email won't be associated with it. Use the [upload -page](https://keys.openpgp.org/upload) and upload the key file generated above -instaed. You'll need to verify your email after upload for it to be searchable. - -## Fedora KDE - -### Seahorse - -Taken from - - 1. Launch Seahorse. It should be installed by default. - 2. Select GnuPG keys. - 3. Select the + sign to create a new key. - 4. Select PGP Key. - 5. Enter your email and the name you would like to be associated with the - key. This doesn’t need to be your real name. - 6. Select advanced options. - 7. Encryption type should be RSA. - 8. Key strength should be 3072. - 9. Expiration date should be within less then two years. 
You can always - extend the key expiration as long as you still have access to the key, - even after it has expired. Why should I set an expiration -. - 10. Enter a strong password that you can remember. If you forget this - password, it cannot be recovered and any encrypted data you have using it - for, including emails, will be permanently inaccessible. - 11. The computer will now generate the key, which may take some time. After - this, you will have an OpenPGP key pair that is ready to be used—Great! - You can manage the key options, export the public key, change the - password, delete and/or revoke the key, and perform other key adjustments - through the Seahorse user interface or the command line. - 12. Optional: At this point, you can publish your public key to a key server - where people can request it remotely to be able to send encrypted data - and emails to you. Before you continue, please make sure you have - selected a good keyserver. Once you are ready: - 1. Select the Key(s) you want to publish. Hold Ctrl and click to select - more than one, or press Ctrl+A to select all keys. - 2. Navigate to Remote → Sync and Publish Keys… - 3. Press the Key Servers button. - 4. Publish the keys to any keyserver (select one if the “Sync” button was - grayed out in the previous screen); they all synchronize with each - other, so your key will be on each one. - 5. Recommended: Check the Automatically retrieve keys from key servers - but do not check the Automatically synchronize modified keys with key - servers check boxes. Instead, please consider using parcimonie. - 6. Press the Close button and then the Sync button to synchronize your - keys. - -Your public key is now published on the key servers and is accessible to -others! - -### Evolution Email - -## Android - -### OpenKeychain - -### Fair Email \ No newline at end of file diff --git a/active/software_gpg/gpg.md b/active/software_gpg/gpg.md new file mode 100644 index 0000000..0fcd6e6 --- /dev/null 
+++ b/active/software_gpg/gpg.md 
@@ -0,0 +1,119 @@ +# GPG + +- [GPG](#gpg) + - [Searching for GPG Keys](#searching-for-gpg-keys) + - [Generate GPG Keys](#generate-gpg-keys) + - [Renewing GPG Keys](#renewing-gpg-keys) + - [Export GPG Keys](#export-gpg-keys) + - [GPG Key Servers](#gpg-key-servers) + - [Using GPG keys](#using-gpg-keys) + - [Linux Apps](#linux-apps) + - [Evolution Email](#evolution-email) + - [Android Apps](#android-apps) + - [OpenKeychain](#openkeychain) + - [Fair Email](#fair-email) + - [Troubleshooting](#troubleshooting) + +## Searching for GPG Keys + +I publish all my keys to + +```bash +# Search for an arbitrary user's key +gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys +``` + +## Generate GPG Keys + +```bash +# Make sure you have pinentry installed +dnf install pinentry + +# Generate the key. The defaults should be good enough. +gpg --full-generate-key + +# Verify your key was created +gpg --list-secret-keys + +# Edit a key in your keyring +gpg --edit-key +``` + +## Renewing GPG Keys + +You should set an expiration for your keys. 
You can extend that expiration (or +set it on existing keys) with: + +```bash +# Note 2y == "expire 2 years from now" +# You can also set '0' for no expiration or use 'd' days and 'w' for weeks +gpg --quick-set-expire 2y + +# Don't forget to republish your keys with new expirations +gpg --keyserver https://keys.openpgp.org --send-keys +``` + +## Export GPG Keys + +```bash +# Export your public key in ascii format +gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub + +# Export your private key +gpg --export-secret-keys -a 'git@ducoterra.net' > git_ducoterra_net.key +``` + +## GPG Key Servers + +Edit `~/.gnupg/gpg.conf` and add `keyserver hkps://keys.openpgp.org` + +```bash +# Sync keys with keyserver +gpg --refresh-keys + +# Search for a user's key +gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys git@ducoterra.net + +# Export your public key +gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub + +# Inspect a public key with +gpg --show-key keys/git_ducoterra_net.pub + +# Upload a key to a keyserver +# NOTE: if you upload your key to keys.openpgp.org with this command, the email +# won't be searchable. You'll need to Use the upload page +# (https://keys.openpgp.org/upload) and upload the key file generated above +# instaed. You'll need to verify your email after upload for it to be searchable. +gpg --keyserver https://keys.openpgp.org --send-keys +``` + +## Using GPG keys + +## Linux Apps + +### Evolution Email + +1. Edit -> Preferences -> Double click the account with a GPG key -> Security -> +OpenPGP Key ID +2. Always sign outgoing messages +3. Advanced Options -> Always trust keys in my keyring when encrypting + +## Android Apps + +### OpenKeychain + +### Fair Email + +## Troubleshooting + +"error receiving key from agent: No such file or directory - skipped" + +"error obtaining lock... process is in use by..." + +In general, the easiest way to fix gpg problems is by killing and restarting the agent. 
+ +```bash +gpgconf --kill gpg-agent +gpgconf --reload gpg-agent +``` \ No newline at end of file
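Review bot: the Seahorse walkthrough under `## Fedora KDE` in the deleted `pgp.md` (RSA/3072 choice, the under-two-year expiration advice, the parcimonie recommendation for keyserver sync) is dropped here and does not reappear anywhere in the new `gpg.md`, even though the subject line says "move"; either carry it over under `## Linux Apps` or say in the commit message that it was intentionally removed. The `I publish all my keys to` line also appears to have no URL in the deleted file, and the same line is carried over as-is, so the link is worth checking as part of the move.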
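Review bot: in the new `gpg.md`, `gpg --quick-set-expire 2y` under `## Renewing GPG Keys` is missing the key fingerprint, which `--quick-set-expire` takes as its first argument (`gpg --quick-set-expire <fingerprint> 2y`); the `--locate-keys`, `--edit-key` and `--send-keys` lines likewise end without a key id or email placeholder, so anyone copying them verbatim gets a usage error. Three smaller points: `gpg --export-secret-keys -a 'git@ducoterra.net' > git_ducoterra_net.key` writes the armored private key into the current directory, so a one-line reminder next to it to keep that file out of the repository and owner-readable only (`chmod 600`) would fit the "export notes" the subject promises; the public-key export is now duplicated in `## Export GPG Keys` and `## GPG Key Servers`; and `gpg.conf` is told `hkps://keys.openpgp.org` while both `--send-keys` lines use `https://keys.openpgp.org`, so using one scheme throughout avoids confusion. Under `### Evolution Email`, step 3 (`Always trust keys in my keyring when encrypting`) skips the trust check for every key in the keyring, including keys fetched automatically via `--auto-key-locate`, so a note to verify a recipient's fingerprint out of band before enabling it would be appropriate. Typos in the upload comment: `instaed` -> `instead`, `You'll need to Use` -> `use`.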