move pgp to gpg and add export and expiration notes

2025-10-20 12:18:49 -04:00
parent e0adee5362
commit cf0a7373d4
2 changed files with 119 additions and 103 deletions
--- a/active/security_pgp/pgp.md
+++ b/active/security_pgp/pgp.md
@@ -1,103 +0,0 @@
 # PGP
 - [PGP](#pgp)
  - [Searching for Keys](#searching-for-keys)
  - [GPG](#gpg)
    - [Generate with GPG](#generate-with-gpg)
    - [GPG Key Servers](#gpg-key-servers)
  - [Fedora KDE](#fedora-kde)
    - [Seahorse](#seahorse)
    - [Evolution Email](#evolution-email)
  - [Android](#android)
    - [OpenKeychain](#openkeychain)
    - [Fair Email](#fair-email)
 ## Searching for Keys
 I publish all my keys to <https://keys.openpgp.org>
 ## GPG
 ### Generate with GPG
 ```bash
 # Make sure you have pinentry installed
 dnf install pinentry
 # Generate the key. The defaults should be good enough.
 gpg --full-generate-key
 # Verify your key was created
 gpg --list-keys
 ```
 ### GPG Key Servers
 Edit `~/.gnupg/gpg.conf` and add `keyserver hkps://keys.openpgp.org`
 Sync keys with keyserver using `gpg --refresh-keys`
 Search for a user's key `gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys git@ducoterra.net`
 Export your public key with `gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub`
 Inspect a public key with `gpg --show-key keys/git_ducoterra_net.pub`
 You can upload a key with `gpg --keyserver https://keys.openpgp.org --send-keys
 7FC1B2970...` but the email won't be associated with it. Use the [upload
 page](https://keys.openpgp.org/upload) and upload the key file generated above
 instaed. You'll need to verify your email after upload for it to be searchable.
 ## Fedora KDE
 ### Seahorse
 Taken from <https://riseup.net/en/security/message-security/openpgp/gpg-keys>
  1. Launch Seahorse. It should be installed by default.
  2. Select GnuPG keys.
  3. Select the + sign to create a new key.
  4. Select PGP Key.
  5. Enter your email and the name you would like to be associated with the
     key. This doesn’t need to be your real name.
  6. Select advanced options.
  7. Encryption type should be RSA.
  8. Key strength should be 3072.
  9. Expiration date should be within less then two years. You can always
     extend the key expiration as long as you still have access to the key,
     even after it has expired. Why should I set an expiration -.
  10. Enter a strong password that you can remember. If you forget this
      password, it cannot be recovered and any encrypted data you have using it
      for, including emails, will be permanently inaccessible.
  11. The computer will now generate the key, which may take some time. After
      this, you will have an OpenPGP key pair that is ready to be used—Great!
      You can manage the key options, export the public key, change the
      password, delete and/or revoke the key, and perform other key adjustments
      through the Seahorse user interface or the command line.
  12. Optional: At this point, you can publish your public key to a key server
      where people can request it remotely to be able to send encrypted data
      and emails to you. Before you continue, please make sure you have
      selected a good keyserver. Once you are ready:
      1. Select the Key(s) you want to publish. Hold Ctrl and click to select
         more than one, or press Ctrl+A to select all keys.
      2. Navigate to Remote → Sync and Publish Keys…
      3. Press the Key Servers button.
      4. Publish the keys to any keyserver (select one if the “Sync” button was
         grayed out in the previous screen); they all synchronize with each
         other, so your key will be on each one.
      5. Recommended: Check the Automatically retrieve keys from key servers
         but do not check the Automatically synchronize modified keys with key
         servers check boxes. Instead, please consider using parcimonie.
      6. Press the Close button and then the Sync button to synchronize your
         keys.
 Your public key is now published on the key servers and is accessible to
 others!
 ### Evolution Email
 ## Android
 ### OpenKeychain
 ### Fair Email
--- a/active/software_gpg/gpg.md
+++ b/active/software_gpg/gpg.md
@@ -0,0 +1,119 @@
 # GPG
 - [GPG](#gpg)
  - [Searching for GPG Keys](#searching-for-gpg-keys)
  - [Generate GPG Keys](#generate-gpg-keys)
  - [Renewing GPG Keys](#renewing-gpg-keys)
  - [Export GPG Keys](#export-gpg-keys)
  - [GPG Key Servers](#gpg-key-servers)
  - [Using GPG keys](#using-gpg-keys)
  - [Linux Apps](#linux-apps)
    - [Evolution Email](#evolution-email)
  - [Android Apps](#android-apps)
    - [OpenKeychain](#openkeychain)
    - [Fair Email](#fair-email)
  - [Troubleshooting](#troubleshooting)
 ## Searching for GPG Keys
 I publish all my keys to <https://keys.openpgp.org>
 ```bash
 # Search for an arbitrary user's key
 gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys <email>
 ```
 ## Generate GPG Keys
 ```bash
 # Make sure you have pinentry installed
 dnf install pinentry
 # Generate the key. The defaults should be good enough.
 gpg --full-generate-key
 # Verify your key was created
 gpg --list-secret-keys
 # Edit a key in your keyring
 gpg --edit-key <id>
 ```
 ## Renewing GPG Keys
 You should set an expiration for your keys. You can extend that expiration (or
 set it on existing keys) with:
 ```bash
 # Note 2y == "expire 2 years from now"
 # You can also set '0' for no expiration or use 'd' days and 'w' for weeks
 gpg --quick-set-expire <key id> 2y
 # Don't forget to republish your keys with new expirations
 gpg --keyserver https://keys.openpgp.org --send-keys <key id>
 ```
 ## Export GPG Keys
 ```bash
 # Export your public key in ascii format
 gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub
 # Export your private key
 gpg --export-secret-keys -a 'git@ducoterra.net' > git_ducoterra_net.key
 ```
 ## GPG Key Servers
 Edit `~/.gnupg/gpg.conf` and add `keyserver hkps://keys.openpgp.org`
 ```bash
 # Sync keys with keyserver
 gpg --refresh-keys
 # Search for a user's key
 gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys git@ducoterra.net
 # Export your public key
 gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub
 # Inspect a public key with
 gpg --show-key keys/git_ducoterra_net.pub
 # Upload a key to a keyserver
 # NOTE: if you upload your key to keys.openpgp.org with this command, the email
 # won't be searchable. You'll need to Use the upload page
 # (https://keys.openpgp.org/upload) and upload the key file generated above
 # instaed. You'll need to verify your email after upload for it to be searchable.
 gpg --keyserver https://keys.openpgp.org --send-keys <key id>
 ```
 ## Using GPG keys
 ## Linux Apps
 ### Evolution Email
 1. Edit -> Preferences -> Double click the account with a GPG key -> Security ->
 OpenPGP Key ID
 2. Always sign outgoing messages
 3. Advanced Options -> Always trust keys in my keyring when encrypting
 ## Android Apps
 ### OpenKeychain
 ### Fair Email
 ## Troubleshooting
 "error receiving key from agent: No such file or directory - skipped"
 "error obtaining lock... process is in use by..."
 In general, the easiest way to fix gpg problems is by killing and restarting the agent.
 ```bash
 gpgconf --kill gpg-agent
 gpgconf --reload gpg-agent
 ```