move pgp to gpg and add export and expiration notes

2025-10-20 12:18:49 -04:00
parent e0adee5362
commit cf0a7373d4
2 changed files with 119 additions and 103 deletions
--- a/active/security_pgp/pgp.md
+++ b/active/security_pgp/pgp.md
@@ -1,103 +0,0 @@
-# PGP
-
- [PGP](#pgp)
-  - [Searching for Keys](#searching-for-keys)
-  - [GPG](#gpg)
-    - [Generate with GPG](#generate-with-gpg)
-    - [GPG Key Servers](#gpg-key-servers)
-  - [Fedora KDE](#fedora-kde)
-    - [Seahorse](#seahorse)
-    - [Evolution Email](#evolution-email)
-  - [Android](#android)
-    - [OpenKeychain](#openkeychain)
-    - [Fair Email](#fair-email)
-
-## Searching for Keys
-
-I publish all my keys to <https://keys.openpgp.org>
-
-## GPG
-
-### Generate with GPG
-
-```bash
-# Make sure you have pinentry installed
-dnf install pinentry
-
-# Generate the key. The defaults should be good enough.
-gpg --full-generate-key
-
-# Verify your key was created
-gpg --list-keys
-```
-
-### GPG Key Servers
-
-Edit `~/.gnupg/gpg.conf` and add `keyserver hkps://keys.openpgp.org`
-
-Sync keys with keyserver using `gpg --refresh-keys`
-
-Search for a user's key `gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys git@ducoterra.net`
-
-Export your public key with `gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub`
-
-Inspect a public key with `gpg --show-key keys/git_ducoterra_net.pub`
-
-You can upload a key with `gpg --keyserver https://keys.openpgp.org --send-keys
-7FC1B2970...` but the email won't be associated with it. Use the [upload
-page](https://keys.openpgp.org/upload) and upload the key file generated above
-instaed. You'll need to verify your email after upload for it to be searchable.
-
-## Fedora KDE
-
-### Seahorse
-
-Taken from <https://riseup.net/en/security/message-security/openpgp/gpg-keys>
-
-  1. Launch Seahorse. It should be installed by default.
-  2. Select GnuPG keys.
-  3. Select the + sign to create a new key.
-  4. Select PGP Key.
-  5. Enter your email and the name you would like to be associated with the
-     key. This doesn’t need to be your real name.
-  6. Select advanced options.
-  7. Encryption type should be RSA.
-  8. Key strength should be 3072.
-  9. Expiration date should be within less then two years. You can always
-     extend the key expiration as long as you still have access to the key,
-     even after it has expired. Why should I set an expiration -.
-  10. Enter a strong password that you can remember. If you forget this
-      password, it cannot be recovered and any encrypted data you have using it
-      for, including emails, will be permanently inaccessible.
-  11. The computer will now generate the key, which may take some time. After
-      this, you will have an OpenPGP key pair that is ready to be used—Great!
-      You can manage the key options, export the public key, change the
-      password, delete and/or revoke the key, and perform other key adjustments
-      through the Seahorse user interface or the command line.
-  12. Optional: At this point, you can publish your public key to a key server
-      where people can request it remotely to be able to send encrypted data
-      and emails to you. Before you continue, please make sure you have
-      selected a good keyserver. Once you are ready:
-      1. Select the Key(s) you want to publish. Hold Ctrl and click to select
-         more than one, or press Ctrl+A to select all keys.
-      2. Navigate to Remote → Sync and Publish Keys…
-      3. Press the Key Servers button.
-      4. Publish the keys to any keyserver (select one if the “Sync” button was
-         grayed out in the previous screen); they all synchronize with each
-         other, so your key will be on each one.
-      5. Recommended: Check the Automatically retrieve keys from key servers
-         but do not check the Automatically synchronize modified keys with key
-         servers check boxes. Instead, please consider using parcimonie.
-      6. Press the Close button and then the Sync button to synchronize your
-         keys.
-
-Your public key is now published on the key servers and is accessible to
-others!
-
-### Evolution Email
-
-## Android
-
-### OpenKeychain
-
-### Fair Email
--- a/active/software_gpg/gpg.md
+++ b/active/software_gpg/gpg.md
@@ -0,0 +1,119 @@
+# GPG
+
+- [GPG](#gpg)
+  - [Searching for GPG Keys](#searching-for-gpg-keys)
+  - [Generate GPG Keys](#generate-gpg-keys)
+  - [Renewing GPG Keys](#renewing-gpg-keys)
+  - [Export GPG Keys](#export-gpg-keys)
+  - [GPG Key Servers](#gpg-key-servers)
+  - [Using GPG keys](#using-gpg-keys)
+  - [Linux Apps](#linux-apps)
+    - [Evolution Email](#evolution-email)
+  - [Android Apps](#android-apps)
+    - [OpenKeychain](#openkeychain)
+    - [Fair Email](#fair-email)
+  - [Troubleshooting](#troubleshooting)
+
+## Searching for GPG Keys
+
+I publish all my keys to <https://keys.openpgp.org>
+
+```bash
+# Search for an arbitrary user's key
+gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys <email>
+```
+
+## Generate GPG Keys
+
+```bash
+# Make sure you have pinentry installed
+dnf install pinentry
+
+# Generate the key. The defaults should be good enough.
+gpg --full-generate-key
+
+# Verify your key was created
+gpg --list-secret-keys
+
+# Edit a key in your keyring
+gpg --edit-key <id>
+```
+
+## Renewing GPG Keys
+
+You should set an expiration for your keys. You can extend that expiration (or
+set it on existing keys) with:
+
+```bash
+# Note 2y == "expire 2 years from now"
+# You can also set '0' for no expiration or use 'd' days and 'w' for weeks
+gpg --quick-set-expire <key id> 2y
+
+# Don't forget to republish your keys with new expirations
+gpg --keyserver https://keys.openpgp.org --send-keys <key id>
+```
+
+## Export GPG Keys
+
+```bash
+# Export your public key in ascii format
+gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub
+
+# Export your private key
+gpg --export-secret-keys -a 'git@ducoterra.net' > git_ducoterra_net.key
+```
+
+## GPG Key Servers
+
+Edit `~/.gnupg/gpg.conf` and add `keyserver hkps://keys.openpgp.org`
+
+```bash
+# Sync keys with keyserver
+gpg --refresh-keys
+
+# Search for a user's key
+gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys git@ducoterra.net
+
+# Export your public key
+gpg --export -a 'git@ducoterra.net' > keys/git_ducoterra_net.pub
+
+# Inspect a public key with
+gpg --show-key keys/git_ducoterra_net.pub
+
+# Upload a key to a keyserver
+# NOTE: if you upload your key to keys.openpgp.org with this command, the email
+# won't be searchable. You'll need to Use the upload page
+# (https://keys.openpgp.org/upload) and upload the key file generated above
+# instaed. You'll need to verify your email after upload for it to be searchable.
+gpg --keyserver https://keys.openpgp.org --send-keys <key id>
+```
+
+## Using GPG keys
+
+## Linux Apps
+
+### Evolution Email
+
+1. Edit -> Preferences -> Double click the account with a GPG key -> Security ->
+OpenPGP Key ID
+2. Always sign outgoing messages
+3. Advanced Options -> Always trust keys in my keyring when encrypting
+
+## Android Apps
+
+### OpenKeychain
+
+### Fair Email
+
+## Troubleshooting
+
+"error receiving key from agent: No such file or directory - skipped"
+
+"error obtaining lock... process is in use by..."
+
+In general, the easiest way to fix gpg problems is by killing and restarting the agent.
+
+```bash
+gpgconf --kill gpg-agent
+gpgconf --reload gpg-agent
+```