cheatsheets/gpg.org

Introduction

Gnu Privacy Guard (GPG) is a tool for securing communicating with someone else. Traditionally, every user of GPG has a public key and a private key. In order to communicate everyone should share their public key, but you always want to keep your secret key, secret. Your public key is like a safe. When Bob wants to send you a message. He uses your public key to put your message in the safe. You then use your private key to open the safe. Since you are the only person that has your private key, you are the only person that can read the message Bob sent to you.

Most users, probably do not need to specify a date that your key expires. You can keep your key forever, if you so choose.

A key has at least one user ID associated with it like a name and email address, but it is possible to add more later.

A Revocation certificate, is a generated file that I should share with my friends if I lose my private key. It will mean that my friends should stop using the old key to encrypt messages to me. BUT if I still have the compromised private key, I can still decrypt encrypted messages that were sent with that key.

receive gpg keys:

gpg --recv-keys 0x7BD63126

list keys

gpg --list-keys

home/joshua.gnupg/pubring.kbx ------------------------------- pub rsa2048 2016-05-17 [SC] [expires: 2017-05-17] AAD617F76D505C188A558D0BC8FA3D82C7B1326F uid [ultimate] Joshua Branson (This is my hotmail gpg key.) sub rsa2048 2016-05-17 [E] [expires: 2017-05-17] sub rsa2048 2016-09-09 [A] [expires: 2018-09-09]

pub rsa4096 2010-07-21 [SC] [expires: 2016-11-15] A4626CBAFF376039D2D7554497BA9CE761A0963B uid [ unknown] William John Sullivan uid [ unknown] William John Sullivan uid [ unknown] William John Sullivan uid [ unknown] William John Sullivan sub rsa4096 2010-07-21 [E]

pub rsa2048 2014-07-08 [SCA] [expires: 2019-07-07] 3841FFC6AEB62783D42EE5AEAF241CE008FFB3A4 uid [ unknown] Jeanne Rasata sub rsa2048 2014-07-08 [E] [expires: 2019-07-07]

pub rsa2048 2013-02-22 [SC] 6E4574DBAE662DF315AEDE6ED26FFEC1474FA472 uid [ unknown] Jeann Rasata sub rsa2048 2013-02-22 [E]

Export your public gpg key

My userID is then C7B1326F

gpg --armor --export bransoj@hotmail.com > bransoj.gpg
cat bransoj.gpg

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFc7GcUBCAC4MLbnQJ2Hjh3xBRcTupmJuzFJzu8zx6bb0GBzucg+gDZ0PES9 pZWW7vekeoqkoFImeo/eaEzYSzqCdFb/p02mWEjpP4+DPv2qRYbDg3xGdvlxkPqi MmdiOCRaAdEBKtAaPJdm1yio2I5zVqK0fBumdrL47UTpeh4IZF1h+srKZNY7Ylaq E8FhjTVJLAaVbcC84xzAP+pJSHwu8jR/xJEo/p/GCMFd1TiOKEl+7imogd1iJRNC 1pRS52CAqYO5GPUOu5bLMC0O3npiJCcebJ84oaIwu7YPjsUv/ZXKbw2Bw8Sg9ZZD uUASdB8K2FFidJByV3q5UB58Tv1JSAg5xEepABEBAAG0Qkpvc2h1YSBCcmFuc29u IChUaGlzIGlzIG15IGhvdG1haWwgZ3BnIGtleS4pIDxicmFuc29qQGhvdG1haWwu Y29tPokBPQQTAQgAJwUCVzsZxQIbAwUJAeEzgAULCQgHAgYVCAkKCwIEFgIDAQIe AQIXgAAKCRDI+j2Cx7Eyb0LyCACw2SR+pavE3RzSo86zy/mRFLn+UkpmYXqBp8sB j24ogRs2kI0VeM1kS1tKZ6h9IsWFuiQHtCCgD17mGmxZ51Uvx27aWfzlN91gmY4C DpZVX3PAZ4h5Q2jWNhkZE1K3U8GBzApYnwN0uJ5CT+oiLweCOQJqwDdKfalAwoH+ /eTbezip8DTD5hgaBu3day6LyJ6ajDIYL6jn/uUcXhGrykBUjqfe3rpeIRSjIlAt PwzBWlceRAYGgpUi6g5SBpjG6vP53X91U3fN7qqy6YNzLW3iGa9a/p7AsTBZFLgp E0VtN42uOJ2Vc8UhD3wdeYqf6HxUTpDoviDoc608SJuALUK8uQENBFc7GcUBCADE a5JosRi4VX4VYUdzXDhgoCRV0kl6TU304+D6Q27/k+Yy99txwClD3ug9JeLMiZ0L e2Sm/jkmPiivW68yV3Ipt800n8YB4SeEWJcOZH5E8MQyKX1DxAS28kG6XTU3CiCY gQDhWKcTkdptA74pq836EypBw7zwK/qKI66PefHccAKRe5ckNzhmuOgHaD47wtzC mxiKaTft883S8lidxVgbTa0pY22A1S8HlCxg56kStg2OHhwyPNSoasZJ4wkt95Ii xQS6qH7uNfTxQmwVslY9uSgO7H5CTMQJHBUYlqWSNmAvD1cW7W7yPC1JKE1Y2Lbt Fg859J7Z5kmMzCnXfVeNABEBAAGJASUEGAEIAA8FAlc7GcUCGwwFCQHhM4AACgkQ yPo9gsexMm8Uegf/f3mcwyeCcBZB/i0yxqkjcHky8OL77lUyIznTXhngd6xxh/kz OId4ixZ17LQSJfDINMZYMvC2YmlM8Q+RPcrVmtVGHlzGlDYziOb0GOX6ZZgi+uuI pbRi6mXMXLBjdJ8Az6JhnZTEbcLX36C7PrsYy6Vf/mkJWQ9dXiiWStZFkwH+jhux /5iEyzif4ufk2gMfaWE7pGO3PLewQyZYnvVBPmlb2EM7UbEXbKGjh0d0rwmljXBp Nm93zwF0DIhmaAVOGNlteScjCo07LPcAcb3RZJu9MM3vlnOuRWDJGYEkkQzoOAOt WARlwOYBOT7hp5sQKnwg2EKH+MF6yMu3HHso2rkBDQRX0gAxAQgA2f3oUu2g82tS aGdq7/KMyM7cDGkM5mcUVsmKSyesPqlw7/3ZhPEzly1ehvzDt3KC5s6XtSCgnFEw LH7akFG8ssmPnsB/fN7KZQiegK5acd5DcukznFBFWYOyYNi5Fwzu/y92TDAoQj/e /QmYdYy6MG8HzD4h/OEkrUz7ChUE1iJrSVNrIGzPLqK2HeXf0h/agwGvG/bXf7JB VmHKB5+gUFxh+pqP83bRniGyP3/Rb5YajFqAC/HCKUoJbGWrcpJyijcEi14pIZiv MkMemtKSEnXyptMfnC6pWWPAZwoHpM7eQ0i/sA5z15C8XczBYaXEZmAJAgPy3NZd nWPQ/voiLQARAQABiQElBBgBCAAPBQJX0gAxAhsgBQkDwmcAAAoJEMj6PYLHsTJv IbYH/jHTL/FdzHKSA0REET3DDwrqbxFJbLQyXzKMipwIfhPo2kVhT6CB+pLJAurN zVA9rm1IggAsdgeeDmxxdA3xHuouJ+vIfmKxqrrmJ/M7idyobbMM71isofR9eBKY ZBy8TuId1UdyNG7g7DR4cfm3TrhU1dmfOt0Y9WtDu1OokWjhRjrHAVu/6m58r3G1 8RA6g26cbp7XG2Uxd7S43oIe0uYeGYGJTwKRbxFPPV55rrhUAlJCOW6o3xKUVmKu u33TivQ1ySuHr4qMS64OfIYjYARDzIXKW+NZivwGe0x7IBwTleqanzip6s0VYTiC 8GqzXhfl9G+eoq42U15KQskVilg= =34nH -----END PGP PUBLIC KEY BLOCK-----

import a public key

gpg --import bransoj.gpg

Once a key has been imported, you should validate it.

gpg --edit-key johns@gnu.org
fpr

This will output the key's fingerprint. If johns@gnu.org if with you, he can tell you if the fingerprint is correct. If it is, then run the command sign.

encrypting and decrypting documents

The command check will show you the signature that you added to the key.

The basic scenario for two users to share a document is like this:

gpg --output somefile.gpg --encrypt --recipient someEmail@hotmail.com somefile.txt

But you can also encrypt a document so 2 users can read it. Like so:

gpg --output somefile.gpg --encrypt --recipient someEmail@hotmail.com --recipient bransoj@hotmail.com somefile.txt

For every person that you need to encrypt a document, you just add a --recipient email

To decrypt a document, use the following command

gpg --decrypt --output file.txt doc.gpg

symmetric encryption

change default key...I've no idea how to do this.

My stupid hotmail key is so annoying. It no longer works, but I have old documents that use it. grrr.

Making and validating signatures

Basically I just made my hotmail key not expire ever. A signature is a way to proving that a document has not been modified. If I encrypt a document to you, I should also send a document.sig file that acts like a signature. The signature, if it can be verified, proves that I sent the document, and whilst it was traveling to you, it has not changed.

learn some gpg from this blog

BUT what if someone changes the document and the signature whilst it is being sent to someone? https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/ https://riseup.net/en/security/message-security/openpgp/gpg-best-practices

https://www.reddit.com/r/GPGpractice/

I can learn a lot of gpg from this gnome site

https://help.gnome.org/users/seahorse/stable/index.html.en

create a new gpg key:

To do this: you need to create a gpg conf file. and ensure pinentry is installed.

  cat /home/joshua/.gnupg/gpg-agent.conf

default-cache-ttl 28800

pinentry-program home/joshua.guix-profile/bin/pinentry-curses allow-loopback-pinentry

enable-ssh-support

https://www.ryanlue.com/posts/2017-06-29-gpg-for-ssh-auth

kill gpg agent

gpgconf --kill gpg-agent

using gpg for ssh authentication linode

https://linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/

good blog post too. https://www.ryanlue.com/posts/2017-06-29-gpg-for-ssh-auth

You need to import the gpg key into ssh.

vm2-$ gpg --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-subkeys 20EE3BF8 | openpgp2ssh 20EE3BF8 > '.anishn'

  gpg -k --with-keygrip

joshua@dobby ~/.gnupg$ gpg -k --with-keygrip /home/joshua/.gnupg/pubring.kbx ------------------------------- pub rsa4096 2019-10-05 [SC] /secret/ Keygrip = /secret/ uid [ultimate] Joshua Branson sub rsa4096 2019-10-05 [E] Keygrip = 5B85A72E18EAFCD69C212494B1DC92BE77A5CB62

The keygrip is "5B85A72E1..."

Somehow to need to import the gpg key into ssh-agent.

echo 5B85A72E18EAFCD69C212494B1DC92BE77A5CB62 > ~/.gnupg/sshcontrol

When you have done so, verify that the key is there via:

ssh-add -L, which will list all of your keys.

Now you can add your gpg keys to your remote server with

  ssh-copy-id root@<ip address>

This will copy your gpg key to your remote server. If the command succeeds, then you can then use your ssh key log into the remote server!

how to determine if gpg-agent is running:

gpg-agent

starting ssh agent

it will tell you. https://www.ssh.com/ssh/agent

this seems like a good guide for getting gpg-agent to work as ssh-agent

vocab

https://incenp.org/notes/2014/gnupg-for-ssh-authentication.html

archlinux.org

sec The master/primary secret key. Contains ( key size, keyid, creation date, expiration date and fingerprint) ssb Secret Subkeys. These can be your sub signing key, encryption key or authentication key. Users can have multiple subkeys uid User information associated with the secret key. You can have multiple uids. pub The following is public key Information sec# # after sec means that your secret key is missing from the machine contains a refrence ssb> > after ssb means that your subkeys are not the machine. Instead they are on a smartcard (YubiKube) sub your public subkey info.

https://wiki.archlinux.org/index.php/GnuPG#gpg-agent

  cat ~/.pam_environment

ls

using gpg-agent to authenticate to servers with gpg keys

it may not be a good idea to use GPG for server authentication

joshuaBPMan: so you have --enable-ssh-support in gpg-agent.conf, and "export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" in .bashrc? [18:26]

ssh keys are used for server authentication.

gpg keys are used for signing commits and sending emails.