To generate an ed25519 key used for certification, use the following command:
gpg --quick-generate-key "Name (comment) <[email protected]>" ed25519 cert 10y
Enter the desired passphrase when prompted and note the fingerprint of the new key; the next step needs it.
Next, add encryption and signing subkeys:
gpg --quick-add-key fingerprint cv25519 encr 3y
gpg --quick-add-key fingerprint ed25519 sign 3y
Best Practice: Keeping the ed25519 primary key for certification only, with separate subkeys for encryption and signing, lets the primary key stay offline while the subkeys do the daily work, and lets you rotate or revoke a subkey without replacing your identity. The 10y and 3y expiry dates bound how long a leaked key stays usable; extend or replace the subkeys before they expire (the primary key is required to do so).
To publish your public key to a keyserver, use:
gpg --send-keys key-id
Best Practice: Publishing your public key lets others fetch it to verify your signatures and encrypt messages to you. Only public key material is sent; the secret keys never leave your machine.
To back up all your keys, use:
gpg -a -o private.gpg --export-options backup --export-secret-keys
Best Practice: Back up your keys regularly so you can restore them if your keyring is lost or corrupted. The export contains the secret primary key and every subkey, protected only by your passphrase, so keep private.gpg on encrypted, offline storage.
To export your trust settings, use:
gpg --export-ownertrust > otrust.txt
Best Practice: Ownertrust is stored separately from the keys and is not included in a key export, so export it too; it records how far you trust each key to certify others and is needed to reproduce your web of trust.
To restore your keys, use:
gpg -a --import-options restore --import private.gpg
Best Practice: Restore keys only on a machine you trust, since the secret key is decrypted in memory whenever it is used. The restore import option re-imports the GnuPG-specific metadata that the backup export option saved.
To restore your trust settings, use:
gpg --import-ownertrust < otrust.txt
Best Practice: Restoring ownertrust ensures that your trust settings are consistent across different environments.
After backing up your keys to a secure location, you may want to remove your main certification key from your daily-usage machines.
Warning
Only do this after backing up the private.gpg file to a secure location.
Caution
If you remove the primary (certification) key, you can still sign and encrypt with the remaining subkeys. You cannot, however, change the key without first restoring the primary secret key: adding, revoking or extending subkeys, adding user IDs and certifying other people's keys all require it.
First obtain the id of the primary key (the sec line in the output):
gpg --list-secret-keys --keyid-format long
Then delete it by id (the exclamation mark is essential: it restricts the deletion to that exact key, whereas without it the whole secret key block, subkeys included, is deleted):
gpg --delete-secret-keys key-id!
Best Practice: Removing the primary key from your daily-usage machines limits the damage if one of them is compromised: an attacker gets subkeys you can revoke, not the key that defines your identity. Afterwards, gpg --list-secret-keys shows the primary as sec# (secret key not available) while the subkeys remain usable.
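The following script is an added example, not part of the original page: it runs the whole procedure above (generate, add subkeys, back up, remove the primary, restore) non-interactively in a throwaway GNUPGHOME and checks the two things a practitioner wants to confirm, namely that only the primary secret key became a stub while signing still works through the subkey, and that the backup brings the primary back. It assumes GnuPG 2.1 or later; the user ID and passphrase are constructed placeholders, and the --batch/--pinentry-mode loopback/--passphrase flags are only there to avoid prompts in a script.

```sh
#!/bin/sh
# Added example, not from the original page: run the whole procedure above in a
# throwaway GNUPGHOME, then check that only the primary secret key is gone,
# that the signing subkey still works, and that the backup restores it.
# Assumptions: GnuPG 2.1 or later; the user ID and passphrase are constructed
# placeholders for this demo.

DEMO_UID="Example User (demo) <[email protected]>"   # constructed placeholder
DEMO_PASS="correct horse battery staple"          # constructed; pick a real one

# Non-interactive wrapper around the commands shown in the text
g() {
    gpg --batch --yes --pinentry-mode loopback --passphrase "$DEMO_PASS" "$@"
}

# Prints "#" when the primary secret key is only a stub (what gpg -K shows as
# sec#) and "+" when the secret key is present (field 15 of the sec record).
primary_stub_marker() {
    gpg --list-secret-keys --with-colons | awk -F: '$1=="sec" {print $15; exit}'
}

gpg_key_lifecycle_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 2; }
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # 1. Primary key for certification only, then encryption and signing subkeys
    g --quick-generate-key "$DEMO_UID" ed25519 cert 10y || return 1
    fpr=$(gpg --list-secret-keys --with-colons | awk -F: '$1=="fpr" {print $10; exit}')
    [ -n "$fpr" ] || return 1
    g --quick-add-key "$fpr" cv25519 encr 3y || return 1
    g --quick-add-key "$fpr" ed25519 sign 3y || return 1

    # 2. Backup of all secret keys plus ownertrust (same flags as the text)
    g -a -o "$work/private.gpg" --export-options backup --export-secret-keys || return 1
    gpg --export-ownertrust > "$work/otrust.txt" || return 1

    # 3. Delete only the primary secret key: the trailing '!' pins the deletion
    #    to that exact key; without it the whole secret key block goes away
    g --delete-secret-keys "${fpr}!" || return 1
    [ "$(primary_stub_marker)" = "#" ] || { echo "primary not removed" >&2; return 1; }
    [ "$(gpg --list-secret-keys --with-colons | grep -c '^ssb:')" -eq 2 ] || return 1

    # 4. Signing still works through the remaining subkey...
    printf 'release 1.0\n' > "$work/msg.txt"
    g --detach-sign -o "$work/msg.sig" "$work/msg.txt" || return 1
    gpg --verify "$work/msg.sig" "$work/msg.txt" 2>/dev/null || return 1

    # ...but certification operations (here: adding a subkey) need the primary
    if g --quick-add-key "$fpr" ed25519 auth 1y 2>/dev/null; then
        echo "unexpected: primary secret key still usable" >&2; return 1
    fi

    # 5. Restoring from the backup brings the primary key back
    g --import-options restore --import "$work/private.gpg" || return 1
    gpg --import-ownertrust < "$work/otrust.txt" || return 1
    [ "$(primary_stub_marker)" != "#" ] || { echo "restore failed" >&2; return 1; }

    gpgconf --kill gpg-agent
    rm -rf "$work"
    return 0
}

gpg_key_lifecycle_demo && echo "primary removed, subkey signing OK, restore OK"
```

The check in step 3 reads the colon-separated listing rather than grepping the human-readable sec# marker, because the colon format is the one GnuPG documents as stable for scripts. Step 4 deliberately attempts an operation that needs the primary key, so the script fails loudly if the deletion silently did not happen.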