OverView

Todo

  • setpref, or elsehow at key generation

  • ! suffix to exclude subkeys

  • trust key

  • sign file

  • sign key

  • encrypt for [hidden-]recipient

  • delete secret key

  • import secret key

  • refresh keys

List

gpg --list-keys
gpg --list-signatures

Modify

gpg --expert --edit-key "KEY ID"

[…]

save

add a subkey to a master key

addkey
8 → RSA (set your own capabilities)

[…]

q → finished
4096
1y → key expires in 1 year
y → this is correct
y → really create

sign

e → toggle the encrypt capability

encrypt

s → toggle the sign capability

authenticate

s → toggle the sign capability
e → toggle the encrypt capability
a → toggle the authenticate capability

non-interactive alternative

gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 auth 1y
gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 encr 1y
gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 sign 1y

set expiration date

expire
1y
y

add another UserID

adduid
First Last
user@domain.tld
comment
o

set primary UserID

uid 1
primary

Export

private key

gpg --armor --export-secret-keys FFIINNGGEERRPPRRIINNTT > key.gpg

private subkeys

gpg --armor --export-secret-subkeys FFIINNGGEERRPPRRIINNTT > subkeys.gpg

public key

gpg --armor --export "Key ID" > id.asc

public SSH key

gpg --armor --export-ssh-key "Key ID" > id.pub

Dump

gpg --list-packets pub.asc
pgpdump pub.asc

Secure

hide the master key in an encrypted container

  • ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key
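
To know which file to move into the container, the master key has to be matched to its keygrip. This is an added example, not part of the original page: it parses a constructed sample of gpg's colon listing and reports whether the secret part of each key is still on disk (function names are hypothetical).

```shell
#!/bin/sh
# Added example: map secret keys to their keygrip files and check that the
# master (sec) key is only a stub. Function names are hypothetical.

# Constructed sample of:
#   gpg --with-colons --with-keygrip --list-secret-keys
# Field 12 = capabilities, field 15 = "#" (stub, secret part absent) or
# "+" (secret part present); a grp record carries the keygrip in field 10.
sample_listing() {
  cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:1731536000::u:::cC:::#:::23::0:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::0000::First Last <user@domain.tld>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1700000000:1731536000:::::s:::+:::23:
fpr:::::::::000000000000000000000000BBBBBBBBBBBBBBBB:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1700000000:1731536000:::::e:::+:::23:
fpr:::::::::000000000000000000000000CCCCCCCCCCCCCCCC:
grp:::::::::3333333333333333333333333333333333333333:
EOF
}

# One line per key: record type, capabilities, state, keygrip file.
keygrip_report() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      kind = $1; caps = $12
      if ($15 == "#") state = "absent"
      else if ($15 == "+") state = "present"
      else if ($15 == "") state = "unknown"
      else state = "card"   # any other value is a smartcard serial number
      next
    }
    $1 == "grp" && kind != "" {
      printf "%s %s %s ~/.gnupg/private-keys-v1.d/%s.key\n", kind, caps, state, $10
      kind = ""
    }'
}

# Succeeds only if at least one sec record exists and all of them are stubs.
master_offline() {
  awk -F: '$1 == "sec" { n++; if ($15 != "#") bad = 1 }
           END { exit (n == 0 || bad) ? 1 : 0 }'
}

sample_listing | keygrip_report
```

Against a real keyring, pipe `gpg --with-colons --with-keygrip --list-secret-keys` into `keygrip_report`; once the master key file has been moved into the container, the sec line should read absent while the ssb lines stay present.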

Sign

gpg --armor --detach-sign file

Revoke

gpg --import "FFIINNGGEERRPPRRIINNTT.rev"
gpg --send-keys "KEY ID"

Verify

gpg --verify file.asc file