GPG - GnuPG - PGP
Use With Caution
- Is pgp / gpg still sufficient for private encryption?
- Are there sufficient people fixing security holes?
- See: A history of end-to-end encryption and the death of PGP
- Signing a File
- Encrypting a Message
- Using GPG with MailMate
- Administrating GPG Keys
- Links and References
Signing a File
gpg --detach-sign --local-user you@example.com --armor filename.txt
gpg --verify filename.txt.asc filename.txt
--detach-sign (short: -b) writes the signature to filename.txt.asc and leaves filename.txt untouched; --sign alone would wrap data and signature into one file. When verifying a detached signature, pass the signature file first and the signed file second; a bare gpg --verify filename.txt would try to treat the data file itself as a signed message.
Encrypting a Message
gpg --encrypt --recipient you@example.com --recipient me@example.com --armor filename.txt
gpg --decrypt filename.txt.asc > filename.txt
The ciphertext is written to filename.txt.asc and can only be decrypted by the listed recipients, so add your own key as a recipient if you want to read the message again later. gpg refuses to encrypt to a key it does not consider valid (see Verify Keys below).
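The two procedures above (detached signing and encryption), as an added example that is not part of the original page: a shell function that runs them end to end inside a throwaway GNUPGHOME, including the negative check that a tampered file fails verification. The user ID, key and file contents are dummies made up for the demo.

```sh
# Added example: sign, verify, encrypt and decrypt inside a throwaway keyring.
# Demo assumptions: the user ID below is made up, and the key has no passphrase.
gpg_roundtrip_demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Accept the passphrase from the command line instead of a pinentry dialog.
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    uid='Demo Signer <demo-signer@example.com>'

    # 1. A throwaway key (no passphrase, no expiry: fine for a demo, not for real use).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never || return 1

    printf 'release tarball contents\n' > "$GNUPGHOME/file.txt"

    # 2. Detached, ASCII-armoured signature: written next to the file as file.txt.asc.
    gpg --batch --quiet --detach-sign --armor --local-user demo-signer@example.com \
        "$GNUPGHOME/file.txt" || return 1
    # Verification takes the signature file first and the signed data second.
    gpg --batch --quiet --verify "$GNUPGHOME/file.txt.asc" "$GNUPGHOME/file.txt" || return 1

    # 3. Negative check: a single changed byte must make verification fail.
    printf 'release tarball Contents\n' > "$GNUPGHOME/tampered.txt"
    if gpg --batch --quiet --verify "$GNUPGHOME/file.txt.asc" "$GNUPGHOME/tampered.txt" 2>/dev/null; then
        echo "tampered file verified: broken setup" >&2
        return 1
    fi

    # 4. Encrypt to a recipient (here: ourselves) and decrypt again.
    gpg --batch --quiet --encrypt --armor --recipient demo-signer@example.com \
        --output "$GNUPGHOME/file.txt.gpg.asc" "$GNUPGHOME/file.txt" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt \
        --output "$GNUPGHOME/roundtrip.txt" "$GNUPGHOME/file.txt.gpg.asc" || return 1
    [ "$(cat "$GNUPGHOME/file.txt")" = "$(cat "$GNUPGHOME/roundtrip.txt")" ] || return 1

    # 5. Clean up: stop the agent gpg started for this home and remove the home.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    echo ok
}

# Run the demo if gpg is installed; prints "ok" on success.
command -v gpg >/dev/null 2>&1 && gpg_roundtrip_demo
```

Everything happens in a temporary home directory, so the real keyring is never touched; the same commands work against ~/.gnupg once GNUPGHOME is left unset.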
Using GPG with MailMate
Install the GPG Suite (Support for Apple Mail is not required):
brew install --cask gpg-suite-no-mail
More details: section "OpenPGP and S/MIME" in the Preferences chapter of the MailMate manual.
Administrating GPG Keys
Receive Keys
- Find the key on a keyserver (e.g. pgp.mit.edu or keys.openpgp.org) and obtain the full fingerprint from the owner through an independent channel (website, business card, phone call)
gpg --keyserver hkps://keys.openpgp.org --recv-keys <fingerprint>
Important: Always pass the full 40-character fingerprint to --recv-keys, never a short or long key ID. Short (32-bit) key IDs can be collided at will and even 64-bit key IDs can be brute-forced, so a lookup by ID may hand you an attacker's key carrying the same ID. The SKS pool (pool.sks-keyservers.net) was shut down in 2021; keys.openpgp.org serves a key's user IDs only after the e-mail address has been verified.
See also: Question on Superuser.com
List Key ID and Details
gpg --list-keys pgpCA@ct.heise.de
The GnuPG manual explains each field of the listed records and the record types, e.g. pub (public primary key), sub (public subkey), sec (secret primary key), ssb (secret subkey) and uid: GnuPG Details
Verify Keys
KEY_ID=<fingerprint>
gpg --edit-key "$KEY_ID"
gpg> fpr
...
gpg> trust
...
fpr prints the fingerprint; compare it character by character with the one you obtained out of band before doing anything else. trust sets the owner trust, i.e. how much you rely on this person to certify other keys, and does not by itself mark the key as verified. To record that you checked the fingerprint, certify the key with sign (exportable) or lsign (local only) and then save.
See also: The GNU Privacy Handbook: Validating other keys on your public keyring
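A scripted version of the fingerprint check above, added here as an example (not from the original page): import_pinned_key reads the key into a scratch home directory first, compares its primary-key fingerprint with the one obtained out of band, and only on a match imports it into the real keyring. pinned_import_demo builds a throwaway key to play the key owner and an empty keyring to play the receiver; names, e-mail addresses and directories are assumptions made for the demo.

```sh
# Added example. import_pinned_key <armored-key-file> <expected-fingerprint>
# imports a public key only if its primary-key fingerprint matches the expected
# one; the key is read into a scratch home first, so nothing reaches the real
# keyring (GNUPGHOME or ~/.gnupg) before the check has passed.
import_pinned_key() {
    keyfile=$1
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')   # normalise "AB12 CD34 ..." input
    scratch=$(mktemp -d) || return 1
    chmod 700 "$scratch"
    gpg --batch --quiet --homedir "$scratch" --import "$keyfile" 2>/dev/null || { rm -rf "$scratch"; return 1; }
    # --with-colons is the machine-readable listing; field 10 of an fpr record is the fingerprint.
    actual=$(gpg --batch --homedir "$scratch" --with-colons --fingerprint --list-keys 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    gpgconf --homedir "$scratch" --kill all 2>/dev/null || true
    rm -rf "$scratch"
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: expected $expected, key file has ${actual:-none}" >&2
        return 1
    fi
    gpg --batch --quiet --import "$keyfile" 2>/dev/null
}

pinned_import_demo() {
    work=$(mktemp -d) || return 1
    chmod 700 "$work"

    # Owner side: a throwaway key whose fingerprint stands in for the one you got out of band.
    owner="$work/owner"
    mkdir -m 700 "$owner"
    echo allow-loopback-pinentry > "$owner/gpg-agent.conf"
    gpg --batch --quiet --homedir "$owner" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Owner <demo-owner@example.com>' default default never || return 1
    fpr=$(gpg --homedir "$owner" --with-colons --fingerprint --list-keys 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --batch --quiet --homedir "$owner" --armor --export demo-owner@example.com > "$work/owner.asc" || return 1
    gpgconf --homedir "$owner" --kill gpg-agent 2>/dev/null || true

    # Receiver side: an empty keyring standing in for the real one.
    GNUPGHOME="$work/receiver"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # A fingerprint that differs in its last character must be rejected and leave the keyring empty.
    case "$fpr" in *0) wrong="${fpr%?}1" ;; *) wrong="${fpr%?}0" ;; esac
    if import_pinned_key "$work/owner.asc" "$wrong" 2>/dev/null; then
        echo "wrong fingerprint accepted" >&2
        return 1
    fi
    if gpg --batch --with-colons --list-keys 2>/dev/null | grep -q '^pub:'; then
        echo "keyring is not empty after a rejected import" >&2
        return 1
    fi

    # The matching fingerprint is accepted and the key is now in the keyring.
    import_pinned_key "$work/owner.asc" "$fpr" || return 1
    gpg --batch --with-colons --fingerprint --list-keys 2>/dev/null \
        | awk -F: -v want="$fpr" '$1 == "fpr" && $10 == want { found = 1 } END { exit !found }' || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    unset GNUPGHOME
    echo ok
}

# Run the demo if gpg is installed; prints "ok" on success.
command -v gpg >/dev/null 2>&1 && pinned_import_demo
```

Outside the demo, call import_pinned_key with the key file you downloaded and the fingerprint you were given; it exits non-zero and leaves the keyring untouched on any mismatch.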
Send Keys
KEY_ID=<fingerprint>
gpg --send-keys "$KEY_ID"
This uploads the public key with all its user IDs, subkeys and certifications to the configured keyserver. Keyservers do not delete keys, so have a revocation certificate stored safely before publishing; keys.openpgp.org shows a user ID only after its e-mail address has been verified.
Revoke Keys
Check whether a key already carries a revocation signature, and with which reason:
KEY_ID=<fingerprint>
gpg --export "$KEY_ID" | gpg --list-packets | grep revocation
This only inspects the key. Revoking it means importing a revocation certificate (created in advance with --gen-revoke, or with revkey inside --edit-key) and publishing the revoked key again with --send-keys.
GPG Revocation Reasons
Source: GPG Revocation Reasons (in --list-packets output the value appears in hex, e.g. revocation reason 0x01)
| Value | Description |
|---|---|
| 0 | No reason specified |
| 1 | Key has been compromised |
| 2 | Key is superseded |
| 3 | Key is no longer used |
Original Article
See also Email: Revoked keys and past signatures
$ KEY_ID=<fingerprint>
$ gpg2 --export "$KEY_ID" | gpg2 --list-packets
:public key packet:
version 4, algo 1, created 1393271747, expires 0
pkey[0]: [1024 bits]
pkey[1]: [17 bits]
keyid: xxxxxxxxxxxxxxxx
:signature packet: algo 1, keyid xxxxxxxxxxxxxxxx
version 4, created 1423566838, md5len 0, sigclass 0x20
digest algo 8, begin of digest 9c c5
hashed subpkt 2 len 4 (sig created 2015-02-10)
hashed subpkt 29 len 16 (revocation reason 0x01 (Test revocation))
subpkt 16 len 8 (issuer key ID xxxxxxxxxxxxxxxx)
data: [1024 bits]
$ date -d "1970-01-01 +1423566838 secs UTC"
Tue 10 Feb 12:13:58 CET 2015
RFC 4880 (section 5.2.3.23) states that a key revoked because of a compromise makes all signatures created by that key suspect, whereas a key that was merely superseded or retired leaves signatures made before the revocation valid. The listing above carries reason 0x01 (compromised), so none of that key's signatures should be trusted; only for reasons 0x02 and 0x03 can the sig created date of the revocation be used as a cut-off.
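The check described above, as an added example that is not from the original page: a shell function that reads a gpg --list-packets listing and reports the revocation reason and date of the first key or subkey revocation signature (sigclass 0x20 or 0x28), plus the signature-validity rule from RFC 4880. SAMPLE_PACKETS is a listing constructed for the demo in the shape of the one above, with the key IDs left as placeholders; treating reason 0x00 like a compromise is this script's own conservative policy, not something the RFC prescribes.

```sh
# Constructed sample in the shape of the listing above (placeholder key IDs, not real key data).
SAMPLE_PACKETS=':public key packet:
    version 4, algo 1, created 1393271747, expires 0
    pkey[0]: [1024 bits]
    pkey[1]: [17 bits]
    keyid: xxxxxxxxxxxxxxxx
:signature packet: algo 1, keyid xxxxxxxxxxxxxxxx
    version 4, created 1423566838, md5len 0, sigclass 0x20
    digest algo 8, begin of digest 9c c5
    hashed subpkt 2 len 4 (sig created 2015-02-10)
    hashed subpkt 29 len 16 (revocation reason 0x01 (Test revocation))
    subpkt 16 len 8 (issuer key ID xxxxxxxxxxxxxxxx)
    data: [1024 bits]'

# Read `gpg --list-packets` output on stdin. Print "<code> <date> <description>" for the
# first key revocation (sigclass 0x20) or subkey revocation (0x28) signature and return 0;
# return 1 if the listing carries no revocation signature.
revocation_reason() {
    found=$(awk '
        /^:signature packet:/   { insig = 1; created = ""; code = ""; cls = ""; next }
        /^:/                    { insig = 0 }      # any other packet header ends the signature
        insig && /sigclass 0x/  { cls = $0; sub(/.*sigclass 0x/, "", cls); cls = substr(cls, 1, 2) }
        insig && /sig created / { created = $0; sub(/.*sig created /, "", created); sub(/\).*/, "", created) }
        insig && /revocation reason 0x/ {
            code = $0; sub(/.*revocation reason 0x/, "", code); code = substr(code, 1, 2)
        }
        insig && code != "" && (cls == "20" || cls == "28") { print code, created; exit }
    ')
    [ -n "$found" ] || return 1
    code=${found%% *}
    created=${found#* }
    case "$code" in
        00) desc="No reason specified" ;;
        01) desc="Key has been compromised" ;;
        02) desc="Key is superseded" ;;
        03) desc="Key is no longer used" ;;
        20) desc="User ID is no longer valid" ;;     # RFC 4880 value for user ID revocations
        *)  desc="Unknown reason code" ;;
    esac
    echo "$code $created $desc"
}

# Policy applied here: only a superseded (0x02) or retired (0x03) key leaves signatures made
# before the revocation date trustworthy. For a compromise (0x01), and conservatively for an
# unspecified reason (0x00), treat every signature as untrusted: an attacker holding the key
# can backdate signatures, so the revocation date is no cut-off.
signatures_before_revocation_valid() {
    case "$1" in
        02|03) return 0 ;;
        *)     return 1 ;;
    esac
}

# Usage with a real key:  gpg --export "$KEY_ID" | gpg --list-packets | revocation_reason
printf '%s\n' "$SAMPLE_PACKETS" | revocation_reason
```

For the sample listing this prints 01 2015-02-10 Key has been compromised, i.e. the reason code, the revocation signature's creation date and the description from the table above.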
Export Keys to ASCII Armored File
Export a public key so that you can give it to friends:
gpg --output public.gpg.asc --armor --export username@email
Export the secret key (it stays protected by its passphrase, if it has one; a key without a passphrase is exported in the clear). Handle the file like the key itself:
gpg --output private.gpg.asc --armor --export-secret-keys username@email
Extend an Expired Key
The expiry date is a field in the key's self-signature, so an already expired key can still be given a new expiry as long as you hold the private key:
KEY_ID=0x<fingerprint>
gpg --edit-key "$KEY_ID"
# Extend the primary key (selected by default)
gpg> expire
...
# Select the first subkey (ssb) and extend it too, otherwise it stays expired
gpg> key 1
gpg> expire
...
gpg> save
Afterwards publish the updated key with --send-keys (or hand out a fresh --export), because others keep using the old self-signature until they receive the new one. Non-interactively, gpg --quick-set-expire "$KEY_ID" <expire> does the same for the primary key.
Delete a key
Delete a public key from your keyring:
gpg --delete-key "User Name"
Delete a private key:
gpg --delete-secret-key "User Name"
gpg refuses to delete a public key while the matching secret key is still in the keyring, so delete the secret key first (or use --delete-secret-and-public-key). Prefer the fingerprint over "User Name" as the selector, since a name can match more than one key.