GNU Privacy Guard (GPG) reference
1. Creating new keys
The following command can be used to create a new key interactively. See this article for more information.
    gpg --full-generate-key
    # ...
    #
    # Please select what kind of key you want:
    #    (1) RSA and RSA
    #    (2) DSA and Elgamal
    #    (3) DSA (sign only)
    #    (4) RSA (sign only)
    #    (9) ECC (sign and encrypt) *default*
    #   (10) ECC (sign only)
    #   (14) Existing key from card
    # Your selection? 1
    # RSA keys may be between 1024 and 4096 bits long.
    # What keysize do you want? (3072) 4096
    # Requested keysize is 4096 bits
    # Please specify how long the key should be valid.
    #          0 = key does not expire
    #       <n>  = key expires in n days
    #       <n>w = key expires in n weeks
    #       <n>m = key expires in n months
    #       <n>y = key expires in n years
    # Key is valid for? (0) 0
    # Key does not expire at all
    # Is this correct? (y/N) y
    #
    # ...
2. Listing keys
The following command can be used to list the private keys on your machine.
gpg --list-secret-keys
By adding the following option, the command will print the key IDs in the long format expected by Git (the XXX part will be needed in the Git integration section).

    gpg --list-secret-keys --keyid-format=long
    # [keyboxd]
    # ---------
    # sec   ed25519/XXXXXXXXXXXXXXXX 2024-03-29 [SC] [expires: 2027-03-29]
    #       YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
    # uid           [ultimate] Foo Bar <foo.bar@example.com>
    # ssb   cv25519/ZZZZZZZZZZZZZZZZ 2024-03-29 [E]
3. Exporting keys
See this StackOverflow answer for more information on these commands.
The following command will export an ASCII-armored version of the public key.
    gpg --output public.pgp \
        --armor \
        --export \
        'foo.bar@example.com'
The following command will export an ASCII-armored version of the secret (i.e. private) key.
    gpg --output private.pgp \
        --armor \
        --export-secret-key \
        'foo.bar@example.com'
If the export is intended as a backup, the following should be used instead.

    gpg --output backup.pgp \
        --armor \
        --export-secret-keys \
        --export-options export-backup \
        'foo.bar@example.com'
4. Importing keys
A previously-exported key can be imported with the following command.
    gpg --import private.pgp
The following should be better, but it failed for me on Gentoo, while the previous worked fine.
    gpg --import-options restore \
        --import \
        backup.pgp
5. Changing the trust level of keys
The trust level of a key is displayed between square brackets when listing them. This trust level can be changed with the following command.
    $ gpg --edit-key 'foo.bar@example.com'
    # ...
    gpg> trust
    # Please decide how far you trust this user to correctly verify other users' keys
    # (by looking at passports, checking fingerprints from different sources, etc.)
    #
    #   1 = I don't know or won't say
    #   2 = I do NOT trust
    #   3 = I trust marginally
    #   4 = I trust fully
    #   5 = I trust ultimately
    #   m = back to the main menu
    #
    # Your decision?
    gpg> 5
6. Git integration with GPG
The following shows how to add a PGP key to Git and how to enable commit signing by default. Note that these commands apply the settings globally, but they can also be set for the current repository only by removing the --global flag. The XXX part is the long key ID shown in section 2 (Listing keys).

    git config --global user.signingkey "XXXXXXXXXXXXXXXX"
    git config --global commit.gpgsign true
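As an added example (not part of the original page), the script below picks out the long key ID from section 2 (the XXX part) for a given user ID and prints the Git commands from this section. It reads gpg's machine-readable --with-colons listing, which is the interface meant for scripts, rather than the human-readable output shown above; the listing embedded here is constructed sample data, and in real use it would come from `gpg --list-secret-keys --with-colons`.

```shell
#!/bin/sh
# Added example, not from the original page. In `--with-colons` output,
# field 1 is the record type, field 4 the algorithm number (22 = EdDSA,
# 18 = ECDH, 1 = RSA), field 5 the 16-hex-digit long key ID, field 12 the
# key capabilities (lowercase = this key's own), and a `uid` record (user
# ID in field 10) follows the `sec` record it belongs to.

# Constructed sample listing: an ed25519 signing/certifying primary key with
# a cv25519 encryption subkey (as on the page), plus a second RSA key.
# Replace with: SAMPLE_LISTING=$(gpg --list-secret-keys --with-colons)
SAMPLE_LISTING='sec:u:255:22:0123456789ABCDEF:1711670400:1806278400::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1711670400::1234567890ABCDEF1234567890ABCDEF12345678::Foo Bar <foo.bar@example.com>::::::::::0:
ssb:u:255:18:FEDCBA9876543210:1711670400:1806278400:::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
sec:u:3072:1:1111222233334444:1600000000:::u:::scESC:::+:::23::0:
uid:u::::1600000000::ABCDEF::Other Person <other@example.com>::::::::::0:'

# signing_keyid LISTING USERID_SUBSTRING
# Prints the long key ID of the primary key whose user ID contains the
# substring and which itself has signing capability; exits 1 if none.
signing_keyid() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "sec" { keyid = $5; caps = $12 }
        $1 == "uid" && index($10, want) && keyid != "" && caps ~ /s/ {
            print keyid; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Usage: print (rather than run) the Git configuration for the chosen key,
# so the example stays read-only.
if KEYID=$(signing_keyid "$SAMPLE_LISTING" 'foo.bar@example.com'); then
    printf 'git config --global user.signingkey "%s"\n' "$KEYID"
    printf 'git config --global commit.gpgsign true\n'
fi
```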