Generate key pair
gpg --full-generate-key
------------------------
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Yuri Alek
Email address:
Comment: Example keys
You selected this USER-ID:
"Yuri Alek (Example keys)"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
[...]
gpg: key AA21250888469FBC marked as ultimately trusted
gpg: directory '/home/yu/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/yu/.gnupg/openpgp-revocs.d/69215DC44E8303C83090F2F1AA21250888469FBC.rev'
public and secret key created and signed.
pub rsa4096 2019-08-15 [SC]
69215DC44E8303C83090F2F1AA21250888469FBC
uid Yuri Alek (Example keys)
sub rsa4096 2019-08-15 [E]
Other ways
gpg --expert --gen-key
Edit key
gpg --homedir ./gnupg-test --expert --edit-key AA21250888469FBC
List key IDs
List secret keys. Your keys.
gpg --list-secret-keys --keyid-format LONG
------------------------------------------
sec rsa4096/AA21250888469FBC 2019-08-15 [SC]
69215DC44E8303C83090F2F1AA21250888469FBC
uid [ultimate] Yuri Alek (Example keys)
ssb rsa4096/118727056C98BE57 2019-08-15 [E]
gpg -K
---
sec rsa4096 2019-08-15 [SC]
69215DC44E8303C83090F2F1AA21250888469FBC
uid [ultimate] Yuri Alek (Example keys) <yurialek@localhost>
ssb rsa4096 2019-08-15 [E]
List all keys
gpg --list-keys
gpg -k
List a specific key by ID. Any of the three IDs (primary key ID, full fingerprint or subkey ID) identifies the key.
gpg --list-key AA21250888469FBC
gpg --list-key 69215DC44E8303C83090F2F1AA21250888469FBC
gpg --list-key 118727056C98BE57
The key ID is AA21250888469FBC.
Key flags:
- [C] Key Certification (0x01)
- [S] Sign Data (0x02)
- [E] Encrypt Communications (0x04)
- [E] Encrypt Storage (0x08)
- Split key (0x10)
- [A] Authentication (0x20)
- Held by more than one person (0x80)
- sec: Secret Key
- ssb: Secret Subkey
- pub: Public key
- sub: Public Subkey
- #: the secret key or subkey is currently not usable.
- >: the key is stored on a smartcard.
Encrypt a file
gpg --output filename.gpg --encrypt --recipient user@example.com filename.ext
gpg --output filename.gpg --encrypt --recipient AA21250888469FBC filename.ext
Encrypt with symmetrical encryption (using a password).
gpg --output filename.gpg --symmetric filename.ext
Use --armor to generate ASCII-based text output.
Decrypt a file
gpg --decrypt filename.gpg
gpg --output filename.ext --decrypt filename.gpg
Sign a file
gpg --sign filename.ext
gpg --sign --default-key email@address filename.ext
gpg --sign --default-key AA21250888469FBC filename.ext
Check the signature.
gpg --verify filename.ext.gpg
Export keys
List the IDs
gpg --list-secret-keys --keyid-format LONG
------------------------------------------
sec rsa4096/AA21250888469FBC 2019-08-15 [SC]
69215DC44E8303C83090F2F1AA21250888469FBC
uid [ultimate] Yuri Alek (Example keys)
ssb rsa4096/118727056C98BE57 2019-08-15 [E]
Export public key
gpg --output gpg_pub.gpg --armor --export AA21250888469FBC
gpg --output gpg_pub.gpg --armor --export 118727056C98BE57
gpg --output gpg_pub.gpg --armor --export 69215DC44E8303C83090F2F1AA21250888469FBC
Export private key
gpg --output gpg_sec.gpg --armor --export-secret-key AA21250888469FBC
Import keys
gpg --import gpg_pub.gpg
gpg --allow-secret-key-import --import gpg_sec.gpg
Edit keys
gpg --edit-key AA21250888469FBC
This opens an interactive shell; use help to list the commands.
Revoke key
Generate a revocation certificate.
gpg --output revoke.asc --gen-revoke AA21250888469FBC
Import the revocation certificate.
gpg --import revoke.asc
Upload the now revoked key.
gpg --send-keys AA21250888469FBC
A revoked key still works.
Remove key
Public keys
gpg --delete-key AA21250888469FBC
Private keys
gpg --delete-secret-key AA21250888469FBC
gpg --delete-key AA21250888469FBC
Pinentry program
It can be changed in ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses
Or in /bin/pinentry
#!/bin/sh
test -e /usr/lib/libgtk-x11-2.0.so.0 &&
exec /usr/bin/pinentry-curses "$@"
exec /usr/bin/pinentry-gtk-2 "$@"
Verify a download
You have two files: file.ext and file.ext.asc.
gpg --verify-options show-notations --verify file.ext.asc file.ext
Good signature.
gpg: Good signature from "HulaHoop" [unknown]
Bad signature.
gpg: BAD signature from "HulaHoop" [unknown]
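The "Good signature" line only says that some key in your keyring made the signature, and [unknown] means that key has not been validated. As an added example (not part of the original notes), the script below decides on gpg's --status-fd lines and a pinned fingerprint instead; check_status, verify_download and sample_status are names made up here, and the sample status lines are constructed from the example key on this page.

```shell
#!/bin/sh
# Added example (not from the original notes): decide on gpg's machine-readable
# status lines instead of the "Good signature" text.

# check_status PINNED_FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only when there is exactly
# one GOODSIG and its VALIDSIG names the pinned fingerprint (40 hex digits,
# upper case, no spaces). VALIDSIG alone is not enough: gpg also emits it for
# signatures from expired or revoked keys, next to EXPKEYSIG or REVKEYSIG.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad++ }
        # $3 is the signing (sub)key fingerprint, the last field the primary key.
        $2 == "VALIDSIG" { if ($3 == want || $NF == want) pinned++; else other++ }
        END { exit !(good == 1 && pinned == 1 && !bad && !other) }
    '
}

# verify_download FILE SIGNATURE PINNED_FPR
# Status lines go to stdout (fd 1); the human-readable text on stderr is dropped.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed status lines for the example key on this page (timestamps and
# algorithm fields are made up).
FPR=69215DC44E8303C83090F2F1AA21250888469FBC
sample_status() {   # $1 = GOODSIG | BADSIG | REVKEYSIG
    echo "[GNUPG:] NEWSIG"
    echo "[GNUPG:] $1 AA21250888469FBC Yuri Alek (Example keys)"
    [ "$1" = BADSIG ] ||
        echo "[GNUPG:] VALIDSIG $FPR 2019-08-15 1565870400 0 4 0 1 10 00 $FPR"
}
```

Call it as verify_download file.ext file.ext.asc FINGERPRINT, with the fingerprint obtained from a channel other than the download site.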