gpg
gpg --default-new-key-algo rsa4096 --gen-key
gpg --edit-key me@email.com change-usage
gpg --list-public-keys --keyid-format long
gpg --list-secret-keys --keyid-format long --with-keygrip --with-subkey-fingerprints
gpg --list-options show-photos --photo-viewer "cat > <path>/0x%k.%t" --list-keys [key_identifier]
gpg --clear-sign --local-user me@email.com --output test.txt.asc test.txt
gpg --verify test.txt.asc
gpg --detach-sign --local-user me@email.com --armor --output test.txt.asc2 test.txt
gpg --verify test.txt.asc2 test.txt
gpg --encrypt --recipient username@email.com --output test.txt.gpg test.txt
gpg --sign --encrypt --digest-algo SHA256 [...]
gpg --encrypt --cipher-algo AES256 [...]
gpg --encrypt --compress-algo none [...]
sq inspect test.txt.gpg
gpg --decrypt test.txt.gpg --output test.decrypted.txt
gpg --list-packets -vv --show-session-key test.txt.gpg
gpg --output public.asc --armor --export username@email.com
gpg --output private.asc --armor --export-secret-key username@email.com
gpg --quick-set-expire 1111111190ABCDEF1234567890ABCDEF11111111 7w '*'
LANG=en gpg --version
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 12 | sed -r 's/(.{4})/\1-/g' | sed -r 's/(.*)-$/\1\n/g'
gpg --export-ssh-key 1111111190ABCDEF1234567890ABCDEF11111111
sign vs. clear-sign vs. detach-sign
- sign: The recipient needs to have gpg installed to read the resulting .gpg file. The .gpg file contains both the original file content and the signature. The content is compressed.
- clear-sign: The output file contains both the original file content and the signature. The content is retained in plain text, so no additional program like gpg is needed to read it on the other side. The content is not compressed though, so the resulting file size might be bigger.
- detach-sign: The output file contains the signature only. To have a signature in ASCII format, use the --armor flag. Otherwise, it will be a binary signature.
In general, I also like to specify the --local-user flag explicitly on the signing commands. If you do not specify it, the default private key is used. The default key is the first key found in the secret keyring. To set a default signing key, edit the file ~/.gnupg/gpg.conf and add the line:
default-key <key-id>
where key-id is either the long keyid or the fingerprint of your key.
list-packets
list-packets shows detailed information about a .gpg file. This information includes:
- who the recipient is: the keyid hints who can decrypt the file. This info can be spoofed, though.
- which algorithm has been used for the symmetric part: see here for a list of algorithms.
gpg: session key: ‘8:32050C047C47C519E76901EFC47FDFED0CD87CDB85809AFE’
You can see the algorithm in the session key: the number before the colon. In this case, the algorithm is 8 (= AES192).
In my case it showed 9.2, which is AES256 in OCB mode.
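The session-key line can also be checked programmatically. The following Python is an added example and not part of these notes: it parses the line that --show-session-key prints, maps the numeric id to the algorithm name (and the AEAD mode after the dot, as in 9.2), and checks that the length of the hex key matches the claimed algorithm. The sample output lines are constructed; the id tables are my reading of the OpenPGP symmetric-algorithm registry and GnuPG's algo.aead notation.

```python
import re

# OpenPGP symmetric algorithm ids (RFC 4880 section 9.2) -> (name, key size in bits).
SYMMETRIC_ALGOS = {
    1: ("IDEA", 128), 2: ("3DES", 192), 3: ("CAST5", 128), 4: ("Blowfish", 128),
    7: ("AES128", 128), 8: ("AES192", 192), 9: ("AES256", 256), 10: ("Twofish", 256),
    11: ("Camellia128", 128), 12: ("Camellia192", 192), 13: ("Camellia256", 256),
}
# AEAD mode ids as GnuPG shows them after the dot (assumption: 1 = EAX, 2 = OCB).
AEAD_MODES = {1: "EAX", 2: "OCB"}

# Matches "session key: '8:HEX'" and "session key: '9.2:HEX'" with straight or curly quotes.
SESSION_KEY_RE = re.compile(r"session key: [‘']([0-9]+)(?:\.([0-9]+))?:([0-9A-Fa-f]+)[’']")


def parse_session_key(line):
    """Parse one gpg log line; return a dict describing the session key, or None."""
    m = SESSION_KEY_RE.search(line)
    if not m:
        return None
    algo_id = int(m.group(1))
    aead_id = int(m.group(2)) if m.group(2) else None
    key_hex = m.group(3)
    name, expected_bits = SYMMETRIC_ALGOS.get(algo_id, ("unknown", None))
    key_bits = len(key_hex) * 4  # each hex digit carries four bits
    return {
        "algo_id": algo_id,
        "algo": name,
        "aead": AEAD_MODES.get(aead_id, "unknown") if aead_id is not None else None,
        "key_bits": key_bits,
        # A key whose length does not match the claimed algorithm points at a parsing
        # error or an unexpected GnuPG build; either way it deserves a closer look.
        "consistent": expected_bits == key_bits,
    }


def scan_output(text):
    """Return the parsed session keys found in a block of gpg output."""
    return [r for r in (parse_session_key(l) for l in text.splitlines()) if r]


# Constructed sample output resembling gpg --list-packets -vv --show-session-key.
SAMPLE_OUTPUT = """gpg: public key is 1234567890ABCDEF
gpg: session key: ‘8:32050C047C47C519E76901EFC47FDFED0CD87CDB85809AFE’
gpg: session key: '9.2:00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF'
"""

if __name__ == "__main__":
    for entry in scan_output(SAMPLE_OUTPUT):
        print(entry)
```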
TPM: Card error
I have seen this error when trying to encrypt and sign a file without specifying the digest-algo.
So if the algorithm is not compatible with the TPM, you might just see Card error instead of a proper error message.
Fix: Explicitly set the algorithm to SHA256, which must be supported by the TPM.
gpg --sign --encrypt --digest-algo SHA256 [...]
Nitrokey
Move private key to external smart card (e.g. Nitrokey)
gpg --edit-key --expert username@email.com
It will show you some info, then type the keytocard command to transfer the key to the NitroKey. I had to enter the admin PIN twice (default: 12345678). After this, type quit and confirm.
Import reference to private key on another computer
Import public key from file or server
gpg --import public.asc
Reference private key on smartcard
gpg --card-edit
then enter fetch and quit to import the reference to the secret key on the NitroKey.