Last modified: Apr, 2010
To generate a GPG private-public key pair, run
gpg --gen-key
It is an interactive and self-explanatory process.
To list public keys:
gpg --list-keys
and to list private keys:
gpg --list-secret-keys
To encrypt a file without a public key, run
gpg -c foo.txt
and enter a passphrase.
To encrypt a file with a public key, run
gpg --encrypt --recipient <email-address> foo.txt
The _
To decrypt a file which was encrypted without a public key, run
gpg foo.txt.gpg -o <file-decrypted>
and enter the passphrase.
To decrypt a file which was encrypted with a public key, run
gpg --output foo.txt --decrypt foo.txt.gpg
or
gpg --decrypt foo.txt.gpg > foo.txt
To import a public key, run
gpg --import public.key
To import a private key, run
gpg --allow-secret-key-import --import private.key
To export a public key, run
gpg --export -a <email-address> > public.key
To export a private key, run
gpg --export-secret-keys -a <email-address> > private.key
To sign a file with Person A’s own public key, A should do
gpg --clearsign msg.txt
That will give a new signed file called msg.txt.asc which contains both the content and the signature. "--clearsign" means the signature is in clear text.
For Person B, to verify A’s signature on a file, he should do
gpg --verify msg.txt.asc
given that B has the public key of A in his keyring. Here B can verify if msg.txt.asc is really from A using A’s public key.
To show the fingerprint of a key, run
gpg --fingerprint <email-address>
To delete a public key, run
gpg --delete-keys <email-address>
To delete a private key, run
gpg --delete-secret-keys <email-address>
To change the passphrase of a private key, run
$ gpg --edit-key [keyID]
gpg> passwd
Enter passphrase:
Enter the new passphrase for this secret key.
Enter passphrase:
Repeat passphrase:
gpg> save
NOTE: changing the passphrase does not help against copies of the private key that already exist elsewhere. If you keep a copy of the private key with the original passphrase somewhere else, files encrypted after the passphrase change can still be decrypted with that old copy: only the private key material matters, and the passphrase is irrelevant to the ciphertext. So it is extremely important to keep the private key secure in your hands.
http://tech.michaelaltfield.net/wp/?p=414
In GNOME
At least the following works for Ubuntu (GNOME).
According to “man gpg-agent” (also here), GPG agent can be started together with X by adding this line into $HOME/.xsession
eval $(gpg-agent --daemon)
And don’t forget to add
use-agent
to "$HOME/.gnupg/gpg.conf".
In LXDE
However, in my Fedora 14 LXDE (as well as Lubuntu 10.10), it seems that the file "$HOME/.xsession" is not read when X is started. So I just add the following into "$HOME/.bashrc":
################
# Start the GnuPG agent and enable OpenSSH agent emulation
# https://wiki.archlinux.org/index.php/Using_SSH_Keys#Using_GnuPG_Agent
if pgrep -u "${USER}" gpg-agent >/dev/null 2>&1; then   # see if the gpg-agent daemon is running
    :   # already running, do nothing
else
    # Start the gpg-agent daemon with ssh support. Its stdout is the shell
    # snippet that exports GPG_AGENT_INFO and SSH_AUTH_SOCK, so it must reach
    # eval and must not be sent to /dev/null; only stderr is silenced.
    eval "$(gpg-agent --enable-ssh-support --daemon 2>/dev/null)"
fi
What it does is start 'gpg-agent' when it is not running, or do nothing if it has already been started. Note that the 'ssh-agent' daemon is also started along with 'gpg-agent'. If you have an ssh key, you need to add the key to the keyring by
ssh-add
It will guide you through the key adding process. For more ssh key manipulation, consult “ssh-add(1)”.
NOTE: Again, don't forget to add "use-agent" to the file "$HOME/.gnupg/gpg.conf", or 'gpg-agent' just won't work.
Reference
The difference between the signing key and the encryption key has been discussed in the post here.
And I quote:
“For every key on a keyring there is at least one signing and one encryption key. The signing key is the primary key, the encryption key is the subkey.
To see the difference,
Public Keyring
pub   1024D/069C39A4 2008-01-28
uid                  John Smith <email-address>
sub   2048g/045D39H5 2008-01-28

Private Keyring
sec   1024D/069C39A4 2008-01-28
uid                  John Smith <email-address>
ssb   2048g/045D39H5 2008-01-28
The public signing key is designated by pub 1024D/069C39A4. The corresponding private signing key is sec 1024D/069C39A4.
The public encryption key is designated by sub 2048g/045D39H5. The corresponding private encryption key is ssb 2048g/045D39H5.”
By default, GPG reads keys from "$HOME/.gnupg". But if one uses an external drive for the GPG keyring, this default directory can be changed by setting
export GNUPGHOME=/path/to/keys
in “$HOME/.bashrc”.
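The clearsign/verify steps above and the GNUPGHOME note, as one added script that is not part of the original notes: it builds a throwaway keyring in a temporary GNUPGHOME, clear-signs a file, and then verifies it the way B should, checking for GOODSIG and pinning A's primary-key fingerprint from gpg's --status-fd output rather than accepting any key in the keyring. It assumes GnuPG 2.1 or later is installed; the user ID, the message text and the hypothetical helper verify_pinned are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes GnuPG 2.1+ (gpg, gpgconf,
# gpg-agent); the user ID, message and helper name are made up.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

# Throwaway keyring via GNUPGHOME, so ~/.gnupg is never touched.
GNUPGHOME=$(mktemp -d); export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Unattended key generation; an empty passphrase is only acceptable for a
# disposable test key.
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Example Signer <signer@example.invalid>' >/dev/null 2>&1

# Primary-key fingerprint from machine-readable output (first "fpr" record).
# In real use this value is pinned out of band (checked with the signer), not
# read back from the same keyring.
FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')

# verify_pinned FILE FPR: succeed only on GOODSIG *and* the expected primary key.
# Exit status alone says "some key in my keyring signed this", which is weaker.
verify_pinned() {
    st=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    printf '%s\n' "$st" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # VALIDSIG line: field 3 is the signing key, field 12 the primary-key fingerprint
    pk=$(printf '%s\n' "$st" | awk '$2 == "VALIDSIG" { print $12; exit }')
    [ "$pk" = "$2" ]
}

cd "$GNUPGHOME"
printf 'Transfer 100 EUR to account A\n' > msg.txt
gpg --batch --clearsign msg.txt                      # writes msg.txt.asc
sed 's/100 EUR/900 EUR/' msg.txt.asc > tampered.asc  # edit the signed text, keep the signature

if verify_pinned msg.txt.asc "$FPR"; then echo "msg.txt.asc: good signature from pinned key"; fi
if ! verify_pinned tampered.asc "$FPR"; then echo "tampered.asc: rejected"; fi
```

A signature from a different, unexpected key in the keyring is also rejected, since the pinned fingerprint no longer matches.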