gpg-usage

Installation

install gpg

Concepts

  • sec: secret (private) primary key
  • pub: public primary key
  • ssb: secret (private) subkey
  • sub: public subkey

gpg --list-keys shows pub/sub records, gpg --list-secret-keys shows sec/ssb records; the primary key certifies (C) and usually signs (S), the default subkey encrypts (E).

Creating a key pair

gpg --full-generate-key

gpg (GnuPG) 2.2.13; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: liuqiulin
Email address: q_l_l@sina.com
Comment: qlliu
You selected this USER-ID:
"liuqiulin (qlliu) <q_l_l@sina.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key F4F6D30C9442A4F3 marked as ultimately trusted
gpg: directory '/home/qlliu/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/qlliu/.gnupg/openpgp-revocs.d/8024A73585F84542B91866EEF4F6D30C9442A4F3.rev'
public and secret key created and signed.

pub rsa4096 2019-02-23 [SC]
8024A73585F84542B91866EEF4F6D30C9442A4F3
uid liuqiulin (qlliu) <q_l_l@sina.com>
sub rsa4096 2019-02-23 [E]

Note that .gnupg/openpgp-revocs.d/8024A73585F84542B91866EEF4F6D30C9442A4F3.rev has been generated automatically: it is a revocation certificate for the new key, not a separate key. Anyone who holds it can revoke your key, so store it somewhere safe (ideally offline); after that it is advisable to delete the file from this machine.

The 40-hex-digit string 8024A73585F84542B91866EEF4F6D30C9442A4F3 is the key's fingerprint; the key ID that gpg prints elsewhere (F4F6D30C9442A4F3 in the "marked as ultimately trusted" line) is its last 16 hex digits. Either is accepted wherever [KEY ID] appears below; prefer the full fingerprint, since the shorter forms can collide.
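The relation between fingerprint and key ID, and the pub/sub records from the Concepts section, are easiest to see in the machine-readable listing, gpg --list-keys --with-colons, which is also what any script around gpg should parse (the human-readable output is not a stable format). The following is an added example, not code from the original notes or from GnuPG: it parses a constructed listing for the key generated above (the primary key's fingerprint, key ID and user ID are the ones in the transcript; the subkey fingerprint and the uid hash are made up), maps the record types, and derives the long and short key IDs from the fingerprint. Function and class names are mine.

```python
"""Parse `gpg --with-colons` listings and derive key IDs from fingerprints.

Added example, not part of the original notes or of GnuPG. SAMPLE_LISTING is
constructed: the primary key data matches the transcript above, the subkey
fingerprint and the uid hash are invented for illustration.
"""
from dataclasses import dataclass, field

# OpenPGP public-key algorithm numbers (RFC 4880 sec. 9.1, plus EdDSA).
ALGO_NAMES = {1: "rsa", 16: "elg", 17: "dsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}

# Constructed sample listing.  Colon-separated fields (1-based, as in GnuPG's
# DETAILS file): 1 record type, 3 key length, 4 algorithm, 5 key ID,
# 6 creation time, 10 fingerprint (fpr) or user ID (uid), 12 capabilities.
SAMPLE_LISTING = """\
tru::1:1550880000:0:3:1:5
pub:u:4096:1:F4F6D30C9442A4F3:1550880000:::u:::scESC::::::23::0:
fpr:::::::::8024A73585F84542B91866EEF4F6D30C9442A4F3:
uid:u::::1550880000::D3C6F4E2B1A09F8E7D6C5B4A39281706F5E4D3C2::liuqiulin (qlliu) <q_l_l@sina.com>::::::::::0:
sub:u:4096:1:89ABCDEF01234567:1550880000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""


@dataclass
class Key:
    record: str                 # pub/sec = primary key, sub/ssb = subkey
    keyid: str                  # long key ID as printed by gpg (field 5)
    length: int
    algo: int
    caps: str                   # field 12, e.g. "scESC" or "e"
    fingerprint: str = ""       # filled in from the fpr record that follows
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)

    def summary(self) -> str:
        """Human-readable form, like the `pub rsa4096 2019-02-23 [SC]` lines."""
        algo = ALGO_NAMES.get(self.algo, str(self.algo))
        return f"{self.record} {algo}{self.length} [{own_capabilities(self.caps)}]"


def own_capabilities(caps: str) -> str:
    """Lowercase letters in field 12 are this key's own usage flags (s, c, e, a);
    uppercase letters summarise what the whole key, subkeys included, can do."""
    return "".join(c for c in caps if c.islower()).upper()


def long_keyid(fingerprint: str) -> str:
    """For v4 OpenPGP keys the 64-bit key ID is the low-order 16 hex digits of
    the 160-bit fingerprint, which is what gpg prints as the key ID."""
    return fingerprint[-16:].upper()


def short_keyid(fingerprint: str) -> str:
    """The 32-bit short ID (last 8 hex digits).  Trivially collidable; never
    use it to select a key for --send-keys, --recipient or --export."""
    return fingerprint[-8:].upper()


def parse_listing(text: str) -> list:
    """Group pub/sec, their fpr, uid and sub/ssb records into Key objects."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        f += [""] * (12 - len(f))          # pad short records
        rec = f[0]
        if rec in ("pub", "sec"):
            current = Key(rec, f[4], int(f[2]), int(f[3]), f[11])
            keys.append(current)
        elif rec in ("sub", "ssb"):
            current = Key(rec, f[4], int(f[2]), int(f[3]), f[11])
            keys[-1].subkeys.append(current)
        elif rec == "fpr" and current is not None:
            current.fingerprint = f[9]     # fpr follows the key it belongs to
        elif rec == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys


def keyid_mismatches(keys: list) -> list:
    """Key IDs whose fingerprint does not end in them (a corrupted or
    hand-edited listing); empty for a sane keyring."""
    return [k.keyid for key in keys for k in [key, *key.subkeys]
            if long_keyid(k.fingerprint) != k.keyid.upper()]


if __name__ == "__main__":
    for key in parse_listing(SAMPLE_LISTING):
        print(key.summary(), key.fingerprint, "uids:", key.uids)
        for sub in key.subkeys:
            print("  ", sub.summary(), sub.fingerprint, "->", long_keyid(sub.fingerprint))
```

Run it against a real keyring with `gpg --list-keys --with-colons | python3 this_script.py` by reading stdin instead of SAMPLE_LISTING; the summary lines come out in the same shape as the transcript above, and keyid_mismatches should always be empty.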

send to key server

gpg --send-keys [KEY ID]

export sec

gpg -o [FILE NAME] --armor --export-secret-keys [KEY ID]

export revoke key

gpg -o [REVOKE FILE NAME] --generate-revocation [KEY ID]

import sec

gpg --import [FILE NAME]

delete sec

gpg --delete-secret-keys [KEY ID]

symmetric encryption

gpg --cipher-algo AES256 -c [FILE NAME TO BE ENCRYPTED]

revoke sec

gpg --import [REVOKE FILE NAME]
gpg --send-keys [KEY ID]

If the file is the .rev certificate that --full-generate-key wrote automatically, first remove the colon that GnuPG inserts in front of the "-----BEGIN PGP PUBLIC KEY BLOCK-----" line; it is there precisely so the certificate cannot be imported by accident. Once imported and sent to a keyserver the revocation cannot be withdrawn.

First-time setup steps

Steps when moving to a new computer

Forcing a passphrase prompt

  • Old versions: gpg-agent caches the passphrase for a short while. Passing --no-use-agent, or adding no-use-agent to ~/.gnupg/gpg.conf, avoids this (GnuPG 2.1+ ignores that option).

  • New versions (v2.1+): add the following to ~/.gnupg/gpg-agent.conf

    default-cache-ttl 0
    max-cache-ttl 0

    Then reload the agent: echo RELOADAGENT | gpg-connect-agent. With both TTLs at 0 nothing is cached, so every signing or decryption, including each signed git commit, prompts for the passphrase.

Reference: https://security.stackexchange.com/questions/103034/gnupg-decryption-not-asking-for-passphrase/103037#103037
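A setup script for a new machine should set these two directives without clobbering whatever else is already in gpg-agent.conf (pinentry-program, for instance). The following is an added example, not from the original notes or from GnuPG: it rewrites the directives in place, drops duplicates, keeps comments and unrelated lines, appends what is missing, and only reloads the agent when the file actually changed. The helper names are mine and SAMPLE_CONF is constructed.

```python
"""Set passphrase-cache directives in gpg-agent.conf idempotently.

Added example, not part of the original notes or of GnuPG.  Helper names are
hypothetical and SAMPLE_CONF is constructed.  gpg-agent.conf is a plain list
of `name value` lines; `#` starts a comment.
"""
import subprocess
from pathlib import Path

# The two settings from the note above: a TTL of 0 means no caching at all.
NO_CACHE = {"default-cache-ttl": "0", "max-cache-ttl": "0"}

# Constructed: a gpg-agent.conf that still caches passphrases and carries a
# duplicate line plus an unrelated directive that must survive the edit.
SAMPLE_CONF = """\
# gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 600
max-cache-ttl 7200
default-cache-ttl 600
"""


def parse_directives(text: str) -> dict:
    """Active `name value` lines as a dict (comments and blanks ignored)."""
    result = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        result[parts[0]] = parts[1] if len(parts) > 1 else ""
    return result


def set_directives(text: str, directives: dict) -> str:
    """Return `text` with each directive set exactly once: the first active
    occurrence is rewritten in place, later duplicates are dropped, comments
    and other directives are kept verbatim, missing ones are appended."""
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        is_comment = not stripped or stripped.startswith("#")
        name = "" if is_comment else stripped.split(None, 1)[0]
        if name not in directives:
            out.append(line)
        elif name not in seen:
            seen.add(name)
            out.append(f"{name} {directives[name]}")
        # else: a duplicate active directive, dropped
    for name, value in directives.items():
        if name not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


def disable_passphrase_cache(conf_path: Path) -> bool:
    """Apply NO_CACHE to the file; returns True if the file was changed."""
    old = conf_path.read_text() if conf_path.exists() else ""
    new = set_directives(old, NO_CACHE)
    if new == old:
        return False
    conf_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    conf_path.write_text(new)
    return True


def reload_agent() -> int:
    """Same effect as `echo RELOADAGENT | gpg-connect-agent`; returns exit code."""
    return subprocess.run(["gpg-connect-agent", "RELOADAGENT", "/bye"],
                          check=False).returncode


if __name__ == "__main__":
    conf = Path.home() / ".gnupg" / "gpg-agent.conf"
    if disable_passphrase_cache(conf):
        reload_agent()
```

Running the script twice is safe: the second run finds the directives already at 0, leaves the file untouched and does not reload the agent.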

Troubleshooting

Error log. When this error appears, git cannot use its signing feature either, because it invokes the same gpg.

/ # echo "test" | gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

test
gpg: signing failed: Inappropriate ioctl for device
gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device

Fix

export GPG_TTY=$(tty)

Put this line in your shell start-up file (e.g. ~/.bashrc) so it applies to every interactive session; gpg-agent needs it to know which terminal pinentry should use to ask for the passphrase.
Reference: https://unix.stackexchange.com/questions/257061/gentoo-linux-gpg-encrypts-properly-a-file-passed-through-parameter-but-throws-i/257065#257065