How to Setup GPG

From Linux Delta

Overview

GNU Privacy Guard (GnuPG, invoked as gpg) is a suite of tools for working with OpenPGP keys and for encrypting, decrypting and signing data.

This guide was written for Ubuntu-based distributions of at least version 18.04. Other distros or older versions may have different commands, package names, and file locations.


Create GPG Key

  1. Generate a new GPG key.
    gpg --full-generate-key
  2. Select "1" for the type of key.
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 1
  3. Enter "4096" for the key size.
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (3072) 4096
  4. Enter "0" to never expire the key. Enter "y" when prompted for confirmation.
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct? (y/N) y
  5. Enter a name, email and comment when prompted. Enter "o" when asked to confirm.
    GnuPG needs to construct a user ID to identify your key.
    
    Real name: First Last
    Email address: email@example.com
    Comment: pass-key
    You selected this USER-ID:
        "First Last (pass-key) <email@example.com>"
    
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
  6. Enter a passphrase to encrypt the key. Enter it again to confirm.
    Please enter the passphrase to
    protect your new key
    Passphrase: 
    Repeat: 


Export/Import GPG Key

If a GPG key already exists and needs to be moved from one system to another, it must be exported, then imported and marked as trusted.

  1. On a system where the key exists, list the secret keys. Note the fingerprint of the key to be exported. It will be used in future steps.
    gpg --list-secret-keys
  2. Export the key to a file named "privkey.asc". Replace <fingerprint> with the fingerprint found previously.
    gpg --export-secret-keys --armor <fingerprint> > privkey.asc
  3. Transfer the key to the new system by a secure means such as a flash drive. Do not use any unencrypted medium such as email.
  4. Log in to the new machine.
  5. Import the key into the new machine. (On GnuPG 2.x the --allow-secret-key-import option is an accepted but obsolete no-op; a plain --import also works.)
    gpg --allow-secret-key-import --import privkey.asc
  6. Trust the imported key. Replace <fingerprint> with the fingerprint found previously.
    gpg --edit-key <fingerprint>
    1. Type "trust".
    2. Select "5" to trust ultimately.
    3. Type "y" when prompted.
    4. Type "quit".
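The two procedures above (create the key, then export it, import it on the other system and mark it trusted) can be run unattended. The script below is an added example, not part of the Linux Delta page: it assumes GnuPG 2.1 or later (Ubuntu 18.04 ships 2.2), works entirely in throwaway GNUPGHOME directories so it never touches ~/.gnupg, uses a constructed user ID and passphrase, and sets ownertrust with --import-ownertrust (level 6 = ultimate, the same as answering "5" in the --edit-key trust menu) instead of the interactive menu.

```shell
#!/bin/sh
# Added example: unattended equivalent of the "Create GPG Key" and
# "Export/Import GPG Key" procedures. Assumes GnuPG >= 2.1.
set -eu

# Parse `gpg --list-secret-keys --with-colons` output on stdin and print
# "algo bits expiry fingerprint" for the primary secret key.
# Colon fields: 1=record type, 3=key length, 4=algorithm (1 = RSA),
# 7=expiry (empty = never); the fpr: record after sec: carries the
# fingerprint in field 10.
parse_secret_key_info() {
    awk -F: '
        $1 == "sec" { algo = $4; bits = $3; expiry = ($7 == "" ? "never" : $7); want = 1; next }
        want && $1 == "fpr" { printf "%s %s %s %s\n", algo, bits, expiry, $10; exit }
    '
}

# Create a 4096-bit RSA key (sign/certify primary + encrypt subkey) that never
# expires, i.e. the same answers the guide gives interactively. The passphrase
# is read from stdin through --passphrase-fd 0 with loopback pinentry, and
# --batch suppresses every prompt. Prints the new key's fingerprint.
generate_key() {
    home="$1"; userid="$2"; passphrase="$3"
    printf '%s\n' "$passphrase" | GNUPGHOME="$home" gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --quick-generate-key "$userid" rsa4096 default 0
    GNUPGHOME="$home" gpg --list-secret-keys --with-colons \
        | parse_secret_key_info | awk '{ print $4 }'
}

# Step 2 of the guide: armored secret-key export. The file holds a secret, so
# it is created under umask 077 (owner-readable only).
export_secret_key() {
    home="$1"; fpr="$2"; out="$3"; passphrase="$4"
    printf '%s\n' "$passphrase" | ( umask 077; GNUPGHOME="$home" gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --export-secret-keys --armor "$fpr" > "$out" )
}

# Steps 5 and 6 on the "new machine" (here: a second GNUPGHOME). Ownertrust
# records have the form "<fingerprint>:<level>:"; 6 means ultimate.
import_and_trust() {
    home="$1"; keyfile="$2"; fpr="$3"; passphrase="$4"
    printf '%s\n' "$passphrase" | GNUPGHOME="$home" gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 --import "$keyfile"
    printf '%s:6:\n' "$fpr" | GNUPGHOME="$home" gpg --batch --quiet --import-ownertrust
}

# Validity GnuPG assigns to the key after the trust change: field 2 of the
# pub: record, "u" = ultimate.
key_validity() {
    home="$1"; fpr="$2"
    GNUPGHOME="$home" gpg --batch --quiet --check-trustdb 2>/dev/null
    GNUPGHOME="$home" gpg --list-keys --with-colons "$fpr" | awk -F: '$1 == "pub" { print $2; exit }'
}

# Full walk-through in scratch directories; sets DEMO_VALIDITY for the caller.
demo() {
    work=$(mktemp -d /tmp/gpgdemo.XXXXXX)
    old="$work/old"; new="$work/new"
    mkdir -m 700 "$old" "$new"
    pass="constructed-demo-passphrase"          # constructed; never reuse
    fpr=$(generate_key "$old" "First Last (pass-key) <email@example.com>" "$pass")
    export_secret_key "$old" "$fpr" "$work/privkey.asc" "$pass"
    grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$work/privkey.asc"   # armored, as expected
    import_and_trust "$new" "$work/privkey.asc" "$fpr" "$pass"
    DEMO_VALIDITY=$(key_validity "$new" "$fpr")
    echo "fingerprint=$fpr validity_on_new_system=$DEMO_VALIDITY"
    # Stop the agents that served the scratch keyrings, then remove the keys.
    GNUPGHOME="$old" gpgconf --kill gpg-agent || true
    GNUPGHOME="$new" gpgconf --kill gpg-agent || true
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
    demo
fi
```

Running it prints the fingerprint and `validity_on_new_system=u`, which is what `gpg --list-keys` shows as "[ultimate]" after the interactive trust menu. The fingerprint passed to --import-ownertrust is the one taken from the exporting system, so the trust record is bound to exactly the key that was transferred.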

(Optional) Change the Pin Entry Program

The default GPG pin entry program is a graphical utility. If gpg will be used purely in a CLI environment (e.g. via SSH), a purely CLI pin entry program must be used.

  1. Make sure that pinentry-tty is installed.
    sudo apt install pinentry-tty
  2. Set the pin entry program to pinentry-tty. (The `>` redirection replaces any existing ~/.gnupg/gpg-agent.conf; use `>>` if the file already holds other settings.)
    echo pinentry-program /usr/bin/pinentry-tty > ~/.gnupg/gpg-agent.conf
  3. Restart the GPG agent.
    gpg-connect-agent reloadagent /bye
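The single `echo ... >` above discards anything already in gpg-agent.conf. The script below is an added example, not from the Linux Delta page: it replaces just the pinentry-program line (or appends one), reloads an agent only if one is already running, and prints the GPG_TTY export that the gpg-agent manual asks CLI users to put in their shell profile so pinentry-tty knows which terminal to use. The config path and pinentry binary are parameters, and the walk-through at the bottom runs against a scratch file built inline.

```shell
#!/bin/sh
# Added example: merge a pinentry-program setting into gpg-agent.conf instead
# of overwriting the file. Assumes GnuPG 2.x (gpg-connect-agent, gpgconf).
set -eu

# Replace any existing pinentry-program line in $conf (or append one), leaving
# every other option untouched. Prints the resulting file.
set_pinentry_program() {
    conf="$1"; program="$2"
    [ -x "$program" ] || echo "warning: $program is not an executable pinentry" >&2
    dir=$(dirname "$conf")
    [ -d "$dir" ] || mkdir -m 700 "$dir"          # gpg expects a private home dir
    touch "$conf"
    tmp="$conf.tmp.$$"
    { grep -v '^pinentry-program[[:space:]]' "$conf" || true
      printf 'pinentry-program %s\n' "$program"; } > "$tmp"
    mv "$tmp" "$conf"
    cat "$conf"
}

# Ask a running agent to re-read its config (the guide's step 3).
# gpg-connect-agent normally autostarts an agent, so probe with --no-autostart
# first and skip the reload when none is running.
reload_agent() {
    if gpg-connect-agent --no-autostart /bye >/dev/null 2>&1; then
        gpg-connect-agent reloadagent /bye
    fi
}

# Lines a CLI/SSH user adds to ~/.bashrc (or equivalent): pinentry-tty needs
# the terminal name, which gpg passes to the agent from GPG_TTY.
tty_profile_lines() {
    printf '%s\n' 'GPG_TTY=$(tty)' 'export GPG_TTY' 'gpg-connect-agent updatestartuptty /bye >/dev/null'
}

# Walk-through on a constructed scratch file that already contains a cache
# setting and a graphical pinentry, to show both survive/replace correctly.
scratch=$(mktemp -d /tmp/agentconf.XXXXXX)
printf 'default-cache-ttl 600\npinentry-program /usr/bin/pinentry-gnome3\n' > "$scratch/gpg-agent.conf"
echo "--- merged gpg-agent.conf ---"
set_pinentry_program "$scratch/gpg-agent.conf" /usr/bin/pinentry-tty
echo "--- add to shell profile ---"
tty_profile_lines
rm -rf "$scratch"
echo "For the real config: set_pinentry_program \"\${GNUPGHOME:-\$HOME/.gnupg}/gpg-agent.conf\" /usr/bin/pinentry-tty && reload_agent"
```

The merge keeps `default-cache-ttl 600` and swaps the gnome3 pinentry for pinentry-tty, so an existing passphrase-cache policy is not silently reset to defaults when switching to CLI-only use.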