How to Set Up GPG
GNU Privacy Guard is a suite of tools for working with PGP keys and encrypting and decrypting data.
This guide was written for Ubuntu-based distributions of at least version 18.04. Other distros or older versions may have different commands, package names, and file locations.
Create GPG Key
- Generate a new GPG key. The interactive prompts below are those of the full key generation dialog.
gpg --full-generate-key
- Select "1" for the type of key.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
- Enter "4096" for the key size.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
- Enter "0" to never expire the key. Enter "y" when prompted for confirmation.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
- Enter a name, email and comment when prompted. Enter "o" when asked to confirm.
GnuPG needs to construct a user ID to identify your key.

Real name: First Last
Email address: firstname.lastname@example.org
Comment: pass-key
You selected this USER-ID:
    "First Last (pass-key) <email@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
- Enter a passphrase to protect the secret key, then enter it again to confirm.
Please enter the passphrase to protect your new key
Passphrase:
Repeat:
Export/Import GPG Key
If a GPG key already exists and needs to be moved from one system to another, it must be exported, then imported and marked as trusted.
- On the system where the key exists, list the secret keys and note the fingerprint of the key to be exported. It will be used in later steps.
gpg --list-secret-keys
- Export the key to a file named "privkey.asc". Replace <fingerprint> with the fingerprint found previously.
gpg --export-secret-keys --armor <fingerprint> > privkey.asc
- Transfer the key file to the new system by secure means, such as a flash drive. Do not use an unencrypted channel such as email; the file contains the private key, protected only by its passphrase.
- Log in to the new machine.
- Import the key on the new machine. You will be asked for the key's passphrase. (The --allow-secret-key-import option is obsolete and ignored by GnuPG 2, but harmless.)
gpg --allow-secret-key-import --import privkey.asc
- Trust the imported key. Replace <fingerprint> with the fingerprint found previously.
gpg --edit-key <fingerprint>
- Type "trust".
- Select "5" to trust ultimately. This is the right level for a key you own yourself, not for other people's keys.
- Type "y" when prompted.
- Type "quit".
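The export, import and trust steps above scripted end to end, as an added example that is not part of the original guide. It assumes GnuPG 2.1 or later and POSIX sh with awk; the function names, the throwaway --homedir keyrings and the sample --with-colons listing with its key ids and fingerprints are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the guide: export / import / trust done non-interactively,
# with an awk helper for gpg's --with-colons listing. Assumes GnuPG 2.1+ and POSIX sh.
# Primary fingerprint of the first secret key whose user ID contains $1, read from
# `gpg --list-secret-keys --with-colons` on stdin: "sec" starts each key, the next
# "fpr" record holds the primary fingerprint (field 10), a later "uid" the user ID.
fingerprint_for_uid() {
    awk -F: -v want="$1" '
        $1 == "sec"                                  { fpr = "" }
        $1 == "fpr" && fpr == ""                     { fpr = $10 }
        $1 == "uid" && fpr != "" && index($10, want) { print fpr; exit }'
}
# The guide's export step, against an explicit keyring directory.
export_secret_key() {  # $1 keyring dir, $2 fingerprint, $3 output file
    gpg --homedir "$1" --batch --export-secret-keys --armor "$2" > "$3"
}
# Import plus trust without the --edit-key menu: ownertrust value 6 in the
# --import-ownertrust format is what menu choice "5" (ultimate) records.
import_and_trust() {   # $1 keyring dir, $2 key file, $3 fingerprint
    gpg --homedir "$1" --batch --import "$2" &&
    printf '%s:6:\n' "$3" | gpg --homedir "$1" --batch --import-ownertrust
}
# Round trip between two throwaway keyrings: generate an RSA key of $1 bits with the
# guide's parameters (no expiry), export, import, trust, then print the key's validity letter on the destination ("u" = ultimate).
round_trip() {
    src=$(mktemp -d) && dst=$(mktemp -d) || return 1
    gpg --homedir "$src" --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: $1
Name-Real: First Last
Name-Email: firstname.lastname@example.org
Expire-Date: 0
%no-protection
%commit
EOF
    fpr=$(gpg --homedir "$src" --list-secret-keys --with-colons | fingerprint_for_uid 'First Last')
    export_secret_key "$src" "$fpr" "$src/privkey.asc" &&
        import_and_trust "$dst" "$src/privkey.asc" "$fpr" &&
        gpg --homedir "$dst" --list-keys --with-colons | awk -F: '$1 == "pub" { print $2; exit }'
    gpgconf --homedir "$src" --kill gpg-agent; gpgconf --homedir "$dst" --kill gpg-agent
    rm -rf "$src" "$dst"
}
# Constructed sample listing (placeholder key ids and fingerprints, not a real key);
# the subkey's fpr record is there to show the helper keeps the primary one.
SAMPLE_LISTING='sec:u:4096:1:89ABCDEF01234567:1600000000::::::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000::First Last (pass-key) <firstname.lastname@example.org>::::::::::0:
ssb:e:4096:1:0011223344556677:1600000000::::::::::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
printf '%s\n' "$SAMPLE_LISTING" | fingerprint_for_uid 'First Last'
```

Running the file prints the placeholder fingerprint from the sample listing; call round_trip 4096 to exercise the live flow against a real gpg, which leaves no trace outside the two temporary directories.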
(Optional) Change the Pin Entry Program
The default GPG pin entry program is a graphical utility. If gpg will be used purely in a CLI environment (e.g. via SSH), a purely CLI pin entry program must be used instead.
- Make sure that pinentry-tty is installed.
sudo apt install pinentry-tty
- Set the pin entry program to pinentry-tty in ~/.gnupg/gpg-agent.conf. Note that the command below overwrites any existing gpg-agent.conf; append with >> instead if the file already contains settings.
echo pinentry-program /usr/bin/pinentry-tty > ~/.gnupg/gpg-agent.conf
- Restart the GPG agent.
gpg-connect-agent reloadagent /bye