
About GPG Keys#

Terminology#

  • PGP (Pretty Good Privacy): The original program, released by Phil Zimmermann in 1991; the PGP name now belongs to a commercial product line.
  • OpenPGP: The open standard (RFC 4880 and its updates) that defines the message formats and the operations for encryption, decryption, signing and key management.
  • GPG (GNU Privacy Guard, GnuPG): A free and open-source implementation of OpenPGP that interoperates with other OpenPGP implementations, including commercial PGP.

In short, GnuPG is an independent, standards-based implementation rather than a successor to PGP. Both rest on the same concepts (public-key cryptography, digital signatures, key management) and interoperate as long as both sides follow the OpenPGP standard and use algorithms the other side supports.


Install GnuPG#

  • Debian/Ubuntu: sudo apt update && sudo apt install gnupg -y
  • MacOS: brew install gnupg
  • Windows: download and run the Gpg4win installer (https://www.gpg4win.org/), which bundles GnuPG with a graphical key manager

Generate a new GPG key#

We first set GPG_TTY to the current TTY so that pinentry, which gpg-agent uses to ask for the passphrase, knows which terminal to prompt on; without it the prompt can fail (typically with "Inappropriate ioctl for device").

export GPG_TTY=$(tty)

Here we specify the key type and subkey type for the key generation:

  • Ed25519 (EdDSA) for the primary key, used for signing and, because GnuPG always gives the primary key the certify capability, for certifying other keys
  • Curve25519 (ECDH) for the subkey, used for encryption

Keeping encryption on a separate subkey lets you rotate or revoke it without replacing the primary key that others have certified.

  • Create a configuration file for key generation

    cat > key.config << EOF
    Key-Type: EDDSA
    Key-Curve: Ed25519
    Key-Usage: sign
    Subkey-Type: ECDH
    Subkey-Curve: Curve25519
    Subkey-Usage: encrypt
    Name-Real: Your Name
    Name-Email: your.email@example.com
    Expire-Date: 0
    %commit
    EOF
    

    • An additional line %no-protection above %commit skips the passphrase protection. Reserve this for disposable or automation keys: anyone who can read the keyring can then use the key. Without it, GnuPG asks for the passphrase through pinentry (which is why GPG_TTY is set above).
    • Expire-Date: 0 makes a key that never expires. A bounded lifetime such as 1y is the safer default: the expiry of an existing key can be extended later with gpg --edit-key, so it acts as a safety net if the key is ever lost or leaked rather than a lock-in.
  • Generate the key
    gpg --batch --gen-key key.config
    
  • Check the key
    gpg --list-secret-keys --keyid-format=long
    

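The human-readable listing above is fine for a glance, but for checking a keyring against the points made in this section (keys created with Expire-Date: 0, keys that have already expired or been revoked) the colon-separated listing from gpg --list-keys --with-colons is easier to parse. The script below is an added example, not code from the original page or from GnuPG: it feeds a constructed listing (the key IDs, fingerprints and user IDs are made up) through an awk audit that prints one line per primary key and subkey with its state. Against a real keyring, pipe gpg --list-keys --with-colons into audit_colon_listing "$(date +%s)".

```sh
#!/bin/sh
# Added example: audit a keyring from gpg's colon-separated listing
# (gpg --list-keys --with-colons). Field positions follow GnuPG's doc/DETAILS:
# 1 record type, 2 validity, 4 algorithm number, 5 key ID, 7 expiry (epoch,
# empty = never), 12 capabilities. Algorithm numbers: 1 RSA, 18 ECDH, 22 EdDSA.

# audit_colon_listing NOW_EPOCH  (reads the listing on stdin)
# Prints one line per primary key (pub) and subkey (sub) with its state.
audit_colon_listing() {
  awk -F: -v now="$1" '
    $1 == "pub" || $1 == "sub" {
      if ($4 == 22)      algo = "eddsa"
      else if ($4 == 18) algo = "ecdh"
      else if ($4 == 1)  algo = "rsa"
      else               algo = "algo" $4
      if ($2 == "e")                  state = "EXPIRED"
      else if ($2 == "r")             state = "REVOKED"
      else if ($7 == "")              state = "never-expires"
      else if ($7 - now < 30 * 86400) state = "expiring-soon=" $7
      else                            state = "expires=" $7
      printf "%s %s %s caps=%s %s\n", $1, $5, algo, $12, state
    }'
}

# Constructed listing (not real keys): one Ed25519/cv25519 pair whose primary
# was made with Expire-Date: 0, plus an old RSA key gpg already marks expired (e).
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:256:22:1111111111111111:1700000000:::u:::scESC:::::ed25519:23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sub:u:256:18:2222222222222222:1700000000:1800000000:::::e:::::cv25519:23:
fpr:::::::::2222222222222222222222222222222222222222:
pub:e:3072:1:3333333333333333:1500000000:1600000000::-:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:e::::1500000000::0000000000000000000000000000000000000000::Old Key <old@example.com>::::::::::0:'

# audit_sample [NOW_EPOCH]: run the audit over the constructed listing
audit_sample() {
  printf '%s\n' "$SAMPLE_LISTING" | audit_colon_listing "${1:-1700000000}"
}

# count_flagged [NOW_EPOCH]: number of keys that need attention
count_flagged() {
  audit_sample "${1:-1700000000}" | grep -c -E 'EXPIRED|REVOKED|never-expires|expiring-soon'
}

audit_sample
```

The validity field (2) is what gpg itself computed, so expired and revoked keys are taken from it rather than recomputed; the 30-day "expiring-soon" window is the one judgement the script adds, and passing the current time in as an argument keeps the output reproducible.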

Export Your Public Key#

gpg --armor --export KEY_ID_HERE > my_public_key.asc

Import Other's Public Key#

gpg --import KEY_FILE_HERE

Complete Backup and Transfer Your GPG Keys#

Warning

This section backs up and transfers all of your GPG keys: every key pair you own (private and public), any imported public keys, and the trust database.

Export on Original Computer#

  1. Export your private key (includes your subkeys and public keys)

    gpg --armor --export-secret-keys your.email@example.com > private.gpg
    

  2. Export entire public keyring (includes all imported keys)

    gpg --armor --export > all_public_keys.gpg
    

  3. Export trust database

    gpg --export-ownertrust > trust.txt
    

  4. Create a secure archive

    tar -czf gpg-complete-backup.tar.gz private.gpg all_public_keys.gpg trust.txt
    export GPG_TTY=$(tty) # if headless, this is required
    gpg -c gpg-complete-backup.tar.gz  # Encrypt the archive with a passphrase
    

  5. Securely delete the unencrypted files

    shred -u private.gpg all_public_keys.gpg trust.txt gpg-complete-backup.tar.gz
    

    shred overwrites the file in place, which only helps on storage that actually overwrites in place. On SSDs and on copy-on-write or journaled filesystems (APFS, Btrfs, ZFS) older copies can survive, so do this work on encrypted storage or a tmpfs where possible. On MacOS, shred is not installed by default; brew install coreutils provides it as gshred.

Import on New Computer#

  1. Decrypt the backup

    export GPG_TTY=$(tty) # if headless, this is required
    gpg -d gpg-complete-backup.tar.gz.gpg > gpg-complete-backup-decrypted.tar.gz
    tar xzf gpg-complete-backup-decrypted.tar.gz
    

  2. Import your private key (this automatically imports your public key too)

    gpg --import private.gpg
    

  3. Import all public keys

    gpg --import all_public_keys.gpg
    

  4. Import trust database

    gpg --import-ownertrust trust.txt
    

  5. Verify the setup

    gpg --list-secret-keys
    gpg --list-keys

    Your own key should now show [ultimate] trust in the listing. If it shows [unknown], the ownertrust import did not take effect; set it with the trust command inside gpg --edit-key KEY_ID_HERE.
    

  6. Clean up

    shred -u private.gpg all_public_keys.gpg trust.txt gpg-complete-backup-decrypted.tar.gz
    


Delete a GPG key#

Check existing keys#

# check all public keys
gpg --list-keys

# check my secret keys
gpg --list-secret-keys

Delete a key#

# delete the secret key first: gpg refuses to delete a public key
# while the matching secret key is still in the keyring
gpg --delete-secret-key KEY_ID_HERE

# then delete the public key
gpg --delete-key KEY_ID_HERE

Give the full fingerprint rather than a short key ID so that an ambiguous ID cannot match the wrong key; both commands ask for confirmation before deleting.

Manage Multiple GPG Keys#


File Encryption and Signing#

Encrypt and sign a file for someone#

Before you encrypt a file, you need the recipient's public key in your keyring: import it, then confirm its fingerprint with the recipient over a separate channel (phone, in person, a signed page you already trust). Encrypting to an unverified key is exactly what a key-substitution attack relies on, and gpg warns "There is no assurance this key belongs to the named user" until you have certified the key or otherwise trusted it.

gpg --recipient KEY_ID_HERE --encrypt --sign --armor FILE_NAME_HERE
  • --recipient KEY_ID_HERE (or -r KEY_ID_HERE) specifies the public key to which you want to encrypt.
  • --sign uses your private key to sign the file, allowing the recipient to verify that it was indeed you who sent it.
  • --armor wraps the output in ASCII armor (text form), which is handy for sending via email or other text-based channels.

Encrypt a file for multiple recipients#

gpg --recipient KEY_ID_A --recipient KEY_ID_B --encrypt --sign --armor FILE_NAME_HERE
  • You can list as many --recipient options as you want.
  • Each recipient can decrypt the file with their own private key: the file is encrypted once under a random session key, and that session key is wrapped separately for every recipient's public key.
  • Add yourself as a recipient too (or put encrypt-to YOUR_KEY_ID in gpg.conf); otherwise you will not be able to decrypt the file you just produced.

Decrypt a file for yourself#

gpg --decrypt FILE_NAME_HERE > decrypted.txt
  • If the file was also signed, gpg verifies the signature during decryption and reports "Good signature" (or a warning if the signer's key is missing or not trusted) on stderr; check that output instead of inferring the sender from the file name.