Manage GPG Keys

find ~/.gnupg -type f -execdir chmod 600 {} \; # Set 600 for files
find ~/.gnupg -type d -execdir chmod 700 {} \; # Set 700 for directories

• Create a key pair:

  gpg2 --expert --full-gen-key

For general use most people want:

• RSA (Sign Only) and RSA (Encrypt only) key
• Default 2048 Value Keysize. ¹⁾
• An expiration date. A year is good enough for the average user. Can be extended without having to re-issue a new key.
• Name and email address
• NO optional comment.
• A secure passphrase

• List keys in your public key ring:

  gpg --list-keys

• List keys in your secret key ring:

  gpg --list-secret-keys

In order to send keys to other users or backup your keys, you need to export them.

• Generate an ASCII version of your public key (eg. to distribure it by email):

  gpg --armor --export <user-id>

• Generate an ASCII version of your public key (eg. to distribure it by email):

  gpg --output public.key --armor --export <user-id>

If you want to import the key on another computer to encrypt/sign, you will need the private key.

• List private keys:

  gpg2 --list-secret-keys

• Generate an ASCII version of your public key (eg. to distribute it by email):

  gpg --armor --export-secret-key <user-id>

• Generate an ASCII version of your public key (eg. to distribute it by email):

  gpg --output public.key --armor --export-secret-key <user-id>

• Or use a keyserver to share your key:

  gpg --send-keys <user-id>
  gpg --keyserver pgp.mit.edu --send-keys <user-id>
  gpg --keyserver keyserver.ubuntu.com --send-keys <user-id>
  gpg --keyserver keys.gnupg.net --send-keys <user-id>
  gpg --keyserver pool.sks-keyservers.net --send-keys <user-id>

In order to encrypt messages to others, as well as to verivy their signatures, you need their public key.

• Import a key:

  gpg --import public.key

• To find out details of a key on the keyserver without importing it:

  gpg --search-keys <user-id>

• To import a key from a key server:

  gpg --recv-keys <user-id>

• Check card for keys:

  gpg --card-status

• Export keys from card:

  gpg --card-edit
   
  # Then enter
  fetch
   
  # Then quit
  quit

The ownertrust reflects the level of trust, which you put into how thoroughly you think, the key owner acts when signing other keys. Trust-levels are not set for keys but for the certain key owners.

• Edit a key:

  gpg --edit-key [key-id]

• Set trust level:

  gpg> trust
  Please decide how far you trust this user to correctly verify other users' keys
  (by looking at passports, checking fingerprints from different sources, etc.)
  
    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu
  
  Your decision? 

Nothing is known about the owner's judgement in key signing. Keys on your public keyring that you do not own initially have this trust level.

The default state. It means, no ownertrust has been set yet. The key is not trusted.

The owner is known to improperly sign other keys.

Trust-level is identical to 'Unknown / Undefined' i.e. the key is not trusted. But in this case, you actively state, to never trust the key in question. That means, you know that the key owner is not accurately verifying other keys before signing them.

The owner understands the implications of key signing and properly validates keys before signing them.

Will make a key show as valid, if it has been signed by at least three keys which you set to 'Marginal' trust-level. Example: If you set Alice's, Bob's and Peter's key to 'Marginal' and they all sign Ed's key, Ed's key will be valid. Due to the complexity of this status, we do not recommend using it.

The owner has an excellent understanding of key signing, and his signature on a key would be as good as your own.

Used for keys, which you trust to sign other keys. That means, if Alice's key is signed by your Buddy Bob, whose key you set the ownertrust to Full, Alice's key will be trusted. You should only be using Full ownertrust after verifying and signing Bob's key.

Only used for your own keys. You trust this key 'per se'. Any message signed with that key, will be trusted. This is also the reason why any key from a friend, that is signed by you, will also show as valid (green), even though you did not change the ownertrust of the signed key. The signed key will be valid due to the ultimate ownertrust of your own key.

So, now after the year has passed, we need to renew the sub-keys so they will not expire.

• Edit key:

  gpg2 --edit-key <user-id>

• Expire:

  gpg> expire

• Set expiration length of the primary key:

  Key is valid for? (0) 0

• Select all sub keys:

  gpg> key 1
  gpg> key 2
  gpg> key 3

• Expire the sub keys:

  gpg> expire

• Set expiration length of sub keys:

  Key is valid for? (0) 1y

• Save changes:

  gpg> save

• Update the keys on keyservers:

  gpg --keyserver pgp.mit.edu --send-keys <user-id>
  gpg --keyserver keyserver.ubuntu.com --send-keys <user-id>
  gpg --keyserver keys.gnupg.net --send-keys <user-id>
  gpg --keyserver pool.sks-keyservers.net --send-keys <user-id>

• List keys:

  gpg2 --list-keys

• Delete key:

  gpg2 --delete-key <keyID> [<keyID> <keyID>...]

When you generate keys then both public and private keys are generated.

• Delete private key:

  gpg --delete-secret-key <keyID>

• Then delete public key:

  gpg2 --delete-key <keyID>