- .gpg - generic binary gpg file
- .sig - binary signature file, used to verify that a file is authentic
- .asc - ascii file (rather than binary, usually has stuff like "---- BEGIN SUCHANDSUCH ----" in it)
Any of the following can be used in place of <key-ID>
- Key fingerprint: SHA-1 / MD5 hash of the key, best option (albeit the longest)
- Long key-ID: last 8 bytes of the fingerprint, risky to use days as it is technically possible to create another key with an identical key-ID
- Short key-ID: last 4 bytes of the fingerprint, definitely risky and different keys with identical short key-IDs have been demonstrated possible
- Original file
<filename>.sigor<filename>.asc- OR Just
<filename>.gpg, which contains the original file - Public key (preferably trustworthy)
- Your name + email address
- A plan of what to use it for, and a timeframe
- A secure passcode / passphrase and a place to store it (preferably not your brain, depending on your threat model)
- Keyserver / Friends (optional, don't worry)
- A private key suitable for signing + the passcode / passphrase
- A file
- A private key suitable for encryption (and preferably signing) + the passcode / passphrase
- A file
- The public key of the recipient
To get the public key, either:
- Copy + Paste key from website
- Download key from website
- Locate the key using the key ID or email
- Auto locate the key using the email address
- Search a keyserver / internet for the key
$gpg --refresh-keys, optionally with--keyserverto select the server.
$vim <companyname>.gpgto open a new key file[Ctrl+V]to paste the public key:wqto write the file and quit vim OR:q!to exit and try again- Go to Import Public Key
- Obtain the company / user's email address
$gpg --search-keys <email / key-ID>
- Obtain the key ID from the signature file
$gpg --recv-keys <key-ID>
- Find the email address of the owner
$gpg --auto-key-locate --locate-keys <email>orgpg --auto-key-locate nodefault,wkd --locate-keys <email>to exclude searching the local keyring
$gpg --import <companyname>.gpg to import the new key
$gpg --list-keysto show the new key and get the key hash$gpg --edit-key <keyhash> trustto set the trust level<trust level>ORmto abort and exit to main menuqto quit
$gpg --full-generate-key1(or4if only for signing)- enter expiration time (or 0)
y- (enter name and email, and a comment so you don't get confused later)
O- Enter a secure passphrase / passcode. Ideally your private key should be kept securely so this shouldn't be necessary in an ideal world, but private keys are inevitably lost, accidentally uploaded, compromsed etc. and this gives peace of mind. Store the passphrase / passcode somewhere safe and inaccessable (locked KeePass database on a pendrive in a secure location, or a notebook in a secure location).
- (wait for random generation, shouldn't take very long) Optional:
- Export with
$gpg --output <file>.keyring --export <key-ID> - Give someone trusted your revocation certificate in case your private key is lost, or you are compromised
- Tell everyone your (public) key hash and give everyone your public key and email, write it on your cards or post it on a permanent archive, and make sure people know how to find and verify it
- Upload to a keyserver with
$gpg --send-key <key-ID>(you can select a keyserver with the--keyserveroption). Don't forget to verify your email address. - Have someone you know, and who other people trust, sign your public key
$gpg --list-secret-keys
- If you have a revocation certificate, jump to step 4
$gpg --output revoke.asc --gen-revoke <key-ID>$gpg --import <revocation_cert>.ascto mark that key as revoked If you have uploaded to a keyserver:$gpg --keyserver <server> --search-keys <key-ID>$gpg --keyserver <server> --send-keys <key-ID>
$gpg --delete-key <key-ID>
$gpg -a --export <key-ID> > <name>.asc OR $gpg -a --export-secret-key <key-ID> > <secret_name>.asc
Use this to manage your keys or to transfer it to someone else (or you could just export the key)
$gpg --output <name>.keyring --export <key-ID>
$gpg --sign <file>assuming the file is in cwd OR$gpg -local-user 0x<key-ID> --sign <file>to sign with a specific key- Enter the passphrase
- The file will be
<file>.gpg
$gpg --detach-sig --sign <file>assuming the file is in cwd OR$gpg --detach-sig -local-user 0x<key-ID> --sign <file>to sign with a specific key- Enter the passphrase
- The file will be
<file>.sig
- Import the public key if you haven't already
$gpg --list-keys <email>$gpg --sign-key <key-ID>
$gpg --send-key <key-ID>NOTE: This will show others that you trust this key, however this can be a downside if you don't want others to know you have used this key
- Ensure the file is in cwd
$gpg --encrypt --sign -r <email / key-ID> <file>. GPG will sign then encrypt the file.
$gpg --fingerprint <email>- Phone / Zoom / Talk to the person IRL and ask what their key fingerprint is, and check they match
- If they do match, you can probably improve the trust of the fingerprint (but never set it to Ultimate)
- Optionally sign the key and upload to a keyserver, to show yourself and others that you trust this key to be authentic
- Make sure
<file>and<file>.<sig|asc>are in the cwd - Either Step 3 (lite mode) or Step 4 (heavy mode) or Step 5 (ultra lite)
$gpgv <file>.<sig|asc>OR$gpgv <signature>.<sig|asc> <file>(if the file is not named the same as the signature). Important: gpgv does not check for revoked or expired keys, and assumes ALL keys in the keyring are trustworthy and valid$gpg --verify <file>.<sig|asc>OR$gpg --verify <signature>.<sig|asc> <file>- Check that it says "Good signature made"
Note: If your file is encrypted, you will need to decrypt it instead
- Make sure
<file>.gpgis in cwd $gpg --verify <file>.gpg- Check that it says "Good signature made"
$gpg --output <file> --decrypt <file>.gpg(will also automatically verify)
$gpg --output <file> --decrypt <file>.gpg. This will automatically verify the decrypted file if it is signed and you have the public key