Difference between revisions of "Short GnuPG reference card"
(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | |||
− | ==Short gpg reference card== |
||
Note on commands syntax: |
Note on commands syntax: |
||
Line 6: | Line 4: | ||
*optional items are written between [] |
*optional items are written between [] |
||
*some options have an alternative short notation, proposed behind a |, e.g. --decrypt|-d (choose only one syntax) |
*some options have an alternative short notation, proposed behind a |, e.g. --decrypt|-d (choose only one syntax) |
||
− | + | =Setting a keyserver as default= |
|
Edit ~/.gnupg/gpg.conf: |
Edit ~/.gnupg/gpg.conf: |
||
keyserver hkp://<my.best.keyserver.org> |
keyserver hkp://<my.best.keyserver.org> |
||
Line 12: | Line 10: | ||
'''WinPT''': "Keyserver" menu -> right-click somewhere in the white area -> "Add" -> HKP Keyserver, Hostname: <my.best.keyserver.org>, Port: 11371 -> "Add" -> Select your keyserver and press "Set default". |
'''WinPT''': "Keyserver" menu -> right-click somewhere in the white area -> "Add" -> HKP Keyserver, Hostname: <my.best.keyserver.org>, Port: 11371 -> "Add" -> Select your keyserver and press "Set default". |
||
− | + | =encrypting (and signing) a file= |
|
gpg [[--local-user|-u <yourself@foo.com>] --sign|-s] # if you want to sign (opt with another key than your main key) |
gpg [[--local-user|-u <yourself@foo.com>] --sign|-s] # if you want to sign (opt with another key than your main key) |
||
[--armor|-a] # if you want to armor (ASCII) the output, else it's binary |
[--armor|-a] # if you want to armor (ASCII) the output, else it's binary |
||
Line 21: | Line 19: | ||
[--output|-o <file.asc>] |
[--output|-o <file.asc>] |
||
<filename> |
<filename> |
||
− | + | =decrypting (and verifying) a file= |
|
gpg [--decrypt|-d] |
gpg [--decrypt|-d] |
||
[--output|-o <filename>] |
[--output|-o <filename>] |
||
<file.asc> |
<file.asc> |
||
So, yes, without any option gpg will decrypt/verify |
So, yes, without any option gpg will decrypt/verify |
||
− | + | =searching a key on the keyserver= |
|
gpg --keyserver <my.best.keyserver.org> |
gpg --keyserver <my.best.keyserver.org> |
||
--search <someone> # search only on full words |
--search <someone> # search only on full words |
||
From here you can directly import a key by providing its numeral (1, 2, 3...) |
From here you can directly import a key by providing its numeral (1, 2, 3...) |
||
− | + | =importing a key from the keyserver= |
|
gpg --keyserver <my.best.keyserver.org> |
gpg --keyserver <my.best.keyserver.org> |
||
--recv-key <key_id> # key-id is the last 8 bytes of the fingerprint |
--recv-key <key_id> # key-id is the last 8 bytes of the fingerprint |
||
− | + | =exporting a key to the keyserver= |
|
gpg --keyserver <my.best.keyserver.org> |
gpg --keyserver <my.best.keyserver.org> |
||
--send-key <key_id> # key-id is the last 8 bytes of the fingerprint |
--send-key <key_id> # key-id is the last 8 bytes of the fingerprint |
||
− | + | =importing a key from a file= |
|
gpg --import <pubkey.asc> |
gpg --import <pubkey.asc> |
||
− | + | =exporting your publickey to a file= |
|
gpg --armor|-a --output|-o <yourpubkey.asc> --export <yourself@foo.com> |
gpg --armor|-a --output|-o <yourpubkey.asc> --export <yourself@foo.com> |
||
− | + | =printing your fingerprint= |
|
(e.g. to put in your mails footers) |
(e.g. to put in your mails footers) |
||
gpg --fingerprint <yourself>|grep -i fingerprint |
gpg --fingerprint <yourself>|grep -i fingerprint |
||
− | + | =printing the fingerprint of an exported keyfile= |
|
gpg --with-fingerprint <exported_keyfile>|grep -i fingerprint |
gpg --with-fingerprint <exported_keyfile>|grep -i fingerprint |
||
− | + | =signing a key= |
|
(see also below) |
(see also below) |
||
gpg --sign-key <someone> |
gpg --sign-key <someone> |
||
Then you can upload it to the keyserver |
Then you can upload it to the keyserver |
||
<br>'''WinPT''': When signing, don't forget to un-check the "Sign local only" box otherwise your signature cannot be exported to the server. |
<br>'''WinPT''': When signing, don't forget to un-check the "Sign local only" box otherwise your signature cannot be exported to the server. |
||
− | + | =trusting a key owner= |
|
How far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) |
How far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) |
||
gpg --edit-key <someone> |
gpg --edit-key <someone> |
||
Line 58: | Line 56: | ||
=> save changes |
=> save changes |
||
Remember that trust is not exported and purely local |
Remember that trust is not exported and purely local |
||
− | + | =revoking a subkey or a UID= |
|
(old email address,...) |
(old email address,...) |
||
gpg --edit-key <yourself> |
gpg --edit-key <yourself> |
||
Line 68: | Line 66: | ||
Then you can upload it to the keyserver |
Then you can upload it to the keyserver |
||
− | + | =extracting a session key= |
|
If you're forced to by a decryption order... |
If you're forced to by a decryption order... |
||
gpg --show-session-key --output|-o /dev/null <encrypted_file> |
gpg --show-session-key --output|-o /dev/null <encrypted_file> |
||
Line 74: | Line 72: | ||
<br>It can be used to decrypt that file |
<br>It can be used to decrypt that file |
||
gpg --override-session-key <9:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF> <encrypted_file> |
gpg --override-session-key <9:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF> <encrypted_file> |
||
− | + | =Creating fresh keys= |
|
Preferably RSA keys >= 2048 bits |
Preferably RSA keys >= 2048 bits |
||
<br>E.g. create first a RSA key for signing only then add a RSA encryption key: |
<br>E.g. create first a RSA key for signing only then add a RSA encryption key: |
||
Line 92: | Line 90: | ||
Command> quit |
Command> quit |
||
=> save changes |
=> save changes |
||
− | + | =Importing a secret key from PGP= |
|
If you've already a PGP key you can import it into GnuPG: |
If you've already a PGP key you can import it into GnuPG: |
||
<br>Under PGP, choose to export your key and ack to export also the secret key, tell where to put your ascii file, e.g. mykey.asc |
<br>Under PGP, choose to export your key and ack to export also the secret key, tell where to put your ascii file, e.g. mykey.asc |
||
<br>With GnuPG, import the ascii file with the following command: |
<br>With GnuPG, import the ascii file with the following command: |
||
gpg --import --allow-secret-key-import < <mykey.asc> |
gpg --import --allow-secret-key-import < <mykey.asc> |
||
− | + | =Recovering a public key from a secret key= |
|
In case you destroyed your public key and cannot fetch it from the keyserver, you can reconstruct it: |
In case you destroyed your public key and cannot fetch it from the keyserver, you can reconstruct it: |
||
gpg --export-secret-key <myname> | gpgsplit --no-split --secret-to-public |gpg import |
gpg --export-secret-key <myname> | gpgsplit --no-split --secret-to-public |gpg import |
||
− | + | =Generating a revocation certificate= |
|
just in case... |
just in case... |
||
Print it and keep it safe in case your key is compromised or you definitively forgot your passphrase: |
Print it and keep it safe in case your key is compromised or you definitively forgot your passphrase: |
||
gpg --gen-revoke <yourself> |
gpg --gen-revoke <yourself> |
||
− | + | =Signing keys the right way= |
|
Signing keys involve more than a few GPG commands as it implies trust. |
Signing keys involve more than a few GPG commands as it implies trust. |
||
<br>Get the public key of someone, either via keyserver or import file |
<br>Get the public key of someone, either via keyserver or import file |
||
Line 120: | Line 118: | ||
gpg --sign-key <key_id> |
gpg --sign-key <key_id> |
||
gpg --keyserver <my.best.keyserver.org> --send-key <key_id> |
gpg --keyserver <my.best.keyserver.org> --send-key <key_id> |
||
+ | =Enumerating encryption keys of an encrypted file= |
||
+ | gpg --no-default-keyring --secret-keyring /dev/null -a --list-only <encrypted_file> |
Latest revision as of 19:21, 8 March 2015
Note on commands syntax:
- keywords are written between <> and are supposed to be replaced by something meaningful...
- optional items are written between []
- some options have an alternative short notation, proposed behind a |, e.g. --decrypt|-d (choose only one syntax)
Setting a keyserver as default
Edit ~/.gnupg/gpg.conf:
keyserver hkp://<my.best.keyserver.org>
If you do so you won't need to specify the keyserver manually anymore as option in the commands given in the next sections.
WinPT: "Keyserver" menu -> right-click somewhere in the white area -> "Add" -> HKP Keyserver, Hostname: <my.best.keyserver.org>, Port: 11371 -> "Add" -> Select your keyserver and press "Set default".
encrypting (and signing) a file
gpg [[--local-user|-u <yourself@foo.com>] --sign|-s] # if you want to sign (opt with another key than your main key) [--armor|-a] # if you want to armor (ASCII) the output, else it's binary --encrypt|-e --recipient|-r <someone@foo.com> [--encrypt-to <second_recipient@foo.com>] # if you want other people to be able to decrypt as well [--encrypt-to <yourself@foo.com>] # if you want yourself to be able to decrypt as well [--output|-o <file.asc>] <filename>
decrypting (and verifying) a file
gpg [--decrypt|-d] [--output|-o <filename>] <file.asc>
So, yes, without any option gpg will decrypt/verify
searching a key on the keyserver
gpg --keyserver <my.best.keyserver.org> --search <someone> # search only on full words
From here you can directly import a key by providing its numeral (1, 2, 3...)
importing a key from the keyserver
gpg --keyserver <my.best.keyserver.org> --recv-key <key_id> # key-id is the last 8 bytes of the fingerprint
exporting a key to the keyserver
gpg --keyserver <my.best.keyserver.org> --send-key <key_id> # key-id is the last 8 bytes of the fingerprint
importing a key from a file
gpg --import <pubkey.asc>
exporting your publickey to a file
gpg --armor|-a --output|-o <yourpubkey.asc> --export <yourself@foo.com>
printing your fingerprint
(e.g. to put in your mails footers)
gpg --fingerprint <yourself>|grep -i fingerprint
printing the fingerprint of an exported keyfile
gpg --with-fingerprint <exported_keyfile>|grep -i fingerprint
signing a key
(see also below)
gpg --sign-key <someone>
Then you can upload it to the keyserver
WinPT: When signing, don't forget to un-check the "Sign local only" box otherwise your signature cannot be exported to the server.
trusting a key owner
How far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.)
gpg --edit-key <someone> Command> trust
=> Choose the proper trust level
Command> quit
=> save changes Remember that trust is not exported and purely local
revoking a subkey or a UID
(old email address,...)
gpg --edit-key <yourself>
=> select UID(s) or subkey(s) by its numeral: 1, 2, 3...
Command> uid/key <n> Command> revuid/revkey Command> quit
=> save changes
Then you can upload it to the keyserver
extracting a session key
If you're forced to by a decryption order...
gpg --show-session-key --output|-o /dev/null <encrypted_file>
This will give you a long string: the session key
It can be used to decrypt that file
gpg --override-session-key <9:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF> <encrypted_file>
Creating fresh keys
Preferably RSA keys >= 2048 bits
E.g. create first a RSA key for signing only then add a RSA encryption key:
gpg --expert --gen-key => (5) RSA (sign only) => 2048 or bigger => validity: forever is ok => your name & email => choose a strong passphrase and be sure not to forget it!
gpg --edit-key <yourself> Command> addkey => re-type your passphrase => (6) RSA (encrypt only) => 2048 or bigger => validity: forever is ok Command> quit => save changes
Importing a secret key from PGP
If you've already a PGP key you can import it into GnuPG:
Under PGP, choose to export your key and ack to export also the secret key, tell where to put your ascii file, e.g. mykey.asc
With GnuPG, import the ascii file with the following command:
gpg --import --allow-secret-key-import < <mykey.asc>
Recovering a public key from a secret key
In case you destroyed your public key and cannot fetch it from the keyserver, you can reconstruct it:
gpg --export-secret-key <myname> | gpgsplit --no-split --secret-to-public |gpg import
Generating a revocation certificate
just in case...
Print it and keep it safe in case your key is compromised or you definitively forgot your passphrase:
gpg --gen-revoke <yourself>
Signing keys the right way
Signing keys involve more than a few GPG commands as it implies trust.
Get the public key of someone, either via keyserver or import file
Get the owner of the key in contact with you
Verify his identity (authenticate the owner)
Show him the fingerprint of his key from your computer (when you want to sign the soft will show you the fingerprint)
He must verify his fingerprint and make sure you are about to sign *his* key (the owner authenticates his key)
Sign the key, in an exportable way
Send the signed key to the server
Skipping the social aspect, a signature via gpg will look like:
gpg --keyserver <my.best.keyserver.org> --search <someone> # either import interactively the key or find the key_id and get it: gpg --keyserver <my.best.keyserver.org> --recv-key <key_id> gpg --sign-key <key_id> gpg --keyserver <my.best.keyserver.org> --send-key <key_id>
Enumerating encryption keys of an encrypted file
gpg --no-default-keyring --secret-keyring /dev/null -a --list-only <encrypted_file>