The Basics

View Keys

List all your keys.

gpg -K
gpg -K --keyid-format=long # Long version shows the key id
gpg -K --list-options show-unusable-subkeys # show expired subkeys

View info for key that’s not in the current keystore. source

cat keyfile.key | gpg --import-options show-only --import
gpg --export-secret-subkeys | gpg --import-options show-only --import

Create a new key.

gpg --full-generate-key

Update Expired Keys

gpg --edit-key <id/name>
> key <subkey id> # select subkey
> expire          # change expiration
> save

Isolation

Gpg has a global configuration directory where all the keys go by default which can make it hard to manage subkeys.

mkdir /tmp/gpg
sudo mount -t ramfs -o size=2M ramfs /tmp/gpg
sudo chown "$USER:$USER" /tmp/gpg
gpg --homedir /tmp/gpg --import /path/to/other/keys
gpg --homedir /tmp/gpg --list-secret-keys

Import from External Keystore

gpg \
  --homedir /media/me/usbdrive/.gnupg \
  --export-secret-subkeys \
  | gpg --import

Now if you run gpg -K you will see sec# indicating that the root key is not in the local key storage.

It is best practice to keep a root signing key in an air-gaped environment and to use it to sign additional encryption keys called subkeys.

Edit Keys

Remove an Email

gpg --edit-key <id/name>
> uid 2
> revuid
> save

LUKS

Open and mount encrypted drive.

sudo cryptsetup luksOpen /dev/sda mapped_name
sudo mount /dev/mapper/mapped_name /tmp/mountpoint/

Unmount and lock encrypted drive.

sudo umount /tmp/mountpoint
sudo cryptsetup close mapped_name

References

• Creating the Perfect GPG KeyPair
• Subkeys - Debian
• Creating newer ECC keys for GnuPG