The Basics
View Keys
List all your keys.
gpg -K
gpg -K --keyid-format=long # Long version shows the key id
gpg -K --list-options show-unusable-subkeys # show expired subkeys
View info for a key that's not in the current keystore.
cat keyfile.key | gpg --import-options show-only --import
gpg --export-secret-subkeys | gpg --import-options show-only --import
Create a new key.
gpg --full-generate-key
Update Expired Keys
gpg --edit-key <id/name>
> key <subkey id> # select subkey
> expire # change expiration
> save
Isolation
GnuPG has a single default home directory (~/.gnupg) where all keys go, which can make it hard to manage subkeys. Using a separate --homedir keeps a set of keys isolated:
mkdir /tmp/gpg
sudo mount -t ramfs -o size=2M ramfs /tmp/gpg
sudo chown "$USER:$USER" /tmp/gpg
gpg --homedir /tmp/gpg --import /path/to/other/keys
gpg --homedir /tmp/gpg --list-secret-keys
Import from External Keystore
gpg \
--homedir /media/me/usbdrive/.gnupg \
--export-secret-subkeys \
| gpg --import
Now if you run gpg -K you will see sec# on the primary key line, indicating that the root (primary) secret key is not in the local key storage; only the subkeys are.
It is best practice to keep the root signing key in an air-gapped environment and to use it to sign additional signing and encryption keys called subkeys.
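To turn the sec# check above and the expiry check from "Update Expired Keys" into something scriptable, here is an added example (not from the original notes) that inspects the text gpg -K --keyid-format=long prints. The listing is a constructed sample with fake key ids, so the functions run without gpg installed; in practice you would feed them "$(gpg -K --keyid-format=long)".

```shell
#!/bin/sh
# Added example, not part of the original notes. In a `gpg -K` listing a
# `sec#` line means the primary secret key is NOT in this keyring (offline),
# `sec>` means it lives on a smartcard, and a plain `sec` line means the full
# primary secret key is resident locally, which the notes say to avoid.

# Constructed sample listing (fake key ids, not real keys).
OFFLINE_LISTING='/home/me/.gnupg/pubring.kbx
----------------------------
sec#  rsa4096/0123456789ABCDEF 2020-01-01 [C] [expires: 2030-01-01]
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/FEDCBA9876543210 2020-01-01 [S] [expires: 2025-01-01]
ssb   rsa4096/0011223344556677 2020-01-01 [E] [expires: 2027-06-30]'

# Same key as it would look if the full primary had been imported by mistake.
RESIDENT_LISTING=$(printf '%s\n' "$OFFLINE_LISTING" | sed 's/^sec# /sec  /')

# Print the long key id of every primary whose secret part is resident.
resident_primaries() {
    printf '%s\n' "$1" | awk '$1 == "sec" { split($2, k, "/"); print k[2] }'
}

# Succeed only when every primary in the listing is offline or on a card.
primaries_are_offline() {
    [ -z "$(resident_primaries "$1")" ]
}

# Print "KEYID EXPIRY" for each subkey (ssb) expiring on or before $2.
# ISO dates compare correctly as plain strings.
subkeys_expiring_by() {
    printf '%s\n' "$1" | awk -v cutoff="$2" '
        $1 == "ssb" && match($0, /expires: [0-9-]+/) {
            ex = substr($0, RSTART + 9, RLENGTH - 9)
            if (ex <= cutoff) { split($2, k, "/"); print k[2], ex }
        }'
}

# Stand-alone usage: report on the constructed listings.
if primaries_are_offline "$OFFLINE_LISTING"; then
    echo "OK: primary secret key is offline"
fi
for id in $(resident_primaries "$RESIDENT_LISTING"); do
    echo "WARNING: primary secret key $id is resident in this keyring"
done
echo "Subkeys expiring by 2026-01-01:"
subkeys_expiring_by "$OFFLINE_LISTING" 2026-01-01
```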
Edit Keys
Remove an Email
gpg --edit-key <id/name>
> uid 2 # select the user id (email) to revoke
> revuid
> save
LUKS
Open and mount an encrypted drive.
sudo cryptsetup luksOpen /dev/sda mapped_name
sudo mount /dev/mapper/mapped_name /tmp/mountpoint/
Unmount and lock the encrypted drive.
sudo umount /tmp/mountpoint
sudo cryptsetup close mapped_name