gpg2 – importing, exporting and revoking your keys


let's start by listing your keys

gpg2 --list-keys

you should see one or more keys when you run the above command, depending on how many you have in your gpg keyring. i get this when i run it on my test centos 7 server instance

[root@terminaltwister ~]# gpg2 --list-keys
 /root/.gnupg/pubring.gpg
 ------------------------
 pub   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
 uid                  terminaltwister (test user for demo) <email@address.com>
 sub   4096R/7C7D2187 2019-08-22 [expires: 2020-08-21]
 

 [root@terminaltwister ~]#

exporting the keys

the switch to export the keys is --export.
gpg writes the exported keys to standard output by default, which can be saved to a file with bash's file redirection operator >, but we will use the --output switch to have the command save to a file directly.

there are 2 kinds of keys we can export
– public (you can share this one with the world)
– private (never share this with anyone; keep it safe in a password manager or on a private usb stick)

export a public key

gpg2 --export --armor --output <filename.asc> <email_address>

i will use it to create a public key file called public-key.asc. we also use the --armor switch to produce ascii text, which is easier to handle programmatically; remove this switch to get a binary file instead. the choice depends on how you wish to use the files.

[root@terminaltwister ~]# gpg2 --armor --export --output public-key.asc email@address.com
 [root@terminaltwister ~]# ls -lh 
 total 4.0K
 -rw-r--r-- 1 root root 3.1K Aug 23 06:33 public-key.asc
 [root@terminaltwister ~]# 

export a private key

you will want to export a private key for backup purposes, just in case you wish to set it up on a new instance/server installation.

gpg2 --export-secret-keys --armor --output <filename.asc> <email_address>

i will use it to create a private key file called private-key.asc, and because i want the exported key in ascii format, i will use the --armor switch.

[root@terminaltwister ~]# gpg2 --armor --export-secret-keys --output private-key.asc email@address.com
 [root@terminaltwister ~]# ls -lh
 total 12K
 -rw-r--r-- 1 root root 6.6K Aug 23 07:28 private-key.asc
 -rw-r--r-- 1 root root 3.1K Aug 23 06:33 public-key.asc
 [root@terminaltwister ~]# 
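the listing above shows private-key.asc created as mode 644, readable by every local user. the script below is an added example (not from the original post) that runs the same two export commands under umask 077 so the files come out mode 600, then refuses to continue if the secret export is readable by anyone else. it assumes gpg2 is on PATH; the key is chosen by email address or key id passed as the first argument.

```shell
# Return 0 if the file is readable only by its owner (mode 600 or 400).
# GNU stat is tried first, BSD/macOS stat as a fallback.
private_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Export public and secret keys as ASCII armor into $2 (default: cwd).
# The subshell's umask 077 makes gpg2 create the files mode 600 instead of
# the default 644 shown in the post's "ls -lh" output.
export_keys() {
    keyid=$1
    outdir=${2:-.}
    (
        umask 077
        gpg2 --armor --export --output "$outdir/public-key.asc" "$keyid" &&
        gpg2 --armor --export-secret-keys --output "$outdir/private-key.asc" "$keyid"
    ) || return 1

    # Fail loudly if the secret export is readable by other users.
    if ! private_mode_ok "$outdir/private-key.asc"; then
        echo "private-key.asc is not mode 600; refusing to continue" >&2
        return 1
    fi

    # Sanity check: the armored file must contain a private key block.
    grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$outdir/private-key.asc"
}

# usage: sh backup-keys.sh email@address.com /root/keybackup
if [ $# -gt 0 ]; then
    export_keys "$@"
fi
```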

importing keys

you might want to import a peer's or friend's public key into your keyring, or your own private key onto a new server installation. many reasons, simple syntax. do not forget to set the appropriate trust level for the key after you import it.

import the keys

the syntax is the same for both the private and public keys, which is

gpg2 --import <keyfile_name>

i will import a public key file and a private key file in the terminal of my centos 7 server

[root@terminaltwister ~]# gpg2 --list-keys
 [root@terminaltwister ~]# ls -lh
 total 16K
 -rw-r--r-- 1 root root 6.6K Aug 23 07:28 private-key.asc
 -rw-r--r-- 1 root root 3.1K Aug 23 06:33 public-key.asc
 -rw-r--r-- 1 root root  930 Aug 23 07:40 revoke.asc
 [root@terminaltwister ~]# gpg2 --import private-key.asc 
 gpg: key D37A732F: secret key imported
 gpg: key D37A732F: public key "terminaltwister (test user for demo) <email@address.com>" imported
 gpg: Total number processed: 1
 gpg:               imported: 1  (RSA: 1)
 gpg:       secret keys read: 1
 gpg:   secret keys imported: 1
 [root@terminaltwister ~]# 
 [root@terminaltwister ~]# gpg2 --import public-key.asc 
 gpg: key D37A732F: "terminaltwister (test user for demo) <email@address.com>" not changed
 gpg: Total number processed: 1
 gpg:              unchanged: 1
 [root@terminaltwister ~]# 
 [root@terminaltwister ~]# gpg2 --list-keys
 /root/.gnupg/pubring.gpg
 ------------------------
 pub   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
 uid                  terminaltwister (test user for demo) <email@address.com>
 sub   4096R/7C7D2187 2019-08-22 [expires: 2020-08-21]
 
 [root@terminaltwister ~]# 
 [root@terminaltwister ~]# gpg2 --list-secret-keys
 /root/.gnupg/secring.gpg
 ------------------------
 sec   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
 uid                  terminaltwister (test user for demo) <email@address.com>
 ssb   4096R/7C7D2187 2019-08-22
 
 [root@terminaltwister ~]#

setting up the trust for the imported keys

setting trust is important. usually you want your personal/primary key, the one you use to sign everything, to have ultimate trust. these options are presented interactively when you set the trust.

the command syntax to set up the trust is

gpg2 --edit-key <email_address>

i will show you how i set up trust for my newly imported keys. to complete this demo, i revoked and deleted the keys from my gpg2 keyring, just to have a fresh start. note that this command takes you to the gpg prompt; type the trust command there to begin the process. you exit the gpg prompt by typing quit, just like any other standard linux command.

[root@terminaltwister ~]# gpg2 --edit-key email@address.com
 gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
 
 Secret key is available.
 
 pub  4096R/D37A732F  created: 2019-08-22  expires: 2020-08-21  usage: SC  
                      trust: unknown       validity: ultimate
 sub  4096R/7C7D2187  created: 2019-08-22  expires: 2020-08-21  usage: E   
 [ultimate] (1). terminaltwister (test user for demo) <email@address.com>
 
 gpg> trust
 pub  4096R/D37A732F  created: 2019-08-22  expires: 2020-08-21  usage: SC  
                      trust: unknown       validity: ultimate
 sub  4096R/7C7D2187  created: 2019-08-22  expires: 2020-08-21  usage: E   
 [ultimate] (1)* terminaltwister (test user for demo) <email@address.com>
 
 Please decide how far you trust this user to correctly verify other users' keys
 (by looking at passports, checking fingerprints from different sources, etc.)
 
   1 = I don't know or won't say
   2 = I do NOT trust
   3 = I trust marginally
   4 = I trust fully
   5 = I trust ultimately
   m = back to the main menu
 
 Your decision? 5
 Do you really want to set this key to ultimate trust? (y/N) y
 

 pub  4096R/D37A732F  created: 2019-08-22  expires: 2020-08-21  usage: SC  
                      trust: ultimate      validity: ultimate
 sub  4096R/7C7D2187  created: 2019-08-22  expires: 2020-08-21  usage: E   
 [ultimate] (1)* terminaltwister (test user for demo) <email@address.com>
 Please note that the shown key validity is not necessarily correct
 unless you restart the program.
 
 gpg> quit
 [root@terminaltwister ~]#
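the import and trust steps above are interactive and never check that the key you just imported is really your peer's. the functions below are an added example (not from the original post): they compare the imported key's fingerprint with one obtained out of band (in person, over the phone) and only then set ultimate ownertrust with gpg2's --import-ownertrust, the non-interactive equivalent of the trust dialog shown above. gpg2 on PATH is assumed; the fingerprints used in the comments are constructed placeholders.

```shell
# Normalise a fingerprint for comparison: drop spaces and colons, uppercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Return 0 only if both fingerprints normalise to the same 40 hex digits
# (the length of a v4 OpenPGP fingerprint); anything shorter is rejected.
fpr_matches() {
    a=$(norm_fpr "$1")
    b=$(norm_fpr "$2")
    [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# Fingerprint of a key already in the local keyring, read from the
# machine-readable colon format (field 10 of the first "fpr" record).
keyring_fpr() {
    gpg2 --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Set ultimate ownertrust (level 6 in the ownertrust file format) on $1,
# but only when its fingerprint matches the expected value $2.
trust_if_verified() {
    keyid=$1
    expected=$2
    actual=$(keyring_fpr "$keyid") || return 1
    if fpr_matches "$actual" "$expected"; then
        printf '%s:6:\n' "$(norm_fpr "$actual")" | gpg2 --import-ownertrust
    else
        echo "fingerprint mismatch for $keyid; ownertrust not changed" >&2
        return 1
    fi
}

# usage (expected fingerprint is a constructed placeholder):
#   trust_if_verified email@address.com "0000 1111 2222 3333 4444 5555 6666 7777 8888 9999"
```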

the revoke key

there is no denying that your gpg2 keys may be compromised one day. what steps do you take to disable your key?
the answer is: create a revoke key (a revocation certificate) ahead of time, and use it if your private key is compromised!

create a revoke key

when you create a revoke key, gpg2 will ask you for a reason; you need to supply one to proceed.

gpg2 --armor --output <filename.asc> --gen-revoke <email_address>

i will paste the output from my centos 7 terminal here, just to describe the process a little better 🙂

[root@terminaltwister ~]# gpg2 --armor --output revoke.asc --gen-revoke email@address.com
 
 sec  4096R/D37A732F 2019-08-22 terminaltwister (test user for demo) <email@address.com>
 
 Create a revocation certificate for this key? (y/N) y
 Please select the reason for the revocation:
   0 = No reason specified
   1 = Key has been compromised
   2 = Key is superseded
   3 = Key is no longer used
   Q = Cancel
 (Probably you want to select 1 here)
 Your decision? 1
 Enter an optional description; end it with an empty line:
 > compromised! oh no!
 > 
 Reason for revocation: Key has been compromised
 compromised! oh no!
 Is this okay? (y/N) y
 
 You need a passphrase to unlock the secret key for
 user: "terminaltwister (test user for demo) <email@address.com>"
 4096-bit RSA key, ID D37A732F, created 2019-08-22
 
 Revocation certificate created.
 
 Please move it to a medium which you can hide away; if Mallory gets
 access to this certificate he can use it to make your key unusable.
 It is smart to print this certificate and store it away, just in case
 your media become unreadable.  But have some caution:  The print system of
 your machine might store the data and make it available to others!
 [root@terminaltwister ~]#

using the revoke key (compromised? uh oh!)

it's all about the trust!
when your private key is compromised, you must use the revoke key to revoke the trust your gpg2 installation placed in that private key in its keyring and trust database.
each key is stored in gpg2 with 3 headers – pub, uid and sub. you can see them when you list your keys.

[root@terminaltwister ~]# gpg2 --list-keys
 /root/.gnupg/pubring.gpg
 ------------------------
 pub   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
 uid                  terminaltwister (test user for demo) <email@address.com>
 sub   4096R/7C7D2187 2019-08-22 [expires: 2020-08-21]
 
 [root@terminaltwister ~]#

to revoke a key, you just import the revoke key file you created earlier. this changes the output when you list the keys. the next and final step to complete this process is to delete both the public and private keys from the gpg keyring with the --delete-secret-and-public-key gpg2 switch.

the command syntax to import the revocation certificate and then delete the old keys is:

gpg2 --import <revoke_cert_filename>
gpg2 --delete-secret-and-public-key <email_address>

i've pasted the terminal output from my centos 7 server below, with verbose output, for a better understanding

[root@terminaltwister ~]# gpg2 --import revoke.asc 
 gpg: key D37A732F: "terminaltwister (test user for demo) <email@address.com>" revocation certificate imported
 gpg: Total number processed: 1
 gpg:    new key revocations: 1
 gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
 gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
 gpg: next trustdb check due at 2020-08-21
 [root@terminaltwister ~]# gpg2 --list-keys
 /root/.gnupg/pubring.gpg
 ------------------------
 pub   4096R/D37A732F 2019-08-22 [revoked: 2019-08-23]
 uid                  terminaltwister (test user for demo) <email@address.com>
 
[root@terminaltwister ~]# 
[root@terminaltwister ~]# gpg2 --delete-secret-and-public-key email@address.com
 gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.

 sec  4096R/D37A732F 2019-08-22 terminaltwister (test user for demo) <email@address.com>
 
 Delete this key from the keyring? (y/N) y
 This is a secret key! - really delete? (y/N) y
 
 pub  4096R/D37A732F 2019-08-22 terminaltwister (test user for demo) <email@address.com>
 
 Delete this key from the keyring? (y/N) y
[root@terminaltwister ~]# 
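after a revocation certificate is imported, the only visible change is the [revoked: <date>] marker on the pub line above. the function below is an added example (not from the original post) that scans a --list-keys listing in exactly that format and reports every primary key as revoked, expired or ok, so a keyring can be audited without reading it by eye. the sample listing is constructed to match the post's output; audit_keyring assumes gpg2 on PATH.

```shell
# Read gpg2 --list-keys output (human-readable format, as in the post) on
# stdin and print one line per primary key: "KEYID STATUS [DATE]".
# STATUS is revoked, expired or ok. Note that this format is locale- and
# version-dependent; for scripts that must be robust prefer --with-colons.
key_status() {
    awk '
        $1 == "pub" {
            split($2, parts, "/")            # "4096R/D37A732F" -> key id
            keyid = parts[2]
            if (match($0, /\[revoked: [0-9-]+\]/)) {
                print keyid, "revoked", substr($0, RSTART + 10, 10)
            } else if (match($0, /\[expired: [0-9-]+\]/)) {
                print keyid, "expired", substr($0, RSTART + 10, 10)
            } else {
                print keyid, "ok"
            }
        }'
}

# Audit the live keyring: list keys that are no longer usable.
audit_keyring() {
    gpg2 --list-keys | key_status | awk '$2 != "ok"'
}

# Constructed sample listing: the post's revoked key plus two made-up keys.
SAMPLE='/root/.gnupg/pubring.gpg
------------------------
pub   4096R/D37A732F 2019-08-22 [revoked: 2019-08-23]
uid                  terminaltwister (test user for demo) <email@address.com>
pub   2048R/0A1B2C3D 2018-01-01 [expired: 2019-01-01]
uid                  example (constructed) <other@example.com>
sub   2048R/4E5F6071 2018-01-01 [expired: 2019-01-01]
pub   4096R/11223344 2019-08-22 [expires: 2020-08-21]
uid                  third (constructed) <third@example.com>
sub   4096R/55667788 2019-08-22 [expires: 2020-08-21]'

# usage: printf '%s\n' "$SAMPLE" | key_status
```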

faqs

q. how do i change my key to a different key?

a.
  • generate a revoke key for your current key
  • use the revoke key
  • generate a new key for yourself the same way you created the previous one

q. need to encrypt or decrypt text with gpg2?

a. read the other document here

q. what other options does the gpg2 package support? or do i need different options than the ones mentioned in this document?

a. read the man page! #rtfm

One response to “gpg2 – importing, exporting and revoking your keys”

  1. […] of course! gpg2 was created with having multiple public keys in its keyring in mind. you can have as many public key files in your personal gpg2 keyring as you want. you use the recipient switch to tell gpg2 whose public key you wish to use to encrypt the document. this way only the recipient with their private key can decrypt the document intended just for them! check my other document to know more about importing and exporting the keys here […]
