let's start by listing your keys
gpg2 --list-keys
you should see one or more keys when you run the above command, depending on how many you have in your gpg keyring. i get this when i run the above command on my test centos 7 server instance
[root@terminaltwister ~]# gpg2 --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
uid                  terminaltwister (test user for demo) <email@address.com>
sub   4096R/7C7D2187 2019-08-22 [expires: 2020-08-21]
[root@terminaltwister ~]#
exporting the keys
the switch to export the keys is --export. gpg writes the exported keys to standard output by default, which can be saved to a file using bash's file redirection operator >, but we will use the --output switch to have the command save them to a file directly.
there are 2 kinds of keys we can export
– public (you can share this one with the world)
– private (must never share this with anyone and keep it safe in some password manager, or a private usb stick)
export a public key
gpg2 --export --armor --output <filename.asc> <email_address>
i will use it to create a public key file called public-key.asc. we also use the --armor switch to make the output ascii text, which can be pasted into email or handled by text-based tools. remove this switch to get a binary file instead. the choice depends on how you wish to use the files.
[root@terminaltwister ~]# gpg2 --armor --export --output public-key.asc email@address.com
[root@terminaltwister ~]# ls -lh
total 4.0K
-rw-r--r-- 1 root root 3.1K Aug 23 06:33 public-key.asc
[root@terminaltwister ~]#
export a private key
you will want to export a private key for backup purposes, in case you wish to set it up on a new instance/server installation.
gpg2 --export-secret-keys --armor --output <filename.asc> <email_address>
i will use it to create a private key file called private-key.asc, and because i want the exported key in ascii format, i will use the --armor switch.
[root@terminaltwister ~]# gpg2 --armor --export-secret-keys --output private-key.asc email@address.com
[root@terminaltwister ~]# ls -lh
total 12K
-rw-r--r-- 1 root root 6.6K Aug 23 07:28 private-key.asc
-rw-r--r-- 1 root root 3.1K Aug 23 06:33 public-key.asc
[root@terminaltwister ~]#
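as an added example (not part of the original post), here is a small python check to run over exported files before you put them away as backups: it confirms the ascii-armor header matches the kind of key you meant to export, and flags a private key file that is group- or world-readable, which is exactly the mode (-rw-r--r--) the ls -lh output above shows for private-key.asc. the file names and placeholder armor contents are constructed for the demo.

```python
import os
import stat
import tempfile

PUBLIC_HDR = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
PRIVATE_HDR = "-----BEGIN PGP PRIVATE KEY BLOCK-----"

def armor_type(path):
    """Classify an exported file by its first ASCII-armor line."""
    with open(path, encoding="ascii", errors="replace") as fh:
        first = fh.readline().strip()
    return {PUBLIC_HDR: "public", PRIVATE_HDR: "private"}.get(first, "unknown")

def check_backup(path, expect):
    """Return a list of problems; an empty list means the backup looks right."""
    problems = []
    kind = armor_type(path)
    if kind != expect:
        problems.append(f"{path}: expected a {expect} key block, found {kind}")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # A private key must not be group- or world-readable; the 0644 a default umask gives is not enough.
    if kind == "private" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: private key has mode {mode:04o}, use chmod 600")
    return problems

def write_constructed(directory, name, header, mode):
    """Write a placeholder armored file (constructed; contains no real key material)."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(f"{header}\n\nbm90IGEgcmVhbCBrZXk=\n=AAAA\n{header.replace('BEGIN', 'END')}\n")
    os.chmod(path, mode)
    return path

def demo():
    """Run the checks over constructed files and return the findings by case."""
    work = tempfile.mkdtemp()
    pub = write_constructed(work, "public-key.asc", PUBLIC_HDR, 0o644)
    priv = write_constructed(work, "private-key.asc", PRIVATE_HDR, 0o644)
    results = {
        "public_ok": check_backup(pub, "public"),
        "private_world_readable": check_backup(priv, "private"),
        "swapped_files": check_backup(pub, "private"),
    }
    os.chmod(priv, 0o600)
    results["private_fixed"] = check_backup(priv, "private")
    return results

if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "ok")
```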
importing keys
you might want to import a peer's or friend's public key into your keyring, or you might want to import your own private key on a new server installation. many reasons, simple syntax. do not forget to set the appropriate trust level for the key after you import it.
import the keys
the syntax is the same for both the private and public keys, which is
gpg2 --import <keyfile_name>
i will import a public key file and a private key file in the terminal of my centos 7 server
[root@terminaltwister ~]# gpg2 --list-keys
[root@terminaltwister ~]# ls -lh
total 16K
-rw-r--r-- 1 root root 6.6K Aug 23 07:28 private-key.asc
-rw-r--r-- 1 root root 3.1K Aug 23 06:33 public-key.asc
-rw-r--r-- 1 root root  930 Aug 23 07:40 revoke.asc
[root@terminaltwister ~]# gpg2 --import private-key.asc
gpg: key D37A732F: secret key imported
gpg: key D37A732F: public key "terminaltwister (test user for demo) <email@address.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
[root@terminaltwister ~]#
[root@terminaltwister ~]# gpg2 --import public-key.asc
gpg: key D37A732F: "terminaltwister (test user for demo) <email@address.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
[root@terminaltwister ~]#
[root@terminaltwister ~]# gpg2 --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
uid                  terminaltwister (test user for demo) <email@address.com>
sub   4096R/7C7D2187 2019-08-22 [expires: 2020-08-21]
[root@terminaltwister ~]#
[root@terminaltwister ~]# gpg2 --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
uid                  terminaltwister (test user for demo) <email@address.com>
ssb   4096R/7C7D2187 2019-08-22
[root@terminaltwister ~]#
setting up the trust for the imported keys
setting trust is important. usually you want your personal/primary key, the one you will use to sign everything, to have ultimate trust. the available trust levels are offered interactively when you set up the trust.
the command syntax to set up the trust is
gpg2 --edit-key <email_address>
i will show you how i set up trust with my newly imported keys. to complete this demo, i revoked and deleted the keys from my gpg2 keyring, just to have a fresh start. please note that running this command will take you to the gpg prompt. you type the trust command there to begin the process. you exit from this gpg prompt by typing quit, just like any other standard linux command.
[root@terminaltwister ~]# gpg2 --edit-key email@address.com
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/D37A732F  created: 2019-08-22  expires: 2020-08-21  usage: SC
                     trust: unknown       validity: ultimate
sub  4096R/7C7D2187  created: 2019-08-22  expires: 2020-08-21  usage: E
[ultimate] (1). terminaltwister (test user for demo) <email@address.com>

gpg> trust
pub  4096R/D37A732F  created: 2019-08-22  expires: 2020-08-21  usage: SC
                     trust: unknown       validity: ultimate
sub  4096R/7C7D2187  created: 2019-08-22  expires: 2020-08-21  usage: E
[ultimate] (1)* terminaltwister (test user for demo) <email@address.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/D37A732F  created: 2019-08-22  expires: 2020-08-21  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/7C7D2187  created: 2019-08-22  expires: 2020-08-21  usage: E
[ultimate] (1)* terminaltwister (test user for demo) <email@address.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
[root@terminaltwister ~]#
the revoke key
there is no denying that your gpg2 keys may one day be compromised. what steps do you take to disable your key?
the answer is: create a revoke key (gpg2 calls it a revocation certificate) and use it if your private key is compromised!
create a revoke key
when you create a revoke key, gpg2 will ask you for a reason. you need to supply one to proceed.
gpg2 --armor --output <filename.asc> --gen-revoke <email_address>
i will paste the output from my centos 7 terminal here, just to describe the process a little better 🙂
[root@terminaltwister ~]# gpg2 --armor --output revoke.asc --gen-revoke email@address.com

sec  4096R/D37A732F 2019-08-22 terminaltwister (test user for demo) <email@address.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> compromised! oh no!
>
Reason for revocation: Key has been compromised
compromised! oh no!
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "terminaltwister (test user for demo) <email@address.com>"
4096-bit RSA key, ID D37A732F, created 2019-08-22

Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
[root@terminaltwister ~]#
using the revoke key (compromised? uh oh!)
it’s all about the trust!
when your private key is compromised, you must use the revoke key to mark that key as revoked in your gpg2 keyring, so it is no longer trusted.
each key is listed by gpg2 under 3 headers: pub, uid and sub. the key's current status (its expiry, or its revocation once revoked) is shown in brackets when you list your keys.
[root@terminaltwister ~]# gpg2 --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/D37A732F 2019-08-22 [expires: 2020-08-21]
uid                  terminaltwister (test user for demo) <email@address.com>
sub   4096R/7C7D2187 2019-08-22 [expires: 2020-08-21]
[root@terminaltwister ~]#
to revoke a key, you just import the revoke key file you created earlier. the key will then show as revoked when you list the keys. the next and final step to complete this process is to delete both the public and private keys from the gpg keyring with the --delete-secret-and-public-key switch of gpg2.
the command syntax to import the revoke key and then delete the previous keys is:
gpg2 --import <revoke_cert_filename>
gpg2 --delete-secret-and-public-key <email_address>
i've pasted the output from my centos 7 terminal below, with its verbose messages, for a better understanding
[root@terminaltwister ~]# gpg2 --import revoke.asc
gpg: key D37A732F: "terminaltwister (test user for demo) <email@address.com>" revocation certificate imported
gpg: Total number processed: 1
gpg:    new key revocations: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-08-21
[root@terminaltwister ~]# gpg2 --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/D37A732F 2019-08-22 [revoked: 2019-08-23]
uid                  terminaltwister (test user for demo) <email@address.com>
[root@terminaltwister ~]#
[root@terminaltwister ~]# gpg2 --delete-secret-and-public-key email@address.com
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  4096R/D37A732F 2019-08-22 terminaltwister (test user for demo) <email@address.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

pub  4096R/D37A732F 2019-08-22 terminaltwister (test user for demo) <email@address.com>

Delete this key from the keyring? (y/N) y
[root@terminaltwister ~]#
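as an added example (not from the original post), here is a python audit of the keyring listing that flags revoked, expired and soon-to-expire keys, the same states the bracketed [expires: ...] and [revoked: ...] fields above show. it reads the machine-readable form, gpg2 --list-keys --with-colons, which is what scripts should parse rather than the human-readable listing; the sample listing is constructed to mirror the demo key, and its long key ids and uid hashes are placeholders.

```python
import datetime as dt
# Constructed sample of `gpg2 --list-keys --with-colons` output, modelled on the demo
# key in the text (created 2019-08-22, expires 2020-08-21). Long key IDs and uid hashes
# are placeholders. Field 2 is validity (u/r/e/-); fields 6 and 7 are epoch seconds.
SAMPLE = """\
pub:u:4096:1:00000000D37A732F:1566432000:1597968000::u:::scESC:
uid:u::::1566432000::0000000000000000000000000000000000000000::terminaltwister (test user for demo) <email@address.com>:
pub:r:2048:1:00000000AAAAAAAA:1500000000:::-:::scESC:
uid:r::::1500000000::1111111111111111111111111111111111111111::revoked peer <peer@example.invalid>:
pub:e:2048:1:00000000BBBBBBBB:1500000000:1577836800::-:::scESC:
uid:e::::1500000000::2222222222222222222222222222222222222222::expired peer <old@example.invalid>:
"""

def parse_date(field):
    """Expiry field is empty (never expires) or seconds since the epoch (UTC)."""
    return dt.datetime.fromtimestamp(int(field), dt.timezone.utc).date() if field else None

def primary_keys(listing):
    """Yield [validity, keyid, expiry, first uid] for each pub record in the listing."""
    key = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            if key:
                yield key
            key = [f[1], f[4], parse_date(f[6]), ""]
        elif f[0] == "uid" and key and not key[3]:
            key[3] = f[9]  # field 10 of a uid record is the user id string
    if key:
        yield key

def audit(listing, today_iso, warn_days=30):
    """Return (short keyid, uid, status) for keys that are revoked, expired or close to expiry."""
    today = dt.date.fromisoformat(today_iso)
    findings = []
    for validity, keyid, expires, uid in primary_keys(listing):
        if validity == "r":
            status = "revoked"
        elif validity == "e" or (expires and expires < today):
            status = "expired"
        elif expires and (expires - today).days <= warn_days:
            status = f"expires in {(expires - today).days} days"
        else:
            continue  # valid and not close to expiry: nothing to report
        findings.append((keyid[-8:], uid, status))
    return findings

if __name__ == "__main__":
    for keyid, uid, status in audit(SAMPLE, "2020-08-01"):
        print(f"{keyid}  {status:<20} {uid}")
```

to check a live keyring, pass the output of gpg2 --list-keys --with-colons to audit() instead of SAMPLE.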
faqs
q. how do i change my key to a different key?
a.
- generate a revoke key for your current key
- use the revoke key
- generate a new key for yourself in the same way you created the current one
q. need to encrypt or decrypt text with gpg2?
a. read the other document here
q. what other options does the gpg2 package support? or do i need different options than the ones mentioned in this document?
a. read the man page! #rtfm
One response to “gpg2 – importing, exporting and revoking your keys”
[…] of course! gpg2 was created with having multiple public keys in its keyring in mind. you can have as many public key files in your personal gpg2 keyring as you want. you use the recipient switch to tell gpg2 whose public key you wish to use to encrypt the document. this way only the recipient with their private key can decrypt the document intended just for them! check my other document to know more about importing and exporting the keys here […]