@SansGuidon
Last active November 5, 2023 09:28
GPG Cheat Sheet

Basics

generate a key in batch mode using a custom profile (see the gpgspecs batch profile at the end of this sheet)

gpg --gen-key --batch gpgspecs

display your keys together with their fingerprints. A fingerprint is used as a robust key identifier in the commands below

gpg --fingerprint

Best practices

check that you have an OpenPGP v4 key (v3 keys are not considered robust)

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep version

check that you have at least a DSA-2 key or (preferably) an RSA key with a length of 4K bits (or more).

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep -A2 '^:public key packet:$' | grep algo

check the output: RSA corresponds to algo 1, DSA to algo 17, ECDSA to algo 19 and ECC (ECDH) to algo 18

if you have an RSA or DSA key, check that its length is at least 4K bits (RSA) or at least 1K bits (DSA-2). ECDSA and ECC keys have a different kind of key material, so this length rule does not apply to them

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep -A2 'public key' | grep 'pkey\[0\]:'

self-signatures should not use MD5. check that with the following command.

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep -A 2 signature | grep 'digest algo'

self-signatures should not use SHA-1. check that with the following command.

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep -A 2 signature | grep 'digest algo 2,'

If the output of any of the previous commands contains 'digest algo 1' or 'digest algo 2', you should regenerate your key's self-signatures after adding cert-digest-algo SHA512 to ~/.gnupg/gpg.conf:

echo "cert-digest-algo SHA512" >> ~/.gnupg/gpg.conf

you can regenerate the self-signatures of an existing key by simply updating its expiry date

gpg --edit-key '<fingerprint>'
gpg> expire
gpg> 2y
...
gpg> save

check that your hash algorithm preferences list a member of the SHA-2 family before SHA-1 and MD5.

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep 'pref-hash-algos'

if one of the numbers '3', '2' or '1' precedes '11', '10', '9' or '8', you have weak preferences. Fix them:

echo "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" >> ~/.gnupg/gpg.conf

then apply the new preferences to your key:

gpg --edit-key '<fingerprint>'
gpg> setpref
...
gpg> save

check your key's expiry date; it should be at most 2 years in the future from now

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep 'key expires after'

or

gpg --list-keys '<fingerprint>'

you can fix that if it's not the case

gpg --edit-key '<fingerprint>'
gpg> expire
gpg> 2y
...
gpg> save
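The checks above, collected into one script, as an added example that is not part of the original gist: it runs the same grep patterns over `gpg --list-packets` output passed in as a string, so the constructed packet dump below (hypothetical values for a deliberately weak RSA 2048 key) can be swapped for `gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets`. It covers the v4, algorithm/length, self-signature digest, hash preference and expiry checks in one pass.

```sh
#!/bin/sh
# Constructed `gpg --list-packets` output for a hypothetical weak key (not a real key).
SAMPLE_DUMP=':public key packet:
    version 4, algo 1, created 1577836800, expires 0
    pkey[0]: [2048 bits]
    pkey[1]: [17 bits]
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1577836800, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
    hashed subpkt 9 len 4 (key expires after 5y0d0h0m)
    hashed subpkt 21 len 4 (pref-hash-algos: 2 10 9 8)'

# audit_packets DUMP: print one finding per line; return 0 if clean, 1 if any WEAK finding.
audit_packets() {
  dump=$1; rc=0
  pub=$(printf '%s\n' "$dump" | grep -A2 '^:public key packet:$')
  # OpenPGP v3 key packets are not considered robust
  printf '%s\n' "$pub" | grep -q 'version 3,' && { echo "WEAK: OpenPGP v3 key"; rc=1; }
  # algo 1 = RSA (>= 4096 bits wanted), 17 = DSA (>= 1024), 18 = ECC (ECDH), 19 = ECDSA
  algo=$(printf '%s\n' "$pub" | grep -o 'algo [0-9]*' | head -1 | cut -d' ' -f2)
  bits=$(printf '%s\n' "$pub" | sed -n 's/.*pkey\[0\]: \[\([0-9]*\) bits.*/\1/p' | head -1)
  case "$algo" in
    1)  [ "${bits:-0}" -ge 4096 ] || { echo "WEAK: RSA key is only $bits bits"; rc=1; } ;;
    17) [ "${bits:-0}" -ge 1024 ] || { echo "WEAK: DSA key is only $bits bits"; rc=1; } ;;
    18|19) echo "INFO: ECC key (algo $algo); the RSA/DSA length rule does not apply" ;;
    *)  echo "WARN: public key algo '$algo' is not covered by this sheet" ;;
  esac
  # self-signatures hashed with MD5 (digest algo 1) or SHA-1 (digest algo 2)
  printf '%s\n' "$dump" | grep -A2 'signature' | grep -Eq 'digest algo (1|2),' \
    && { echo "WEAK: self-signature digest is MD5 or SHA-1 (set cert-digest-algo SHA512, re-sign)"; rc=1; }
  # a SHA-2 member (8..11) must precede 1 (MD5), 2 (SHA-1) and 3 (RIPEMD160) in the preference list
  for h in $(printf '%s\n' "$dump" | grep -o 'pref-hash-algos: [0-9 ]*' | head -1 | cut -d: -f2); do
    case "$h" in
      8|9|10|11) break ;;
      1|2|3) echo "WEAK: hash algo $h is preferred over SHA-2 (fix with setpref)"; rc=1; break ;;
    esac
  done
  # expiry should be at most 2 years (whole years only; no subpacket means the key never expires)
  years=$(printf '%s\n' "$dump" | grep -o 'key expires after [0-9]*y' | head -1 | tr -dc '0-9')
  if [ -z "$years" ]; then echo "WARN: no expiry date set"
  elif [ "$years" -gt 2 ]; then echo "WEAK: key expires after ${years}y (> 2y)"; rc=1; fi
  return $rc
}

audit_packets "$SAMPLE_DUMP" || echo "sample key FAILED the audit"
```

To audit a real key, call `audit_packets "$(gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets)"`; a non-zero exit status means at least one WEAK finding.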

List your keys

list your public keys, printing the fingerprint too, because the default short key ids are too short to be secure

gpg --list-keys --with-fingerprint

list your private keys, with fingerprints, since the default short key ids are too short to be secure

gpg --list-secret-keys --with-fingerprint

avoid passing --with-fingerprint each time by changing your default settings:

echo "with-fingerprint" >> ~/.gnupg/gpg.conf

Export your keys

export a public key

gpg -ao [email protected] --export '<fingerprint>'

export a private key

gpg -ao [email protected] --export-secret-keys '<fingerprint>'

or

gpg --export-secret-keys --armor <fingerprint> > /path/to/secret-key-backup.asc

Export the GPG trust database

You can simply back up the file ~/.gnupg/trustdb.gpg, or you can export it with the following command:

gpg --export-ownertrust > /path/to/trustdb-backup.txt

Revocation and deletion

generate a revocation certificate (in case you forget your passphrase or your key is compromised)

gpg --output revoke.asc --gen-revoke '<fingerprint>'

delete private keys

gpg --delete-secret-keys '<fingerprint>'

delete public keys

gpg --delete-keys '<fingerprint>'

Import

check the fingerprint of a key before you import it

gpg --with-fingerprint <keyfile>

import it (whether it is private or public)

gpg --import <path to key>

Encrypt files

create an archive of your secret files

tar czf mysecrets.tar.gz folder_with_secrets
tar -ztvf mysecrets.tar.gz
gpg --encrypt --recipient <uid> mysecrets.tar.gz

or

gpg --encrypt --recipient <fingerprint> mysecrets.tar.gz

decrypt the archive

gpg --output restoredsecrets.tar.gz --decrypt mysecrets.tar.gz.gpg
tar -ztvf restoredsecrets.tar.gz

gpgspecs (the batch profile used by the gpg --gen-key --batch command above)

Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: <Firstname Lastname>
Name-Comment: <user@system>
Name-Email: <[email protected]>
#Passphrase: <specify the passphrase here, or leave this line commented out to be prompted for it later>
Expire-Date: 2y
# note: it's better to set an expiry date of at most 2 years (2y), otherwise people may be reluctant to trust your key