GPG Keys Cheatsheet

Generate GPG Keys

Run:

gpg --gen-key

You will be asked:

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 

Hit ENTER to select default.

Next, you will be asked:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 

Hit ENTER to select default 2048 length.

Next, you will be asked:

Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0)

Hit ENTER to select default 0 i.e. key does not expire.

It will again ask you to confirm your choice.

Key does not expire at all
Is this correct? (y/N)

Press ‘y’ this time.

Then it will ask you for your:

Real name:
Email address:
Comment:

Enter your details. You can use comment to enter something like purpose of the key.

Next you will be  asked to enter passphrase twice. Remember this passphrase.

Next, you may see a message like:

generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 281 more bytes)

Just open another terminal window and run some commands which generates plenty of activity.

My favorite is running a disk write performance benchmark using:

dd bs=1M count=1024 if=/dev/zero of=test conv=fdatasync

You will something like:

gpg: key 0B2B9B37 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/0B2B9B37 2014-05-01
      Key fingerprint = 4AEC D912 EA8F D319 F3A7  EF49 E8F8 5A12 0B2B 9B37
uid                  rtCamp (S3 Backup) <admin@example.com>
sub   2048R/3AA184AD 2014-05-01

Output all this, line containing: pub   2048R/0B2B9B37 2014-05 -01 is most important.

0B2B9B37 is your GPG Key in this case.

List Keys

In case you forget to copy your key, you can find it list keys commands.

List Public Keys

gpg --list-keys

You will see something like:

/root/.gnupg/pubring.gpg
------------------------
pub   1024D/CD2EFD2A 2009-12-15
uid                  Percona MySQL Development Team <mysql-dev@percona.com>
sub   2048g/2D607DAF 2009-12-15

pub   2048R/0B2B9B37</strong> 2014-05-01
uid                  rtCamp (S3 Backup) <admin@example.com>
sub   2048R/3AA184AD 2014-05-01

List Private Keys

gpg --list-secret-keys

You may notice lesser number of keys. It’s perfectly fine as you might have others public key in your keyring which earlier command displayed. (e.g. Percona public key).

Export Keys

If you lose your private keys, you will eventually lose access to your data!

Export Public Key

gpg --export -a "rtCamp" > public.key

Export Private Key

gpg --export-secret-key -a "rtCamp" > private.key

Now don’t forget to backup public and private keys.

You can email these keys to yourself using swaks command:

swaks --attach public.key --attach private.key --body "GPG Keys for `hostname`" --h-Subject  "GPG Keys for `hostname`"  -t admin@example.com

Importing Keys

If you ever have to import keys then use following commands.

Import Public Key

gpg --import public.key

Import Private Key

gpg --allow-secret-key-import --import private.key

Deleting Keys

At time you may want to delete keys.

Delete Public key

gpg --delete-key "Real Name"

Delete Private key

gpg --delete-secret-key "Real Name"

Generate Fingerprint

Sometime you need to generate fingerprint.

gpg --fingerprint

Will show something like:

pub   2048R/0B2B9B37 2014-05-01
      Key fingerprint = 4AEC D912 EA8F D319 F3A7  EF49 E8F8 5A12 0B2B 9B37</strong>
uid                  rtCamp (S3 Backup) <sys@rtcamp.com>
sub   2048R/3AA184AD 2014-05-01

Encrypt Data

gpg -e -u "Sender (Your) Real Name" -r "Receiver User Name" file.txt

This will encrypt file.txt using receiver’s public key.

Encrypted file will have .gpg extension. In this case it will be file.txt.gpg which you can send across.

I think -u is not necessary for encryption. It basically adds senders fingerprint (which we saw above). This way receiver can verify who sent message.

Decrypt Data

gpg -d file.txt.gpg

Decrypt command will pick correct secret key (if you have one).