GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories.

- GnuPG

This details how to install and set up GnuPG and Pinentry.

- Install the `gnupg` package (should come preinstalled by default in most cases) using `yay`.
- Install the `pinentry` package (should come preinstalled by default in most cases) using `yay`.
- (Optional) If you use KDE Wallet, you can also use it to store GPG key passphrases.
This details how to generate a GPG key.

- Launch a terminal application (e.g. Konsole).
- Generate a GPG key using the `gpg` command:

  ```
  gpg --full-gen-key
  ```

- Add the following values when prompted:
  - What kind of key: `9` (ECC (sign and encrypt) *default*)
  - Which elliptic curve you want: `1` (Curve 25519 *default*)
  - Key is valid for: `1y`
  - Is this correct: `y`
  - Real name: `My Name` (add your real name here)
  - Email address: `[email protected]` (add your email address here)
  - Comment: (leave this blank or add a comment)
  - Change name, comment, email, or okay/quit: `o`

  Make any of your own adjustments to the above values as desired.

- Enter a passphrase when prompted or leave it empty. Save it to the system's password manager if given the option.
This details how to get certain values relating to our GPG key.

This details how to acquire the unique identifier (long key ID) that is used to identify our GPG key:

- List the system's GPG secret keys:

  ```
  gpg --list-secret-keys --keyid-format long
  ```

  Sample output:

  ```
  /home/user/.gnupg/pubring.kbx
  ------------------------------
  sec   ed25519/1H89FHO4MGAJTJ9Z 2024-01-15 [SC] [expires: 2026-01-15]
        0A41C9F6335DBF47A1A186FAC82F22229FCCE1BF
  uid                 [ultimate] My Name <[email protected]>
  ssb   cv25519/A1B2C3D4E5F6G7H8 2024-01-15 [E] [expires: 2026-01-15]
  ```

- From this output, locate our GPG key and take note of the value in the second column of the row that has `sec` (secret key) in the first column:

  ```
  sec   ed25519/1H89FHO4MGAJTJ9Z
  ```

  In this example, that value is `ed25519/1H89FHO4MGAJTJ9Z`.

- Copy the value trailing the `/` character (i.e. `1H89FHO4MGAJTJ9Z`), which is our GPG key ID:

  ```
  1H89FHO4MGAJTJ9Z
  ```
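As an added example that is not part of the original guide, the following POSIX shell functions parse a listing in the format shown above: one extracts the long key ID from the `sec` row, the other reports which key components have reached their `[expires: ...]` date, which is how you notice that the key renewal steps later in this guide are due before Git signing starts failing. The listing is a constructed sample modelled on the one above (the email address in it is a placeholder).

```shell
#!/bin/sh
# Added example, not from the original guide: parse the human-readable
# output of `gpg --list-secret-keys --keyid-format long`.
# Note: for scripts you control end to end, `gpg --with-colons` is the
# stable machine-readable format; this parses the layout the guide shows.

# Constructed sample listing, modelled on the guide's output (placeholder email).
SAMPLE_LISTING='/home/user/.gnupg/pubring.kbx
------------------------------
sec   ed25519/1H89FHO4MGAJTJ9Z 2024-01-15 [SC] [expires: 2026-01-15]
      0A41C9F6335DBF47A1A186FAC82F22229FCCE1BF
uid                 [ultimate] My Name <user@example.com>
ssb   cv25519/A1B2C3D4E5F6G7H8 2024-01-15 [E] [expires: 2026-01-15]'

# Print the long key ID of the first secret primary key: the text after
# the '/' in the second column of the 'sec' row. Reads the listing on stdin.
extract_key_id() {
    awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# Print every 'sec' or 'ssb' row whose "[expires: YYYY-MM-DD]" date is on or
# before the ISO date given as $1. ISO dates order correctly as plain strings,
# so no date arithmetic is needed. Reads the listing on stdin.
expired_components() {
    awk -v today="$1" '
        ($1 == "sec" || $1 == "ssb") && match($0, /\[expires: [0-9-]+\]/) {
            d = substr($0, RSTART + 10, 10)   # skip "[expires: " (10 chars)
            if (d <= today) print $1, $2, "expired", d
        }'
}

# Stand-alone usage against the constructed sample.
key_id=$(printf '%s\n' "$SAMPLE_LISTING" | extract_key_id)
echo "key ID: $key_id"                     # 1H89FHO4MGAJTJ9Z
printf '%s\n' "$SAMPLE_LISTING" | expired_components "$(date +%Y-%m-%d)"
```

Pipe the real `gpg --list-secret-keys --keyid-format long` output into the same functions to check your own keyring.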
This details how to get the public key of our GPG key:

- After acquiring our GPG key ID (i.e. `1H89FHO4MGAJTJ9Z`), use it to export our GPG public key:

  ```
  gpg --armor --export 1H89FHO4MGAJTJ9Z
  ```

- Copy the GPG public key from the output accordingly.

  Sample output:

  ```
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  7Ze49bA33Xzun7SbusOQspoUIYsgPny2eitPOKRvavumM+397nTftVhHia/eI410
  ...
  Lz8/MGzO2FgC33XdFwhyyp3yQH18XCnV4IMUgrFNrG==
  =iT48
  -----END PGP PUBLIC KEY BLOCK-----
  ```
This details how we can enforce automatic signing for all our commits and tags in Git and GitHub/GitLab.

- Copy the public key of our GPG key.
- Register the public key to GitHub:
  - Go to GitHub's SSH and GPG keys page.
  - Under the GPG keys section, click the New GPG key button.
  - Add a title for the GPG key (e.g. your system's user and hostname).
  - Paste our GPG public key into the Key text field.
  - Click the Add GPG key button.
- Register the public key to GitLab:
  - Go to GitLab's GPG Keys page.
  - Click the Add new key button.
  - Paste our GPG public key into the Key text field.
  - Click the Add key button.
- Configure Git to use our GPG key and enforce automatic signing for all our commits and tags:
  - Register our GPG key ID (i.e. `1H89FHO4MGAJTJ9Z`) to Git:

    ```
    git config --global user.signingkey 1H89FHO4MGAJTJ9Z
    ```

  - Set automatic commit signing:

    ```
    git config --global commit.gpgSign true
    ```

  - Set automatic tag signing:

    ```
    git config --global tag.gpgSign true
    ```
- To ensure that GPG uses the correct terminal for user interaction when performing cryptographic operations, set `GPG_TTY` to the value of `tty` in your default shell profile.
  - Update the profile of your default shell (e.g. `fish`) with the following variable assignment:

    ```
    set -x GPG_TTY (tty)
    ```

    If your default shell is `bash`, add the following line instead to its shell profile:

    ```
    export GPG_TTY=$(tty)
    ```

  - Reload the updated shell profile (e.g. `~/.config/fish/config.fish`) to apply the changes:

    ```
    source ~/.config/fish/config.fish
    ```
This details how to update the GnuPG agent configuration.

- Create or update an existing `gpg-agent.conf` config file:

  ```
  nano ~/.gnupg/gpg-agent.conf
  ```

- Write and save any necessary changes to the config file.
- Reload the updated config:

  ```
  gpg-connect-agent reloadagent /bye
  ```
This details how to update the passphrase of a GPG key.

- Get our GPG key ID (i.e. `1H89FHO4MGAJTJ9Z`).
- Edit the GPG key using the following command:

  ```
  gpg --edit-key <gpg-key-id>
  ```

  Replace `<gpg-key-id>` with the value of our GPG key ID (i.e. `1H89FHO4MGAJTJ9Z`) accordingly.

- In the `gpg>` prompt, enter the `passwd` subcommand to change the passphrase:

  ```
  passwd
  ```

- Enter the current passphrase of the GPG key when prompted.
- Enter the new passphrase and confirm it when prompted.

You may need to enter the `save` subcommand in the `gpg>` prompt to save changes made to the GPG key.
This details how to renew expired GPG keys.

- Get our GPG key ID (i.e. `1H89FHO4MGAJTJ9Z`).
- Edit the GPG key using the following command:

  ```
  gpg --edit-key <gpg-key-id>
  ```

  Replace `<gpg-key-id>` with the value of our GPG key ID (i.e. `1H89FHO4MGAJTJ9Z`) accordingly.

- In the `gpg>` prompt, enter the `expire` subcommand to update the GPG key's expiration date:

  ```
  expire
  ```

- When prompted, submit the following values to renew the secret key:
  - Key is valid for? (0): `1y` for one year
  - Is this correct? (y/N): `y` to accept the key's new expiration date

  Sample output:

  ```
  sec  ed25519/1H89FHO4MGAJTJ9Z
       created: 2024-01-15  expires: 2026-01-15  usage: SC
       trust: ultimate      validity: ultimate
  ssb  cv25519/A1B2C3D4E5F6G7H8
       created: 2024-01-15  expired: 2025-01-14  usage: E
  [ultimate] (1). My Name <[email protected]>
  ```

- After renewing the GPG key's secret key, you may need to renew the GPG key's subkey(s) as well if you have received a warning like the following:

  ```
  gpg: WARNING: Your encryption subkey expires soon.
  gpg: You may want to change its expiration date too.
  gpg: WARNING: No valid encryption subkey left over.
  ```

- In the same `gpg>` session, enter the `list` subcommand to show your GPG key:

  ```
  list
  ```

  Sample output:

  ```
  sec  ed25519/1H89FHO4MGAJTJ9Z
       created: 2024-01-15  expires: 2026-01-15  usage: SC
       trust: ultimate      validity: ultimate
  ssb  cv25519/A1B2C3D4E5F6G7H8
       created: 2024-01-15  expired: 2025-01-14  usage: E
  [ultimate] (1). My Name <[email protected]>
  ```

  You will need to renew every subkey (denoted by the `ssb` prefix) that has expired.

- To select the first subkey (i.e. `1`), enter the following command:

  ```
  key 1
  ```

  Sample output:

  ```
  ssb* cv25519/A1B2C3D4E5F6G7H8
  ```

  The asterisk (`*`) indicates that the subkey has been selected.

- Enter the `expire` subcommand to update the selected subkey's expiration date:

  ```
  expire
  ```

  When prompted, enter the same values you submitted to renew the secret key earlier. Sample output:

  ```
  sec  ed25519/1H89FHO4MGAJTJ9Z
       created: 2024-01-15  expires: 2026-01-15  usage: SC
       trust: ultimate      validity: ultimate
  ssb* cv25519/A1B2C3D4E5F6G7H8
       created: 2024-01-15  expires: 2026-01-15  usage: E
  [ultimate] (1). My Name <[email protected]>
  ```

  The expiration date of each of your GPG key's subkeys should now be updated accordingly.

- After the expiration dates of the GPG key's secret key and subkey(s) have been updated, enter the `trust` subcommand to update the GPG key's trust level:

  ```
  trust
  ```

  When prompted, select the `ultimate` trust level (i.e. `5`):

  ```
  5
  ```

  Confirm the selected trust level:

  ```
  y
  ```

- After the expiration dates of the GPG key's secret key and subkey(s) have been updated, enter the `save` subcommand (in the `gpg>` prompt) to save the changes made to the GPG key:

  ```
  save
  ```

- If you have previously registered the public key of your GPG key with any services such as GitHub or GitLab, you may need to update them with your new public key accordingly.