PGP Key Management in Command Line
Complete Guide to PGP Key Management in Command Line
Introduction
Pretty Good Privacy (PGP) and its free and open-source counterpart, GNU Privacy Guard (GPG, a free implementation of the OpenPGP standard), have become essential tools for secure communication and data protection. They provide encryption and digital signatures for email, files, and software releases. Many users lean on graphical user interfaces (GUIs) to manage their keys, which, while convenient, don't expose the same flexibility and depth as the command-line tools.
This guide will introduce you to managing PGP keys using the command line, from basic concepts to advanced setups and troubleshooting. Whether you're a beginner looking to understand PGP encryption or a seasoned user improving your cryptographic workflow, you're in the right place.
Basic Concepts
PGP is fundamentally built around public-key cryptography, which uses a keypair system:
- Public Key: This key is shared with others so they can encrypt messages for you or verify your signatures. Sharing it doesn't compromise security.
- Private Key: This must be kept secret. It allows you to decrypt messages sent to you and to sign data so others can verify authenticity.
- Subkeys: These are additional keys bound to the primary key by a signature the primary key makes over them. Each subkey is given one job (signing, encryption, or authentication), so everyday operations never need the primary key itself.
Why Subkeys?
Think of the primary key as your identity: its real job is certification, vouching for your own user IDs and subkeys and for other people's keys. Subkeys are the tools you use for daily operations. Keeping the primary key offline and using subkeys for everyday signing and decryption limits the damage if a subkey is compromised: you revoke and replace that subkey, while your identity, and the certifications other people have made on it, survive.
Installation and Setup
Before diving into key management, ensure GPG is installed on your system.
Installing GPG
- On Linux (Debian/Ubuntu):
sudo apt update && sudo apt install gnupg
- On macOS:
Install via Homebrew:
brew install gnupg
- On Windows:
Download the Gpg4win installer from Gpg4win's website.
Verify installation by running:
gpg --version
Key Management Operations
Using the GPG command line tools, you can create, import, export, edit, and revoke your keys. Below are common operations with clear examples.
1. Creating a New Key Pair
To create a new keypair:
gpg --full-generate-key
Follow the prompts: choose an algorithm (RSA with a 4096-bit key, or the Curve25519 keys that GnuPG 2.3 and later offer by default), an expiration date (set one; it can be extended later without replacing the key), and your name and email address. You'll also be asked for a passphrase: choose one that's strong and unique, because it is the only thing protecting the secret key file at rest.
Once generated, confirm its creation:
gpg --list-keys
2. Importing and Exporting Keys
You may need to migrate keys or share your public key.
- Importing a key:
gpg --import keyfile.asc
- Exporting your public key (selecting by email works, but the fingerprint is unambiguous if you hold several keys):
gpg --export --armor YOUR_EMAIL > public.asc
- Exporting your private key (backup only; the file is still protected by your passphrase, but treat it as carefully as the key itself):
gpg --export-secret-keys --armor YOUR_EMAIL > private.asc
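Here is a scripted run of steps 1 and 2 together, added as an example for this guide (it is not from the original page and not GnuPG's own code). It creates a key unattended in a throwaway GNUPGHOME, exports the public and secret halves, imports the public half into a second, empty keyring and checks that the fingerprint there matches the owner's. The user ID, file names and the empty passphrase are assumptions for the demo; `--quick-generate-key`, `--with-colons` and `--pinentry-mode loopback` are standard GnuPG 2.1+ options.

```sh
#!/bin/sh
# Added example (not from the original guide): steps 1 and 2 scripted against a
# throwaway GNUPGHOME: create a key unattended, export both halves, import the
# public half into an empty keyring and check the fingerprint there.
set -eu

WORK=$(mktemp -d)
cleanup() {
  # every throwaway homedir started its own gpg-agent; stop them before deleting
  for h in "$WORK"/*/; do GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT

newhome() { mktemp -d "$WORK/home.XXXXXX"; }   # created mode 0700, as gpg requires

# gpg against one homedir, unattended. The demo keys have an empty passphrase
# (an assumption for this example only; never do that for a real key).
gpgh() {
  gh_home=$1; shift
  gpg --homedir "$gh_home" --batch --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"
}

# Fingerprint of the first key's primary key, from the machine-readable listing:
# "fpr" records carry it in field 10, and the primary's record comes first.
primary_fpr() {
  gpgh "$1" --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Create, export, import elsewhere. Prints the fingerprint if the importing
# side ends up with the same key, MISMATCH otherwise.
create_and_transfer() {
  owner=$(newhome); peer=$(newhome)
  # 'default default': certify+sign primary plus an encryption subkey.
  # 'never': no expiry; a real key should get one (it can be extended later).
  gpgh "$owner" --quick-generate-key 'Alice Example <alice@example.com>' default default never
  fpr=$(primary_fpr "$owner")

  gpgh "$owner" --armor --export "$fpr" > "$WORK/alice-public.asc"
  gpgh "$owner" --armor --export-secret-keys "$fpr" > "$WORK/alice-secret.asc"   # backup only

  gpgh "$peer" --import "$WORK/alice-public.asc"
  # The peer compares this with a fingerprint obtained out of band (business
  # card, call, signed web page); the name and address inside the key prove nothing.
  if [ "$(primary_fpr "$peer")" = "$fpr" ]; then printf '%s\n' "$fpr"; else echo MISMATCH; fi
}

# First line of an export, for an eyeball check that a backup is what you think.
armor_header() { head -n 1 "$1"; }

main() {
  fpr=$(create_and_transfer)
  echo "fingerprint seen by the importing side: $fpr"
  echo "public export begins:  $(armor_header "$WORK/alice-public.asc")"
  echo "secret export begins:  $(armor_header "$WORK/alice-secret.asc")"
}

# Run the demo only when gpg is present; the functions can be sourced without it.
if command -v gpg >/dev/null 2>&1; then main; else echo 'gpg not found on PATH' >&2; fi
```

The wrapper deliberately pins every option that makes gpg non-interactive; a real backup script should take the passphrase from a pinentry or a file descriptor rather than the empty string used here.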
3. Editing Existing Keys
Edit your key for various purposes:
gpg --edit-key YOUR_KEY_ID
From the interactive gpg> prompt, useful commands include:
- adduid (add a user ID: a name and email address)
- revuid (revoke a user ID you no longer use; deluid only removes it from your own copy, and anyone who already has the key keeps it)
- expire (set or change the expiration date)
- passwd (change the passphrase)
Finish with save, otherwise the changes are discarded.
To change what a key may be used for, first select it with key N (N is the subkey's position in the listing; with nothing selected the primary key is affected), then run:
gpg> change-usage
Possible actions:
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
4. Revoking a Key
Compromised keys should be revoked promptly. Generate the revocation certificate while you still can, ideally right after creating the key; GnuPG 2.1 and later already stores one for every new key under ~/.gnupg/openpgp-revocs.d/. To create one by hand:
gpg --gen-revoke YOUR_KEY_ID > revoke.asc
The certificate is armored text, and anyone who holds it can revoke your key, so store it as carefully as the private key. To revoke, import it into your own keyring (gpg --import revoke.asc), then publish the updated public key to keyservers and send it to your correspondents so their software marks the key as revoked and stops encrypting to it.
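A worked revocation, added as an example (not from the original page or from GnuPG's own code): it uses the certificate that GnuPG 2.1 and later writes to openpgp-revocs.d/ when a key is generated, which is the same kind of certificate gpg --gen-revoke produces by hand, imports it, and shows the key flip to revoked and become unusable for encryption. The user ID and the empty passphrase are demo assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): revoke a key using the
# certificate GnuPG stored when the key was generated, and show what changes
# for a keyring that holds the key.
set -eu

WORK=$(mktemp -d)
cleanup() {
  for h in "$WORK"/*/; do GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT
newhome() { mktemp -d "$WORK/home.XXXXXX"; }
# unattended gpg; the demo key has an empty passphrase (never do that for a real key)
gpgh() {
  gh_home=$1; shift
  gpg --homedir "$gh_home" --batch --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"
}
primary_fpr() { gpgh "$1" --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'; }

# Validity flag of the primary key, field 2 of the "pub" record: 'u' for our own
# ultimately trusted key, 'r' once a revocation is in the keyring.
validity() { gpgh "$1" --list-keys --with-colons | awk -F: '$1 == "pub" { print $2; exit }'; }

# Does this keyring still encrypt to Alice? gpg refuses revoked recipients
# ("Unusable public key"), so this flips from yes to no after the revocation.
can_encrypt_to_alice() {
  printf 'probe\n' > "$WORK/probe.txt"
  if gpgh "$1" --recipient alice@example.com --encrypt --output "$WORK/probe.gpg" "$WORK/probe.txt" 2>/dev/null
  then echo yes; else echo no; fi
}

# GnuPG 2.1+ writes openpgp-revocs.d/<FPR>.rev at key generation; gpg --gen-revoke
# produces the same kind of certificate on demand. The stored file carries usage
# notes and a colon in front of the armor header so it cannot be imported by
# accident: strip the colon, keep only the armored block, import it.
import_stored_revocation() {
  home=$1; fpr=$(primary_fpr "$home")
  sed -e 's/^://' -e '/^-----BEGIN PGP/,/^-----END PGP/!d' "$home/openpgp-revocs.d/$fpr.rev" \
    | gpgh "$home" --import
  # this is what you now publish and send to correspondents:
  gpgh "$home" --armor --export "$fpr" > "$WORK/alice-revoked.asc"
}

revocation_demo() {   # prints e.g. "before=u/yes after=r/no"
  home=$(newhome)
  gpgh "$home" --quick-generate-key 'Alice Example <alice@example.com>' default default never
  before="$(validity "$home")/$(can_encrypt_to_alice "$home")"
  import_stored_revocation "$home"
  after="$(validity "$home")/$(can_encrypt_to_alice "$home")"
  printf 'before=%s after=%s\n' "$before" "$after"
}

if command -v gpg >/dev/null 2>&1; then revocation_demo; else echo 'gpg not found on PATH' >&2; fi
```

The export at the end is the artifact to distribute: a public key that now carries its own revocation signature, which is what a keyserver or a correspondent needs to stop using the key.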
Safety First
Managing PGP keys comes with great responsibility. Here are some critical precautions:
Always create backups of your keys:
- Public keys can be freely shared, but private keys must never leak.
- Keep private-key backups on encrypted offline media such as an encrypted USB drive, or on paper (see paperkey below). If a copy has to live in cloud storage, encrypt it first.
Encrypt your key backups: the exported file is already protected by your key passphrase, so wrap it in a second layer with a different, strong passphrase; that covers you if the key passphrase was ever weak or reused:
gpg --symmetric --cipher-algo AES256 private.asc
Test on Dummy Keys:
Before making irreversible changes, experiment with a test keypair.
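A restore drill for an encrypted backup, added as an example (not from the original page or from GnuPG's own code): the passphrase is supplied on a file descriptor rather than the command line, the backup is decrypted with the right and with a wrong passphrase, and the restored bytes are compared with the original. The sample payload, file names and passphrases are constructed for the demo; `--passphrase-fd`, `--s2k-*` and `--no-symkey-cache` are standard gpg options (the last one needs GnuPG 2.2.7 or later).

```sh
#!/bin/sh
# Added example (not from the original guide): passphrase-encrypt a key backup
# unattended and run a restore drill, including a wrong-passphrase attempt.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Symmetric encryption of $1 into $2 with passphrase $3. The passphrase arrives
# on stdin (--passphrase-fd 0) rather than in argv, so it is not visible in ps
# or shell history. AES256 with an iterated, salted S2K at the maximum count
# makes offline guessing of the passphrase as slow as gpg allows.
encrypt_backup() {
  printf '%s\n' "$3" | gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
    --no-symkey-cache --symmetric --cipher-algo AES256 \
    --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
    --output "$2" "$1"
}

# Decrypt $1 into $2 with passphrase $3. Reports ok/fail instead of aborting so
# a drill can record a bad passphrase as a result.
decrypt_backup() {
  if printf '%s\n' "$3" | gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
       --no-symkey-cache --output "$2" --decrypt "$1" 2>/dev/null
  then echo ok; else echo fail; fi
}

# Restore drill: encrypt, decrypt with the right and a wrong passphrase, compare bytes.
# Prints "restore=ok wrong-pass=fail content=same" when everything behaves.
backup_drill() {
  plain="$WORK/private.asc"; enc="$WORK/private.asc.gpg"; out="$WORK/restored.asc"
  # stand-in for the output of gpg --export-secret-keys --armor (constructed sample)
  printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' 'sample backup payload' \
                '-----END PGP PRIVATE KEY BLOCK-----' > "$plain"

  encrypt_backup "$plain" "$enc" 'correct horse battery staple'
  good=$(decrypt_backup "$enc" "$out" 'correct horse battery staple')
  bad=$(decrypt_backup "$enc" "$WORK/never-written.asc" 'wrong passphrase')
  if cmp -s "$plain" "$out"; then same=same; else same=DIFFERENT; fi
  printf 'restore=%s wrong-pass=%s content=%s\n' "$good" "$bad" "$same"
}

if command -v gpg >/dev/null 2>&1; then backup_drill; else echo 'gpg not found on PATH' >&2; fi
```

Run the drill against the real backup medium before you need it: a backup that has never been restored is a hope, not a backup.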
Understanding Subkeys
Subkeys are vital for optimal security. They allow you to delegate specific functionality (e.g., signing or encryption) to secondary keys, while your master key remains untouched.
Creating Subkeys
gpg --edit-key YOUR_KEY_ID
gpg> addkey
Choose the key type and its single capability (signing, encryption, or authentication) and an expiry date, then save. Subkeys are published as part of your public key, so republish it after adding one.
Listing Subkeys
gpg --list-secret-keys --keyid-format LONG
Rotating Subkeys
To limit the lifetime of any one key, periodically add a new subkey and retire the old one (in gpg --edit-key: key N, then revkey or expire), keeping the primary key intact so that existing certifications of your identity remain valid. Keep the secret part of an old encryption subkey so you can still decrypt mail that was sent to it, and republish your public key after every change.
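The layout the last three sections describe, built end to end as an added example (not from the original page or from GnuPG's own code): a certify-only primary key, one subkey per job, a laptop keyring provisioned with --export-secret-subkeys so the primary never leaves the vault, and a rotation that adds a fresh encryption subkey. The user ID, curve choices, expiry and empty passphrase are demo assumptions; the commands are standard GnuPG 2.1+.

```sh
#!/bin/sh
# Added example (not from the original guide): a certify-only primary key with
# one subkey per job, a laptop keyring holding only the subkeys, and a rotation
# that adds a fresh encryption subkey.
set -eu

WORK=$(mktemp -d)
cleanup() {
  for h in "$WORK"/*/; do GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT
newhome() { mktemp -d "$WORK/home.XXXXXX"; }
# unattended gpg; the demo keys have an empty passphrase (never do that for a real key)
gpgh() {
  gh_home=$1; shift
  gpg --homedir "$gh_home" --batch --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"
}
primary_fpr() { gpgh "$1" --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'; }

# Recommended layout: primary key with the 'cert' capability only, three subkeys
# with one job each and a one-year expiry (extend later with --quick-set-expire).
# Prints the primary fingerprint.
make_identity() {
  gpgh "$1" --quick-generate-key 'Alice Example <alice@example.com>' ed25519 cert never
  fpr=$(primary_fpr "$1")
  gpgh "$1" --quick-add-key "$fpr" ed25519 sign 1y
  gpgh "$1" --quick-add-key "$fpr" cv25519 encr 1y
  gpgh "$1" --quick-add-key "$fpr" ed25519 auth 1y
  printf '%s\n' "$fpr"
}

# Capability letters of the subkeys in keyring order (field 12 of "sub"), e.g. "s e a".
subkey_caps() {
  gpgh "$1" --list-keys --with-colons \
    | awk -F: '$1 == "sub" { printf "%s%s", sep, $12; sep = " " } END { print "" }'
}

# 'stub' when the secret primary key is absent (gpg lists it as "sec#"), else 'full'.
primary_secret() {
  if gpgh "$1" --list-secret-keys | grep -q '^sec#'; then echo stub; else echo full; fi
}

# Provision a day-to-day machine with the subkeys only; the primary stays offline.
provision_laptop() {   # $1 vault, $2 laptop, $3 fingerprint
  gpgh "$1" --export-secret-subkeys "$3" | gpgh "$2" --import
}

# The laptop can sign without the primary key, and the vault's copy verifies it.
laptop_can_sign() {   # $1 laptop, $2 vault
  printf 'built on the laptop\n' > "$WORK/artifact"   # constructed sample
  gpgh "$1" --detach-sign --output "$WORK/artifact.sig" "$WORK/artifact"
  if gpgh "$2" --verify "$WORK/artifact.sig" "$WORK/artifact" 2>/dev/null; then echo yes; else echo no; fi
}

# Rotation: add a new encryption subkey; gpg encrypts to the newest usable one.
# Keep the old subkey's secret part to read old mail; retire it in gpg --edit-key
# (key N, then revkey or expire) and republish the public key afterwards.
rotate_encryption_subkey() { gpgh "$1" --quick-add-key "$2" cv25519 encr 1y; }

subkey_demo() {   # prints "caps=s e a e vault=full laptop=stub laptop-signs=yes"
  vault=$(newhome); laptop=$(newhome)
  fpr=$(make_identity "$vault")
  provision_laptop "$vault" "$laptop" "$fpr"
  rotate_encryption_subkey "$vault" "$fpr"
  gpgh "$vault" --armor --export "$fpr" > "$WORK/alice-public.asc"   # republish this
  printf 'caps=%s vault=%s laptop=%s laptop-signs=%s\n' "$(subkey_caps "$vault")" \
    "$(primary_secret "$vault")" "$(primary_secret "$laptop")" "$(laptop_can_sign "$laptop" "$vault")"
}

if command -v gpg >/dev/null 2>&1; then subkey_demo; else echo 'gpg not found on PATH' >&2; fi
```

On a real setup the vault homedir lives on offline media and only the exported subkeys file travels to the laptop; the "sec#" marker in the laptop's listing is the quick check that the primary secret key did not come along.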
Advanced Usage
Take your GPG setup to the next level with these tips:
1. Sign and Verify Data
- Signing a file:
gpg --sign file.txt
This writes a signed, compressed copy to file.txt.gpg. To keep the signature separate from the original (the usual choice for software releases), use --detach-sign, which writes file.txt.sig; for readable text with the signature appended, use --clearsign.
- Verifying a signature:
gpg --verify file.txt.gpg
For a detached signature, pass both files (gpg --verify file.txt.sig file.txt). "Good signature" only means the data matches a key you hold; confirm that the fingerprint is the one you expect and read the trust warnings gpg prints.
2. Encrypting and Decrypting Files
- Encrypting a file:
Encrypt for a specific recipient:
gpg --encrypt --recipient RECIPIENT_EMAIL file.txt
Add --sign so the recipient can verify who sent it, and --armor for an ASCII file that survives email and pasting. gpg warns (and in batch mode refuses) when the recipient key's validity has not been established, by certifying it after checking the fingerprint or by an explicit trust setting; that check is what stops you encrypting to an impostor's key.
- Decrypting a file:
gpg --decrypt file.txt.gpg
The plaintext goes to standard output; add --output file.txt to write it to a file. If the message was signed, the signature is verified at the same time.
3. Sharing Your Public Key via Keyservers
Make your public key available by uploading it:
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID
keys.openpgp.org lists your key under its email address only after you confirm a verification email it sends to that address; until then others can fetch it only by fingerprint or key ID. Uploads to the older SKS-style keyservers can never be removed, so publish once you are happy with the user IDs on the key.
Common Use Cases
- Secure Email: Use GPG with an email client such as Thunderbird, which has had OpenPGP support built in since version 78 (the Enigmail add-on is no longer needed), for encrypted and signed mail.
- Signed Git Commits: Sign your commits so reviewers can check who made them:
git config --global user.signingkey KEY_ID
git commit -S -m "Your signed commit"
Use the full fingerprint or the long key ID for KEY_ID; set commit.gpgsign to true to sign every commit, and check signatures with git verify-commit or git log --show-signature.
- Encrypted Backups: Encrypt personal or sensitive files with GPG before uploading them to the cloud.
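Signed commits end to end, added as an example (not from the original page, and not Git's or GnuPG's own code): a throwaway key, a repository configured to sign by fingerprint, one signed commit, and verification from a keyring that has the public key and from one that does not. The identity and the empty passphrase are demo assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): signed Git commits with a
# throwaway key, verified with and without the public key available.
set -eu

WORK=$(mktemp -d)
cleanup() {
  for h in "$WORK"/*/; do GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT
newhome() { mktemp -d "$WORK/home.XXXXXX"; }
# unattended gpg; the demo key has an empty passphrase (never do that for a real key)
gpgh() {
  gh_home=$1; shift
  gpg --homedir "$gh_home" --batch --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"
}
primary_fpr() { gpgh "$1" --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'; }

# A signing-capable key in its own homedir. Git runs gpg itself, so later calls
# point it at this homedir through GNUPGHOME instead of --homedir.
signing_setup() {   # prints "homedir fingerprint"
  sk_home=$(newhome)
  gpgh "$sk_home" --quick-generate-key 'Alice Example <alice@example.com>' ed25519 sign never
  printf '%s %s\n' "$sk_home" "$(primary_fpr "$sk_home")"
}

# Repository that signs every commit. The signing key is named by full
# fingerprint: short key IDs can be collided and must not be used here.
# Prints the repository path.
make_signed_repo() {   # $1 homedir, $2 fingerprint
  repo=$(mktemp -d "$WORK/repo.XXXXXX")
  git -C "$repo" init -q
  git -C "$repo" config user.name 'Alice Example'
  git -C "$repo" config user.email 'alice@example.com'
  git -C "$repo" config user.signingkey "$2"
  git -C "$repo" config commit.gpgsign true     # plain `git commit` now signs; -S is implied
  echo 'hello' > "$repo/README"
  git -C "$repo" add README
  GNUPGHOME="$1" git -C "$repo" commit -q -m 'signed commit'
  printf '%s\n' "$repo"
}

# git verify-commit succeeds only when gpg reports a good signature from a key
# present in the keyring it is pointed at. Prints good or bad.
verify_head() {   # $1 homedir used for verification, $2 repository
  if GNUPGHOME="$1" git -C "$2" verify-commit HEAD 2>/dev/null; then echo good; else echo bad; fi
}

git_demo() {
  set -- $(signing_setup)
  repo=$(make_signed_repo "$1" "$2")
  echo "verified with the public key present: $(verify_head "$1" "$repo")"
  echo "verified from an empty keyring:       $(verify_head "$(newhome)" "$repo")"
}

if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1
then git_demo; else echo 'gpg and git are both required for this demo' >&2; fi
```

The second verification is the situation a reviewer on another machine is in: a signature is only as useful as the reviewer's ability to obtain, and check the fingerprint of, the signer's public key.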
Troubleshooting
1. "No such key" error
- Make sure the key is actually in your keyring and that you are naming it by a fingerprint, long key ID or user ID that matches:
gpg --list-keys
2. Passphrase forgotten
- Without the passphrase you can neither decrypt data nor sign with the key, and there is no recovery. This is why you generate a revocation certificate when you create the key and keep it offline: it lets you retire the key even when you can no longer use it.
Best Practices
Regularly refresh keys from keyservers, so that revocations and changed expiry dates reach you:
gpg --refresh-keys
Minimal disclosure: keyservers are public and the older ones never delete anything. Upload only the user IDs you want permanently tied to your key, and only ever the public key, never a secret export.
Offline backups: Always keep a secure backup of your private key and revocation certificate.
Further Reading and Tools
- Official GnuPG Documentation
- Electronic Frontier Foundation's PGP Guide
- Tools:
- Keyoxide: Links your OpenPGP key to online accounts with verifiable proofs.
- paperkey: Extracts the secret parts of a key into a compact form for a printed backup.
Wrapping up, the command line offers unparalleled power and granularity when it comes to managing PGP keys. Treat your keys with the respect they deserve, and you'll find PGP an invaluable tool for securing your digital life.