https://wiki.archlinux.org/api.php?action=feedcontributions&user=Ahstro&feedformat=atomArchWiki - User contributions [en]2024-03-28T17:55:30ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=GnuPG&diff=505897GnuPG2018-01-03T15:47:55Z<p>Ahstro: Use correct synonymous abbreviation of "for example"</p>
<hr />
<div>[[Category:Encryption]]<br />
[[es:GnuPG]]<br />
[[ja:GnuPG]]<br />
[[ru:GnuPG]]<br />
[[zh-hans:GnuPG]]<br />
[[zh-hant:GnuPG]]<br />
{{Related articles start}}<br />
{{Related|pacman/Package signing}}<br />
{{Related|Disk encryption}}<br />
{{Related|List of applications/Security#Encryption, signing, steganography}}<br />
{{Related articles end}}<br />
<br />
According to the [https://www.gnupg.org/ official website]:<br />
<br />
:GnuPG is a complete and free implementation of the [http://openpgp.org/about/ OpenPGP] standard as defined by [https://tools.ietf.org/html/rfc4880 RFC4880] (also known as PGP). GnuPG allows you to encrypt and sign your data and communication. It features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|gnupg}} package.<br />
<br />
This will also install {{Pkg|pinentry}}, a collection of simple PIN or passphrase entry dialogs which GnuPG uses for passphrase entry. Which ''pinentry'' dialog is used is determined by the symbolic link {{ic|/usr/bin/pinentry}}, which by default points to {{ic|/usr/bin/pinentry-gtk-2}}.<br />
<br />
If you want to use a graphical frontend or program that integrates with GnuPG, see [[List of applications/Security#Encryption, signing, steganography]].<br />
<br />
== Configuration ==<br />
<br />
=== Directory location ===<br />
{{ic|$GNUPGHOME}} is used by GnuPG to point to the directory where its configuration files are stored. By default {{ic|$GNUPGHOME}} is not set and your {{ic|$HOME}} is used instead; thus, you will find a {{ic|~/.gnupg}} directory right after installation. <br />
<br />
To change the default location, either run gpg this way {{ic|$ gpg --homedir ''path/to/file''}} or set {{ic|GNUPGHOME}} in one of your regular [[startup files]].<br />
<br />
=== Configuration files ===<br />
<br />
The default configuration files are {{ic|~/.gnupg/gpg.conf}} and {{ic|~/.gnupg/dirmngr.conf}}. <br />
<br />
By default, the gnupg directory has its [[permissions]] set to {{ic|700}} and the files it contains have their permissions set to {{ic|600}}. Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.<br />
<br />
Append to these files any long options you want. Do not write the two dashes, but simply the name of the option and required arguments. You will find skeleton files in {{ic|/usr/share/gnupg}}. These files are copied to {{ic|~/.gnupg}} the first time gpg is run if they do not exist there. Other examples are found in [[#See also]].<br />
<br />
Additionally, [[pacman]] uses a different set of configuration files for package signature verification. See [[Pacman/Package signing]] for details.<br />
<br />
=== Default options for new users ===<br />
<br />
If you want to setup some default options for new users, put configuration files in {{ic|/etc/skel/.gnupg/}}. When the new user is added in system, files from here will be copied to its GnuPG home directory. There is also a simple script called ''addgnupghome'' which you can use to create new GnuPG home directories for existing users:<br />
<br />
# addgnupghome user1 user2<br />
<br />
This will add the respective {{ic|/home/user1/.gnupg}} and {{ic|/home/user2/.gnupg}} and copy the files from the skeleton directory to it. Users with existing GnuPG home directory are simply skipped.<br />
<br />
== Usage ==<br />
<br />
{{Note|Whenever a ''{{ic|user-id}}'' is required in a command, it can be specified with your key ID, fingerprint, a part of your name or email address, etc. GnuPG is flexible on this.<br />
}}<br />
<br />
=== Create key pair ===<br />
<br />
Generate a key pair by typing in a terminal:<br />
<br />
$ gpg --full-gen-key<br />
<br />
{{Tip|Use the {{ic|--expert}} option for getting alternative ciphers like [[wikipedia:Elliptic_curve_cryptography|ECC]].}}<br />
<br />
The command will prompt for answers to several questions. For general use most people will want: <br />
<br />
* the RSA (sign only) and a RSA (encrypt only) key.<br />
* a keysize of the default value (2048). A larger keysize of 4096 "gives us almost nothing, while costing us quite a lot"[https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096].<br />
* an expiration date. A period of a year is good enough for the average user. This way even if access is lost to the keyring, it will allow others to know that it is no longer valid. Later, if necessary, the expiration date can be extended without having to re-issue a new key.<br />
* your name and email address. You can add multiple identities to the same key later (''e.g.'', if you have multiple email addresses you want to associate with this key).<br />
* ''no'' optional comment. Since the semantics of the comment field are [https://lists.gnupg.org/pipermail/gnupg-devel/2015-July/030150.html not well-defined], it has limited value for identification.<br />
* [[Security#Choosing_secure_passwords|a secure passphrase]].<br />
<br />
{{Note|The name and email address you enter here will be seen by anybody who imports your key.}}<br />
<br />
=== List keys ===<br />
<br />
To list keys in your public key ring:<br />
<br />
$ gpg --list-keys<br />
<br />
To list keys in your secret key ring:<br />
<br />
$ gpg --list-secret-keys<br />
<br />
=== Export your public key ===<br />
<br />
gpg's main usage is to ensure confidentiality of exchanged messages via public-key cryptography. With it each user distributes the public key of their keyring, which can be be used by others to encrypt messages to the user. The private key must ''always'' be kept private, otherwise confidentiality is broken. See [[w:Public-key cryptography]] for examples about the message exchange. <br />
<br />
So, in order for others to send encrypted messages to you, they need your public key. <br />
<br />
To generate an ASCII version of a user's public key to file {{ic|''public.key''}} (e.g. to distribute it by e-mail):<br />
<br />
$ gpg --output ''public.key'' --armor --export ''user-id''<br />
<br />
Alternatively, or in addition, you can [[#Use a keyserver]] to share your key. <br />
<br />
{{Tip|Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.}}<br />
<br />
=== Import a public key ===<br />
<br />
In order to encrypt messages to others, as well as verify their signatures, you need their public key. To import a public key with file name {{ic|''public.key''}} to your public key ring:<br />
<br />
$ gpg --import ''public.key''<br />
<br />
Alternatively, [[#Use a keyserver]] to find a public key.<br />
<br />
=== Use a keyserver ===<br />
<br />
You can register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:<br />
<br />
$ gpg --send-keys ''user-id''<br />
<br />
To find out details of a key on the keyserver, without importing it, do:<br />
<br />
$ gpg --search-keys ''user-id''<br />
<br />
To import a key from a key server:<br />
<br />
$ gpg --recv-keys ''key-id''<br />
<br />
{{Warning|<br />
* You should verify the authenticity of the retrieved public key by comparing its fingerprint with one that the owner published on an independent source(s) (e.g., contacting the person directly). See [[Wikipedia:Public key fingerprint]] for more information.<br />
* Using a short ID may encounter collisions. All keys will be imported that have the short ID. To avoid this, use the full fingerprint or long key ID when receiving a key.[https://lkml.org/lkml/2016/8/15/445]}}<br />
<br />
{{Tip|<br />
* Adding {{ic|keyserver-options auto-key-retrieve}} to {{ic|gpg.conf}} will automatically fetch keys from the key server as needed. <br />
* An alternative key server is {{ic|pool.sks-keyservers.net}} and can be specified with {{ic|keyserver}} in {{ic|dirmngr.conf}}; see also [[wikipedia:Key server (cryptographic)#Keyserver examples]].<br />
* If your network blocks ports used for hkp/hkps, you may need to specify port 80, i.e. {{ic|pool.sks-keyservers.net:80}}<br />
* You can connect to the keyserver over [[Tor]] using {{ic|--use-tor}}. See this [https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html GnuPG blog post] for more information.<br />
* You can connect to a keyserver using a proxy by setting the {{ic|http_proxy}} environment variable and setting {{ic|honor-http-proxy}} in {{ic|dirmngr.conf}}. Alternatively, set {{ic|http-proxy ''host[:port]''}} in {{ic|dirmngr.conf}}, overriding the {{ic|http_proxy}} environment variable.<br />
* If you wish to import a key ID to install a specific Arch Linux package, see [[pacman/Package signing#Managing the keyring]] and [[Makepkg#Signature checking]].}}<br />
<br />
=== Encrypt and decrypt ===<br />
<br />
==== Asymmetric ====<br />
You need to [[#Import a public key]] of a user before encrypting (options {{ic|--encrypt}} or {{ic|-e}}) a file or message to that recipient (options {{ic|--recipient}} or {{ic|-r}}). Additionally you need to [[#Create key pair]] if you have not already done so.<br />
<br />
To encrypt a file with the name ''doc'', use:<br />
<br />
$ gpg --recipient ''user-id'' --encrypt ''doc''<br />
<br />
To decrypt (option {{ic|--decrypt}} or {{ic|-d}}) a file with the name ''doc''.gpg encrypted with your public key, use:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
''gpg'' will prompt you for your passphrase and then decrypt and write the data from ''doc''.gpg to ''doc''. If you omit the {{ic|-o}} ({{ic|--output}}) option, ''gpg'' will write the decrypted data to stdout.<br />
<br />
{{Tip|<br />
* Add {{ic|--armor}} to encrypt a file using ASCII armor (suitable for copying and pasting a message in text format)<br />
* Use {{ic|-R ''user-id''}} or {{ic|--hidden-recipient ''user-id''}} instead of {{ic|-r}} to not put the recipient key IDs in the encrypted message. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis.<br />
* Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.<br />
* You can use gnupg to encrypt your sensitive documents by using your own user-id as recipient or by using the {{ic|--default-recipient-self}} flag instead; however, you can only do this one file at a time, although you can always tarball various files and then encrypt the tarball. See also [[Disk encryption#Available methods]] if you want to encrypt directories or a whole file-system.}}<br />
<br />
==== Symmetric ====<br />
Symmetric encryption does not require the generation of a key pair and can be used to simply encrypt data with a passphrase. Simply use {{ic|--symmetric}} or {{ic|-c}} to perform symmetic encryption:<br />
<br />
$ gpg -c ''doc''<br />
<br />
The following example:<br />
<br />
* Encrypts {{ic|''doc''}} with a symmetric cipher using a passphrase<br />
* Uses the AES-256 cipher algorithm to encrypt the passphrase<br />
* Uses the SHA-512 digest algorithm to mangle the passphrase<br />
* Mangles the passphrase for 65536 iterations<br />
<br />
$ gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536 ''doc''<br />
<br />
To decrypt a symmetrically encrypted {{ic|''doc''.gpg}} using a passphrase and output decrypted contents into the same directory as {{ic|''doc''}} do:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
== Key maintenance ==<br />
<br />
=== Backup your private key ===<br />
<br />
To backup your private key do the following:<br />
<br />
$ gpg --export-secret-keys --armor ''<user-id>'' > ''privkey.asc''<br />
<br />
Note that ''gpg'' release 2.1 changed default behaviour so that the above command enforces a passphrase protection, even if you deliberately chose not to use one on key creation. This is because otherwise anyone who gains access to the above exported file would be able to encrypt and sign documents as if they were you ''without'' needing to know your passphrase. <br />
<br />
{{Warning|The passphrase is usually the weakest link in protecting your secret key. Place the private key in a safe place on a different system/device, such as a locked container or encrypted drive. It is the only safety you have to regain control to your keyring in case of, for example, a drive failure, theft or worse.}}<br />
<br />
To import the backup of your private key:<br />
$ gpg --import ''privkey.asc''<br />
<br />
=== Edit your key ===<br />
<br />
Running the {{ic|gpg --edit-key ''<user-id>''}} command will present a menu which enables you to do most of your key management related tasks.<br />
<br />
Some useful commands in the edit key sub menu:<br />
> passwd # change the passphrase<br />
> clean # compact any user ID that is no longer usable (e.g revoked or expired)<br />
> revkey # revoke a key<br />
> addkey # add a subkey to this key<br />
> expire # change the key expiration time<br />
<br />
Type {{ic|help}} in the edit key sub menu for more commands.<br />
<br />
{{Tip|If you have multiple email accounts you can add each one of them as an identity, using {{ic|adduid}} command. You can then set your favourite one as {{ic|primary}}.}}<br />
<br />
=== Exporting subkey ===<br />
<br />
If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.<br />
<br />
First, find out which subkey you want to export.<br />
<br />
$ gpg -K<br />
<br />
Select only that subkey to export.<br />
<br />
$ gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg<br />
<br />
{{Warning|If you forget to add the !, all of your subkeys will be exported.}}<br />
<br />
At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder. <br />
<br />
$ gpg --homedir /tmp/gpg --import /tmp/subkey.gpg<br />
$ gpg --homedir /tmp/gpg --edit-key ''<user-id>''<br />
> passwd<br />
> save<br />
$ gpg --homedir /tmp/gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.altpass.gpg<br />
<br />
{{Note|You will get a warning that the master key was not available and the password was not changed, but that can safely be ignored as the subkey password was.}}<br />
<br />
At this point, you can now use {{ic|/tmp/subkey.altpass.gpg}} on your other devices.<br />
<br />
=== Rotating subkeys ===<br />
<br />
{{Warning|'''Never''' delete your expired or revoked subkeys unless you have a good reason. Doing so will cause you to lose the ability to decrypt files encrypted with the old subkey. Please '''only''' delete expired or revoked keys from other users to clean your keyring.}}<br />
<br />
If you have set your subkeys to expire after a set time, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.<br />
<br />
{{Tip|You do not need to create a new key simply because it is expired. You can extend the expiration date.}}<br />
<br />
Create new subkey (repeat for both signing and encrypting key)<br />
<br />
$ gpg --edit-key ''<user-id>''<br />
> addkey<br />
<br />
And answer the following questions it asks (see [[#Create key pair]] for suggested settings).<br />
<br />
Save changes<br />
<br />
> save<br />
<br />
Update it to a keyserver.<br />
<br />
$ gpg --keyserver pgp.mit.edu --send-keys ''<user-id>''<br />
<br />
{{Tip|Revoking expired subkeys is unnecessary and arguably bad form. If you are constantly revoking keys, it may cause others to lack confidence in you.}}<br />
<br />
== Signatures ==<br />
<br />
Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user's private key. The recipient of a signed document then verifies the signature using the sender's public key.<br />
<br />
=== Create a signature ===<br />
<br />
==== Sign a file ====<br />
<br />
To sign a file use the {{ic|--sign}} or {{ic|-s}} flag:<br />
<br />
$ gpg --output ''doc''.sig --sign ''doc''<br />
<br />
{{ic|''doc''.sig}} contains both the compressed content of the original file {{ic|''doc''}} and the signature in a binary format, but the file is not encrypted. However, you can combine signing with [[#Encrypt and decrypt|encrypting]].<br />
<br />
==== Clearsign a file or message ====<br />
<br />
To sign a file without compressing it into binary format use:<br />
<br />
$ gpg --output ''doc''.sig --clearsign ''doc''<br />
<br />
Here both the content of the original file {{ic|''doc''}} and the signature are stored in human-readable form in {{ic|''doc''.sig}}.<br />
<br />
==== Make a detached signature ====<br />
<br />
To create a separate signature file to be distributed separately from the document or file itself, use the {{ic|--detach-sig}} flag:<br />
<br />
$ gpg --output ''doc''.sig --detach-sig ''doc''<br />
<br />
Here the signature is stored in {{ic|''doc''.sig}}, but the contents of {{ic|''doc''}} are not stored in it. This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.<br />
<br />
=== Verify a signature ===<br />
<br />
To verify a signature use the {{ic|--verify}} flag:<br />
<br />
$ gpg --verify ''doc''.sig<br />
<br />
where {{ic|''doc''.sig}} is the signed file containing the signature you wish to verify.<br />
<br />
If you are verifying a detached signature, both the signed data file and the signature file must be present when verifying. For example, to verify Arch Linux's latest iso you would do:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig<br />
<br />
where {{ic|archlinux-''version''.iso}} must be located in the same directory.<br />
<br />
You can also specify the signed data file with a second argument:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig ''/path/to/''archlinux-''version''.iso<br />
<br />
If a file as been encrypted in addition to being signed, simply [[#Encrypt and decrypt|decrypt]] the file and its signature will also be verified.<br />
<br />
== gpg-agent ==<br />
<br />
''gpg-agent'' is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. {{Pkg|gnupg}} comes with [[systemd/User|systemd user]] sockets which are enabled by default. These sockets are {{ic|gpg-agent.socket}}, {{ic|gpg-agent-extra.socket}}, {{ic|gpg-agent-browser.socket}}, {{ic|gpg-agent-ssh.socket}}, and {{ic|dirmngr.socket}}.<br />
<br />
{{Expansion|Add {{ic|gpg-agent-browser.socket}} to the list.}}<br />
<br />
* The main {{ic|gpg-agent.socket}} is used by ''gpg'' to connect to the ''gpg-agent'' daemon.<br />
* The intended use for the {{ic|gpg-agent-extra.socket}} on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use ''gpg'' on the remote system without exposing the private keys to the remote system. See {{man|1|gpg-agent}} for details.<br />
* The {{ic|gpg-agent-ssh.socket}} can be used by [[SSH]] to cache [[SSH keys]] added by the ''ssh-add'' program. See [[#SSH agent]] for the necessary configuration.<br />
* The {{ic|dirmngr.socket}} starts a GnuPG daemon handling connections to keyservers.<br />
<br />
{{Note|If you use non-default GnuPG [[#Directory location]], you will need to [[edit]] all socket files to use the path in the socket directory that {{ic|gpgconf --create-socketdir}} creates.}}<br />
<br />
=== Configuration ===<br />
<br />
gpg-agent can be configured via {{ic|~/.gnupg/gpg-agent.conf}} file. The configuration options are listed in {{man|1|gpg-agent}}. For example you can change cache ttl for unused keys:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl 3600<br />
}}<br />
<br />
{{Tip|To cache your passphrase for the whole session, please run the following command:<br />
$ /usr/lib/gnupg/gpg-preset-passphrase --preset XXXXXX<br />
<br />
where XXXX is the keygrip. You can get its value when running {{ic|gpg --with-keygrip -K}}. Passphrase will be stored until {{ic|gpg-agent}} is restarted. If you set up {{ic|default-cache-ttl}} value, it will take precedence.<br />
}}<br />
<br />
=== Reload the agent ===<br />
<br />
After changing the configuration, reload the agent using ''gpg-connect-agent'':<br />
<br />
$ gpg-connect-agent reloadagent /bye<br />
<br />
The command should print {{ic|OK}}.<br />
<br />
However in some cases only the restart may not be sufficient, like when {{ic|keep-screen}} has been added to the agent configuration.<br />
In this case you firstly need to kill the ongoing gpg-agent process and then you can restart it as was explained above.<br />
<br />
=== pinentry ===<br />
<br />
Finally, the agent needs to know how to ask the user for the password. This can be set in the gpg-agent configuration file.<br />
<br />
The default uses a gtk dialog. There are other options - see {{ic|info pinentry}}. To change the dialog implementation set {{ic|pinentry-program}} configuration option:<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
<br />
# PIN entry program<br />
# pinentry-program /usr/bin/pinentry-curses<br />
# pinentry-program /usr/bin/pinentry-qt<br />
# pinentry-program /usr/bin/pinentry-kwallet<br />
<br />
pinentry-program /usr/bin/pinentry-gtk-2<br />
}}<br />
<br />
{{Tip|For using {{ic|/usr/bin/pinentry-kwallet}} you have to install the {{AUR|kwalletcli}} package.}}<br />
<br />
After making this change, reload the gpg-agent.<br />
<br />
=== Unattended passphrase ===<br />
<br />
Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the {{ic|--passphrase-fd 0}} commandline option. In order to have the same type of functionality as the older releases two things must be done:<br />
<br />
First, edit the gpg-agent configuration to allow ''loopback'' pinentry mode:<br />
<br />
{{hc|1=~/.gnupg/gpg-agent.conf|2=<br />
allow-loopback-pinentry<br />
}}<br />
<br />
Restart the gpg-agent process if it is running to let the change take effect.<br />
<br />
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:<br />
<br />
$ gpg --pinentry-mode loopback ...<br />
<br />
...or if this is not possible, add the option to the configuration:<br />
<br />
{{hc|1=~/.gnupg/gpg.conf|2=<br />
pinentry-mode loopback<br />
}}<br />
<br />
{{Note|The upstream author indicates setting {{ic|pinentry-mode loopback}} in {{ic|gpg.conf}} may break other usage, using the commandline option should be preferred if at all possible. [https://bugs.g10code.com/gnupg/issue1772]}}<br />
<br />
=== SSH agent ===<br />
<br />
''gpg-agent'' has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your [[SSH keys]]. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.<br />
<br />
To start using GnuPG agent for your SSH keys, enable SSH support in the {{ic|~/.gnupg/gpg-agent.conf}} file:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
enable-ssh-support<br />
}}<br />
<br />
Then set {{ic|SSH_AUTH_SOCK}} so that SSH will use ''gpg-agent'' instead of ''ssh-agent''. To make sure each process can find your ''gpg-agent'' instance regardless of e.g. the type of shell it is child of use [[Environment_variables#Using_pam_env|pam_env]].<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
}}<br />
<br />
Alternatively, depend on Bash:<br />
<br />
{{hc|~/.bashrc|<nowiki><br />
# Set SSH to use gpg-agent<br />
unset SSH_AGENT_PID<br />
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then<br />
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"<br />
fi<br />
</nowiki>}}<br />
<br />
{{Note|1=<nowiki></nowiki><br />
* If you use non-default GnuPG [[#Directory location]], run {{ic|gpgconf --create-socketdir}} to create a socket directory under {{ic|/run/user/$UID/gnupg/}}. Otherwise the socket will be placed in the GnuPG home directory.<br />
* The test involving the {{ic|gnupg_SSH_AUTH_SOCK_by}} variable is for the case where the agent is started as {{ic|gpg-agent --daemon /bin/sh}}, in which case the shell inherits the {{ic|SSH_AUTH_SOCK}} variable from the parent, ''gpg-agent'' [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/gpg-agent.c;hb=7bca3be65e510eda40572327b87922834ebe07eb#l1307].<br />
}}<br />
<br />
Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in {{man|1|gpg-agent}}. For example:<br />
<br />
{{hc|~/.bashrc|<nowiki><br />
# Set GPG TTY<br />
export GPG_TTY=$(tty)<br />
<br />
# Refresh gpg-agent tty in case user switches into an X session<br />
gpg-connect-agent updatestartuptty /bye >/dev/null<br />
</nowiki>}}<br />
<br />
Once ''gpg-agent'' is running you can use ''ssh-add'' to approve keys, following the same steps as for [[SSH keys#ssh-agent|ssh-agent]]. The list of approved keys is stored in the {{ic|~/.gnupg/sshcontrol}} file. Once your key is approved, you will get a ''pinentry'' dialog every time your passphrase is needed. You can control passphrase caching in the {{ic|~/.gnupg/gpg-agent.conf}} file. The following example would have ''gpg-agent'' cache your keys for 3 hours:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl-ssh 10800<br />
max-cache-ttl-ssh 10800<br />
}}<br />
<br />
== Smartcards ==<br />
<br />
GnuPG uses ''scdaemon'' as an interface to your smartcard reader, please refer to the [[man page]] for details.<br />
<br />
=== GnuPG only setups ===<br />
<br />
{{Note| To allow scdaemon direct access to USB smarcard readers the optional dependency {{Pkg|libusb-compat}} have to be installed}}<br />
<br />
If you do not plan to use other cards but those based on GnuPG, you should check the {{Ic|reader-port}} parameter in {{ic|~/.gnupg/scdaemon.conf}}. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.<br />
<br />
=== GnuPG with pcscd (PCSC Lite) ===<br />
<br />
{{Note|{{Pkg|pcsclite}} and {{Pkg|ccid}} have to be installed, and the contained [[systemd#Using units|systemd]] service {{ic|pcscd.service}} has to be running, or the socket {{ic|pcscd.socket}} has to be listening.}}<br />
<br />
pcscd is a daemon which handles access to smartcard (SCard API). If GnuPG's scdaemon fails to connect the smartcard directly (e.g. by using its integrated CCID support), it will fallback and try to find a smartcard using the PCSC Lite driver.<br />
<br />
==== Always use pcscd ====<br />
<br />
If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using {{Ic|gpg --card-status}}<br />
<br />
gpg: selecting openpgp failed: ec=6.108<br />
<br />
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove {{Ic|reader-port}} from {{ic|~/.gnupg/scdaemon.conf}}, specify the location to {{ic|libpcsclite.so}} library and disable ccid so we make sure that we use pcscd:<br />
<br />
{{hc|~/.gnupg/scdaemon.conf|<nowiki><br />
pcsc-driver /usr/lib/libpcsclite.so<br />
card-timeout 5<br />
disable-ccid<br />
</nowiki>}}<br />
<br />
Please check {{man|1|scdaemon}} if you do not use OpenSC.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Different algorithm ===<br />
<br />
You may want to use stronger algorithms:<br />
<br />
{{hc|~/.gnupg/gpg.conf|<br />
...<br />
<br />
personal-digest-preferences SHA512<br />
cert-digest-algo SHA512<br />
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br />
personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES<br />
}}<br />
<br />
In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.<br />
<br />
=== Encrypt a password ===<br />
<br />
It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.<br />
<br />
First create a file with your password. You '''need''' to leave '''one''' empty line after the password, otherwise gpg will return an error message when evaluating the file.<br />
<br />
Then run:<br />
<br />
$ gpg -e -a -r ''<user-id>'' ''your_password_file''<br />
<br />
{{ic|-e}} is for encrypt, {{ic|-a}} for armor (ASCII output), {{ic|-r}} for recipient user ID.<br />
<br />
You will be left with a new {{ic|''your_password_file''.asc}} file.<br />
<br />
{{Tip|[[pass]] automates this process.}}<br />
<br />
=== Revoking a key ===<br />
<br />
{{Warning|<br />
*Anybody having access to your revocation certificate can revoke your key, rendering it useless.<br />
*Key revocation should only be performed if your key is compromised or lost, or you forget your passphrase.}}<br />
<br />
Revocation certificates are automatically generated for newly generated keys, although one can be generated manually by the user later. These are located at {{ic|~/.gnupg/openpgp-revocs.d/}}. The filename of the certificate is the fingerprint of the key it will revoke.<br />
<br />
To revoke your key, simply import the revocation certificate:<br />
<br />
$ gpg --import ''<fingerprint>''.rev<br />
<br />
Now update the keyserver:<br />
<br />
$ gpg --keyserver subkeys.pgp.net --send-keys ''<userid>''<br />
<br />
=== Change trust model ===<br />
<br />
By default GnuPG uses the [[Wikipedia::Web of Trust|Web of Trust]] as the trust model. You can change this to [[Wikipedia::Trust on first use|Trust on first use]] by adding {{ic|1=--trust-model=tofu}} when adding a key or adding this option to your GnuPG configuration file. More details are in [https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html this email to the GnuPG list].<br />
<br />
=== Hide all recipient id's ===<br />
<br />
By default the recipient's key ID is in the encrypted message. This can be removed at encryption time for a recipient by using {{ic|hidden-recipient ''<user-id>''}}. To remove it for all recipients add {{ic|throw-keyids}} to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (''e.g.'' with {{ic|--try-secret-key ''<user-id>''}}).<br />
<br />
=== Using caff for keysigning parties ===<br />
<br />
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the [[Wikipedia::Web of Trust|Web of Trust]]. Keysigning parties allow users to get together at a physical location to validate keys. The [[Wikipedia:Zimmermann–Sassaman key-signing protocol|Zimmermann-Sassaman]] key-signing protocol is a way of making these very effective. [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html Here] you will find a how-to article.<br />
<br />
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool ''caff''. It can be installed from the AUR with the package {{AUR|caff-svn}}.<br />
<br />
To send the signatures to their owners you need a working [[Wikipedia:Message transfer agent|MTA]]. If you do not have already one, install [[msmtp]].<br />
<br />
=== Always show long ID's and fingerprints ===<br />
<br />
To always show long key ID's add {{ic|keyid-format 0xlong}} to your configuration file. To always show full fingerprints of keys, add {{ic|with-fingerprint}} to your configuration file.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Not enough random bytes available ===<br />
When generating a key, gpg can run into this error:<br />
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!<br />
To check the available entropy, check the kernel parameters:<br />
cat /proc/sys/kernel/random/entropy_avail<br />
A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy. <br />
<br />
To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki - all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see [[Random number generation#Alternatives]].<br />
<br />
=== su ===<br />
<br />
When using {{Ic|pinentry}}, you must have the proper permissions of the terminal device (e.g. {{Ic|/dev/tty1}}) in use. However, with ''su'' (or ''sudo''), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg:<br />
<br />
# chown root /dev/ttyN # where N is the current tty<br />
<br />
and then change it back after using gpg the first time. The equivalent is likely to be true with {{Ic|/dev/pts/}}.<br />
<br />
{{Note|The owner of tty ''must'' match with the user for which pinentry is running. Being part of the group {{Ic|tty}} '''is not''' enough.}}<br />
<br />
{{Tip|If you run gpg with {{ic|script}} it will use a new tty with the correct ownership:<br />
<br />
# script -q -c "gpg --gen-key" /dev/null<br />
}}<br />
<br />
=== Agent complains end of file ===<br />
<br />
The default pinentry program is pinentry-gtk-2, which needs a DBus session bus to run properly. See [[General troubleshooting#Session permissions]] for details.<br />
<br />
Alternatively, you can use {{ic|pinentry-qt}}. See [[#pinentry]].<br />
<br />
=== KGpg configuration permissions ===<br />
<br />
There have been issues with {{Pkg|kgpg}} being able to access the {{ic|~/.gnupg/}} options. One issue might be a result of a deprecated ''options'' file, see the [https://bugs.kde.org/show_bug.cgi?id=290221 bug] report.<br />
<br />
=== GNOME on Wayland overrides SSH agent socket ===<br />
<br />
For Wayland sessions, {{Ic|gnome-session}} sets {{Ic|SSH_AUTH_SOCK}} to the standard gnome-keyring socket, {{Ic|$XDG_RUNTIME_DIR/keyring/ssh}}. This overrides any value set in {{Ic|~/.pam_environmment}} or systemd unit files.<br />
<br />
To disable this behavior, set the {{Ic|GSM_SKIP_AGENT_WORKAROUND}} variable:<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
GSM_SKIP_SSH_AGENT_WORKAROUND DEFAULT="true"<br />
}}<br />
<br />
=== mutt and gpg ===<br />
<br />
To be asked for your GnuPG password only once per session, see [https://bbs.archlinux.org/viewtopic.php?pid=1490821#p1490821 this forum thread].<br />
<br />
=== "Lost" keys, upgrading to gnupg version 2.1 ===<br />
<br />
When {{ic|gpg --list-keys}} fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.<br />
<br />
Please read [http://jo-ke.name/wp/?p=111 GnuPG invalid packet workaround]. Basically, it says that there is a bug with keys in the old {{ic|pubring.gpg}} and {{ic|secring.gpg}} files, which have now been superseded by the new {{ic|pubring.kbx}} file and the {{ic|private-keys-v1.d/}} subdirectory and files. Your missing keys can be recovered with the following commnads:<br />
<br />
$ cd<br />
$ cp -r .gnupg gnupgOLD<br />
$ gpg --export-ownertrust > otrust.txt<br />
$ gpg --import .gnupg/pubring.gpg<br />
$ gpg --import-ownertrust otrust.txt<br />
$ gpg --list-keys<br />
<br />
=== gpg hanged for all keyservers (when trying to receive keys) ===<br />
<br />
If gpg hanged with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working, otherwise it might keeping hanging for all of them.<br />
<br />
=== Smartcard not detected ===<br />
<br />
Your user might not have the permission to access the smartcard which results in a {{ic|card error}} to be thrown, even though the card is correctly set up and inserted.<br />
<br />
One possible solution is to add a new group {{ic|scard}} including the users who need access to the smartcard.<br />
<br />
Then use an [[Udev#Writing_udev_rules|udev]] rule, similar to the following:<br />
{{hc|/etc/udev/rules.d/71-gnupg-ccid.rules|<nowiki><br />
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"<br />
</nowiki>}}<br />
One needs to adapt VENDOR and MODEL according to the {{ic|lsusb}} output, the above example is for a YubikeyNEO.<br />
<br />
=== gpg: WARNING: server 'gpg-agent' is older than us (x < y) ===<br />
<br />
This warning appears if {{ic|gnupg}} is upgraded and the old gpg-agent is still running. [[Restart]] the ''user'''s {{ic|gpg-agent.socket}} (i.e., use the {{ic|--user}} flag when restarting).<br />
<br />
=== gpg: ..., IPC connect call failed ===<br />
<br />
{{Accuracy|The {{ic|gpg-agent*.socket}} systemd sockets provided by the {{Pkg|gnupg}} package create the sockets in {{ic|/run/user/$UID/gnupg/}} which is guaranteed to be an appropriate file system.}}<br />
<br />
Make sure {{ic|gpg-agent}} and {{ic|dirmngr}} are not running with {{ic|killall gpg-agent dirmngr}} and the {{ic|$GNUPGHOME/crls.d/}} folder has permission set to {{ic|700}}.<br />
<br />
If your keyring is stored on a vFat filesystem (e.g. a USB drive), {{ic|gpg-agent}} will fail to create the required sockets (vFat does not support sockets), you can create redirects to a location that handles sockets, e.g. {{ic|/dev/shm}}:<br />
<br />
# export GNUPGHOME=/custom/gpg/home<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > $GNUPGHOME/S.gpg-agent<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.browser\n' > $GNUPGHOME/S.gpg-agent.browser<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.extra\n' > $GNUPGHOME/S.gpg-agent.extra<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.ssh\n' > $GNUPGHOME/S.gpg-agent.ssh<br />
<br />
Test that gpg-agent starts successfully with {{ic|gpg-agent --daemon}}.<br />
<br />
=== Error: [key] could not be locally signed or gpg: No default secret key: No public key ===<br />
<br />
{{Move|Yubikey#Troubleshooting|There is a dedicated page for yubikey problems.}}<br />
<br />
Occurs when attempting to sign keys on a non-standard keyring while a yubikey is plugged in, e.g. as [[Pacman/Package_signing|Pacman]] does in {{ic|pacman-key --populate archlinux}}. The solution is to remove the offending yubikey and start over.<br />
<br />
== See also ==<br />
<br />
* [https://gnupg.org/ GNU Privacy Guard Homepage]<br />
* [https://tools.ietf.org/html/rfc4880 RFC4880 "OpenPGP Message Format"]<br />
* [https://fedoraproject.org/wiki/Creating_GPG_Keys Creating GPG Keys (Fedora)]<br />
* [https://wiki.debian.org/Subkeys OpenPGP subkeys in Debian]<br />
* [https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/ A more comprehensive gpg Tutorial]<br />
* [https://help.riseup.net/en/security/message-security/openpgp/gpg-best-practices gpg.conf recommendations and best practices]<br />
* [https://github.com/ioerror/torbirdy/blob/master/gpg.conf Torbirdy gpg.conf]<br />
* [https://www.reddit.com/r/GPGpractice/ /r/GPGpractice - a subreddit to practice using GnuPG.]<br />
* [https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md Protecting code integrity with PGP]</div>Ahstrohttps://wiki.archlinux.org/index.php?title=Comparison_of_tiling_window_managers&diff=465655Comparison of tiling window managers2017-01-17T16:07:30Z<p>Ahstro: Changed dswm's maintenance to "Abandoned"</p>
<hr />
<div>[[Category:Tiling WMs]]<br />
[[ja:タイル型ウィンドウマネージャの比較]]<br />
[[ru:Comparison of tiling window managers]]<br />
This article provides an unbiased comparison of the most popular ''tiling'' [[window manager]]s (as opposed to ''floating'' window managers).<br />
<br />
== Comparison table ==<br />
The following table lists the most popular tiling window managers alongside notable features, providing readers with a quick overview.<br />
<br />
{| class="wikitable sortable"<br />
|+ Comparison of tiling window managers<br />
! scope="col" | Window Manager<br />
! scope="col" | Written in<br />
! scope="col" | Configured with<br />
! scope="col" | Management style<br />
! scope="col" | System tray support<br />
! scope="col" | On-the-fly reload<br />
! scope="col" class="unsortable" | Information bars<br />
! scope="col" | Compositing<br />
! scope="col" class="unsortable" | Default layouts<br />
! scope="col" class="unsortable" | Pixel usage<br />
! scope="col" class="unsortable" | External control<br />
! scope="col" | Library<br />
! scope="col" class="unsortable" | Multiple (n) monitor behavior<br />
! scope="col" | ICCCM/EWMH compliant<br />
! scope="col" | Maintenance<br />
|-<br />
! [[alopex]]<br />
| C || C (recompile) || Hybrid || None || No || Built-in; call script/program as first argument || external || max, h-stack, v-stack, h-tab || Variable borders; titles in-statusbar || || Xlib || six tags, two views available by default || || Active<br />
|-<br />
! [[Awesome]]<br />
| C || Lua || Dynamic || Built-in || Yes || Built-in, images and text || external || max, nh-stack (and invert), nv-stack (and invert), free || variable borders, optional h-tab titles || dbus (if enabled) || XCB || n-tags (workspaces). Per default 9 are enabled. [https://awesome.naquadah.org/images/6mon.medium.png Example] || Yes || Active<br />
|-<br />
! [[bspwm]]<br />
| C || Anything || Hybrid || None || Yes || Can write internal state to a FIFO || External || v-split, h-split || Variable borders || via {{ic|bspc}} || XCB || Monitors hold Desktops || Yes || Active<br />
|-<br />
! [[catwm]]<br />
| C || C (recompile) || Dynamic || None || No || None || No || v-stack, max || 1-pix borders || || Xlib || || || Abandoned<br />
|-<br />
! dswm<br />
| Lisp || Lisp || Manual || None || Yes || Yes || No || || || || || || || Abandoned<br />
|-<br />
! [[dwm]]<br />
| C || C (recompile) || Dynamic || Optional Patch || [[Dwm#Restart dwm without logging out or closing programs|Optional]] || Built-in, reads from root window name || external || v-stack, max || || || Xlib || n regions, 9 workspaces fixed to each region || || Active<br />
|-<br />
! [[echinus]]<br />
| C || Text || Dynamic || None || Yes || {{AUR|ourico}} || external || v-stack, b-stack, max || Variable borders & optional titles || || Xlib || || Yes || Unknown<br />
|-<br />
! euclid-wm<br />
| C || Text || Hybrid || None || Yes || External ([[dzen]]) || || rows, columns || 1-pix borders || || Xlib || || || Dormant<br />
|-<br />
! [[FrankenWM]]<br />
| C || C (recompile) || Dynamic || None || No || No, outputs information to stdout, which can easily be parsed and displayed by an external monitor or panel (dzen2, conky, etc) || external || v-stack (and invert), h-stack (and invert), dual-v/h-stack, grid, fibonacci (vh-stack), rows, columns, max, free || Variable borders || || XCB || || || Active<br />
|-<br />
! [[herbstluftwm]]<br />
| C || Text || Manual || None || Yes || || || rows, columns || 1-pix borders || commands via herbstclient || Xlib and Glib || n regions, 9 workspaces visible in any region || || Active<br />
|-<br />
! [[i3]] <br />
| C || Text || Dynamic || i3bar || Yes (Layout is preserved) || text piped to i3bar ({{Ic|i3status}}/{{Ic|conky}} and others can be used) || external || tree, v-split, h-split, stacked, tabbed, max, can be nested infinitely || none, 1-pix or 2-pix, optional titlebars, can hide edge borders || commands via ipc (or i3-msg, which uses ipc) || XCB || n regions || Yes || Active<br />
|-<br />
! [[Ion3]] <br />
| C || Lua || Manual || trayion || Yes || configurable || ? || h-tab, max || || || || || || Abandoned<br />
|-<br />
! [[monsterwm]]<br />
| C || C (recompile) || Dynamic || None || Optional, but windows are lost || No, outputs information to stdout, which can easily be parsed and displayed by an external monitor or panel ({{ic|dzen2}}, {{ic|conky}}, etc) || external || h-stack, v-stack, grid, max || || supports {{ic|_NET_ACTIVE_WINDOW}}, so external control can be supplied by {{ic|xdotool}} and similar tools || [[Monsterwm#Installation|Xlib primary and XCB fork]]{{Broken section link}} || n workspaces per monitor || || Unknown<br />
|-<br />
! [[Musca]]<br />
| C || Text, own command set, C(recompile) || Manual || None || No, but allows running of musca commands on the fly || None || No || h-split, v-split, max || || commands, hooks || Xlib || || || Abandoned<br />
|-<br />
! [[Notion]] <br />
| C, Lua || Lua, compatible with Ion3 configs || Manual || trayion, stalonetray || Yes || configurable || ? || h-tab, max || Configurable borders and titlebars/tabs || EWMH, arbitrary Lua scripts which have access to the rich internal API || Xlib || n workspaces on each monitor. Supports on-the-fly changes in topology || || Active<br />
|-<br />
! [[qtile]] <br />
| Python || Python || Dynamic || Yes || Yes || Yes || external || tree, v-split, h-split, stacked, tabbed, max || No borders, although customizable || Hooks, Server mode || XCB || || || Active<br />
|-<br />
! [[Ratpoison]]<br />
| C || Text || Manual || None || Yes || Yes || external || max || || || || || No || Active<br />
|-<br />
! [[Snapwm]]<br />
| C || Reloadable Text || Dynamic || None || Yes || Built-in, reads from root window name || External || nVertical, Fullscreen, nHorizontal, Grid, Center Stacking || variable borders, no titles || || Xlib || Number of desktops distributed evenly between monitors || || Active<br />
|-<br />
! [[Spectrwm]]<br />
| C || Text || Dynamic || None || Yes || Built-in, reads from user script || No || nv-stack, nh-stack, max || 1-pix borders, no titles || || XCB || n regions, 10 workspaces visible in any region || Yes || Active<br />
|-<br />
! [[Stumpwm]]<br />
| Lisp || Lisp || Manual || None || Yes || Yes || No || || || || || || No || Active<br />
|-<br />
! [[sway]] <br />
| C || Text (i3 compatible) || Dynamic || swaybar || Yes (Layout is preserved) || text piped to swaybar ({{Ic|i3status}}/{{Ic|conky}} and others can be used) || yes || tree, v-split, h-split, stacked, tabbed, max, can be nested infinitely || none, 1-pix or 2-pix, optional titlebars, can hide edge borders || commands via ipc (or swaymsg, which uses ipc) || wlc (wayland) || n regions || No || Active<br />
|-<br />
! [[subtle]]<br />
| C || Ruby || Manual || Built-in || Yes || Built-in (Ruby), external can be used as well || external || Variable grid || Variable borders, no titles || Hooks (Ruby), subtler (CLI), subtlext (Ruby extension) || Xlib || One workspace (view) per monitor (screen), placement on views via tags and per runtime || Yes || Active<br />
|-<br />
! [[Wingo]]<br />
| Go || Text || Dynamic || None || Yes || No || external || floating, nv-stack, nh-stack, max || title bars in floating, skinny borders in tiling || via [https://github.com/BurntSushi/wingo/blob/master/HOWTO-COMMANDS wingo-cmd] or UNIX sockets in any programming language || [https://github.com/BurntSushi/xgb X Go Binding] || n regions, workspaces visible in any region || Yes || Active<br />
|-<br />
! [[WMFS]]<br />
| C || Text || Dynamic || Built-in || Yes || Built-in, set with command, color text, images || external || nh-stack (and invert), nv-stack (and invert), mirror-v, mirror-h, grid, free, max || variable borders, titles or no titles || commands || Xlib || Up to 36 tags(workspaces) per screen || Yes || Active<br />
|-<br />
! [[wmii]]<br />
| C || Anything || Manual || witray || Yes || Built-in || external || columns, max, v-tab || titles || [http://9p.cat-v.org 9P filesystem] || || one big region || Yes || Active<br />
|-<br />
! [[xmonad]]<br />
| Haskell || Haskell || Dynamic || None || Yes || No || Yes, with xmonad-contrib and an external manager || nv-stack, nh-stack, max || variable borders, no titles || via [http://xmonad.org/xmonad-docs/xmonad-contrib/XMonad-Hooks-ServerMode.html XMonad-Hooks-ServerMode] || Xlib || n regions, 9 workspaces visible in any region || Yes / ? || Active<br />
|-<br />
|-class="sortbottom"<br />
! Window Manager !! Written in !! Configured with !! Management style !! System tray support !! On-the-fly reload !! Information bars !! Compositing !! Default layouts !! Pixel usage || External control !! Library !! Multiple (n) monitor behavior !! ICCCM/EWMH compliant !! Maintenance<br />
|}<br />
<br />
{{Tip|External control can also be achieved by programs like {{Pkg|xdotool}} which simulate keystrokes.}}<br />
<br />
=== Management style ===<br />
Dynamic management emphasizes automatic management of window layouts for speed and simplicity. Manual management emphasizes manual adjustment of layout and sizing with potentially more precise control, at the cost of more time spent moving and sizing windows.<br />
<br />
=== Layouts ===<br />
A number of common layout types appear in several tiling WMs, although the terminology varies somewhat.<br />
* max: one window shown fullscreen (with or without a status bar, title and borders). Aka: monocle (dwm, monsterwm).<br />
* h-stack: master area in top half, other windows stack up horizontally in the bottom half. The master area may be resizable. May be inverted top-bottom (wmfs). Aka: bottom stack (dwm), bstack(monsterwm).<br />
* v-stack: master area in left half, other windows stack up vertically in the right half. The master area may be resizable. May be inverted left-right (wmfs). Aka: tile (dwm, monsterwm).<br />
* nh-stack: h-stack allowing >=1 windows in master area. Aka: nbstack (dwm)<br />
* nv-stack: v-stack allowing >=1 windows in master area. Aka: ntile (dwm)<br />
* mirror-h: nh-stack with stacks above and below the master area<br />
* mirror-v: nv-stack with stacks to the left and right of the master area<br />
* h-tab: one window shown fullscreen with all window titles shown horizontally (like browser tabs)<br />
* v-tab: one window shown fullscreen with all window titles shown vertically. Aka: stack (wmii).<br />
* h-split: a keybinding splits the current window horizontally creating space for another<br />
* v-split: a keybinding splits the current window vertically creating space for another<br />
* columns: manual layout style which treats windows as belonging to vertical columns<br />
* rows: manual layout style which treats windows as belonging to horizontal rows<br />
* grid: window positions and sizes based on a regular NxM grid. May be automatic (like wmfs, monsterwm) or manual (like Subtle).<br />
<br />
=== Key bindings ===<br />
Tiling window managers are usually designed to be used entirely with the keyboard or with keyboard & mouse. This is for speed (reaching for and moving a mouse is slow) and ease of use. Sensible key bindings are crucial to making workflow fast and efficient. Some default sets are better than others, but generally the keys can be rebound as desired by the user.<br />
<br />
== External links ==<br />
* [http://sawfish.wikia.com/wiki/Comparison_of_extensible_window_managers Comparison of extensible window managers] compares WMs "extensible" by scripting, like Xmonad and Sawfish.</div>Ahstrohttps://wiki.archlinux.org/index.php?title=Comparison_of_tiling_window_managers&diff=465654Comparison of tiling window managers2017-01-17T16:06:16Z<p>Ahstro: Capitalize "active" in two entries</p>
<hr />
<div>[[Category:Tiling WMs]]<br />
[[ja:タイル型ウィンドウマネージャの比較]]<br />
[[ru:Comparison of tiling window managers]]<br />
This article provides an unbiased comparison of the most popular ''tiling'' [[window manager]]s (as opposed to ''floating'' window managers).<br />
<br />
== Comparison table ==<br />
The following table lists the most popular tiling window managers alongside notable features, providing readers with a quick overview.<br />
<br />
{| class="wikitable sortable"<br />
|+ Comparison of tiling window managers<br />
! scope="col" | Window Manager<br />
! scope="col" | Written in<br />
! scope="col" | Configured with<br />
! scope="col" | Management style<br />
! scope="col" | System tray support<br />
! scope="col" | On-the-fly reload<br />
! scope="col" class="unsortable" | Information bars<br />
! scope="col" | Compositing<br />
! scope="col" class="unsortable" | Default layouts<br />
! scope="col" class="unsortable" | Pixel usage<br />
! scope="col" class="unsortable" | External control<br />
! scope="col" | Library<br />
! scope="col" class="unsortable" | Multiple (n) monitor behavior<br />
! scope="col" | ICCCM/EWMH compliant<br />
! scope="col" | Maintenance<br />
|-<br />
! [[alopex]]<br />
| C || C (recompile) || Hybrid || None || No || Built-in; call script/program as first argument || external || max, h-stack, v-stack, h-tab || Variable borders; titles in-statusbar || || Xlib || six tags, two views available by default || || Active<br />
|-<br />
! [[Awesome]]<br />
| C || Lua || Dynamic || Built-in || Yes || Built-in, images and text || external || max, nh-stack (and invert), nv-stack (and invert), free || variable borders, optional h-tab titles || dbus (if enabled) || XCB || n-tags (workspaces). Per default 9 are enabled. [https://awesome.naquadah.org/images/6mon.medium.png Example] || Yes || Active<br />
|-<br />
! [[bspwm]]<br />
| C || Anything || Hybrid || None || Yes || Can write internal state to a FIFO || External || v-split, h-split || Variable borders || via {{ic|bspc}} || XCB || Monitors hold Desktops || Yes || Active<br />
|-<br />
! [[catwm]]<br />
| C || C (recompile) || Dynamic || None || No || None || No || v-stack, max || 1-pix borders || || Xlib || || || Abandoned<br />
|-<br />
! dswm<br />
| Lisp || Lisp || Manual || None || Yes || Yes || No || || || || || || || Active<br />
|-<br />
! [[dwm]]<br />
| C || C (recompile) || Dynamic || Optional Patch || [[Dwm#Restart dwm without logging out or closing programs|Optional]] || Built-in, reads from root window name || external || v-stack, max || || || Xlib || n regions, 9 workspaces fixed to each region || || Active<br />
|-<br />
! [[echinus]]<br />
| C || Text || Dynamic || None || Yes || {{AUR|ourico}} || external || v-stack, b-stack, max || Variable borders & optional titles || || Xlib || || Yes || Unknown<br />
|-<br />
! euclid-wm<br />
| C || Text || Hybrid || None || Yes || External ([[dzen]]) || || rows, columns || 1-pix borders || || Xlib || || || Dormant<br />
|-<br />
! [[FrankenWM]]<br />
| C || C (recompile) || Dynamic || None || No || No, outputs information to stdout, which can easily be parsed and displayed by an external monitor or panel (dzen2, conky, etc) || external || v-stack (and invert), h-stack (and invert), dual-v/h-stack, grid, fibonacci (vh-stack), rows, columns, max, free || Variable borders || || XCB || || || Active<br />
|-<br />
! [[herbstluftwm]]<br />
| C || Text || Manual || None || Yes || || || rows, columns || 1-pix borders || commands via herbstclient || Xlib and Glib || n regions, 9 workspaces visible in any region || || Active<br />
|-<br />
! [[i3]] <br />
| C || Text || Dynamic || i3bar || Yes (Layout is preserved) || text piped to i3bar ({{Ic|i3status}}/{{Ic|conky}} and others can be used) || external || tree, v-split, h-split, stacked, tabbed, max, can be nested infinitely || none, 1-pix or 2-pix, optional titlebars, can hide edge borders || commands via ipc (or i3-msg, which uses ipc) || XCB || n regions || Yes || Active<br />
|-<br />
! [[Ion3]] <br />
| C || Lua || Manual || trayion || Yes || configurable || ? || h-tab, max || || || || || || Abandoned<br />
|-<br />
! [[monsterwm]]<br />
| C || C (recompile) || Dynamic || None || Optional, but windows are lost || No, outputs information to stdout, which can easily be parsed and displayed by an external monitor or panel ({{ic|dzen2}}, {{ic|conky}}, etc) || external || h-stack, v-stack, grid, max || || supports {{ic|_NET_ACTIVE_WINDOW}}, so external control can be supplied by {{ic|xdotool}} and similar tools || [[Monsterwm#Installation|Xlib primary and XCB fork]]{{Broken section link}} || n workspaces per monitor || || Unknown<br />
|-<br />
! [[Musca]]<br />
| C || Text, own command set, C(recompile) || Manual || None || No, but allows running of musca commands on the fly || None || No || h-split, v-split, max || || commands, hooks || Xlib || || || Abandoned<br />
|-<br />
! [[Notion]] <br />
| C, Lua || Lua, compatible with Ion3 configs || Manual || trayion, stalonetray || Yes || configurable || ? || h-tab, max || Configurable borders and titlebars/tabs || EWMH, arbitrary Lua scripts which have access to the rich internal API || Xlib || n workspaces on each monitor. Supports on-the-fly changes in topology || || Active<br />
|-<br />
! [[qtile]] <br />
| Python || Python || Dynamic || Yes || Yes || Yes || external || tree, v-split, h-split, stacked, tabbed, max || No borders, although customizable || Hooks, Server mode || XCB || || || Active<br />
|-<br />
! [[Ratpoison]]<br />
| C || Text || Manual || None || Yes || Yes || external || max || || || || || No || Active<br />
|-<br />
! [[Snapwm]]<br />
| C || Reloadable Text || Dynamic || None || Yes || Built-in, reads from root window name || External || nVertical, Fullscreen, nHorizontal, Grid, Center Stacking || variable borders, no titles || || Xlib || Number of desktops distributed evenly between monitors || || Active<br />
|-<br />
! [[Spectrwm]]<br />
| C || Text || Dynamic || None || Yes || Built-in, reads from user script || No || nv-stack, nh-stack, max || 1-pix borders, no titles || || XCB || n regions, 10 workspaces visible in any region || Yes || Active<br />
|-<br />
! [[Stumpwm]]<br />
| Lisp || Lisp || Manual || None || Yes || Yes || No || || || || || || No || Active<br />
|-<br />
! [[sway]] <br />
| C || Text (i3 compatible) || Dynamic || swaybar || Yes (Layout is preserved) || text piped to swaybar ({{Ic|i3status}}/{{Ic|conky}} and others can be used) || yes || tree, v-split, h-split, stacked, tabbed, max, can be nested infinitely || none, 1-pix or 2-pix, optional titlebars, can hide edge borders || commands via ipc (or swaymsg, which uses ipc) || wlc (wayland) || n regions || No || Active<br />
|-<br />
! [[subtle]]<br />
| C || Ruby || Manual || Built-in || Yes || Built-in (Ruby), external can be used as well || external || Variable grid || Variable borders, no titles || Hooks (Ruby), subtler (CLI), subtlext (Ruby extension) || Xlib || One workspace (view) per monitor (screen), placement on views via tags and per runtime || Yes || Active<br />
|-<br />
! [[Wingo]]<br />
| Go || Text || Dynamic || None || Yes || No || external || floating, nv-stack, nh-stack, max || title bars in floating, skinny borders in tiling || via [https://github.com/BurntSushi/wingo/blob/master/HOWTO-COMMANDS wingo-cmd] or UNIX sockets in any programming language || [https://github.com/BurntSushi/xgb X Go Binding] || n regions, workspaces visible in any region || Yes || Active<br />
|-<br />
! [[WMFS]]<br />
| C || Text || Dynamic || Built-in || Yes || Built-in, set with command, color text, images || external || nh-stack (and invert), nv-stack (and invert), mirror-v, mirror-h, grid, free, max || variable borders, titles or no titles || commands || Xlib || Up to 36 tags(workspaces) per screen || Yes || Active<br />
|-<br />
! [[wmii]]<br />
| C || Anything || Manual || witray || Yes || Built-in || external || columns, max, v-tab || titles || [http://9p.cat-v.org 9P filesystem] || || one big region || Yes || Active<br />
|-<br />
! [[xmonad]]<br />
| Haskell || Haskell || Dynamic || None || Yes || No || Yes, with xmonad-contrib and an external manager || nv-stack, nh-stack, max || variable borders, no titles || via [http://xmonad.org/xmonad-docs/xmonad-contrib/XMonad-Hooks-ServerMode.html XMonad-Hooks-ServerMode] || Xlib || n regions, 9 workspaces visible in any region || Yes / ? || Active<br />
|-<br />
|-class="sortbottom"<br />
! Window Manager !! Written in !! Configured with !! Management style !! System tray support !! On-the-fly reload !! Information bars !! Compositing !! Default layouts !! Pixel usage || External control !! Library !! Multiple (n) monitor behavior !! ICCCM/EWMH compliant !! Maintenance<br />
|}<br />
<br />
{{Tip|External control can also be achieved by programs like {{Pkg|xdotool}} which simulate keystrokes.}}<br />
<br />
=== Management style ===<br />
Dynamic management emphasizes automatic management of window layouts for speed and simplicity. Manual management emphasizes manual adjustment of layout and sizing with potentially more precise control, at the cost of more time spent moving and sizing windows.<br />
<br />
=== Layouts ===<br />
A number of common layout types appear in several tiling WMs, although the terminology varies somewhat.<br />
* max: one window shown fullscreen (with or without a status bar, title and borders). Aka: monocle (dwm, monsterwm).<br />
* h-stack: master area in top half, other windows stack up horizontally in the bottom half. The master area may be resizable. May be inverted top-bottom (wmfs). Aka: bottom stack (dwm), bstack(monsterwm).<br />
* v-stack: master area in left half, other windows stack up vertically in the right half. The master area may be resizable. May be inverted left-right (wmfs). Aka: tile (dwm, monsterwm).<br />
* nh-stack: h-stack allowing >=1 windows in master area. Aka: nbstack (dwm)<br />
* nv-stack: v-stack allowing >=1 windows in master area. Aka: ntile (dwm)<br />
* mirror-h: nh-stack with stacks above and below the master area<br />
* mirror-v: nv-stack with stacks to the left and right of the master area<br />
* h-tab: one window shown fullscreen with all window titles shown horizontally (like browser tabs)<br />
* v-tab: one window shown fullscreen with all window titles shown vertically. Aka: stack (wmii).<br />
* h-split: a keybinding splits the current window horizontally creating space for another<br />
* v-split: a keybinding splits the current window vertically creating space for another<br />
* columns: manual layout style which treats windows as belonging to vertical columns<br />
* rows: manual layout style which treats windows as belonging to horizontal rows<br />
* grid: window positions and sizes based on a regular NxM grid. May be automatic (like wmfs, monsterwm) or manual (like Subtle).<br />
<br />
=== Key bindings ===<br />
Tiling window managers are usually designed to be used entirely with the keyboard or with keyboard & mouse. This is for speed (reaching for and moving a mouse is slow) and ease of use. Sensible key bindings are crucial to making workflow fast and efficient. Some default sets are better than others, but generally the keys can be rebound as desired by the user.<br />
<br />
== External links ==<br />
* [http://sawfish.wikia.com/wiki/Comparison_of_extensible_window_managers Comparison of extensible window managers] compares WMs "extensible" by scripting, like Xmonad and Sawfish.</div>Ahstro