https://wiki.archlinux.org/api.php?action=feedcontributions&user=Sudoforge&feedformat=atomArchWiki - User contributions [en]2024-03-29T06:03:48ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Package_Maintainers&diff=725631Package Maintainers2022-04-07T05:22:08Z<p>Sudoforge: /* Active Trusted Users */ update contact information for sudoforge, due to this page being scanned and used for spam</p>
<hr />
<div>[[Category:Arch development]]<br />
[[Category:Teams]]<br />
[[es:Trusted Users]]<br />
[[fr:Trusted Users]]<br />
[[ja:Trusted Users]]<br />
[[pt:Trusted Users]]<br />
[[zh-hans:Trusted Users]]<br />
The [https://archlinux.org/people/trusted-users/ Trusted Users] serve the following purposes:<br />
# Maintain the ''community'' repository as an intermediary between Arch Linux's [[official repositories]] and the unsupported package collection in the [[AUR]].<br />
# Maintain, manage, and watch over the operation of the [[AUR]].<br />
<br />
== How do I become a TU? ==<br />
<br />
The ''minimum'' requirements to becoming a TU are as follows:<br />
* know basic shell scripting<br />
* maintain a few packages in AUR with clean, high-quality PKGBUILDs<br />
* basic community involvement (mailing list, forums, IRC)<br />
* know Google-Fu<br />
* a general idea of the kind of packages you want to maintain (basically, why do you want to become TU?)<br />
<br />
Even though you could become a TU by merely fulfilling those minimum requirements, the people judging you during the [https://aur.archlinux.org/trusted-user/TUbylaws.html#_standard_voting_procedure standard voting procedure] might expect more from you. Such as:<br />
* involvement in the bug tracker (reporting, research, info)<br />
* patches for Arch projects<br />
* involvement in a few open-source projects (even if they are your own)<br />
<br />
If you still feel up to becoming a TU after reading these lines, the first step is to find two TUs who agree to sponsor you. Once sponsored, you should write a witty application signed with your GPG key to the [https://lists.archlinux.org/listinfo/aur-general aur-general mailing list].<br />
<br />
{{Note|Should a TU you contact decline to sponsor your application, you should make this fact known if you seek sponsorship from another TU.}}<br />
<br />
For more information, see the [https://aur.archlinux.org/trusted-user/TUbylaws.html Trusted User Bylaws], [[Trusted Users Bylaw Amendment]] and [[AUR Trusted User Guidelines]].<br />
<br />
== Active Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
! E-Mail<br />
|-<br />
|[https://aur.archlinux.org/packages/?K=ainola&SeB=m ainola]||Brett Cornwall||nvabyn@nepuyvahk.bet (rot13)<br />
|-<br />
|[https://aur.archlinux.org/packages?K=alerque&SeB=m alerque]||Caleb Maclennan||caleb@alerque.com<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=M&K=alex19EP alex19EP]||Alexander Epaneshnikov||alex19ep@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=alucryd&SeB=m alucryd]||Maxime Gauduin||alucryd@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anatolik&SeB=m anatolik]||Anatol Pomozov||anatol dot pomozov + arch at gmail<br />
|-<br />
|[https://aur.archlinux.org/packages?K=andrewSC&SeB=m andrewSC]||Andrew Crerar||andrew (at) crerar (dot) io<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anthraxx&SeB=m anthraxx]||[[User:anthraxx|Levente Polyak]]||anthraxx [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ArchangeGabriel&SeB=m ArchangeGabriel]||Bruno Pagani||archange@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=artafinde artafinde]||Leonidas Spyropoulos||artafinde (at) gmail (dot) com<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=arojas arojas]||Antonio Rojas||arojas@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=bastelfreak bastelfreak]||Tim Meusel||bastelfreak@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=BlackIkeEagle&SeB=m BlackIkeEagle]||[[User:BlackEagle|Ike Devolder]]||ike DOT devolder AT gmail DOT com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=City-busz&SeB=m City-busz]||[[User:City-busz|Balló György]]||ballogyor+arch at gmail dot com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=coderobe&SeB=m coderobe]||Mara Robin Broda||coderobe at arch linux org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ConnorBehan&SeB=m ConnorBehan]||Connor Behan||connor.behan@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=lfleischer&SeB=m lfleischer]||Lukas Fleischer||lfleischer at archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=eworm&SeB=m eworm]||Christian Hesse||mail@eworm.de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=daurnimator&SeB=m daurnimator]||Daurnimator||quae at daurnimator com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dbermond&SeB=m dbermond]||Daniel Bermond||gmail-com: danielbermond<br />
|-<br />
|[https://aur.archlinux.org/packages?K=demize&SeB=m demize]||[[User:Kyrias|Johannes Löthberg]]||johannes@kyriasis.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=diabonas&SeB=m diabonas]||[[User:Diabonas|Jonas Witschel]]||diabonas@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Dragonlord&SeB=m Dragonlord]||[[User:Drag0nl0rd|Jaroslav Lichtblau]]||svetlemodry @ archlinux org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dvzrv&SeB=m dvzrv]||[[User:Davezerave|David Runge]]|| dave@sleepmap.de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=escondida&SeB=m escondida]||Ivy Foster||code @ escondida dot tk<br />
|-<br />
|[https://aur.archlinux.org/packages?K=farseerfc&SeB=m farseerfc]||Jiachen Yang||farseerfc[at]gmail[dot]com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=felixonmars&SeB=m felixonmars]||Felix Yan||felixonmars@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=FFY00&SeB=m FFY00]||Filipe Laíns||[mailto:lains@archlinux.org lains@archlinux.org]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Foxboron&SeB=m Foxboron]||Morten Linderud||foxboron@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=foxxx0&SeB=m foxxx0]||Thore Bödecker||me [at] foxxx0 [dot] de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=freswa&SeB=m freswa]||Frederik Schwan||freswa at archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=grawlinson&SeB=m grawlinson]||[[User:Grawlinson|George Rawlinson]]||george@rawlinson.net.nz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=giniu&SeB=m giniu]||[[User:giniu|Andrzej Giniewicz]]||gginiu@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=heftig&SeB=m heftig]||Jan Alexander Steffens||jan.steffens@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=hashworks&SeB=m hashworks]||Justin Kromlinger||hashworks@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jelly&SeB=m jelly]||Jelle van der Waa|| jelle vdwaa nl<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jleclanche&SeB=m jleclanche]||[[User:jleclanche|Jerome Leclanche]]||jerome''@''leclan''.''ch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jsteel&SeB=m jsteel]||Jonathan Steel||jsteel at aur.archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kgizdov&SeB=m kgizdov]||Konstantin Gizdov||arch@kge.pw<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kpcyrd&SeB=m kpcyrd]||kpcyrd||git@rxv.cc<br />
|-<br />
|[https://aur.archlinux.org/packages?K=keenerd&SeB=m keenerd]||Kyle Keen||keenerd@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=lordheavy&SeB=m Lordheavy]||[[User:Lordheavy|Laurent Carlier]]||lordheavym at gmail com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=maximbaz&SeB=m maximbaz]||Maxim Baz||archlinux at maximbaz dot com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Morganamilo&SeB=m Morganamilo]||Morgan Adamiec||morganamilo@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=mtorromeo&SeB=m mtorromeo]||Massimiliano Torromeo||massimiliano.torromeo@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Muflone&SeB=m Muflone]||Fabio Castelli||muflone (at) archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=NicoHood&SeB=m NicoHood]||NicoHood||archlinux (cat) nicohood (dog) de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=orhun&SeB=m orhun]||Orhun Parmaksız||orhun@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=polyzen&SeB=m polyzen]||Daniel M. Capella||polyzen@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=raster&SeB=m raster]||Carsten Haitzler||raster@rasterman.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=rgacogne&SeB=m rgacogne]||Remi Gacogne||rgacogne @ archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sangy&SeB=m sangy]||Santiago Torres-Arias|| santiago @ archlinux ⇶ org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=schuay&SeB=m schuay]||Jakob Gruber||jakob.gruber@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=seblu&SeB=m seblu]||Sébastien Luttringer||s е b l u ''at'' a r c h l і n ux ''dot'' o r g<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Segaja&SeB=m Segaja]||Andreas Schleifer||segaja [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sergej&SeB=m sergej]||[[User:Sergej|Sergej Pupykin]]||pupykin.s+arch@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shibumi&SeB=m shibumi]||[[User:shibumi|Christian Rebischke]]||Chris.Rebischke [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=stativ&SeB=m stativ]||Lukas Jirkovsky||l.jirkovsky strange_curved_character gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sudoforge&SeB=m sudoforge]||sudoforge||[https://twitter.com/sudoforge @sudoforge]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=svenstaro&SeB=m svenstaro]||[[User:svenstaro|Sven-Hendrik Haase]]||sven@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tensor5&SeB=m tensor5]||Nicola Squartini||tensor5@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wild&SeB=m wild]||[[User:vild|Dan Printzell]]||[mailto:arch@vild.io arch@vild.io]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Xyne&SeB=m Xyne]||Xyne||ca . archlinux @ xyne, in reverse order<br />
|-<br />
|[https://aur.archlinux.org/packages?K=xyproto&SeB=m xyproto]||Alexander F. Rødseth||xyproto@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=yan12125&SeB=m yan12125]||[[User:Yan12125|Chih-Hsuan Yen]]||yan12125@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=zorun&SeB=m zorun]||Baptiste Jonglez||archlinux bitsofnetworks org<br />
|}<br />
<br />
== Inactive Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
! E-Mail<br />
! Comments/Reference<br />
|-<br />
|}<br />
<br />
== Some Past Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
|-<br />
|[https://aur.archlinux.org/packages?K=abhidg&SeB=m abhidg]||Abhishek Dasgupta<br />
|-<br />
|[https://aur.archlinux.org/packages/?K=Alad&SeB=m alad]||[[User:Alad|Alad Wenter]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Allan&SeB=m Allan]||Allan McRae<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ambrevar&SeB=m Ambrevar]||[[User:Ambrevar|Pierre Neidhardt]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anders&SeB=m anders]||Anders Bergh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=angvp&SeB=m angvp]||[[User:Angvp|Angel Velásquez]]<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=arcanis arcanis]||Evgeniy Alekseev<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Atsutane&SeB=m Atsutane]||Thorsten Töpper<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bardo&SeB=m bardo]||Corrado Primier<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Barthalion&SeB=m Barthalion]||Bartłomiej Piotrowski<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ndr&SeB=m ndr]||Andrea Scarpino<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bfinch&SeB=m bfinch]||Bob Finch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bluewind&SeB=m Bluewind]||Florian Pritz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=brain0&SeB=m brain0]||Thomas Bächler<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bjorn&SeB=m bjorn]||[[User:Bjørn|Bjørn Lindeijer]]<br />
|- <br />
|[https://aur.archlinux.org/packages/?K=Cinelli&SeB=m cinelli] ||Federico Cinelli<br />
|-<br />
|[https://aur.archlinux.org/packages?K=codemac&SeB=m codemac]||Jeff Mickey<br />
|-<br />
|[https://aur.archlinux.org/packages?K=cmb&SeB=m cmb]||Chris Brannon<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Daenyth&SeB=m Daenyth]||Daenyth Blank<br />
|-<br />
|[https://aur.archlinux.org/packages?K=DaNiMoTh&SeB=m DaNiMoTh]||JJ. DaNiMoTh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dejari&SeB=m dejari]||Leslie P. Polzer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dsa&SeB=m dsa]||Douglas Soares de Andrade<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dtw&SeB=m dtw]||Phil Dillon-Thiselton<br />
|-<br />
|[https://aur.archlinux.org/packages?K=elasticdog&SeB=m elasticdog]||Aaron Bull Schaefer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=encelo&SeB=m encelo]||Angelo Theodorou<br />
|-<br />
|[https://aur.archlinux.org/packages?K=eschwartz&SeB=m eschwartz]||Eli Schwartz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=even&SeB=m even] ||Kessia Pinheiro<br />
|-<br />
|[https://aur.archlinux.org/packages?K=faidoc&SeB=m Faidoc]||Alexandre Filgueira<br />
|-<br />
|[https://aur.archlinux.org/packages?K=falconindy&SeB=m falconindy]||Dave Reisner<br />
|-<br />
|[https://aur.archlinux.org/packages?K=foutrelis&SeB=m foutrelis]||Evangelos Foutras<br />
|-<br />
|[https://aur.archlinux.org/packages?K=filoktetes&SeB=m filoktetes]||Robert Emil Berge<br />
|-<br />
|[https://aur.archlinux.org/packages?K=firmicus&SeB=m firmicus]||François Charette<br />
|-<br />
|[https://aur.archlinux.org/packages?K=flexiondotorg&SeB=m flexiondotorg]||Martin Wimpress<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ganja_guru&SeB=m ganja_guru]||Varun Acharya<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gcarrier&SeB=m gcarrier]||Geoffroy Carrier<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ghost1227&SeB=m Ghost1227]||Dan Griffiths<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=grazzolini grazzolini]||Giancarlo Razzolini<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gtmanfred&SeB=m gtmanfred]||Daniel Wallace<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gummibaerchen&SeB=m gummibaerchen]||Timm Preetz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=hdoria&SeB=m hdoria]||Hugo Doria<br />
|-<br />
|[https://aur.archlinux.org/packages?K=iphitus&SeB=m iphitus]||James Rayner<br />
|-<br />
|[https://aur.archlinux.org/packages?K=itsbrad212&SeB=m itsbrad212]||Brad Fanella<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kaitocracy&SeB=m kaitocracy]||Kaiting Chen<br />
|-<br />
|[https://aur.archlinux.org/packages?K=louipc&SeB=m louipc]||Loui Chang<br />
|-<br />
|[https://aur.archlinux.org/packages?K=mOLOk&SeB=m mOLOk]||Alessio Bolognino<br />
|-<br />
|[https://aur.archlinux.org/packages?K=nesl247&SeB=m nesl247]||Alex Heck<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Neverth&SeB=m Neverth]||Mikko Seppälä<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Partition&SeB=m Partition]||Mateusz Herych<br />
|-<br />
|[https://aur.archlinux.org/packages?K=petelewis&SeB=m petelewis]||Peter Lewis<br />
|-<br />
|[https://aur.archlinux.org/packages?K=PirateJonno&SeB=m PirateJonno]||Jonathan Conder<br />
|-<br />
|[https://aur.archlinux.org/packages?K=phrakture&SeB=m phrakture]||Aaron Griffin<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Pierre&SeB=m Pierre]||Pierre Schmitz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pizzapunk&SeB=m pizzapunk]||Alexander Fehr<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pjmattal&SeB=m pjmattal]||Paul Mattal<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pressh&SeB=m pressh]||Ronald van Haren<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ranguvar&SeB=m Ranguvar]||Devin Cofer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Romashka&SeB=m Romashka]||Roman Kyrylych<br />
|-<br />
|[https://aur.archlinux.org/packages?K=schivmeister&SeB=m schivmeister]||[[User:Schivmeister|Ray Rashif]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shastry&SeB=m shastry]||Vinay S Shastry<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Snowman&SeB=m Snowman]||Eric Bélanger<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shinlun&SeB=m shinlun]||Shinlun Hsieh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=speps&SeB=m speps]||SpepS<br />
|-<br />
|[https://aur.archlinux.org/packages?K=StefanHusmann&SeB=m StefanHusmann]||Stefan Husmann<br />
|-<br />
|[https://aur.archlinux.org/packages?K=STiAT&SeB=m STiAT]||Georg Grabler<br />
|-<br />
|[https://aur.archlinux.org/packages?K=swiergot&SeB=m swiergot]||Jaroslaw Swierczynski<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tardo&SeB=m tardo]||Shehzad Qureshi<br />
|-<br />
|[https://aur.archlinux.org/packages?K=td123&SeB=m td123]||Thomas Dziedzic<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thatch45&SeB=m thatch45]||Thomas S Hatch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thotypous&SeB=m thotypous]||Paulo Matias<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tredaelli&SeB=m tredaelli]||Timothy Redaelli<br />
|-<br />
|[https://aur.archlinux.org/packages?K=vegai&SeB=m vegai]||Vesa Kaihlavirta<br />
|-<br />
|[https://aur.archlinux.org/packages?K=voidnull&SeB=m voidnull]||Giovanni Scafora<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wizzomafizzo&SeB=m wizzomafizzo]||Callan Barrett<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wonder&SeB=m wonder]|| Ionut Biru<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Xilon&SeB=m Xilon]||Sebastian Nowicki<br />
|-<br />
|[https://aur.archlinux.org/packages?K=xterminus&SeB=m xterminus]||Charles Mauch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=zeus&SeB=m zeus]||Zhukov Pavel<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Dicebot&SeB=m Dicebot]||Mihails Strasuns<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thestinger&SeB=m thestinger]||Daniel Micay<br />
|}</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=Package_Maintainers&diff=724863Package Maintainers2022-03-31T06:01:39Z<p>Sudoforge: alphabetically order TU list (by username)</p>
<hr />
<div>[[Category:Arch development]]<br />
[[Category:Teams]]<br />
[[es:Trusted Users]]<br />
[[fr:Trusted Users]]<br />
[[ja:Trusted Users]]<br />
[[pt:Trusted Users]]<br />
[[zh-hans:Trusted Users]]<br />
The [https://archlinux.org/people/trusted-users/ Trusted Users] serve the following purposes:<br />
# Maintain the ''community'' repository as an intermediary between Arch Linux's [[official repositories]] and the unsupported package collection in the [[AUR]].<br />
# Maintain, manage, and watch over the operation of the [[AUR]].<br />
<br />
== How do I become a TU? ==<br />
<br />
The ''minimum'' requirements to becoming a TU are as follows:<br />
* know basic shell scripting<br />
* maintain a few packages in AUR with clean, high-quality PKGBUILDs<br />
* basic community involvement (mailing list, forums, IRC)<br />
* know Google-Fu<br />
* a general idea of the kind of packages you want to maintain (basically, why do you want to become TU?)<br />
<br />
Even though you could become a TU by merely fulfilling those minimum requirements, the people judging you during the [https://aur.archlinux.org/trusted-user/TUbylaws.html#_standard_voting_procedure standard voting procedure] might expect more from you. Such as:<br />
* involvement in the bug tracker (reporting, research, info)<br />
* patches for Arch projects<br />
* involvement in a few open-source projects (even if they are your own)<br />
<br />
If you still feel up to becoming a TU after reading these lines, the first step is to find two TUs who agree to sponsor you. Once sponsored, you should write a witty application signed with your GPG key to the [https://lists.archlinux.org/listinfo/aur-general aur-general mailing list].<br />
<br />
{{Note|Should a TU you contact decline to sponsor your application, you should make this fact known if you seek sponsorship from another TU.}}<br />
<br />
For more information, see the [https://aur.archlinux.org/trusted-user/TUbylaws.html Trusted User Bylaws], [[Trusted Users Bylaw Amendment]] and [[AUR Trusted User Guidelines]].<br />
<br />
== Active Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
! E-Mail<br />
|-<br />
|[https://aur.archlinux.org/packages/?K=ainola&SeB=m ainola]||Brett Cornwall||nvabyn@nepuyvahk.bet (rot13)<br />
|-<br />
|[https://aur.archlinux.org/packages?K=alerque&SeB=m alerque]||Caleb Maclennan||caleb@alerque.com<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=M&K=alex19EP alex19EP]||Alexander Epaneshnikov||alex19ep@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=alucryd&SeB=m alucryd]||Maxime Gauduin||alucryd@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anatolik&SeB=m anatolik]||Anatol Pomozov||anatol dot pomozov + arch at gmail<br />
|-<br />
|[https://aur.archlinux.org/packages?K=andrewSC&SeB=m andrewSC]||Andrew Crerar||andrew (at) crerar (dot) io<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anthraxx&SeB=m anthraxx]||[[User:anthraxx|Levente Polyak]]||anthraxx [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ArchangeGabriel&SeB=m ArchangeGabriel]||Bruno Pagani||archange@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=artafinde artafinde]||Leonidas Spyropoulos||artafinde (at) gmail (dot) com<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=arojas arojas]||Antonio Rojas||arojas@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=bastelfreak bastelfreak]||Tim Meusel||bastelfreak@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=BlackIkeEagle&SeB=m BlackIkeEagle]||[[User:BlackEagle|Ike Devolder]]||ike DOT devolder AT gmail DOT com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=City-busz&SeB=m City-busz]||[[User:City-busz|Balló György]]||ballogyor+arch at gmail dot com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=coderobe&SeB=m coderobe]||Mara Robin Broda||coderobe at arch linux org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ConnorBehan&SeB=m ConnorBehan]||Connor Behan||connor.behan@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=lfleischer&SeB=m lfleischer]||Lukas Fleischer||lfleischer at archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=eworm&SeB=m eworm]||Christian Hesse||mail@eworm.de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=daurnimator&SeB=m daurnimator]||Daurnimator||quae at daurnimator com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dbermond&SeB=m dbermond]||Daniel Bermond||gmail-com: danielbermond<br />
|-<br />
|[https://aur.archlinux.org/packages?K=demize&SeB=m demize]||[[User:Kyrias|Johannes Löthberg]]||johannes@kyriasis.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=diabonas&SeB=m diabonas]||[[User:Diabonas|Jonas Witschel]]||diabonas@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Dragonlord&SeB=m Dragonlord]||[[User:Drag0nl0rd|Jaroslav Lichtblau]]||svetlemodry @ archlinux org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dvzrv&SeB=m dvzrv]||[[User:Davezerave|David Runge]]|| dave@sleepmap.de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=escondida&SeB=m escondida]||Ivy Foster||code @ escondida dot tk<br />
|-<br />
|[https://aur.archlinux.org/packages?K=farseerfc&SeB=m farseerfc]||Jiachen Yang||farseerfc[at]gmail[dot]com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=felixonmars&SeB=m felixonmars]||Felix Yan||felixonmars@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=FFY00&SeB=m FFY00]||Filipe Laíns||[mailto:lains@archlinux.org lains@archlinux.org]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Foxboron&SeB=m Foxboron]||Morten Linderud||foxboron@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=foxxx0&SeB=m foxxx0]||Thore Bödecker||me [at] foxxx0 [dot] de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=freswa&SeB=m freswa]||Frederik Schwan||freswa at archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=grawlinson&SeB=m grawlinson]||[[User:Grawlinson|George Rawlinson]]||george@rawlinson.net.nz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=giniu&SeB=m giniu]||[[User:giniu|Andrzej Giniewicz]]||gginiu@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=heftig&SeB=m heftig]||Jan Alexander Steffens||jan.steffens@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=hashworks&SeB=m hashworks]||Justin Kromlinger||hashworks@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jelly&SeB=m jelly]||Jelle van der Waa|| jelle vdwaa nl<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jleclanche&SeB=m jleclanche]||[[User:jleclanche|Jerome Leclanche]]||jerome''@''leclan''.''ch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jsteel&SeB=m jsteel]||Jonathan Steel||jsteel at aur.archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kgizdov&SeB=m kgizdov]||Konstantin Gizdov||arch@kge.pw<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kpcyrd&SeB=m kpcyrd]||kpcyrd||git@rxv.cc<br />
|-<br />
|[https://aur.archlinux.org/packages?K=keenerd&SeB=m keenerd]||Kyle Keen||keenerd@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=lordheavy&SeB=m Lordheavy]||[[User:Lordheavy|Laurent Carlier]]||lordheavym at gmail com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=maximbaz&SeB=m maximbaz]||Maxim Baz||archlinux at maximbaz dot com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Morganamilo&SeB=m Morganamilo]||Morgan Adamiec||morganamilo@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=mtorromeo&SeB=m mtorromeo]||Massimiliano Torromeo||massimiliano.torromeo@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Muflone&SeB=m Muflone]||Fabio Castelli||muflone (at) archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=NicoHood&SeB=m NicoHood]||NicoHood||archlinux (cat) nicohood (dog) de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=orhun&SeB=m orhun]||Orhun Parmaksız||orhun@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=polyzen&SeB=m polyzen]||Daniel M. Capella||polyzen@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=raster&SeB=m raster]||Carsten Haitzler||raster@rasterman.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=rgacogne&SeB=m rgacogne]||Remi Gacogne||rgacogne @ archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sangy&SeB=m sangy]||Santiago Torres-Arias|| santiago @ archlinux ⇶ org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=schuay&SeB=m schuay]||Jakob Gruber||jakob.gruber@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=seblu&SeB=m seblu]||Sébastien Luttringer||s е b l u ''at'' a r c h l і n ux ''dot'' o r g<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Segaja&SeB=m Segaja]||Andreas Schleifer||segaja [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sergej&SeB=m sergej]||[[User:Sergej|Sergej Pupykin]]||pupykin.s+arch@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shibumi&SeB=m shibumi]||[[User:shibumi|Christian Rebischke]]||Chris.Rebischke [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=stativ&SeB=m stativ]||Lukas Jirkovsky||l.jirkovsky strange_curved_character gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sudoforge&SeB=m sudoforge]||Ben Denhartog||cc86c55bf30c@sudoforge.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=svenstaro&SeB=m svenstaro]||[[User:svenstaro|Sven-Hendrik Haase]]||sven@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tensor5&SeB=m tensor5]||Nicola Squartini||tensor5@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wild&SeB=m wild]||[[User:vild|Dan Printzell]]||[mailto:arch@vild.io arch@vild.io]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Xyne&SeB=m Xyne]||Xyne||ca . archlinux @ xyne, in reverse order<br />
|-<br />
|[https://aur.archlinux.org/packages?K=xyproto&SeB=m xyproto]||Alexander F. Rødseth||xyproto@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=yan12125&SeB=m yan12125]||[[User:Yan12125|Chih-Hsuan Yen]]||yan12125@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=zorun&SeB=m zorun]||Baptiste Jonglez||archlinux bitsofnetworks org<br />
|}<br />
<br />
== Inactive Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
! E-Mail<br />
! Comments/Reference<br />
|-<br />
|}<br />
<br />
== Some Past Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
|-<br />
|[https://aur.archlinux.org/packages?K=abhidg&SeB=m abhidg]||Abhishek Dasgupta<br />
|-<br />
|[https://aur.archlinux.org/packages/?K=Alad&SeB=m alad]||[[User:Alad|Alad Wenter]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Allan&SeB=m Allan]||Allan McRae<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ambrevar&SeB=m Ambrevar]||[[User:Ambrevar|Pierre Neidhardt]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anders&SeB=m anders]||Anders Bergh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=angvp&SeB=m angvp]||[[User:Angvp|Angel Velásquez]]<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=arcanis arcanis]||Evgeniy Alekseev<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Atsutane&SeB=m Atsutane]||Thorsten Töpper<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bardo&SeB=m bardo]||Corrado Primier<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Barthalion&SeB=m Barthalion]||Bartłomiej Piotrowski<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ndr&SeB=m ndr]||Andrea Scarpino<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bfinch&SeB=m bfinch]||Bob Finch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bluewind&SeB=m Bluewind]||Florian Pritz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=brain0&SeB=m brain0]||Thomas Bächler<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bjorn&SeB=m bjorn]||[[User:Bjørn|Bjørn Lindeijer]]<br />
|- <br />
|[https://aur.archlinux.org/packages/?K=Cinelli&SeB=m cinelli] ||Federico Cinelli<br />
|-<br />
|[https://aur.archlinux.org/packages?K=codemac&SeB=m codemac]||Jeff Mickey<br />
|-<br />
|[https://aur.archlinux.org/packages?K=cmb&SeB=m cmb]||Chris Brannon<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Daenyth&SeB=m Daenyth]||Daenyth Blank<br />
|-<br />
|[https://aur.archlinux.org/packages?K=DaNiMoTh&SeB=m DaNiMoTh]||JJ. DaNiMoTh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dejari&SeB=m dejari]||Leslie P. Polzer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dsa&SeB=m dsa]||Douglas Soares de Andrade<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dtw&SeB=m dtw]||Phil Dillon-Thiselton<br />
|-<br />
|[https://aur.archlinux.org/packages?K=elasticdog&SeB=m elasticdog]||Aaron Bull Schaefer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=encelo&SeB=m encelo]||Angelo Theodorou<br />
|-<br />
|[https://aur.archlinux.org/packages?K=eschwartz&SeB=m eschwartz]||Eli Schwartz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=even&SeB=m even] ||Kessia Pinheiro<br />
|-<br />
|[https://aur.archlinux.org/packages?K=faidoc&SeB=m Faidoc]||Alexandre Filgueira<br />
|-<br />
|[https://aur.archlinux.org/packages?K=falconindy&SeB=m falconindy]||Dave Reisner<br />
|-<br />
|[https://aur.archlinux.org/packages?K=foutrelis&SeB=m foutrelis]||Evangelos Foutras<br />
|-<br />
|[https://aur.archlinux.org/packages?K=filoktetes&SeB=m filoktetes]||Robert Emil Berge<br />
|-<br />
|[https://aur.archlinux.org/packages?K=firmicus&SeB=m firmicus]||François Charette<br />
|-<br />
|[https://aur.archlinux.org/packages?K=flexiondotorg&SeB=m flexiondotorg]||Martin Wimpress<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ganja_guru&SeB=m ganja_guru]||Varun Acharya<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gcarrier&SeB=m gcarrier]||Geoffroy Carrier<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ghost1227&SeB=m Ghost1227]||Dan Griffiths<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=grazzolini grazzolini]||Giancarlo Razzolini<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gtmanfred&SeB=m gtmanfred]||Daniel Wallace<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gummibaerchen&SeB=m gummibaerchen]||Timm Preetz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=hdoria&SeB=m hdoria]||Hugo Doria<br />
|-<br />
|[https://aur.archlinux.org/packages?K=iphitus&SeB=m iphitus]||James Rayner<br />
|-<br />
|[https://aur.archlinux.org/packages?K=itsbrad212&SeB=m itsbrad212]||Brad Fanella<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kaitocracy&SeB=m kaitocracy]||Kaiting Chen<br />
|-<br />
|[https://aur.archlinux.org/packages?K=louipc&SeB=m louipc]||Loui Chang<br />
|-<br />
|[https://aur.archlinux.org/packages?K=mOLOk&SeB=m mOLOk]||Alessio Bolognino<br />
|-<br />
|[https://aur.archlinux.org/packages?K=nesl247&SeB=m nesl247]||Alex Heck<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Neverth&SeB=m Neverth]||Mikko Seppälä<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Partition&SeB=m Partition]||Mateusz Herych<br />
|-<br />
|[https://aur.archlinux.org/packages?K=petelewis&SeB=m petelewis]||Peter Lewis<br />
|-<br />
|[https://aur.archlinux.org/packages?K=PirateJonno&SeB=m PirateJonno]||Jonathan Conder<br />
|-<br />
|[https://aur.archlinux.org/packages?K=phrakture&SeB=m phrakture]||Aaron Griffin<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Pierre&SeB=m Pierre]||Pierre Schmitz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pizzapunk&SeB=m pizzapunk]||Alexander Fehr<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pjmattal&SeB=m pjmattal]||Paul Mattal<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pressh&SeB=m pressh]||Ronald van Haren<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ranguvar&SeB=m Ranguvar]||Devin Cofer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Romashka&SeB=m Romashka]||Roman Kyrylych<br />
|-<br />
|[https://aur.archlinux.org/packages?K=schivmeister&SeB=m schivmeister]||[[User:Schivmeister|Ray Rashif]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shastry&SeB=m shastry]||Vinay S Shastry<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Snowman&SeB=m Snowman]||Eric Bélanger<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shinlun&SeB=m shinlun]||Shinlun Hsieh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=speps&SeB=m speps]||SpepS<br />
|-<br />
|[https://aur.archlinux.org/packages?K=StefanHusmann&SeB=m StefanHusmann]||Stefan Husmann<br />
|-<br />
|[https://aur.archlinux.org/packages?K=STiAT&SeB=m STiAT]||Georg Grabler<br />
|-<br />
|[https://aur.archlinux.org/packages?K=swiergot&SeB=m swiergot]||Jaroslaw Swierczynski<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tardo&SeB=m tardo]||Shehzad Qureshi<br />
|-<br />
|[https://aur.archlinux.org/packages?K=td123&SeB=m td123]||Thomas Dziedzic<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thatch45&SeB=m thatch45]||Thomas S Hatch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thotypous&SeB=m thotypous]||Paulo Matias<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tredaelli&SeB=m tredaelli]||Timothy Redaelli<br />
|-<br />
|[https://aur.archlinux.org/packages?K=vegai&SeB=m vegai]||Vesa Kaihlavirta<br />
|-<br />
|[https://aur.archlinux.org/packages?K=voidnull&SeB=m voidnull]||Giovanni Scafora<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wizzomafizzo&SeB=m wizzomafizzo]||Callan Barrett<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wonder&SeB=m wonder]|| Ionut Biru<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Xilon&SeB=m Xilon]||Sebastian Nowicki<br />
|-<br />
|[https://aur.archlinux.org/packages?K=xterminus&SeB=m xterminus]||Charles Mauch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=zeus&SeB=m zeus]||Zhukov Pavel<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Dicebot&SeB=m Dicebot]||Mihails Strasuns<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thestinger&SeB=m thestinger]||Daniel Micay<br />
|}</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=Package_Maintainers&diff=724862Package Maintainers2022-03-31T05:57:01Z<p>Sudoforge: update generated email address</p>
<hr />
<div>[[Category:Arch development]]<br />
[[Category:Teams]]<br />
[[es:Trusted Users]]<br />
[[fr:Trusted Users]]<br />
[[ja:Trusted Users]]<br />
[[pt:Trusted Users]]<br />
[[zh-hans:Trusted Users]]<br />
The [https://archlinux.org/people/trusted-users/ Trusted Users] serve the following purposes:<br />
# Maintain the ''community'' repository as an intermediary between Arch Linux's [[official repositories]] and the unsupported package collection in the [[AUR]].<br />
# Maintain, manage, and watch over the operation of the [[AUR]].<br />
<br />
== How do I become a TU? ==<br />
<br />
The ''minimum'' requirements to becoming a TU are as follows:<br />
* know basic shell scripting<br />
* maintain a few packages in AUR with clean, high-quality PKGBUILDs<br />
* basic community involvement (mailing list, forums, IRC)<br />
* know Google-Fu<br />
* a general idea of the kind of packages you want to maintain (basically, why do you want to become TU?)<br />
<br />
Even though you could become a TU by merely fulfilling those minimum requirements, the people judging you during the [https://aur.archlinux.org/trusted-user/TUbylaws.html#_standard_voting_procedure standard voting procedure] might expect more from you. Such as:<br />
* involvement in the bug tracker (reporting, research, info)<br />
* patches for Arch projects<br />
* involvement in a few open-source projects (even if they are your own)<br />
<br />
If you still feel up to becoming a TU after reading these lines, the first step is to find two TUs who agree to sponsor you. Once sponsored, you should write a witty application signed with your GPG key to the [https://lists.archlinux.org/listinfo/aur-general aur-general mailing list].<br />
<br />
{{Note|Should a TU you contact decline to sponsor your application, you should make this fact known if you seek sponsorship from another TU.}}<br />
<br />
For more information, see the [https://aur.archlinux.org/trusted-user/TUbylaws.html Trusted User Bylaws], [[Trusted Users Bylaw Amendment]] and [[AUR Trusted User Guidelines]].<br />
<br />
== Active Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
! E-Mail<br />
|-<br />
|[https://aur.archlinux.org/packages/?K=ainola&SeB=m ainola]||Brett Cornwall||nvabyn@nepuyvahk.bet (rot13)<br />
|-<br />
|[https://aur.archlinux.org/packages?K=alerque&SeB=m alerque]||Caleb Maclennan||caleb@alerque.com<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=M&K=alex19EP alex19EP]||Alexander Epaneshnikov||alex19ep@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=alucryd&SeB=m alucryd]||Maxime Gauduin||alucryd@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anatolik&SeB=m anatolik]||Anatol Pomozov||anatol dot pomozov + arch at gmail<br />
|-<br />
|[https://aur.archlinux.org/packages?K=andrewSC&SeB=m andrewSC]||Andrew Crerar||andrew (at) crerar (dot) io<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anthraxx&SeB=m anthraxx]||[[User:anthraxx|Levente Polyak]]||anthraxx [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ArchangeGabriel&SeB=m ArchangeGabriel]||Bruno Pagani||archange@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=artafinde artafinde]||Leonidas Spyropoulos||artafinde (at) gmail (dot) com<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=arojas arojas]||Antonio Rojas||arojas@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=bastelfreak bastelfreak]||Tim Meusel||bastelfreak@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=BlackIkeEagle&SeB=m BlackIkeEagle]||[[User:BlackEagle|Ike Devolder]]||ike DOT devolder AT gmail DOT com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=City-busz&SeB=m City-busz]||[[User:City-busz|Balló György]]||ballogyor+arch at gmail dot com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=coderobe&SeB=m coderobe]||Mara Robin Broda||coderobe at arch linux org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ConnorBehan&SeB=m ConnorBehan]||Connor Behan||connor.behan@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=lfleischer&SeB=m lfleischer]||Lukas Fleischer||lfleischer at archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=eworm&SeB=m eworm]||Christian Hesse||mail@eworm.de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=daurnimator&SeB=m daurnimator]||Daurnimator||quae at daurnimator com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dbermond&SeB=m dbermond]||Daniel Bermond||gmail-com: danielbermond<br />
|-<br />
|[https://aur.archlinux.org/packages?K=demize&SeB=m demize]||[[User:Kyrias|Johannes Löthberg]]||johannes@kyriasis.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=diabonas&SeB=m diabonas]||[[User:Diabonas|Jonas Witschel]]||diabonas@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Dragonlord&SeB=m Dragonlord]||[[User:Drag0nl0rd|Jaroslav Lichtblau]]||svetlemodry @ archlinux org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dvzrv&SeB=m dvzrv]||[[User:Davezerave|David Runge]]|| dave@sleepmap.de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=escondida&SeB=m escondida]||Ivy Foster||code @ escondida dot tk<br />
|-<br />
|[https://aur.archlinux.org/packages?K=farseerfc&SeB=m farseerfc]||Jiachen Yang||farseerfc[at]gmail[dot]com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=felixonmars&SeB=m felixonmars]||Felix Yan||felixonmars@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=FFY00&SeB=m FFY00]||Filipe Laíns||[mailto:lains@archlinux.org lains@archlinux.org]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Foxboron&SeB=m Foxboron]||Morten Linderud||foxboron@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=foxxx0&SeB=m foxxx0]||Thore Bödecker||me [at] foxxx0 [dot] de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=freswa&SeB=m freswa]||Frederik Schwan||freswa at archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=grawlinson&SeB=m grawlinson]||[[User:Grawlinson|George Rawlinson]]||george@rawlinson.net.nz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=giniu&SeB=m giniu]||[[User:giniu|Andrzej Giniewicz]]||gginiu@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=heftig&SeB=m heftig]||Jan Alexander Steffens||jan.steffens@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=hashworks&SeB=m hashworks]||Justin Kromlinger||hashworks@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jelly&SeB=m jelly]||Jelle van der Waa|| jelle vdwaa nl<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jleclanche&SeB=m jleclanche]||[[User:jleclanche|Jerome Leclanche]]||jerome''@''leclan''.''ch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jsteel&SeB=m jsteel]||Jonathan Steel||jsteel at aur.archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kgizdov&SeB=m kgizdov]||Konstantin Gizdov||arch@kge.pw<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kpcyrd&SeB=m kpcyrd]||kpcyrd||git@rxv.cc<br />
|-<br />
|[https://aur.archlinux.org/packages?K=keenerd&SeB=m keenerd]||Kyle Keen||keenerd@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=lordheavy&SeB=m Lordheavy]||[[User:Lordheavy|Laurent Carlier]]||lordheavym at gmail com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=maximbaz&SeB=m maximbaz]||Maxim Baz||archlinux at maximbaz dot com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Morganamilo&SeB=m Morganamilo]||Morgan Adamiec||morganamilo@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=mtorromeo&SeB=m mtorromeo]||Massimiliano Torromeo||massimiliano.torromeo@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Muflone&SeB=m Muflone]||Fabio Castelli||muflone (at) archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=NicoHood&SeB=m NicoHood]||NicoHood||archlinux (cat) nicohood (dog) de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=orhun&SeB=m orhun]||Orhun Parmaksız||orhun@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=polyzen&SeB=m polyzen]||Daniel M. Capella||polyzen@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=raster&SeB=m raster]||Carsten Haitzler||raster@rasterman.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=rgacogne&SeB=m rgacogne]||Remi Gacogne||rgacogne @ archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sangy&SeB=m sangy]||Santiago Torres-Arias|| santiago @ archlinux ⇶ org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=schuay&SeB=m schuay]||Jakob Gruber||jakob.gruber@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=seblu&SeB=m seblu]||Sébastien Luttringer||s е b l u ''at'' a r c h l і n ux ''dot'' o r g<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Segaja&SeB=m Segaja]||Andreas Schleifer||segaja [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sergej&SeB=m sergej]||[[User:Sergej|Sergej Pupykin]]||pupykin.s+arch@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shibumi&SeB=m shibumi]||[[User:shibumi|Christian Rebischke]]||Chris.Rebischke [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=stativ&SeB=m stativ]||Lukas Jirkovsky||l.jirkovsky strange_curved_character gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=svenstaro&SeB=m svenstaro]||[[User:svenstaro|Sven-Hendrik Haase]]||sven@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tensor5&SeB=m tensor5]||Nicola Squartini||tensor5@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wild&SeB=m wild]||[[User:vild|Dan Printzell]]||[mailto:arch@vild.io arch@vild.io]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Xyne&SeB=m Xyne]||Xyne||ca . archlinux @ xyne, in reverse order<br />
|-<br />
|[https://aur.archlinux.org/packages?K=xyproto&SeB=m xyproto]||Alexander F. Rødseth||xyproto@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=yan12125&SeB=m yan12125]||[[User:Yan12125|Chih-Hsuan Yen]]||yan12125@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=zorun&SeB=m zorun]||Baptiste Jonglez||archlinux bitsofnetworks org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sudoforge&SeB=m sudoforge]||Ben Denhartog||cc86c55bf30c@sudoforge.com<br />
|}<br />
<br />
== Inactive Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
! E-Mail<br />
! Comments/Reference<br />
|-<br />
|}<br />
<br />
== Some Past Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
|-<br />
|[https://aur.archlinux.org/packages?K=abhidg&SeB=m abhidg]||Abhishek Dasgupta<br />
|-<br />
|[https://aur.archlinux.org/packages/?K=Alad&SeB=m alad]||[[User:Alad|Alad Wenter]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Allan&SeB=m Allan]||Allan McRae<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ambrevar&SeB=m Ambrevar]||[[User:Ambrevar|Pierre Neidhardt]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anders&SeB=m anders]||Anders Bergh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=angvp&SeB=m angvp]||[[User:Angvp|Angel Velásquez]]<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=arcanis arcanis]||Evgeniy Alekseev<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Atsutane&SeB=m Atsutane]||Thorsten Töpper<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bardo&SeB=m bardo]||Corrado Primier<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Barthalion&SeB=m Barthalion]||Bartłomiej Piotrowski<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ndr&SeB=m ndr]||Andrea Scarpino<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bfinch&SeB=m bfinch]||Bob Finch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bluewind&SeB=m Bluewind]||Florian Pritz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=brain0&SeB=m brain0]||Thomas Bächler<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bjorn&SeB=m bjorn]||[[User:Bjørn|Bjørn Lindeijer]]<br />
|- <br />
|[https://aur.archlinux.org/packages/?K=Cinelli&SeB=m cinelli] ||Federico Cinelli<br />
|-<br />
|[https://aur.archlinux.org/packages?K=codemac&SeB=m codemac]||Jeff Mickey<br />
|-<br />
|[https://aur.archlinux.org/packages?K=cmb&SeB=m cmb]||Chris Brannon<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Daenyth&SeB=m Daenyth]||Daenyth Blank<br />
|-<br />
|[https://aur.archlinux.org/packages?K=DaNiMoTh&SeB=m DaNiMoTh]||JJ. DaNiMoTh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dejari&SeB=m dejari]||Leslie P. Polzer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dsa&SeB=m dsa]||Douglas Soares de Andrade<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dtw&SeB=m dtw]||Phil Dillon-Thiselton<br />
|-<br />
|[https://aur.archlinux.org/packages?K=elasticdog&SeB=m elasticdog]||Aaron Bull Schaefer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=encelo&SeB=m encelo]||Angelo Theodorou<br />
|-<br />
|[https://aur.archlinux.org/packages?K=eschwartz&SeB=m eschwartz]||Eli Schwartz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=even&SeB=m even] ||Kessia Pinheiro<br />
|-<br />
|[https://aur.archlinux.org/packages?K=faidoc&SeB=m Faidoc]||Alexandre Filgueira<br />
|-<br />
|[https://aur.archlinux.org/packages?K=falconindy&SeB=m falconindy]||Dave Reisner<br />
|-<br />
|[https://aur.archlinux.org/packages?K=foutrelis&SeB=m foutrelis]||Evangelos Foutras<br />
|-<br />
|[https://aur.archlinux.org/packages?K=filoktetes&SeB=m filoktetes]||Robert Emil Berge<br />
|-<br />
|[https://aur.archlinux.org/packages?K=firmicus&SeB=m firmicus]||François Charette<br />
|-<br />
|[https://aur.archlinux.org/packages?K=flexiondotorg&SeB=m flexiondotorg]||Martin Wimpress<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ganja_guru&SeB=m ganja_guru]||Varun Acharya<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gcarrier&SeB=m gcarrier]||Geoffroy Carrier<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ghost1227&SeB=m Ghost1227]||Dan Griffiths<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=grazzolini grazzolini]||Giancarlo Razzolini<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gtmanfred&SeB=m gtmanfred]||Daniel Wallace<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gummibaerchen&SeB=m gummibaerchen]||Timm Preetz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=hdoria&SeB=m hdoria]||Hugo Doria<br />
|-<br />
|[https://aur.archlinux.org/packages?K=iphitus&SeB=m iphitus]||James Rayner<br />
|-<br />
|[https://aur.archlinux.org/packages?K=itsbrad212&SeB=m itsbrad212]||Brad Fanella<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kaitocracy&SeB=m kaitocracy]||Kaiting Chen<br />
|-<br />
|[https://aur.archlinux.org/packages?K=louipc&SeB=m louipc]||Loui Chang<br />
|-<br />
|[https://aur.archlinux.org/packages?K=mOLOk&SeB=m mOLOk]||Alessio Bolognino<br />
|-<br />
|[https://aur.archlinux.org/packages?K=nesl247&SeB=m nesl247]||Alex Heck<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Neverth&SeB=m Neverth]||Mikko Seppälä<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Partition&SeB=m Partition]||Mateusz Herych<br />
|-<br />
|[https://aur.archlinux.org/packages?K=petelewis&SeB=m petelewis]||Peter Lewis<br />
|-<br />
|[https://aur.archlinux.org/packages?K=PirateJonno&SeB=m PirateJonno]||Jonathan Conder<br />
|-<br />
|[https://aur.archlinux.org/packages?K=phrakture&SeB=m phrakture]||Aaron Griffin<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Pierre&SeB=m Pierre]||Pierre Schmitz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pizzapunk&SeB=m pizzapunk]||Alexander Fehr<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pjmattal&SeB=m pjmattal]||Paul Mattal<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pressh&SeB=m pressh]||Ronald van Haren<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ranguvar&SeB=m Ranguvar]||Devin Cofer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Romashka&SeB=m Romashka]||Roman Kyrylych<br />
|-<br />
|[https://aur.archlinux.org/packages?K=schivmeister&SeB=m schivmeister]||[[User:Schivmeister|Ray Rashif]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shastry&SeB=m shastry]||Vinay S Shastry<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Snowman&SeB=m Snowman]||Eric Bélanger<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shinlun&SeB=m shinlun]||Shinlun Hsieh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=speps&SeB=m speps]||SpepS<br />
|-<br />
|[https://aur.archlinux.org/packages?K=StefanHusmann&SeB=m StefanHusmann]||Stefan Husmann<br />
|-<br />
|[https://aur.archlinux.org/packages?K=STiAT&SeB=m STiAT]||Georg Grabler<br />
|-<br />
|[https://aur.archlinux.org/packages?K=swiergot&SeB=m swiergot]||Jaroslaw Swierczynski<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tardo&SeB=m tardo]||Shehzad Qureshi<br />
|-<br />
|[https://aur.archlinux.org/packages?K=td123&SeB=m td123]||Thomas Dziedzic<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thatch45&SeB=m thatch45]||Thomas S Hatch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thotypous&SeB=m thotypous]||Paulo Matias<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tredaelli&SeB=m tredaelli]||Timothy Redaelli<br />
|-<br />
|[https://aur.archlinux.org/packages?K=vegai&SeB=m vegai]||Vesa Kaihlavirta<br />
|-<br />
|[https://aur.archlinux.org/packages?K=voidnull&SeB=m voidnull]||Giovanni Scafora<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wizzomafizzo&SeB=m wizzomafizzo]||Callan Barrett<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wonder&SeB=m wonder]|| Ionut Biru<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Xilon&SeB=m Xilon]||Sebastian Nowicki<br />
|-<br />
|[https://aur.archlinux.org/packages?K=xterminus&SeB=m xterminus]||Charles Mauch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=zeus&SeB=m zeus]||Zhukov Pavel<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Dicebot&SeB=m Dicebot]||Mihails Strasuns<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thestinger&SeB=m thestinger]||Daniel Micay<br />
|}</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=Package_Maintainers&diff=724861Package Maintainers2022-03-31T04:29:22Z<p>Sudoforge: add active trusted user: sudoforge</p>
<hr />
<div>[[Category:Arch development]]<br />
[[Category:Teams]]<br />
[[es:Trusted Users]]<br />
[[fr:Trusted Users]]<br />
[[ja:Trusted Users]]<br />
[[pt:Trusted Users]]<br />
[[zh-hans:Trusted Users]]<br />
The [https://archlinux.org/people/trusted-users/ Trusted Users] serve the following purposes:<br />
# Maintain the ''community'' repository as an intermediary between Arch Linux's [[official repositories]] and the unsupported package collection in the [[AUR]].<br />
# Maintain, manage, and watch over the operation of the [[AUR]].<br />
<br />
== How do I become a TU? ==<br />
<br />
The ''minimum'' requirements to becoming a TU are as follows:<br />
* know basic shell scripting<br />
* maintain a few packages in AUR with clean, high-quality PKGBUILDs<br />
* basic community involvement (mailing list, forums, IRC)<br />
* know Google-Fu<br />
* a general idea of the kind of packages you want to maintain (basically, why do you want to become TU?)<br />
<br />
Even though you could become a TU by merely fulfilling those minimum requirements, the people judging you during the [https://aur.archlinux.org/trusted-user/TUbylaws.html#_standard_voting_procedure standard voting procedure] might expect more from you. Such as:<br />
* involvement in the bug tracker (reporting, research, info)<br />
* patches for Arch projects<br />
* involvement in a few open-source projects (even if they are your own)<br />
<br />
If you still feel up to becoming a TU after reading these lines, the first step is to find two TUs who agree to sponsor you. Once sponsored, you should write a witty application signed with your GPG key to the [https://lists.archlinux.org/listinfo/aur-general aur-general mailing list].<br />
<br />
{{Note|Should a TU you contact decline to sponsor your application, you should make this fact known if you seek sponsorship from another TU.}}<br />
<br />
For more information, see the [https://aur.archlinux.org/trusted-user/TUbylaws.html Trusted User Bylaws], [[Trusted Users Bylaw Amendment]] and [[AUR Trusted User Guidelines]].<br />
<br />
== Active Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
! E-Mail<br />
|-<br />
|[https://aur.archlinux.org/packages/?K=ainola&SeB=m ainola]||Brett Cornwall||nvabyn@nepuyvahk.bet (rot13)<br />
|-<br />
|[https://aur.archlinux.org/packages?K=alerque&SeB=m alerque]||Caleb Maclennan||caleb@alerque.com<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=M&K=alex19EP alex19EP]||Alexander Epaneshnikov||alex19ep@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=alucryd&SeB=m alucryd]||Maxime Gauduin||alucryd@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anatolik&SeB=m anatolik]||Anatol Pomozov||anatol dot pomozov + arch at gmail<br />
|-<br />
|[https://aur.archlinux.org/packages?K=andrewSC&SeB=m andrewSC]||Andrew Crerar||andrew (at) crerar (dot) io<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anthraxx&SeB=m anthraxx]||[[User:anthraxx|Levente Polyak]]||anthraxx [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ArchangeGabriel&SeB=m ArchangeGabriel]||Bruno Pagani||archange@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=artafinde artafinde]||Leonidas Spyropoulos||artafinde (at) gmail (dot) com<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=arojas arojas]||Antonio Rojas||arojas@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=bastelfreak bastelfreak]||Tim Meusel||bastelfreak@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=BlackIkeEagle&SeB=m BlackIkeEagle]||[[User:BlackEagle|Ike Devolder]]||ike DOT devolder AT gmail DOT com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=City-busz&SeB=m City-busz]||[[User:City-busz|Balló György]]||ballogyor+arch at gmail dot com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=coderobe&SeB=m coderobe]||Mara Robin Broda||coderobe at arch linux org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ConnorBehan&SeB=m ConnorBehan]||Connor Behan||connor.behan@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=lfleischer&SeB=m lfleischer]||Lukas Fleischer||lfleischer at archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=eworm&SeB=m eworm]||Christian Hesse||mail@eworm.de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=daurnimator&SeB=m daurnimator]||Daurnimator||quae at daurnimator com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dbermond&SeB=m dbermond]||Daniel Bermond||gmail-com: danielbermond<br />
|-<br />
|[https://aur.archlinux.org/packages?K=demize&SeB=m demize]||[[User:Kyrias|Johannes Löthberg]]||johannes@kyriasis.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=diabonas&SeB=m diabonas]||[[User:Diabonas|Jonas Witschel]]||diabonas@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Dragonlord&SeB=m Dragonlord]||[[User:Drag0nl0rd|Jaroslav Lichtblau]]||svetlemodry @ archlinux org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dvzrv&SeB=m dvzrv]||[[User:Davezerave|David Runge]]|| dave@sleepmap.de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=escondida&SeB=m escondida]||Ivy Foster||code @ escondida dot tk<br />
|-<br />
|[https://aur.archlinux.org/packages?K=farseerfc&SeB=m farseerfc]||Jiachen Yang||farseerfc[at]gmail[dot]com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=felixonmars&SeB=m felixonmars]||Felix Yan||felixonmars@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=FFY00&SeB=m FFY00]||Filipe Laíns||[mailto:lains@archlinux.org lains@archlinux.org]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Foxboron&SeB=m Foxboron]||Morten Linderud||foxboron@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=foxxx0&SeB=m foxxx0]||Thore Bödecker||me [at] foxxx0 [dot] de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=freswa&SeB=m freswa]||Frederik Schwan||freswa at archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=grawlinson&SeB=m grawlinson]||[[User:Grawlinson|George Rawlinson]]||george@rawlinson.net.nz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=giniu&SeB=m giniu]||[[User:giniu|Andrzej Giniewicz]]||gginiu@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=heftig&SeB=m heftig]||Jan Alexander Steffens||jan.steffens@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=hashworks&SeB=m hashworks]||Justin Kromlinger||hashworks@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jelly&SeB=m jelly]||Jelle van der Waa|| jelle vdwaa nl<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jleclanche&SeB=m jleclanche]||[[User:jleclanche|Jerome Leclanche]]||jerome''@''leclan''.''ch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=jsteel&SeB=m jsteel]||Jonathan Steel||jsteel at aur.archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kgizdov&SeB=m kgizdov]||Konstantin Gizdov||arch@kge.pw<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kpcyrd&SeB=m kpcyrd]||kpcyrd||git@rxv.cc<br />
|-<br />
|[https://aur.archlinux.org/packages?K=keenerd&SeB=m keenerd]||Kyle Keen||keenerd@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=lordheavy&SeB=m Lordheavy]||[[User:Lordheavy|Laurent Carlier]]||lordheavym at gmail com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=maximbaz&SeB=m maximbaz]||Maxim Baz||archlinux at maximbaz dot com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Morganamilo&SeB=m Morganamilo]||Morgan Adamiec||morganamilo@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=mtorromeo&SeB=m mtorromeo]||Massimiliano Torromeo||massimiliano.torromeo@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Muflone&SeB=m Muflone]||Fabio Castelli||muflone (at) archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=NicoHood&SeB=m NicoHood]||NicoHood||archlinux (cat) nicohood (dog) de<br />
|-<br />
|[https://aur.archlinux.org/packages?K=orhun&SeB=m orhun]||Orhun Parmaksız||orhun@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=polyzen&SeB=m polyzen]||Daniel M. Capella||polyzen@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=raster&SeB=m raster]||Carsten Haitzler||raster@rasterman.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=rgacogne&SeB=m rgacogne]||Remi Gacogne||rgacogne @ archlinux dot org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sangy&SeB=m sangy]||Santiago Torres-Arias|| santiago @ archlinux ⇶ org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=schuay&SeB=m schuay]||Jakob Gruber||jakob.gruber@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=seblu&SeB=m seblu]||Sébastien Luttringer||s е b l u ''at'' a r c h l і n ux ''dot'' o r g<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Segaja&SeB=m Segaja]||Andreas Schleifer||segaja [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sergej&SeB=m sergej]||[[User:Sergej|Sergej Pupykin]]||pupykin.s+arch@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shibumi&SeB=m shibumi]||[[User:shibumi|Christian Rebischke]]||Chris.Rebischke [at] archlinux [dot] org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=stativ&SeB=m stativ]||Lukas Jirkovsky||l.jirkovsky strange_curved_character gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=svenstaro&SeB=m svenstaro]||[[User:svenstaro|Sven-Hendrik Haase]]||sven@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tensor5&SeB=m tensor5]||Nicola Squartini||tensor5@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wild&SeB=m wild]||[[User:vild|Dan Printzell]]||[mailto:arch@vild.io arch@vild.io]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Xyne&SeB=m Xyne]||Xyne||ca . archlinux @ xyne, in reverse order<br />
|-<br />
|[https://aur.archlinux.org/packages?K=xyproto&SeB=m xyproto]||Alexander F. Rødseth||xyproto@archlinux.org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=yan12125&SeB=m yan12125]||[[User:Yan12125|Chih-Hsuan Yen]]||yan12125@gmail.com<br />
|-<br />
|[https://aur.archlinux.org/packages?K=zorun&SeB=m zorun]||Baptiste Jonglez||archlinux bitsofnetworks org<br />
|-<br />
|[https://aur.archlinux.org/packages?K=sudoforge&SeB=m sudoforge]||Ben Denhartog||2701a12b7dfa@sudoforge.com<br />
|}<br />
<br />
== Inactive Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
! E-Mail<br />
! Comments/Reference<br />
|-<br />
|}<br />
<br />
== Some Past Trusted Users ==<br />
<br />
{| class="wikitable"<br />
! Nick<br />
! Name<br />
|-<br />
|[https://aur.archlinux.org/packages?K=abhidg&SeB=m abhidg]||Abhishek Dasgupta<br />
|-<br />
|[https://aur.archlinux.org/packages/?K=Alad&SeB=m alad]||[[User:Alad|Alad Wenter]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Allan&SeB=m Allan]||Allan McRae<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ambrevar&SeB=m Ambrevar]||[[User:Ambrevar|Pierre Neidhardt]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=anders&SeB=m anders]||Anders Bergh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=angvp&SeB=m angvp]||[[User:Angvp|Angel Velásquez]]<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=arcanis arcanis]||Evgeniy Alekseev<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Atsutane&SeB=m Atsutane]||Thorsten Töpper<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bardo&SeB=m bardo]||Corrado Primier<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Barthalion&SeB=m Barthalion]||Bartłomiej Piotrowski<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ndr&SeB=m ndr]||Andrea Scarpino<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bfinch&SeB=m bfinch]||Bob Finch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bluewind&SeB=m Bluewind]||Florian Pritz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=brain0&SeB=m brain0]||Thomas Bächler<br />
|-<br />
|[https://aur.archlinux.org/packages?K=bjorn&SeB=m bjorn]||[[User:Bjørn|Bjørn Lindeijer]]<br />
|- <br />
|[https://aur.archlinux.org/packages/?K=Cinelli&SeB=m cinelli] ||Federico Cinelli<br />
|-<br />
|[https://aur.archlinux.org/packages?K=codemac&SeB=m codemac]||Jeff Mickey<br />
|-<br />
|[https://aur.archlinux.org/packages?K=cmb&SeB=m cmb]||Chris Brannon<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Daenyth&SeB=m Daenyth]||Daenyth Blank<br />
|-<br />
|[https://aur.archlinux.org/packages?K=DaNiMoTh&SeB=m DaNiMoTh]||JJ. DaNiMoTh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dejari&SeB=m dejari]||Leslie P. Polzer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dsa&SeB=m dsa]||Douglas Soares de Andrade<br />
|-<br />
|[https://aur.archlinux.org/packages?K=dtw&SeB=m dtw]||Phil Dillon-Thiselton<br />
|-<br />
|[https://aur.archlinux.org/packages?K=elasticdog&SeB=m elasticdog]||Aaron Bull Schaefer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=encelo&SeB=m encelo]||Angelo Theodorou<br />
|-<br />
|[https://aur.archlinux.org/packages?K=eschwartz&SeB=m eschwartz]||Eli Schwartz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=even&SeB=m even] ||Kessia Pinheiro<br />
|-<br />
|[https://aur.archlinux.org/packages?K=faidoc&SeB=m Faidoc]||Alexandre Filgueira<br />
|-<br />
|[https://aur.archlinux.org/packages?K=falconindy&SeB=m falconindy]||Dave Reisner<br />
|-<br />
|[https://aur.archlinux.org/packages?K=foutrelis&SeB=m foutrelis]||Evangelos Foutras<br />
|-<br />
|[https://aur.archlinux.org/packages?K=filoktetes&SeB=m filoktetes]||Robert Emil Berge<br />
|-<br />
|[https://aur.archlinux.org/packages?K=firmicus&SeB=m firmicus]||François Charette<br />
|-<br />
|[https://aur.archlinux.org/packages?K=flexiondotorg&SeB=m flexiondotorg]||Martin Wimpress<br />
|-<br />
|[https://aur.archlinux.org/packages?K=ganja_guru&SeB=m ganja_guru]||Varun Acharya<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gcarrier&SeB=m gcarrier]||Geoffroy Carrier<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ghost1227&SeB=m Ghost1227]||Dan Griffiths<br />
|-<br />
|[https://aur.archlinux.org/packages/?SeB=m&K=grazzolini grazzolini]||Giancarlo Razzolini<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gtmanfred&SeB=m gtmanfred]||Daniel Wallace<br />
|-<br />
|[https://aur.archlinux.org/packages?K=gummibaerchen&SeB=m gummibaerchen]||Timm Preetz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=hdoria&SeB=m hdoria]||Hugo Doria<br />
|-<br />
|[https://aur.archlinux.org/packages?K=iphitus&SeB=m iphitus]||James Rayner<br />
|-<br />
|[https://aur.archlinux.org/packages?K=itsbrad212&SeB=m itsbrad212]||Brad Fanella<br />
|-<br />
|[https://aur.archlinux.org/packages?K=kaitocracy&SeB=m kaitocracy]||Kaiting Chen<br />
|-<br />
|[https://aur.archlinux.org/packages?K=louipc&SeB=m louipc]||Loui Chang<br />
|-<br />
|[https://aur.archlinux.org/packages?K=mOLOk&SeB=m mOLOk]||Alessio Bolognino<br />
|-<br />
|[https://aur.archlinux.org/packages?K=nesl247&SeB=m nesl247]||Alex Heck<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Neverth&SeB=m Neverth]||Mikko Seppälä<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Partition&SeB=m Partition]||Mateusz Herych<br />
|-<br />
|[https://aur.archlinux.org/packages?K=petelewis&SeB=m petelewis]||Peter Lewis<br />
|-<br />
|[https://aur.archlinux.org/packages?K=PirateJonno&SeB=m PirateJonno]||Jonathan Conder<br />
|-<br />
|[https://aur.archlinux.org/packages?K=phrakture&SeB=m phrakture]||Aaron Griffin<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Pierre&SeB=m Pierre]||Pierre Schmitz<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pizzapunk&SeB=m pizzapunk]||Alexander Fehr<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pjmattal&SeB=m pjmattal]||Paul Mattal<br />
|-<br />
|[https://aur.archlinux.org/packages?K=pressh&SeB=m pressh]||Ronald van Haren<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Ranguvar&SeB=m Ranguvar]||Devin Cofer<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Romashka&SeB=m Romashka]||Roman Kyrylych<br />
|-<br />
|[https://aur.archlinux.org/packages?K=schivmeister&SeB=m schivmeister]||[[User:Schivmeister|Ray Rashif]]<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shastry&SeB=m shastry]||Vinay S Shastry<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Snowman&SeB=m Snowman]||Eric Bélanger<br />
|-<br />
|[https://aur.archlinux.org/packages?K=shinlun&SeB=m shinlun]||Shinlun Hsieh<br />
|-<br />
|[https://aur.archlinux.org/packages?K=speps&SeB=m speps]||SpepS<br />
|-<br />
|[https://aur.archlinux.org/packages?K=StefanHusmann&SeB=m StefanHusmann]||Stefan Husmann<br />
|-<br />
|[https://aur.archlinux.org/packages?K=STiAT&SeB=m STiAT]||Georg Grabler<br />
|-<br />
|[https://aur.archlinux.org/packages?K=swiergot&SeB=m swiergot]||Jaroslaw Swierczynski<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tardo&SeB=m tardo]||Shehzad Qureshi<br />
|-<br />
|[https://aur.archlinux.org/packages?K=td123&SeB=m td123]||Thomas Dziedzic<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thatch45&SeB=m thatch45]||Thomas S Hatch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thotypous&SeB=m thotypous]||Paulo Matias<br />
|-<br />
|[https://aur.archlinux.org/packages?K=tredaelli&SeB=m tredaelli]||Timothy Redaelli<br />
|-<br />
|[https://aur.archlinux.org/packages?K=vegai&SeB=m vegai]||Vesa Kaihlavirta<br />
|-<br />
|[https://aur.archlinux.org/packages?K=voidnull&SeB=m voidnull]||Giovanni Scafora<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wizzomafizzo&SeB=m wizzomafizzo]||Callan Barrett<br />
|-<br />
|[https://aur.archlinux.org/packages?K=wonder&SeB=m wonder]|| Ionut Biru<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Xilon&SeB=m Xilon]||Sebastian Nowicki<br />
|-<br />
|[https://aur.archlinux.org/packages?K=xterminus&SeB=m xterminus]||Charles Mauch<br />
|-<br />
|[https://aur.archlinux.org/packages?K=zeus&SeB=m zeus]||Zhukov Pavel<br />
|-<br />
|[https://aur.archlinux.org/packages?K=Dicebot&SeB=m Dicebot]||Mihails Strasuns<br />
|-<br />
|[https://aur.archlinux.org/packages?K=thestinger&SeB=m thestinger]||Daniel Micay<br />
|}</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=General_recommendations&diff=687339General recommendations2021-07-09T13:39:34Z<p>Sudoforge: /* Package management */ change verbiage regarding familiarization with pacman to be a bit less totalitarian, and more reader-friendly</p>
<hr />
<div>[[Category:System administration]]<br />
[[ar:General recommendations]]<br />
[[bs:General recommendations]]<br />
[[cs:General recommendations]]<br />
[[el:General recommendations]]<br />
[[es:General recommendations]]<br />
[[fa:توصیههای عمومی]]<br />
[[fr:General recommendations]]<br />
[[it:General recommendations]]<br />
[[ja:一般的な推奨事項]]<br />
[[ko:General recommendations]]<br />
[[lt:General recommendations]]<br />
[[pl:General recommendations]]<br />
[[pt:General recommendations]]<br />
[[ru:General recommendations]]<br />
[[tr:General recommendations]]<br />
[[uk:General recommendations]]<br />
[[zh-hans:General recommendations]]<br />
[[zh-hant:General recommendations]]<br />
{{Related articles start}}<br />
{{Related|Frequently asked questions}}<br />
{{Related|Installation guide}}<br />
{{Related|List of applications}}<br />
{{Related articles end}}<br />
<br />
This document is an annotated index of popular articles and important information for improving and adding functionalities to the installed Arch system. Readers are assumed to have read and followed the [[Installation guide]] to obtain a basic Arch Linux installation. Having read and understood the concepts explained in [[#System administration]] and [[#Package management]] is ''required'' for following the other sections of this page and the other articles in the wiki.<br />
<br />
== System administration ==<br />
<br />
This section deals with administrative tasks and system management. See [[Core utilities]] and [[:Category:System administration]] for more.<br />
<br />
=== Users and groups ===<br />
<br />
A new installation leaves you with only the [[Wikipedia:Superuser|superuser]] account, better known as "root". Logging in as root for prolonged periods of time, possibly even exposing it via [[SSH]] on a server, [https://apple.stackexchange.com/questions/192365/is-it-ok-to-use-the-root-user-as-a-normal-user/192422#192422 is insecure]. Instead, you should create and use unprivileged user account(s) for most tasks, only using the root account for system administration. See [[Users and groups#User management]] for details.<br />
<br />
Users and groups are a mechanism for ''access control''; administrators may fine-tune group membership and ownership to grant or deny users and services access to system resources. Read the [[Users and groups]] article for details and potential security risks.<br />
<br />
=== Privilege elevation ===<br />
<br />
The following command line utilities allow running commands or starting an interactive shell as another user (e.g. root).<br />
<br />
* {{App|[[su]]|Allows to assume the identity of another user as long as you know the target user's password. root can assume other identities without needing a password.|https://github.com/karelzak/util-linux|{{Pkg|util-linux}} (a dependency of {{Pkg|base}})}}<br />
* {{App|[[sudo]]|Allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. In default configuration only usable by root .|https://www.sudo.ws/sudo/|{{Pkg|sudo}}}}<br />
* {{App|{{man|1|pkexec}}|A [[Polkit]] application that allows an authorized user to run commands or an interactive shell as another user. Configured using Polkit rules.|https://gitlab.freedesktop.org/polkit/polkit/|{{Pkg|polkit}}}}<br />
* {{App|[[Wikipedia:doas|doas]]|A smaller, simpler alternative to ''sudo''.|https://github.com/Duncaen/OpenDoas|{{Pkg|opendoas}}}}<br />
<br />
=== Service management ===<br />
<br />
Arch Linux uses [[systemd]] as the [[init]] process, which is a system and service manager for Linux. For maintaining your Arch Linux installation, it is a good idea to learn the basics about it. Interaction with ''systemd'' is done through the ''systemctl'' command. Read [[systemd#Basic systemctl usage]] for more information.<br />
<br />
=== System maintenance ===<br />
<br />
Arch is a rolling release system and has rapid package turnover, so users have to take some time to do [[system maintenance]]. Read [[Security]] for recommendations and best practices on hardening the system.<br />
<br />
== Package management ==<br />
<br />
This section contains helpful information related to package management. See [[FAQ#Package management]] and [[:Category:Package management]] for more.<br />
<br />
{{Note|It is imperative to keep up to date with changes in Arch Linux that require manual intervention '''before''' upgrading your system. Subscribe to the [https://mailman.archlinux.org/mailman/listinfo/arch-announce/ arch-announce mailing list] or the [https://archlinux.org/feeds/news/ recent news RSS feed]. Alternatively, check the front page [https://archlinux.org/ Arch news] every time before you update.}}<br />
<br />
=== pacman ===<br />
<br />
[[pacman]] is the Arch Linux ''pac''kage ''man''ager: it is highly encouraged to become familiar with it before reading any other articles.<br />
<br />
See [[pacman/Tips and tricks]] for suggestions on how to improve your interaction with ''pacman'' and package management in general.<br />
<br />
=== Repositories ===<br />
<br />
See the [[Official repositories]] article for details about the purpose of each officially maintained repository.<br />
<br />
If you plan on using 32-bit applications, you will want to enable the [[multilib]] repository. <br />
<br />
The [[Unofficial user repositories]] article lists several other unsupported repositories.<br />
<br />
You may consider installing the [[pkgstats]] service.<br />
<br />
=== Mirrors ===<br />
<br />
Visit the [[Mirrors]] article for steps on taking full advantage of using the fastest and most up to date mirrors of the official repositories. As explained in the article, a particularly good advice is to routinely check the [https://archlinux.org/mirrors/status/ Mirror Status] page for a list of mirrors that have been recently synced.<br />
<br />
=== Arch Build System ===<br />
<br />
''Ports'' is a system initially used by BSD distributions consisting of build scripts that reside in a directory tree on the local system. Simply put, each port contains a script within a directory intuitively named after the installable third-party application.<br />
<br />
The [[Arch Build System]] offers the same functionality by providing build scripts called [[PKGBUILD]]s, which are populated with information for a given piece of software: integrity hashes, project URL, version, license and build instructions. These PKGBUILDs are parsed by [[makepkg]], the actual program that generates packages that are cleanly manageable by ''pacman''.<br />
<br />
Every package in the repositories along with those present in the AUR are subject to recompilation with ''makepkg''.<br />
<br />
=== Arch User Repository ===<br />
<br />
While the Arch Build System allows the ability of building software available in the official repositories, the [[Arch User Repository]] (AUR) is the equivalent for user submitted packages. It is an unsupported repository of build scripts accessible through the [https://aur.archlinux.org/ web interface] or through the [[Aurweb RPC interface]].<br />
<br />
== Booting ==<br />
<br />
This section contains information pertaining to the boot process. An overview of the Arch boot process can be found at [[Arch boot process]]. See [[:Category:Boot process]] for more.<br />
<br />
=== Hardware auto-recognition ===<br />
<br />
Hardware should be auto-detected by [[udev]] during the boot process by default. A potential improvement in boot time can be achieved by disabling module auto-loading and specifying required modules manually, as described in [[Kernel modules]]. Additionally, [[Xorg]] should be able to auto-detect required drivers using {{ic|udev}}, but users have the option to configure the X server manually too.<br />
<br />
=== Microcode ===<br />
<br />
Processors may have [https://www.anandtech.com/show/8376/intel-disables-tsx-instructions-erratum-found-in-haswell-haswelleep-broadwelly faulty behaviour], which the kernel can correct by updating the ''microcode'' on startup. See [[Microcode]] for details.<br />
<br />
=== Retaining boot messages ===<br />
<br />
Once it concludes, the screen is cleared and the login prompt appears, leaving users unable to gather feedback from the boot process. [[Disable clearing of boot messages]] to overcome this limitation.<br />
<br />
=== Num Lock activation ===<br />
<br />
[[Wikipedia:Num Lock|Num Lock]] is a toggle key found in most keyboards. For activating Num Lock's number key-assignment during startup, see [[Activating numlock on bootup]].<br />
<br />
== Graphical user interface ==<br />
<br />
This section provides orientation for users wishing to run graphical applications on their system. See [[:Category:Graphical user interfaces]] for additional resources.<br />
<br />
=== Display server ===<br />
<br />
[[Xorg]] is the public, open-source implementation of the [[Wikipedia:X Window System|X Window System]] (commonly X11, or X). It is required for running applications with graphical user interfaces (GUIs), and the majority of users will want to install it.<br />
<br />
[[Wayland]] is a newer, alternative display server protocol and the Weston reference implementation is available.<br />
<br />
=== Display drivers ===<br />
<br />
The default ''modesetting'' display driver will work with most video cards, but performance may be improved and additional features harnessed by installing the appropriate driver for [[Xorg#AMD|AMD]] or [[NVIDIA]] products.<br />
<br />
=== Desktop environments ===<br />
<br />
Although Xorg provides the basic framework for building a graphical environment, additional components may be considered necessary for a complete user experience. [[Desktop environment]]s such as [[GNOME]], [[KDE]], [[LXDE]], and [[Xfce]] bundle together a wide range of ''X clients'', such as a window manager, panel, file manager, terminal emulator, text editor, icons, and other utilities. Users with less experience may wish to install a desktop environment for a more familiar environment. See [[:Category:Desktop environments]] for additional resources.<br />
<br />
=== Window managers ===<br />
<br />
A full-fledged desktop environment provides a complete and consistent graphical user interface, but tends to consume a considerable amount of system resources. Users seeking to maximize performance or otherwise simplify their environment may opt to install a [[window manager]] alone and hand-pick desired extras. Most desktop environments allow use of an alternative window manager as well. [[:Category:Dynamic WMs|Dynamic]], [[:Category:Stacking WMs|stacking]], and [[:Category:Tiling WMs|tiling]] window managers differ in their handling of window placement.<br />
<br />
=== Display manager ===<br />
<br />
Most desktop environments include a [[display manager]] for automatically starting the graphical environment and managing user logins. Users without a desktop environment can install one separately. Alternatively you may [[start X at login]] as a simple alternative to a display manager.<br />
<br />
=== User directories ===<br />
<br />
Well-known user directories like Downloads or Music are created by the {{ic|xdg-user-dirs-update.service}} user service, that is provided by {{Pkg|xdg-user-dirs}} and enabled by default upon install. If your desktop environment or window manager does not pull in the package, you can [[install]] it and run {{ic|xdg-user-dirs-update}} manually as per [[XDG user directories#Creating default directories]].<br />
<br />
== Power management ==<br />
<br />
This section may be of use to laptop owners or users otherwise seeking power management controls. See [[:Category:Power management]] for more.<br />
<br />
See [[Power management]] for more general overview.<br />
<br />
=== ACPI events ===<br />
<br />
Users can configure how the system reacts to ACPI events such as pressing the power button or closing a laptop's lid. For the new (recommended) method using [[systemd]], see [[Power management#Power management with systemd|Power management with systemd]]. For the old method, see [[acpid]].<br />
<br />
=== CPU frequency scaling ===<br />
<br />
Modern processors can decrease their frequency and voltage to reduce heat and power consumption. Less heat leads to more quiet system and prolongs the life of hardware. See [[CPU frequency scaling]] for details.<br />
<br />
=== Laptops ===<br />
<br />
For articles related to portable computing along with model-specific installation guides, please see [[:Category:Laptops]]. For a general overview of laptop-related articles and recommendations, see [[Laptop]].<br />
<br />
=== Suspend and hibernate ===<br />
<br />
See main article: [[Power management/Suspend and hibernate]].<br />
<br />
== Multimedia ==<br />
<br />
[[:Category:Multimedia]] includes additional resources.<br />
<br />
=== Sound system ===<br />
<br />
[[ALSA]] is a kernel [[sound system]] that should work out the box (it just needs to be [[Advanced Linux Sound Architecture#Unmuting the channels|unmuted]]). [[Sound server]]s such as [[PulseAudio]] and [[PipeWire]] can offer additional features and support more complex audio configuration.<br />
<br />
See [[Professional audio]] for advanced audio requirements.<br />
<br />
== Networking ==<br />
<br />
This section is confined to small networking procedures. See [[Network configuration]] for a full configuration guide and [[:Category:Networking]] for related articles.<br />
<br />
=== Clock synchronization ===<br />
<br />
The [[Wikipedia:Network Time Protocol|Network Time Protocol]] (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. See [[Time synchronization]] for implementations of such protocol.<br />
<br />
=== DNS security ===<br />
<br />
For better security while browsing the web, paying online, connecting to [[SSH]] services and similar tasks consider using [[DNSSEC]]-enabled [[DNS resolver]] that can validate signed [[Wikipedia:Domain Name System|DNS]] records, and an encrypted protocol such as [[Wikipedia:DNS over TLS|DNS over TLS]], [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] or [[Wikipedia:DNSCrypt|DNSCrypt]]. See [[Domain name resolution]] for details.<br />
<br />
=== Setting up a firewall ===<br />
<br />
A firewall can provide an extra layer of protection on top of the Linux networking stack. While the stock Arch kernel is capable of using [[Wikipedia:Netfilter|Netfilter]]'s [[iptables]] and [[nftables]], neither are enabled by default. It is highly recommended to set up some form of firewall. See [[:Category:Firewalls]] for available guides.<br />
<br />
=== Network shares ===<br />
<br />
To share files among the machines in a network, follow the [[NFS]] or the [[SSHFS]] article.<br />
<br />
Use [[Samba]] to join a Windows network. To configure the machine to use Active Directory for authentication, read [[Active Directory integration]].<br />
<br />
See also [[:Category:Network sharing]].<br />
<br />
== Input devices ==<br />
<br />
This section contains popular input device configuration tips. See [[:Category:Input devices]] for more.<br />
<br />
=== Keyboard layouts ===<br />
<br />
Non-English or otherwise non-standard keyboards may not function as expected by default. The necessary steps to configure the keymap are different for virtual console and [[Xorg]], they are described in [[Keyboard configuration in console]] and [[Keyboard configuration in Xorg]] respectively.<br />
<br />
=== Mouse buttons ===<br />
<br />
Owners of advanced or unusual mice may find that not all mouse buttons are recognized by default, or may wish to assign different actions for extra buttons. Instructions can be found in [[Mouse buttons]].<br />
<br />
=== Laptop touchpads ===<br />
<br />
Many laptops use [https://www.synaptics.com/ Synaptics] or [https://www.alps.com/ ALPS] "touchpad" pointing devices. For these, and several other touchpad models, you can use either the Synaptics input driver or libinput; see [[Touchpad Synaptics]] and [[libinput]] for installation and configuration details.<br />
<br />
=== TrackPoints ===<br />
<br />
See the [[TrackPoint]] article to configure your TrackPoint device.<br />
<br />
== Optimization ==<br />
<br />
This section aims to summarize tweaks, tools and available options useful to improve system and application performance.<br />
<br />
=== Benchmarking ===<br />
<br />
[[Benchmarking]] is the act of measuring performance and comparing the results to another system's results or a widely accepted standard through a unified procedure.<br />
<br />
=== Improving performance ===<br />
<br />
The [[Improving performance]] article gathers information and is a basic rundown about gaining performance in Arch Linux.<br />
<br />
=== Solid state drives ===<br />
<br />
The [[Solid State Drives]] article covers many aspects of solid state drives, including configuring them to maximize their lifetimes.<br />
<br />
== System services ==<br />
<br />
This section relates to [[daemons]].<br />
<br />
=== File index and search ===<br />
<br />
Most distributions have a ''locate'' command available to be able to quickly search files. Arch Linux provides several alternatives, see [[locate]] for details.<br />
<br />
[[List_of_applications/Utilities#File_searching|Desktop search engines]] provide a similar service, while better integrated into [[desktop environment]]s.<br />
<br />
=== Local mail delivery ===<br />
<br />
A default setup does not provide a way to synchronize mail. A list of mail delivery agents is available in the [[Mail server]] article.<br />
<br />
=== Printing ===<br />
<br />
[[CUPS]] is a standards-based, open source printing system developed by Apple. See [[:Category:Printers]] for printer-specific articles.<br />
<br />
== Appearance ==<br />
<br />
This section contains frequently-sought "eye candy" tweaks for an aesthetically pleasing Arch experience. See [[:Category:Eye candy]] for more.<br />
<br />
=== Fonts ===<br />
<br />
You may wish to install a set of TrueType fonts, as only unscalable bitmap fonts are included in a basic Arch system. There are several general-purpose [[Fonts#Families|font families]] providing large [[Wikipedia:Unicode|Unicode]] coverage and even [[Metric-compatible fonts|metric compatibility]] with fonts from other operating systems.<br />
<br />
A plethora of information on the subject can be found in the [[Fonts]] and [[Font configuration]] articles.<br />
<br />
If spending a significant amount of time working from the virtual console (i.e. outside an X server), users may wish to change the console font to improve readability; see [[Linux console#Fonts]].<br />
<br />
=== GTK and Qt themes ===<br />
<br />
A big part of the applications with a graphical interface for Linux systems are based on the [[GTK]] or the [[Qt]] toolkits. See those articles and [[Uniform look for Qt and GTK applications]] for ideas to improve the appearance of your installed programs and adapt it to your liking.<br />
<br />
== Console improvements ==<br />
<br />
This section applies to small modifications that improve console programs' practicality. See [[:Category:Command-line shells]] for more.<br />
<br />
=== Tab-completion enhancements ===<br />
<br />
It is recommended to properly set up extended [[Wikipedia:Command-line_completion|tab completion]] right away, as instructed in the article of your chosen shell.<br />
<br />
=== Aliases ===<br />
<br />
Aliasing a command, or a group thereof, is a way of saving time when using the console. This is specially helpful for repetitive tasks that do not need significant alteration to their parameters between executions. Common time-saving aliases can be found in [[Bash#Aliases]], which are easily portable to [[zsh]] as well.<br />
<br />
=== Alternative shells ===<br />
<br />
[[Bash]] is the shell that is installed by default in an Arch system. The live installation media, however, uses [[zsh]] with the {{Pkg|grml-zsh-config}} addon package. See [[Command-line shell#List of shells]] for more alternatives.<br />
<br />
=== Bash additions ===<br />
<br />
A list of miscellaneous Bash settings, history search and [[Readline]] macros is available in [[Bash#Tips and tricks]].<br />
<br />
=== Colored output ===<br />
<br />
This section is covered in [[Color output in console]].<br />
<br />
=== Compressed files ===<br />
<br />
Compressed files, or archives, are frequently encountered on a GNU/Linux system. [[Tar]] is one of the most commonly used archiving tools, and users should be familiar with its syntax (Arch Linux packages, for example, are simply {{Pkg|zstd}} compressed tarballs). See [[Archiving and compression]].<br />
<br />
=== Console prompt ===<br />
<br />
The console prompt ({{ic|PS1}}) can be customized to a great extent. See [[Bash/Prompt customization]] or [[Zsh#Prompts]] if using Bash or Zsh, respectively.<br />
<br />
=== Emacs shell ===<br />
<br />
Emacs is known for featuring options beyond the duties of regular text editing, one of these being a full shell replacement. Consult [[Emacs#Colored output issues]] for a fix regarding garbled characters that may result from enabling colored output.<br />
<br />
=== Mouse support ===<br />
<br />
Using a mouse with the console for copy-paste operations can be preferred over [[GNU Screen]]'s traditional copy mode. Refer to [[General purpose mouse]] for comprehensive directions. Note that you can already do this in [[terminal emulator]]s with the [[clipboard]].<br />
<br />
=== Session management ===<br />
<br />
Using terminal multiplexers like [[tmux]] or [[GNU Screen]], programs may be run under sessions composed of tabs and panes that can be detached at will, so when the user either kills the terminal emulator, terminates [[X]], or logs off, the programs associated with the session will continue to run in the background as long as the terminal multiplexer server is active. Interacting with the programs requires reattaching to the session.</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=User_talk:Aimilius&diff=530982User talk:Aimilius2018-07-25T20:29:32Z<p>Sudoforge: /* GnuPG */ add signature</p>
<hr />
<div>== GnuPG ==<br />
<br />
RE: https://wiki.archlinux.org/index.php?title=GnuPG&oldid=530641<br />
<br />
They were not detected on my system, which is why I included the bit I did. It was actually fairly difficult to find any documentation showing how to manually add the key.<br />
[[User:Sudoforge|Sudoforge]] ([[User talk:Sudoforge|talk]]) 20:29, 25 July 2018 (UTC)<br />
<br />
: I could not reproduce it, as my key is fine, it is not in sshcontrol and I use it regularly. Although if it works for you only after adding your keygrip to $GNUPGHOME/sshcontrol manually, it is worth adding that information.<br />
:[[User:Aimilius|Aimilius]] ([[User talk:Aimilius|talk]]) 18:57, 24 July 2018 (UTC)<br />
<br />
: After some digging in the GnuPG man pages, I found out that if you have your GnuPG key on a keycard (like me) the key is added implicitly to sshcontrol, so for me it works fine without anything in it. I assumed it would not matter how the user stores the key, but apparently it does. I added this information to the GnuPG page. Thanks for this information!<br />
: [[User:Aimilius|Aimilius]] ([[User talk:Aimilius|talk]]) 19:43, 25 July 2018 (UTC)<br />
<br />
: Yeah, I do not yet have a smartcard for my key, which is why it is not picked up automatically. I should be been explicit in explaining the reason behind my key not being added.<br />
: [[User:Sudoforge|Sudoforge]] ([[User talk:Sudoforge|talk]]) 19:53, 25 July 2018 (UTC)</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=User_talk:Aimilius&diff=530981User talk:Aimilius2018-07-25T20:28:58Z<p>Sudoforge: /* GnuPG */ remove extraneous newline</p>
<hr />
<div>== GnuPG ==<br />
<br />
RE: https://wiki.archlinux.org/index.php?title=GnuPG&oldid=530641<br />
<br />
They were not detected on my system, which is why I included the bit I did. It was actually fairly difficult to find any documentation showing how to manually add the key.<br />
<br />
{{Unsigned|02:38, 24 July 2018 (UTC)|Sudoforge}}<br />
<br />
: I could not reproduce it, as my key is fine, it is not in sshcontrol and I use it regularly. Although if it works for you only after adding your keygrip to $GNUPGHOME/sshcontrol manually, it is worth adding that information.<br />
:[[User:Aimilius|Aimilius]] ([[User talk:Aimilius|talk]]) 18:57, 24 July 2018 (UTC)<br />
<br />
: After some digging in the GnuPG man pages, I found out that if you have your GnuPG key on a keycard (like me) the key is added implicitly to sshcontrol, so for me it works fine without anything in it. I assumed it would not matter how the user stores the key, but apparently it does. I added this information to the GnuPG page. Thanks for this information!<br />
: [[User:Aimilius|Aimilius]] ([[User talk:Aimilius|talk]]) 19:43, 25 July 2018 (UTC)<br />
<br />
: Yeah, I do not yet have a smartcard for my key, which is why it is not picked up automatically. I should be been explicit in explaining the reason behind my key not being added.<br />
: [[User:Sudoforge|Sudoforge]] ([[User talk:Sudoforge|talk]]) 19:53, 25 July 2018 (UTC)</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=User_talk:Aimilius&diff=530970User talk:Aimilius2018-07-25T19:53:29Z<p>Sudoforge: /* GnuPG */ Fix signature indentation</p>
<hr />
<div>== GnuPG ==<br />
<br />
RE: https://wiki.archlinux.org/index.php?title=GnuPG&oldid=530641<br />
<br />
They were not detected on my system, which is why I included the bit I did. It was actually fairly difficult to find any documentation showing how to manually add the key.<br />
<br />
{{Unsigned|02:38, 24 July 2018 (UTC)|Sudoforge}}<br />
<br />
: I could not reproduce it, as my key is fine, it is not in sshcontrol and I use it regularly. Although if it works for you only after adding your keygrip to $GNUPGHOME/sshcontrol manually, it is worth adding that information.<br />
:[[User:Aimilius|Aimilius]] ([[User talk:Aimilius|talk]]) 18:57, 24 July 2018 (UTC)<br />
<br />
: After some digging in the GnuPG man pages, I found out that if you have your GnuPG key on a keycard (like me) the key is added implicitly to sshcontrol, so for me it works fine without anything in it. I assumed it would not matter how the user stores the key, but apparently it does. I added this information to the GnuPG page. Thanks for this information!<br />
: [[User:Aimilius|Aimilius]] ([[User talk:Aimilius|talk]]) 19:43, 25 July 2018 (UTC)<br />
<br />
<br />
: Yeah, I do not yet have a smartcard for my key, which is why it is not picked up automatically. I should be been explicit in explaining the reason behind my key not being added.<br />
: [[User:Sudoforge|Sudoforge]] ([[User talk:Sudoforge|talk]]) 19:53, 25 July 2018 (UTC)</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=User_talk:Aimilius&diff=530969User talk:Aimilius2018-07-25T19:53:01Z<p>Sudoforge: /* GnuPG */</p>
<hr />
<div>== GnuPG ==<br />
<br />
RE: https://wiki.archlinux.org/index.php?title=GnuPG&oldid=530641<br />
<br />
They were not detected on my system, which is why I included the bit I did. It was actually fairly difficult to find any documentation showing how to manually add the key.<br />
<br />
{{Unsigned|02:38, 24 July 2018 (UTC)|Sudoforge}}<br />
<br />
: I could not reproduce it, as my key is fine, it is not in sshcontrol and I use it regularly. Although if it works for you only after adding your keygrip to $GNUPGHOME/sshcontrol manually, it is worth adding that information.<br />
:[[User:Aimilius|Aimilius]] ([[User talk:Aimilius|talk]]) 18:57, 24 July 2018 (UTC)<br />
<br />
: After some digging in the GnuPG man pages, I found out that if you have your GnuPG key on a keycard (like me) the key is added implicitly to sshcontrol, so for me it works fine without anything in it. I assumed it would not matter how the user stores the key, but apparently it does. I added this information to the GnuPG page. Thanks for this information!<br />
: [[User:Aimilius|Aimilius]] ([[User talk:Aimilius|talk]]) 19:43, 25 July 2018 (UTC)<br />
<br />
<br />
: Yeah, I do not yet have a smartcard for my key, which is why it is not picked up automatically. I should be been explicit in explaining the reason behind my key not being added.<br />
<br />
[[User:Sudoforge|Sudoforge]] ([[User talk:Sudoforge|talk]]) 19:53, 25 July 2018 (UTC)</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=GnuPG&diff=530944GnuPG2018-07-25T14:42:10Z<p>Sudoforge: /* Using a PGP key for SSH authentication */ Re-add usage for enable-ssh-support because it exists nowhere else in the article.</p>
<hr />
<div>[[Category:Encryption]]<br />
[[es:GnuPG]]<br />
[[ja:GnuPG]]<br />
[[ru:GnuPG]]<br />
[[pl:GnuPG]]<br />
[[zh-hans:GnuPG]]<br />
[[zh-hant:GnuPG]]<br />
{{Related articles start}}<br />
{{Related|pacman/Package signing}}<br />
{{Related|Disk encryption}}<br />
{{Related|List of applications/Security#Encryption, signing, steganography}}<br />
{{Related articles end}}<br />
<br />
According to the [https://www.gnupg.org/ official website]:<br />
<br />
:GnuPG is a complete and free implementation of the [http://openpgp.org/about/ OpenPGP] standard as defined by [https://tools.ietf.org/html/rfc4880 RFC4880] (also known as PGP). GnuPG allows you to encrypt and sign your data and communication. It features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|gnupg}} package.<br />
<br />
This will also install {{Pkg|pinentry}}, a collection of simple PIN or passphrase entry dialogs which GnuPG uses for passphrase entry. The shell script {{ic|/usr/bin/pinentry}} determines which ''pinentry'' dialog is used, in the order described at [[#pinentry]].<br />
<br />
If you want to use a graphical frontend or program that integrates with GnuPG, see [[List of applications/Security#Encryption, signing, steganography]].<br />
<br />
== Configuration ==<br />
<br />
=== Directory location ===<br />
{{ic|$GNUPGHOME}} is used by GnuPG to point to the directory where its configuration files are stored. By default {{ic|$GNUPGHOME}} is not set and your {{ic|$HOME}} is used instead; thus, you will find a {{ic|~/.gnupg}} directory right after installation. <br />
<br />
To change the default location, either run gpg this way {{ic|$ gpg --homedir ''path/to/file''}} or set the {{ic|GNUPGHOME}} [[environment variable]].<br />
<br />
=== Configuration files ===<br />
<br />
The default configuration files are {{ic|~/.gnupg/gpg.conf}} and {{ic|~/.gnupg/dirmngr.conf}}. <br />
<br />
By default, the gnupg directory has its [[permissions]] set to {{ic|700}} and the files it contains have their permissions set to {{ic|600}}. Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.<br />
<br />
Append to these files any long options you want. Do not write the two dashes, but simply the name of the option and required arguments. You will find skeleton files in {{ic|/usr/share/gnupg}}. These files are copied to {{ic|~/.gnupg}} the first time gpg is run if they do not exist there. Other examples are found in [[#See also]].<br />
<br />
Additionally, [[pacman]] uses a different set of configuration files for package signature verification. See [[Pacman/Package signing]] for details.<br />
<br />
=== Default options for new users ===<br />
<br />
If you want to setup some default options for new users, put configuration files in {{ic|/etc/skel/.gnupg/}}. When the new user is added in system, files from here will be copied to its GnuPG home directory. There is also a simple script called ''addgnupghome'' which you can use to create new GnuPG home directories for existing users:<br />
<br />
# addgnupghome user1 user2<br />
<br />
This will add the respective {{ic|/home/user1/.gnupg}} and {{ic|/home/user2/.gnupg}} and copy the files from the skeleton directory to it. Users with existing GnuPG home directory are simply skipped.<br />
<br />
== Usage ==<br />
<br />
{{Note|Whenever a ''{{ic|user-id}}'' is required in a command, it can be specified with your key ID, fingerprint, a part of your name or email address, etc. GnuPG is flexible on this.<br />
}}<br />
<br />
=== Create a key pair ===<br />
<br />
Generate a key pair by typing in a terminal:<br />
<br />
$ gpg --full-gen-key<br />
<br />
{{Tip|Use the {{ic|--expert}} option for getting alternative ciphers like [[wikipedia:Elliptic_curve_cryptography|ECC]].}}<br />
<br />
The command will prompt for answers to several questions. For general use most people will want: <br />
<br />
* the RSA (sign only) and a RSA (encrypt only) key.<br />
* a keysize of the default value (2048). A larger keysize of 4096 "gives us almost nothing, while costing us quite a lot"[https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096].<br />
* an expiration date. A period of a year is good enough for the average user. This way even if access is lost to the keyring, it will allow others to know that it is no longer valid. Later, if necessary, the expiration date can be extended without having to re-issue a new key.<br />
* your name and email address. You can add multiple identities to the same key later (''e.g.'', if you have multiple email addresses you want to associate with this key).<br />
* ''no'' optional comment. Since the semantics of the comment field are [https://lists.gnupg.org/pipermail/gnupg-devel/2015-July/030150.html not well-defined], it has limited value for identification.<br />
* [[Security#Choosing_secure_passwords|a secure passphrase]].<br />
<br />
{{Note|The name and email address you enter here will be seen by anybody who imports your key.}}<br />
<br />
=== List keys ===<br />
<br />
To list keys in your public key ring:<br />
<br />
$ gpg --list-keys<br />
<br />
To list keys in your secret key ring:<br />
<br />
$ gpg --list-secret-keys<br />
<br />
=== Export your public key ===<br />
<br />
gpg's main usage is to ensure confidentiality of exchanged messages via public-key cryptography. With it each user distributes the public key of their keyring, which can be be used by others to encrypt messages to the user. The private key must ''always'' be kept private, otherwise confidentiality is broken. See [[w:Public-key cryptography]] for examples about the message exchange. <br />
<br />
So, in order for others to send encrypted messages to you, they need your public key. <br />
<br />
To generate an ASCII version of a user's public key to file {{ic|''public.key''}} (e.g. to distribute it by e-mail):<br />
<br />
$ gpg --output ''public.key'' --armor --export ''user-id''<br />
<br />
Alternatively, or in addition, you can [[#Use a keyserver]] to share your key. <br />
<br />
{{Tip|Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.}}<br />
<br />
=== Import a public key ===<br />
<br />
In order to encrypt messages to others, as well as verify their signatures, you need their public key. To import a public key with file name {{ic|''public.key''}} to your public key ring:<br />
<br />
$ gpg --import ''public.key''<br />
<br />
Alternatively, [[#Use a keyserver]] to find a public key.<br />
<br />
=== Use a keyserver ===<br />
<br />
You can register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:<br />
<br />
$ gpg --send-keys ''user-id''<br />
<br />
{{Warning|Once a key has been submitted to a keyserver, it cannot be deleted from the server.[https://pgp.mit.edu/faq.html]}}<br />
<br />
To find out details of a key on the keyserver, without importing it, do:<br />
<br />
$ gpg --search-keys ''user-id''<br />
<br />
To import a key from a key server:<br />
<br />
$ gpg --recv-keys ''key-id''<br />
<br />
{{Warning|<br />
* You should verify the authenticity of the retrieved public key by comparing its fingerprint with one that the owner published on an independent source(s) (e.g., contacting the person directly). See [[Wikipedia:Public key fingerprint]] for more information.<br />
* Using a short ID may encounter collisions. All keys will be imported that have the short ID. To avoid this, use the full fingerprint or long key ID when receiving a key.[https://lkml.org/lkml/2016/8/15/445]}}<br />
{{Tip|<br />
* Adding {{ic|keyserver-options auto-key-retrieve}} to {{ic|gpg.conf}} will automatically fetch keys from the key server as needed. <br />
* An alternative key server is {{ic|pool.sks-keyservers.net}} and can be specified with {{ic|keyserver}} in {{ic|dirmngr.conf}}; see also [[wikipedia:Key server (cryptographic)#Keyserver examples]].<br />
* If your network blocks ports used for hkp/hkps, you may need to specify port 80, i.e. {{ic|pool.sks-keyservers.net:80}}<br />
* You can connect to the keyserver over [[Tor]] using {{ic|--use-tor}}. See this [https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html GnuPG blog post] for more information.<br />
* You can connect to a keyserver using a proxy by setting the {{ic|http_proxy}} environment variable and setting {{ic|honor-http-proxy}} in {{ic|dirmngr.conf}}. Alternatively, set {{ic|http-proxy ''host[:port]''}} in {{ic|dirmngr.conf}}, overriding the {{ic|http_proxy}} environment variable. [[Restart]] the {{ic|dirmngr.service}} [[systemd/User|user service]] for the changes to take effect.<br />
* If you wish to import a key ID to install a specific Arch Linux package, see [[pacman/Package signing#Managing the keyring]] and [[Makepkg#Signature checking]].}}<br />
<br />
=== Encrypt and decrypt ===<br />
<br />
==== Asymmetric ====<br />
You need to [[#Import a public key]] of a user before encrypting (options {{ic|--encrypt}} or {{ic|-e}}) a file or message to that recipient (options {{ic|--recipient}} or {{ic|-r}}). Additionally you need to [[#Create a key pair]] if you have not already done so.<br />
<br />
To encrypt a file with the name ''doc'', use:<br />
<br />
$ gpg --recipient ''user-id'' --encrypt ''doc''<br />
<br />
To decrypt (option {{ic|--decrypt}} or {{ic|-d}}) a file with the name ''doc''.gpg encrypted with your public key, use:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
''gpg'' will prompt you for your passphrase and then decrypt and write the data from ''doc''.gpg to ''doc''. If you omit the {{ic|-o}} ({{ic|--output}}) option, ''gpg'' will write the decrypted data to stdout.<br />
<br />
{{Tip|<br />
* Add {{ic|--armor}} to encrypt a file using ASCII armor (suitable for copying and pasting a message in text format)<br />
* Use {{ic|-R ''user-id''}} or {{ic|--hidden-recipient ''user-id''}} instead of {{ic|-r}} to not put the recipient key IDs in the encrypted message. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis.<br />
* Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.<br />
* You can use gnupg to encrypt your sensitive documents by using your own user-id as recipient or by using the {{ic|--default-recipient-self}} flag instead; however, you can only do this one file at a time, although you can always tarball various files and then encrypt the tarball. See also [[Disk encryption#Available methods]] if you want to encrypt directories or a whole file-system.}}<br />
<br />
==== Symmetric ====<br />
Symmetric encryption does not require the generation of a key pair and can be used to simply encrypt data with a passphrase. Simply use {{ic|--symmetric}} or {{ic|-c}} to perform symmetic encryption:<br />
<br />
$ gpg -c ''doc''<br />
<br />
The following example:<br />
<br />
* Encrypts {{ic|''doc''}} with a symmetric cipher using a passphrase<br />
* Uses the AES-256 cipher algorithm to encrypt the passphrase<br />
* Uses the SHA-512 digest algorithm to mangle the passphrase<br />
* Mangles the passphrase for 65536 iterations<br />
<br />
$ gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536 ''doc''<br />
<br />
To decrypt a symmetrically encrypted {{ic|''doc''.gpg}} using a passphrase and output decrypted contents into the same directory as {{ic|''doc''}} do:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
== Key maintenance ==<br />
<br />
=== Backup your private key ===<br />
<br />
To backup your private key do the following:<br />
<br />
$ gpg --export-secret-keys --armor ''<user-id>'' > ''privkey.asc''<br />
<br />
Note that ''gpg'' release 2.1 changed default behaviour so that the above command enforces a passphrase protection, even if you deliberately chose not to use one on key creation. This is because otherwise anyone who gains access to the above exported file would be able to encrypt and sign documents as if they were you ''without'' needing to know your passphrase. <br />
<br />
{{Warning|The passphrase is usually the weakest link in protecting your secret key. Place the private key in a safe place on a different system/device, such as a locked container or encrypted drive. It is the only safety you have to regain control to your keyring in case of, for example, a drive failure, theft or worse.}}<br />
<br />
To import the backup of your private key:<br />
$ gpg --import ''privkey.asc''<br />
<br />
=== Edit your key ===<br />
<br />
Running the {{ic|gpg --edit-key ''<user-id>''}} command will present a menu which enables you to do most of your key management related tasks.<br />
<br />
Some useful commands in the edit key sub menu:<br />
> passwd # change the passphrase<br />
> clean # compact any user ID that is no longer usable (e.g revoked or expired)<br />
> revkey # revoke a key<br />
> addkey # add a subkey to this key<br />
> expire # change the key expiration time<br />
<br />
Type {{ic|help}} in the edit key sub menu for more commands.<br />
<br />
{{Tip|If you have multiple email accounts you can add each one of them as an identity, using {{ic|adduid}} command. You can then set your favourite one as {{ic|primary}}.}}<br />
<br />
=== Exporting subkey ===<br />
<br />
If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.<br />
<br />
First, find out which subkey you want to export.<br />
<br />
$ gpg -K<br />
<br />
Select only that subkey to export.<br />
<br />
$ gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg<br />
<br />
{{Warning|If you forget to add the !, all of your subkeys will be exported.}}<br />
<br />
At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder. <br />
<br />
$ gpg --homedir /tmp/gpg --import /tmp/subkey.gpg<br />
$ gpg --homedir /tmp/gpg --edit-key ''<user-id>''<br />
> passwd<br />
> save<br />
$ gpg --homedir /tmp/gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.altpass.gpg<br />
<br />
{{Note|You will get a warning that the master key was not available and the password was not changed, but that can safely be ignored as the subkey password was.}}<br />
<br />
At this point, you can now use {{ic|/tmp/subkey.altpass.gpg}} on your other devices.<br />
<br />
=== Rotating subkeys ===<br />
<br />
{{Warning|'''Never''' delete your expired or revoked subkeys unless you have a good reason. Doing so will cause you to lose the ability to decrypt files encrypted with the old subkey. Please '''only''' delete expired or revoked keys from other users to clean your keyring.}}<br />
<br />
If you have set your subkeys to expire after a set time, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.<br />
<br />
{{Tip|You do not need to create a new key simply because it is expired. You can extend the expiration date.}}<br />
<br />
Create new subkey (repeat for both signing and encrypting key)<br />
<br />
$ gpg --edit-key ''<user-id>''<br />
> addkey<br />
<br />
And answer the following questions it asks (see [[#Create a key pair]] for suggested settings).<br />
<br />
Save changes<br />
<br />
> save<br />
<br />
Update it to a keyserver.<br />
<br />
$ gpg --keyserver pgp.mit.edu --send-keys ''<user-id>''<br />
<br />
{{Tip|Revoking expired subkeys is unnecessary and arguably bad form. If you are constantly revoking keys, it may cause others to lack confidence in you.}}<br />
<br />
== Signatures ==<br />
<br />
Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user's private key. The recipient of a signed document then verifies the signature using the sender's public key.<br />
<br />
=== Create a signature ===<br />
<br />
==== Sign a file ====<br />
<br />
To sign a file use the {{ic|--sign}} or {{ic|-s}} flag:<br />
<br />
$ gpg --output ''doc''.sig --sign ''doc''<br />
<br />
{{ic|''doc''.sig}} contains both the compressed content of the original file {{ic|''doc''}} and the signature in a binary format, but the file is not encrypted. However, you can combine signing with [[#Encrypt and decrypt|encrypting]].<br />
<br />
==== Clearsign a file or message ====<br />
<br />
To sign a file without compressing it into binary format use:<br />
<br />
$ gpg --output ''doc''.sig --clearsign ''doc''<br />
<br />
Here both the content of the original file {{ic|''doc''}} and the signature are stored in human-readable form in {{ic|''doc''.sig}}.<br />
<br />
==== Make a detached signature ====<br />
<br />
To create a separate signature file to be distributed separately from the document or file itself, use the {{ic|--detach-sig}} flag:<br />
<br />
$ gpg --output ''doc''.sig --detach-sig ''doc''<br />
<br />
Here the signature is stored in {{ic|''doc''.sig}}, but the contents of {{ic|''doc''}} are not stored in it. This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.<br />
<br />
=== Verify a signature ===<br />
<br />
To verify a signature use the {{ic|--verify}} flag:<br />
<br />
$ gpg --verify ''doc''.sig<br />
<br />
where {{ic|''doc''.sig}} is the signed file containing the signature you wish to verify.<br />
<br />
If you are verifying a detached signature, both the signed data file and the signature file must be present when verifying. For example, to verify Arch Linux's latest iso you would do:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig<br />
<br />
where {{ic|archlinux-''version''.iso}} must be located in the same directory.<br />
<br />
You can also specify the signed data file with a second argument:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig ''/path/to/''archlinux-''version''.iso<br />
<br />
If a file as been encrypted in addition to being signed, simply [[#Encrypt and decrypt|decrypt]] the file and its signature will also be verified.<br />
<br />
== gpg-agent ==<br />
<br />
''gpg-agent'' is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. {{Pkg|gnupg}} comes with [[systemd/User|systemd user]] sockets which are enabled by default. These sockets are {{ic|gpg-agent.socket}}, {{ic|gpg-agent-extra.socket}}, {{ic|gpg-agent-browser.socket}}, {{ic|gpg-agent-ssh.socket}}, and {{ic|dirmngr.socket}}.<br />
<br />
{{Expansion|Add {{ic|gpg-agent-browser.socket}} to the list.}}<br />
<br />
* The main {{ic|gpg-agent.socket}} is used by ''gpg'' to connect to the ''gpg-agent'' daemon.<br />
* The intended use for the {{ic|gpg-agent-extra.socket}} on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use ''gpg'' on the remote system without exposing the private keys to the remote system. See {{man|1|gpg-agent}} for details.<br />
* The {{ic|gpg-agent-ssh.socket}} can be used by [[SSH]] to cache [[SSH keys]] added by the ''ssh-add'' program. See [[#SSH agent]] for the necessary configuration.<br />
* The {{ic|dirmngr.socket}} starts a GnuPG daemon handling connections to keyservers.<br />
<br />
{{Note|If you use non-default GnuPG [[#Directory location]], you will need to [[edit]] all socket files to use the values of {{ic|gpgconf --list-dirs}}.}}<br />
<br />
=== Configuration ===<br />
<br />
gpg-agent can be configured via {{ic|~/.gnupg/gpg-agent.conf}} file. The configuration options are listed in {{man|1|gpg-agent}}. For example you can change cache ttl for unused keys:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl 3600<br />
}}<br />
<br />
{{Tip|To cache your passphrase for the whole session, please run the following command:<br />
$ /usr/lib/gnupg/gpg-preset-passphrase --preset XXXXXX<br />
<br />
where XXXX is the keygrip. You can get its value when running {{ic|gpg --with-keygrip -K}}. Passphrase will be stored until {{ic|gpg-agent}} is restarted. If you set up {{ic|default-cache-ttl}} value, it will take precedence.<br />
}}<br />
<br />
=== Reload the agent ===<br />
<br />
After changing the configuration, reload the agent using ''gpg-connect-agent'':<br />
<br />
$ gpg-connect-agent reloadagent /bye<br />
<br />
The command should print {{ic|OK}}.<br />
<br />
However in some cases only the restart may not be sufficient, like when {{ic|keep-screen}} has been added to the agent configuration.<br />
In this case you firstly need to kill the ongoing gpg-agent process and then you can restart it as was explained above.<br />
<br />
=== pinentry ===<br />
<br />
Finally, the agent needs to know how to ask the user for the password. This can be set in the gpg-agent configuration file.<br />
<br />
{{accuracy|On my KDE system, GnuPG tries to use {{ic|pinentry-curses}}, not {{ic|pinentry-qt}}. If I configure GnuPG to use pinentry-qt, it works fine. Also, all these pinentry dialogs are always installed, since they are all included in {{pkg|pinentry}}, which is a {{pkg|gnupg}} dependency.}} <br />
<br />
The default uses {{ic|/usr/bin/pinentry-gnome3}}, falling back to {{ic|/usr/bin/pinentry-qt}}, {{ic|/usr/bin/pinentry-gtk-2}} and at last {{ic|/usr/bin/pinentry-curses}} if none of the previous were functioning. However there are other options - see {{ic|info pinentry}}. To change the dialog implementation set {{ic|pinentry-program}} configuration option:<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
# pinentry-program /usr/bin/pinentry-gnome3<br />
# pinentry-program /usr/bin/pinentry-qt<br />
# pinentry-program /usr/bin/pinentry-curses<br />
# pinentry-program /usr/bin/pinentry-kwallet<br />
<br />
pinentry-program /usr/bin/pinentry-gtk-2<br />
}}<br />
<br />
{{Tip|For using {{ic|/usr/bin/pinentry-kwallet}} you have to install the {{AUR|kwalletcli}} package.}}<br />
<br />
After making this change, [[#Reload the agent]].<br />
<br />
=== Unattended passphrase ===<br />
<br />
Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the {{ic|--passphrase-fd 0}} commandline option. In order to have the same type of functionality as the older releases two things must be done:<br />
<br />
First, edit the gpg-agent configuration to allow ''loopback'' pinentry mode:<br />
<br />
{{hc|1=~/.gnupg/gpg-agent.conf|2=<br />
allow-loopback-pinentry<br />
}}<br />
<br />
Restart the gpg-agent process if it is running to let the change take effect.<br />
<br />
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:<br />
<br />
$ gpg --pinentry-mode loopback ...<br />
<br />
...or if this is not possible, add the option to the configuration:<br />
<br />
{{hc|1=~/.gnupg/gpg.conf|2=<br />
pinentry-mode loopback<br />
}}<br />
<br />
{{Note|The upstream author indicates setting {{ic|pinentry-mode loopback}} in {{ic|gpg.conf}} may break other usage, using the commandline option should be preferred if at all possible. [https://bugs.g10code.com/gnupg/issue1772]}}<br />
<br />
=== SSH agent ===<br />
<br />
''gpg-agent'' has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your [[SSH keys]]. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.<br />
<br />
==== Set SSH_AUTH_SOCK ====<br />
<br />
You have to set {{ic|SSH_AUTH_SOCK}} so that SSH will use ''gpg-agent'' instead of ''ssh-agent''. To make sure each process can find your ''gpg-agent'' instance regardless of e.g. the type of shell it is child of use [[Environment_variables#Using_pam_env|pam_env]].<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
}}<br />
<br />
{{note|If you set your {{ic|SSH_AUTH_SOCK}} manually (such as in this pam_env example), keep in mind that your socket location may be different if you are using a custom {{ic|GNUPGHOME}}. You can use the following bash example, or change {{ic|SSH_AUTH_SOCK}} to the value of {{ic|gpgconf --list-dirs agent-ssh-socket}}.}}<br />
<br />
Alternatively, depend on Bash. This works for non-standard socket locations as well:<br />
<br />
{{hc|~/.bashrc|2=<br />
unset SSH_AGENT_PID<br />
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then<br />
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"<br />
fi<br />
}}<br />
<br />
{{Note|1=The test involving the {{ic|gnupg_SSH_AUTH_SOCK_by}} variable is for the case where the agent is started as {{ic|gpg-agent --daemon /bin/sh}}, in which case the shell inherits the {{ic|SSH_AUTH_SOCK}} variable from the parent, ''gpg-agent'' [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/gpg-agent.c;hb=7bca3be65e510eda40572327b87922834ebe07eb#l1307].}}<br />
<br />
==== Configure pinentry to use the correct TTY ====<br />
<br />
Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in {{man|1|gpg-agent}}. For example:<br />
<br />
{{hc|~/.bashrc|2=<br />
export GPG_TTY=$(tty)<br />
gpg-connect-agent updatestartuptty /bye >/dev/null<br />
}}<br />
<br />
==== Add SSH keys ====<br />
<br />
Once ''gpg-agent'' is running you can use ''ssh-add'' to approve keys, following the same steps as for [[SSH keys#ssh-agent|ssh-agent]]. The list of approved keys is stored in the {{ic|~/.gnupg/sshcontrol}} file. <br />
<br />
Once your key is approved, you will get a ''pinentry'' dialog every time your passphrase is needed. You can control passphrase caching in the {{ic|~/.gnupg/gpg-agent.conf}} file. The following example would have ''gpg-agent'' cache your keys for 3 hours:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl-ssh 10800<br />
max-cache-ttl-ssh 10800<br />
}}<br />
<br />
==== Using a PGP key for SSH authentication ====<br />
<br />
You can also use your PGP key as an SSH key. This requires a key with the {{ic|Authentication}} capability (see [[#Custom capabilities]]). There are various benefits gained by using a PGP key for SSH authentication, including:<br />
<br />
* Reduced key maintenance, as you will no longer need to maintain an SSH key<br />
* The ability to store the authentication key on a smartcard. GnuPG will automatically detect the key when the card is available, and add it to the agent (check with {{ic|ssh-add -l}} or {{ic|ssh-add -L}}). The comment for the key should be something like: {{ic|openpgp:''key-id''}} or {{ic|cardno:''card-id''}}. <br />
<br />
To retrieve the public key part of your GPG/SSH key, run {{ic|gpg --export-ssh-key ''gpg-key''}}.<br />
<br />
In order for {{ic|openssh}} to use the key stored within GnuPG's {{ic|ssh-agent}}, you need to set the environment variable {{ic|SSH_AUTH_SOCK}}. You can let {{ic|gpg-agent}} do this for you by adding the {{ic|enable-ssh-agent}} to its configuration:<br />
<br />
$ echo "enable-ssh-agent" >> $GNUPGHOME/gpg-agent.conf<br />
$ gpg-connect-agent reloadagent /bye # reload the agent so the new configuration applies<br />
<br />
{{Note| Your key may not be added to {{ic|$GNUPGHOME/sshcontrol}}, which is where normal SSH keys are listed.}}<br />
<br />
If your key is not added to {{ic|$GNUPGHOME/sshcontrol}} automatically, you can add the keygrip for your key with the Authentication capability manually. You can get the keygrip of your key by executing {{ic|gpg --list-keys --with-keygrip}}, like so:<br />
<br />
$ gpg --list-keys --with-keygrip<br />
sub rsa4096/1234ABCD1234ABCD 2001-01-01 [A] [expires: 2002-01-01]<br />
Keygrip = < put this value on its own line in $GNUPGHOME/sshcontrol ><br />
<br />
Adding the keygrip to {{ic|$GNUPGHOME/sshcontrol}} is a one-time action; you will not need to edit the file again, unless you are adding additional keygrips.<br />
<br />
== Smartcards ==<br />
<br />
GnuPG uses ''scdaemon'' as an interface to your smartcard reader, please refer to the [[man page]] for details.<br />
<br />
=== GnuPG only setups ===<br />
<br />
{{Note| To allow scdaemon direct access to USB smarcard readers the optional dependency {{Pkg|libusb-compat}} have to be installed}}<br />
<br />
If you do not plan to use other cards but those based on GnuPG, you should check the {{Ic|reader-port}} parameter in {{ic|~/.gnupg/scdaemon.conf}}. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.<br />
<br />
=== GnuPG with pcscd (PCSC Lite) ===<br />
<br />
{{Note|{{Pkg|pcsclite}} and {{Pkg|ccid}} have to be installed, and the contained [[systemd#Using units|systemd]] service {{ic|pcscd.service}} has to be running, or the socket {{ic|pcscd.socket}} has to be listening.}}<br />
<br />
pcscd is a daemon which handles access to smartcard (SCard API). If GnuPG's scdaemon fails to connect the smartcard directly (e.g. by using its integrated CCID support), it will fallback and try to find a smartcard using the PCSC Lite driver.<br />
<br />
==== Always use pcscd ====<br />
<br />
If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using {{Ic|gpg --card-status}}<br />
<br />
gpg: selecting openpgp failed: ec=6.108<br />
<br />
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove {{Ic|reader-port}} from {{ic|~/.gnupg/scdaemon.conf}}, specify the location to {{ic|libpcsclite.so}} library and disable ccid so we make sure that we use pcscd:<br />
<br />
{{hc|~/.gnupg/scdaemon.conf|<nowiki><br />
pcsc-driver /usr/lib/libpcsclite.so<br />
card-timeout 5<br />
disable-ccid<br />
</nowiki>}}<br />
<br />
Please check {{man|1|scdaemon}} if you do not use OpenSC.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Different algorithm ===<br />
<br />
You may want to use stronger algorithms:<br />
<br />
{{hc|~/.gnupg/gpg.conf|<br />
...<br />
<br />
personal-digest-preferences SHA512<br />
cert-digest-algo SHA512<br />
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br />
personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES<br />
}}<br />
<br />
In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.<br />
<br />
=== Encrypt a password ===<br />
<br />
It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.<br />
<br />
First create a file with your password. You '''need''' to leave '''one''' empty line after the password, otherwise gpg will return an error message when evaluating the file.<br />
<br />
Then run:<br />
<br />
$ gpg -e -a -r ''<user-id>'' ''your_password_file''<br />
<br />
{{ic|-e}} is for encrypt, {{ic|-a}} for armor (ASCII output), {{ic|-r}} for recipient user ID.<br />
<br />
You will be left with a new {{ic|''your_password_file''.asc}} file.<br />
<br />
{{Tip|[[pass]] automates this process.}}<br />
<br />
=== Revoking a key ===<br />
<br />
{{Warning|<br />
*Anybody having access to your revocation certificate can revoke your key, rendering it useless.<br />
*Key revocation should only be performed if your key is compromised or lost, or you forget your passphrase.}}<br />
<br />
Revocation certificates are automatically generated for newly generated keys, although one can be generated manually by the user later. These are located at {{ic|~/.gnupg/openpgp-revocs.d/}}. The filename of the certificate is the fingerprint of the key it will revoke.<br />
<br />
To revoke your key, simply import the revocation certificate:<br />
<br />
$ gpg --import ''<fingerprint>''.rev<br />
<br />
Now update the keyserver:<br />
<br />
$ gpg --keyserver subkeys.pgp.net --send-keys ''<userid>''<br />
<br />
=== Change trust model ===<br />
<br />
By default GnuPG uses the [[Wikipedia::Web of Trust|Web of Trust]] as the trust model. You can change this to [[Wikipedia::Trust on first use|Trust on first use]] by adding {{ic|1=--trust-model=tofu}} when adding a key or adding this option to your GnuPG configuration file. More details are in [https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html this email to the GnuPG list].<br />
<br />
=== Hide all recipient id's ===<br />
<br />
By default the recipient's key ID is in the encrypted message. This can be removed at encryption time for a recipient by using {{ic|hidden-recipient ''<user-id>''}}. To remove it for all recipients add {{ic|throw-keyids}} to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (''e.g.'' with {{ic|--try-secret-key ''<user-id>''}}).<br />
<br />
=== Using caff for keysigning parties ===<br />
<br />
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the [[Wikipedia::Web of Trust|Web of Trust]]. Keysigning parties allow users to get together at a physical location to validate keys. The [[Wikipedia:Zimmermann–Sassaman key-signing protocol|Zimmermann-Sassaman]] key-signing protocol is a way of making these very effective. [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html Here] you will find a how-to article.<br />
<br />
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool ''caff''. It can be installed from the AUR with the package {{AUR|caff-svn}}.<br />
<br />
To send the signatures to their owners you need a working [[Wikipedia:Message transfer agent|MTA]]. If you do not have already one, install [[msmtp]].<br />
<br />
=== Always show long ID's and fingerprints ===<br />
<br />
To always show long key ID's add {{ic|keyid-format 0xlong}} to your configuration file. To always show full fingerprints of keys, add {{ic|with-fingerprint}} to your configuration file.<br />
<br />
=== Custom capabilities ===<br />
<br />
For further customization also possible to set custom capabilities to your keys. The following capabilities are available:<br />
<br />
* Certify (only for master keys) - allows the key to create subkeys, mandatory for master keys.<br />
* Sign - allows the key to create cryptographic signatures that others can verify with the public key.<br />
* Encrypt - allows anyone to encrypt data with the public key, that only the private key can decrypt.<br />
* Authenticate - allows the key to authenticate with various non-GnuPG programs. The key can be used as e.g. an SSH key. <br />
<br />
It's possible to specify the capabilities of the master key, by running: <br />
<br />
$ gpg --full-generate-key --expert<br />
<br />
And select an option that allows you to set your own capabilities.<br />
<br />
Comparably, to specify custom capabilities for subkeys, add the {{ic|--expert}} flag to {{ic|gpg --edit-key}}, see [[#Edit your key]] for more information.<br />
<br />
=== Cache passwords ===<br />
<br />
To be asked for your GnuPG password only once per session, set {{ic|max-cache-ttl}} and {{ic|default-cache-ttl}} to something very high, for instance:<br />
<br />
{{hc|<br />
gpg-agent.conf|<br />
max-cache-ttl 60480000<br />
default-cache-ttl 60480000<br />
}}<br />
<br />
See [[#gpg-agent]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Not enough random bytes available ===<br />
When generating a key, gpg can run into this error:<br />
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!<br />
To check the available entropy, check the kernel parameters:<br />
cat /proc/sys/kernel/random/entropy_avail<br />
A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy. <br />
<br />
To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki - all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see [[Random number generation#Alternatives]].<br />
<br />
=== su ===<br />
<br />
When using {{Ic|pinentry}}, you must have the proper permissions of the terminal device (e.g. {{Ic|/dev/tty1}}) in use. However, with ''su'' (or ''sudo''), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg:<br />
<br />
# chown root /dev/ttyN # where N is the current tty<br />
<br />
and then change it back after using gpg the first time. The equivalent is likely to be true with {{Ic|/dev/pts/}}.<br />
<br />
{{Note|The owner of tty ''must'' match with the user for which pinentry is running. Being part of the group {{Ic|tty}} '''is not''' enough.}}<br />
<br />
{{Tip|If you run gpg with {{ic|script}} it will use a new tty with the correct ownership:<br />
<br />
# script -q -c "gpg --gen-key" /dev/null<br />
}}<br />
<br />
=== Agent complains end of file ===<br />
<br />
The default pinentry program is {{ic|/usr/bin/pinentry-gnome3}}, which needs a DBus session bus to run properly. See [[General troubleshooting#Session permissions]] for details.<br />
<br />
Alternatively, you can use a variety of different options described in [[#pinentry]].<br />
<br />
=== KGpg configuration permissions ===<br />
<br />
There have been issues with {{Pkg|kgpg}} being able to access the {{ic|~/.gnupg/}} options. One issue might be a result of a deprecated ''options'' file, see the [https://bugs.kde.org/show_bug.cgi?id=290221 bug] report.<br />
<br />
=== GNOME on Wayland overrides SSH agent socket ===<br />
<br />
For Wayland sessions, {{Ic|gnome-session}} sets {{Ic|SSH_AUTH_SOCK}} to the standard gnome-keyring socket, {{Ic|$XDG_RUNTIME_DIR/keyring/ssh}}. This overrides any value set in {{Ic|~/.pam_environmment}} or systemd unit files.<br />
<br />
To disable this behavior, set the {{Ic|GSM_SKIP_AGENT_WORKAROUND}} variable:<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
GSM_SKIP_SSH_AGENT_WORKAROUND DEFAULT="true"<br />
}}<br />
<br />
=== mutt ===<br />
<br />
Mutt might not use ''gpg-agent'' correctly, you need to set an [[environment variable]] {{ic|GPG_AGENT_INFO}} (the content doesn't matter) when running mutt. Be also sure to enable password caching correctly, see [[#Cache passwords]].<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?pid=1490821#p1490821 this forum thread]<br />
<br />
=== "Lost" keys, upgrading to gnupg version 2.1 ===<br />
<br />
When {{ic|gpg --list-keys}} fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.<br />
<br />
Please read [http://jo-ke.name/wp/?p=111 GnuPG invalid packet workaround]. Basically, it says that there is a bug with keys in the old {{ic|pubring.gpg}} and {{ic|secring.gpg}} files, which have now been superseded by the new {{ic|pubring.kbx}} file and the {{ic|private-keys-v1.d/}} subdirectory and files. Your missing keys can be recovered with the following commnads:<br />
<br />
$ cd<br />
$ cp -r .gnupg gnupgOLD<br />
$ gpg --export-ownertrust > otrust.txt<br />
$ gpg --import .gnupg/pubring.gpg<br />
$ gpg --import-ownertrust otrust.txt<br />
$ gpg --list-keys<br />
<br />
=== gpg hanged for all keyservers (when trying to receive keys) ===<br />
<br />
If gpg hanged with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working, otherwise it might keeping hanging for all of them.<br />
<br />
=== Smartcard not detected ===<br />
<br />
Your user might not have the permission to access the smartcard which results in a {{ic|card error}} to be thrown, even though the card is correctly set up and inserted.<br />
<br />
One possible solution is to add a new group {{ic|scard}} including the users who need access to the smartcard.<br />
<br />
Then use [[udev rules]], similar to the following:<br />
{{hc|/etc/udev/rules.d/71-gnupg-ccid.rules|<nowiki><br />
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"<br />
</nowiki>}}<br />
One needs to adapt VENDOR and MODEL according to the {{ic|lsusb}} output, the above example is for a YubikeyNEO.<br />
<br />
=== gpg: WARNING: server 'gpg-agent' is older than us (x < y) ===<br />
<br />
This warning appears if {{ic|gnupg}} is upgraded and the old gpg-agent is still running. [[Restart]] the ''user'''s {{ic|gpg-agent.socket}} (i.e., use the {{ic|--user}} flag when restarting).<br />
<br />
=== gpg: ..., IPC connect call failed ===<br />
<br />
{{Accuracy|The {{ic|gpg-agent*.socket}} systemd sockets provided by the {{Pkg|gnupg}} package create the sockets in {{ic|/run/user/$UID/gnupg/}} which is guaranteed to be an appropriate file system.}}<br />
<br />
Make sure {{ic|gpg-agent}} and {{ic|dirmngr}} are not running with {{ic|killall gpg-agent dirmngr}} and the {{ic|$GNUPGHOME/crls.d/}} folder has permission set to {{ic|700}}.<br />
<br />
If your keyring is stored on a vFat filesystem (e.g. a USB drive), {{ic|gpg-agent}} will fail to create the required sockets (vFat does not support sockets), you can create redirects to a location that handles sockets, e.g. {{ic|/dev/shm}}:<br />
<br />
# export GNUPGHOME=/custom/gpg/home<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > $GNUPGHOME/S.gpg-agent<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.browser\n' > $GNUPGHOME/S.gpg-agent.browser<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.extra\n' > $GNUPGHOME/S.gpg-agent.extra<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.ssh\n' > $GNUPGHOME/S.gpg-agent.ssh<br />
<br />
Test that gpg-agent starts successfully with {{ic|gpg-agent --daemon}}.<br />
<br />
== See also ==<br />
<br />
* [https://gnupg.org/ GNU Privacy Guard Homepage]<br />
* [https://tools.ietf.org/html/rfc4880 RFC4880 "OpenPGP Message Format"]<br />
* [https://fedoraproject.org/wiki/Creating_GPG_Keys Creating GPG Keys (Fedora)]<br />
* [https://wiki.debian.org/Subkeys OpenPGP subkeys in Debian]<br />
* [https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/ A more comprehensive gpg Tutorial]<br />
* [https://help.riseup.net/en/security/message-security/openpgp/gpg-best-practices gpg.conf recommendations and best practices]<br />
* [https://github.com/ioerror/torbirdy/blob/master/gpg.conf Torbirdy gpg.conf]<br />
* [https://www.reddit.com/r/GPGpractice/ /r/GPGpractice - a subreddit to practice using GnuPG.]<br />
* [https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md Protecting code integrity with PGP]</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=GnuPG&diff=530943GnuPG2018-07-25T14:37:23Z<p>Sudoforge: /* Using a PGP key for SSH authentication */ use $GNUPGHOME instead of $HOME/.gnupg</p>
<hr />
<div>[[Category:Encryption]]<br />
[[es:GnuPG]]<br />
[[ja:GnuPG]]<br />
[[ru:GnuPG]]<br />
[[pl:GnuPG]]<br />
[[zh-hans:GnuPG]]<br />
[[zh-hant:GnuPG]]<br />
{{Related articles start}}<br />
{{Related|pacman/Package signing}}<br />
{{Related|Disk encryption}}<br />
{{Related|List of applications/Security#Encryption, signing, steganography}}<br />
{{Related articles end}}<br />
<br />
According to the [https://www.gnupg.org/ official website]:<br />
<br />
:GnuPG is a complete and free implementation of the [http://openpgp.org/about/ OpenPGP] standard as defined by [https://tools.ietf.org/html/rfc4880 RFC4880] (also known as PGP). GnuPG allows you to encrypt and sign your data and communication. It features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|gnupg}} package.<br />
<br />
This will also install {{Pkg|pinentry}}, a collection of simple PIN or passphrase entry dialogs which GnuPG uses for passphrase entry. The shell script {{ic|/usr/bin/pinentry}} determines which ''pinentry'' dialog is used, in the order described at [[#pinentry]].<br />
<br />
If you want to use a graphical frontend or program that integrates with GnuPG, see [[List of applications/Security#Encryption, signing, steganography]].<br />
<br />
== Configuration ==<br />
<br />
=== Directory location ===<br />
{{ic|$GNUPGHOME}} is used by GnuPG to point to the directory where its configuration files are stored. By default {{ic|$GNUPGHOME}} is not set and your {{ic|$HOME}} is used instead; thus, you will find a {{ic|~/.gnupg}} directory right after installation. <br />
<br />
To change the default location, either run gpg this way {{ic|$ gpg --homedir ''path/to/file''}} or set the {{ic|GNUPGHOME}} [[environment variable]].<br />
<br />
=== Configuration files ===<br />
<br />
The default configuration files are {{ic|~/.gnupg/gpg.conf}} and {{ic|~/.gnupg/dirmngr.conf}}. <br />
<br />
By default, the gnupg directory has its [[permissions]] set to {{ic|700}} and the files it contains have their permissions set to {{ic|600}}. Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.<br />
<br />
Append to these files any long options you want. Do not write the two dashes, but simply the name of the option and required arguments. You will find skeleton files in {{ic|/usr/share/gnupg}}. These files are copied to {{ic|~/.gnupg}} the first time gpg is run if they do not exist there. Other examples are found in [[#See also]].<br />
<br />
Additionally, [[pacman]] uses a different set of configuration files for package signature verification. See [[Pacman/Package signing]] for details.<br />
<br />
=== Default options for new users ===<br />
<br />
If you want to setup some default options for new users, put configuration files in {{ic|/etc/skel/.gnupg/}}. When the new user is added in system, files from here will be copied to its GnuPG home directory. There is also a simple script called ''addgnupghome'' which you can use to create new GnuPG home directories for existing users:<br />
<br />
# addgnupghome user1 user2<br />
<br />
This will add the respective {{ic|/home/user1/.gnupg}} and {{ic|/home/user2/.gnupg}} and copy the files from the skeleton directory to it. Users with existing GnuPG home directory are simply skipped.<br />
<br />
== Usage ==<br />
<br />
{{Note|Whenever a ''{{ic|user-id}}'' is required in a command, it can be specified with your key ID, fingerprint, a part of your name or email address, etc. GnuPG is flexible on this.<br />
}}<br />
<br />
=== Create a key pair ===<br />
<br />
Generate a key pair by typing in a terminal:<br />
<br />
$ gpg --full-gen-key<br />
<br />
{{Tip|Use the {{ic|--expert}} option for getting alternative ciphers like [[wikipedia:Elliptic_curve_cryptography|ECC]].}}<br />
<br />
The command will prompt for answers to several questions. For general use most people will want: <br />
<br />
* the RSA (sign only) and a RSA (encrypt only) key.<br />
* a keysize of the default value (2048). A larger keysize of 4096 "gives us almost nothing, while costing us quite a lot"[https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096].<br />
* an expiration date. A period of a year is good enough for the average user. This way even if access is lost to the keyring, it will allow others to know that it is no longer valid. Later, if necessary, the expiration date can be extended without having to re-issue a new key.<br />
* your name and email address. You can add multiple identities to the same key later (''e.g.'', if you have multiple email addresses you want to associate with this key).<br />
* ''no'' optional comment. Since the semantics of the comment field are [https://lists.gnupg.org/pipermail/gnupg-devel/2015-July/030150.html not well-defined], it has limited value for identification.<br />
* [[Security#Choosing_secure_passwords|a secure passphrase]].<br />
<br />
{{Note|The name and email address you enter here will be seen by anybody who imports your key.}}<br />
<br />
=== List keys ===<br />
<br />
To list keys in your public key ring:<br />
<br />
$ gpg --list-keys<br />
<br />
To list keys in your secret key ring:<br />
<br />
$ gpg --list-secret-keys<br />
<br />
=== Export your public key ===<br />
<br />
gpg's main usage is to ensure confidentiality of exchanged messages via public-key cryptography. With it each user distributes the public key of their keyring, which can be be used by others to encrypt messages to the user. The private key must ''always'' be kept private, otherwise confidentiality is broken. See [[w:Public-key cryptography]] for examples about the message exchange. <br />
<br />
So, in order for others to send encrypted messages to you, they need your public key. <br />
<br />
To generate an ASCII version of a user's public key to file {{ic|''public.key''}} (e.g. to distribute it by e-mail):<br />
<br />
$ gpg --output ''public.key'' --armor --export ''user-id''<br />
<br />
Alternatively, or in addition, you can [[#Use a keyserver]] to share your key. <br />
<br />
{{Tip|Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.}}<br />
<br />
=== Import a public key ===<br />
<br />
In order to encrypt messages to others, as well as verify their signatures, you need their public key. To import a public key with file name {{ic|''public.key''}} to your public key ring:<br />
<br />
$ gpg --import ''public.key''<br />
<br />
Alternatively, [[#Use a keyserver]] to find a public key.<br />
<br />
=== Use a keyserver ===<br />
<br />
You can register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:<br />
<br />
$ gpg --send-keys ''user-id''<br />
<br />
{{Warning|Once a key has been submitted to a keyserver, it cannot be deleted from the server.[https://pgp.mit.edu/faq.html]}}<br />
<br />
To find out details of a key on the keyserver, without importing it, do:<br />
<br />
$ gpg --search-keys ''user-id''<br />
<br />
To import a key from a key server:<br />
<br />
$ gpg --recv-keys ''key-id''<br />
<br />
{{Warning|<br />
* You should verify the authenticity of the retrieved public key by comparing its fingerprint with one that the owner published on an independent source(s) (e.g., contacting the person directly). See [[Wikipedia:Public key fingerprint]] for more information.<br />
* Using a short ID may encounter collisions. All keys will be imported that have the short ID. To avoid this, use the full fingerprint or long key ID when receiving a key.[https://lkml.org/lkml/2016/8/15/445]}}<br />
{{Tip|<br />
* Adding {{ic|keyserver-options auto-key-retrieve}} to {{ic|gpg.conf}} will automatically fetch keys from the key server as needed. <br />
* An alternative key server is {{ic|pool.sks-keyservers.net}} and can be specified with {{ic|keyserver}} in {{ic|dirmngr.conf}}; see also [[wikipedia:Key server (cryptographic)#Keyserver examples]].<br />
* If your network blocks ports used for hkp/hkps, you may need to specify port 80, i.e. {{ic|pool.sks-keyservers.net:80}}<br />
* You can connect to the keyserver over [[Tor]] using {{ic|--use-tor}}. See this [https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html GnuPG blog post] for more information.<br />
* You can connect to a keyserver using a proxy by setting the {{ic|http_proxy}} environment variable and setting {{ic|honor-http-proxy}} in {{ic|dirmngr.conf}}. Alternatively, set {{ic|http-proxy ''host[:port]''}} in {{ic|dirmngr.conf}}, overriding the {{ic|http_proxy}} environment variable. [[Restart]] the {{ic|dirmngr.service}} [[systemd/User|user service]] for the changes to take effect.<br />
* If you wish to import a key ID to install a specific Arch Linux package, see [[pacman/Package signing#Managing the keyring]] and [[Makepkg#Signature checking]].}}<br />
<br />
=== Encrypt and decrypt ===<br />
<br />
==== Asymmetric ====<br />
You need to [[#Import a public key]] of a user before encrypting (options {{ic|--encrypt}} or {{ic|-e}}) a file or message to that recipient (options {{ic|--recipient}} or {{ic|-r}}). Additionally you need to [[#Create a key pair]] if you have not already done so.<br />
<br />
To encrypt a file with the name ''doc'', use:<br />
<br />
$ gpg --recipient ''user-id'' --encrypt ''doc''<br />
<br />
To decrypt (option {{ic|--decrypt}} or {{ic|-d}}) a file with the name ''doc''.gpg encrypted with your public key, use:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
''gpg'' will prompt you for your passphrase and then decrypt and write the data from ''doc''.gpg to ''doc''. If you omit the {{ic|-o}} ({{ic|--output}}) option, ''gpg'' will write the decrypted data to stdout.<br />
<br />
{{Tip|<br />
* Add {{ic|--armor}} to encrypt a file using ASCII armor (suitable for copying and pasting a message in text format)<br />
* Use {{ic|-R ''user-id''}} or {{ic|--hidden-recipient ''user-id''}} instead of {{ic|-r}} to not put the recipient key IDs in the encrypted message. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis.<br />
* Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.<br />
* You can use gnupg to encrypt your sensitive documents by using your own user-id as recipient or by using the {{ic|--default-recipient-self}} flag instead; however, you can only do this one file at a time, although you can always tarball various files and then encrypt the tarball. See also [[Disk encryption#Available methods]] if you want to encrypt directories or a whole file-system.}}<br />
<br />
==== Symmetric ====<br />
Symmetric encryption does not require the generation of a key pair and can be used to simply encrypt data with a passphrase. Simply use {{ic|--symmetric}} or {{ic|-c}} to perform symmetic encryption:<br />
<br />
$ gpg -c ''doc''<br />
<br />
The following example:<br />
<br />
* Encrypts {{ic|''doc''}} with a symmetric cipher using a passphrase<br />
* Uses the AES-256 cipher algorithm to encrypt the passphrase<br />
* Uses the SHA-512 digest algorithm to mangle the passphrase<br />
* Mangles the passphrase for 65536 iterations<br />
<br />
$ gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536 ''doc''<br />
<br />
To decrypt a symmetrically encrypted {{ic|''doc''.gpg}} using a passphrase and output decrypted contents into the same directory as {{ic|''doc''}} do:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
== Key maintenance ==<br />
<br />
=== Backup your private key ===<br />
<br />
To backup your private key do the following:<br />
<br />
$ gpg --export-secret-keys --armor ''<user-id>'' > ''privkey.asc''<br />
<br />
Note that ''gpg'' release 2.1 changed default behaviour so that the above command enforces a passphrase protection, even if you deliberately chose not to use one on key creation. This is because otherwise anyone who gains access to the above exported file would be able to encrypt and sign documents as if they were you ''without'' needing to know your passphrase. <br />
<br />
{{Warning|The passphrase is usually the weakest link in protecting your secret key. Place the private key in a safe place on a different system/device, such as a locked container or encrypted drive. It is the only safety you have to regain control to your keyring in case of, for example, a drive failure, theft or worse.}}<br />
<br />
To import the backup of your private key:<br />
$ gpg --import ''privkey.asc''<br />
<br />
=== Edit your key ===<br />
<br />
Running the {{ic|gpg --edit-key ''<user-id>''}} command will present a menu which enables you to do most of your key management related tasks.<br />
<br />
Some useful commands in the edit key sub menu:<br />
> passwd # change the passphrase<br />
> clean # compact any user ID that is no longer usable (e.g revoked or expired)<br />
> revkey # revoke a key<br />
> addkey # add a subkey to this key<br />
> expire # change the key expiration time<br />
<br />
Type {{ic|help}} in the edit key sub menu for more commands.<br />
<br />
{{Tip|If you have multiple email accounts you can add each one of them as an identity, using {{ic|adduid}} command. You can then set your favourite one as {{ic|primary}}.}}<br />
<br />
=== Exporting subkey ===<br />
<br />
If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.<br />
<br />
First, find out which subkey you want to export.<br />
<br />
$ gpg -K<br />
<br />
Select only that subkey to export.<br />
<br />
$ gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg<br />
<br />
{{Warning|If you forget to add the !, all of your subkeys will be exported.}}<br />
<br />
At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder. <br />
<br />
$ gpg --homedir /tmp/gpg --import /tmp/subkey.gpg<br />
$ gpg --homedir /tmp/gpg --edit-key ''<user-id>''<br />
> passwd<br />
> save<br />
$ gpg --homedir /tmp/gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.altpass.gpg<br />
<br />
{{Note|You will get a warning that the master key was not available and the password was not changed, but that can safely be ignored as the subkey password was.}}<br />
<br />
At this point, you can now use {{ic|/tmp/subkey.altpass.gpg}} on your other devices.<br />
<br />
=== Rotating subkeys ===<br />
<br />
{{Warning|'''Never''' delete your expired or revoked subkeys unless you have a good reason. Doing so will cause you to lose the ability to decrypt files encrypted with the old subkey. Please '''only''' delete expired or revoked keys from other users to clean your keyring.}}<br />
<br />
If you have set your subkeys to expire after a set time, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.<br />
<br />
{{Tip|You do not need to create a new key simply because it is expired. You can extend the expiration date.}}<br />
<br />
Create new subkey (repeat for both signing and encrypting key)<br />
<br />
$ gpg --edit-key ''<user-id>''<br />
> addkey<br />
<br />
And answer the following questions it asks (see [[#Create a key pair]] for suggested settings).<br />
<br />
Save changes<br />
<br />
> save<br />
<br />
Update it to a keyserver.<br />
<br />
$ gpg --keyserver pgp.mit.edu --send-keys ''<user-id>''<br />
<br />
{{Tip|Revoking expired subkeys is unnecessary and arguably bad form. If you are constantly revoking keys, it may cause others to lack confidence in you.}}<br />
<br />
== Signatures ==<br />
<br />
Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user's private key. The recipient of a signed document then verifies the signature using the sender's public key.<br />
<br />
=== Create a signature ===<br />
<br />
==== Sign a file ====<br />
<br />
To sign a file use the {{ic|--sign}} or {{ic|-s}} flag:<br />
<br />
$ gpg --output ''doc''.sig --sign ''doc''<br />
<br />
{{ic|''doc''.sig}} contains both the compressed content of the original file {{ic|''doc''}} and the signature in a binary format, but the file is not encrypted. However, you can combine signing with [[#Encrypt and decrypt|encrypting]].<br />
<br />
==== Clearsign a file or message ====<br />
<br />
To sign a file without compressing it into binary format use:<br />
<br />
$ gpg --output ''doc''.sig --clearsign ''doc''<br />
<br />
Here both the content of the original file {{ic|''doc''}} and the signature are stored in human-readable form in {{ic|''doc''.sig}}.<br />
<br />
==== Make a detached signature ====<br />
<br />
To create a separate signature file to be distributed separately from the document or file itself, use the {{ic|--detach-sig}} flag:<br />
<br />
$ gpg --output ''doc''.sig --detach-sig ''doc''<br />
<br />
Here the signature is stored in {{ic|''doc''.sig}}, but the contents of {{ic|''doc''}} are not stored in it. This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.<br />
<br />
=== Verify a signature ===<br />
<br />
To verify a signature use the {{ic|--verify}} flag:<br />
<br />
$ gpg --verify ''doc''.sig<br />
<br />
where {{ic|''doc''.sig}} is the signed file containing the signature you wish to verify.<br />
<br />
If you are verifying a detached signature, both the signed data file and the signature file must be present when verifying. For example, to verify Arch Linux's latest iso you would do:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig<br />
<br />
where {{ic|archlinux-''version''.iso}} must be located in the same directory.<br />
<br />
You can also specify the signed data file with a second argument:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig ''/path/to/''archlinux-''version''.iso<br />
<br />
If a file as been encrypted in addition to being signed, simply [[#Encrypt and decrypt|decrypt]] the file and its signature will also be verified.<br />
<br />
== gpg-agent ==<br />
<br />
''gpg-agent'' is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. {{Pkg|gnupg}} comes with [[systemd/User|systemd user]] sockets which are enabled by default. These sockets are {{ic|gpg-agent.socket}}, {{ic|gpg-agent-extra.socket}}, {{ic|gpg-agent-browser.socket}}, {{ic|gpg-agent-ssh.socket}}, and {{ic|dirmngr.socket}}.<br />
<br />
{{Expansion|Add {{ic|gpg-agent-browser.socket}} to the list.}}<br />
<br />
* The main {{ic|gpg-agent.socket}} is used by ''gpg'' to connect to the ''gpg-agent'' daemon.<br />
* The intended use for the {{ic|gpg-agent-extra.socket}} on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use ''gpg'' on the remote system without exposing the private keys to the remote system. See {{man|1|gpg-agent}} for details.<br />
* The {{ic|gpg-agent-ssh.socket}} can be used by [[SSH]] to cache [[SSH keys]] added by the ''ssh-add'' program. See [[#SSH agent]] for the necessary configuration.<br />
* The {{ic|dirmngr.socket}} starts a GnuPG daemon handling connections to keyservers.<br />
<br />
{{Note|If you use non-default GnuPG [[#Directory location]], you will need to [[edit]] all socket files to use the values of {{ic|gpgconf --list-dirs}}.}}<br />
<br />
=== Configuration ===<br />
<br />
gpg-agent can be configured via {{ic|~/.gnupg/gpg-agent.conf}} file. The configuration options are listed in {{man|1|gpg-agent}}. For example you can change cache ttl for unused keys:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl 3600<br />
}}<br />
<br />
{{Tip|To cache your passphrase for the whole session, please run the following command:<br />
$ /usr/lib/gnupg/gpg-preset-passphrase --preset XXXXXX<br />
<br />
where XXXX is the keygrip. You can get its value when running {{ic|gpg --with-keygrip -K}}. Passphrase will be stored until {{ic|gpg-agent}} is restarted. If you set up {{ic|default-cache-ttl}} value, it will take precedence.<br />
}}<br />
<br />
=== Reload the agent ===<br />
<br />
After changing the configuration, reload the agent using ''gpg-connect-agent'':<br />
<br />
$ gpg-connect-agent reloadagent /bye<br />
<br />
The command should print {{ic|OK}}.<br />
<br />
However in some cases only the restart may not be sufficient, like when {{ic|keep-screen}} has been added to the agent configuration.<br />
In this case you firstly need to kill the ongoing gpg-agent process and then you can restart it as was explained above.<br />
<br />
=== pinentry ===<br />
<br />
Finally, the agent needs to know how to ask the user for the password. This can be set in the gpg-agent configuration file.<br />
<br />
{{accuracy|On my KDE system, GnuPG tries to use {{ic|pinentry-curses}}, not {{ic|pinentry-qt}}. If I configure GnuPG to use pinentry-qt, it works fine. Also, all these pinentry dialogs are always installed, since they are all included in {{pkg|pinentry}}, which is a {{pkg|gnupg}} dependency.}} <br />
<br />
The default uses {{ic|/usr/bin/pinentry-gnome3}}, falling back to {{ic|/usr/bin/pinentry-qt}}, {{ic|/usr/bin/pinentry-gtk-2}} and at last {{ic|/usr/bin/pinentry-curses}} if none of the previous were functioning. However there are other options - see {{ic|info pinentry}}. To change the dialog implementation set {{ic|pinentry-program}} configuration option:<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
# pinentry-program /usr/bin/pinentry-gnome3<br />
# pinentry-program /usr/bin/pinentry-qt<br />
# pinentry-program /usr/bin/pinentry-curses<br />
# pinentry-program /usr/bin/pinentry-kwallet<br />
<br />
pinentry-program /usr/bin/pinentry-gtk-2<br />
}}<br />
<br />
{{Tip|For using {{ic|/usr/bin/pinentry-kwallet}} you have to install the {{AUR|kwalletcli}} package.}}<br />
<br />
After making this change, [[#Reload the agent]].<br />
<br />
=== Unattended passphrase ===<br />
<br />
Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the {{ic|--passphrase-fd 0}} commandline option. In order to have the same type of functionality as the older releases two things must be done:<br />
<br />
First, edit the gpg-agent configuration to allow ''loopback'' pinentry mode:<br />
<br />
{{hc|1=~/.gnupg/gpg-agent.conf|2=<br />
allow-loopback-pinentry<br />
}}<br />
<br />
Restart the gpg-agent process if it is running to let the change take effect.<br />
<br />
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:<br />
<br />
$ gpg --pinentry-mode loopback ...<br />
<br />
...or if this is not possible, add the option to the configuration:<br />
<br />
{{hc|1=~/.gnupg/gpg.conf|2=<br />
pinentry-mode loopback<br />
}}<br />
<br />
{{Note|The upstream author indicates setting {{ic|pinentry-mode loopback}} in {{ic|gpg.conf}} may break other usage, using the commandline option should be preferred if at all possible. [https://bugs.g10code.com/gnupg/issue1772]}}<br />
<br />
=== SSH agent ===<br />
<br />
''gpg-agent'' has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your [[SSH keys]]. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.<br />
<br />
==== Set SSH_AUTH_SOCK ====<br />
<br />
You have to set {{ic|SSH_AUTH_SOCK}} so that SSH will use ''gpg-agent'' instead of ''ssh-agent''. To make sure each process can find your ''gpg-agent'' instance regardless of e.g. the type of shell it is child of use [[Environment_variables#Using_pam_env|pam_env]].<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
}}<br />
<br />
{{note|If you set your {{ic|SSH_AUTH_SOCK}} manually (such as in this pam_env example), keep in mind that your socket location may be different if you are using a custom {{ic|GNUPGHOME}}. You can use the following bash example, or change {{ic|SSH_AUTH_SOCK}} to the value of {{ic|gpgconf --list-dirs agent-ssh-socket}}.}}<br />
<br />
Alternatively, depend on Bash. This works for non-standard socket locations as well:<br />
<br />
{{hc|~/.bashrc|2=<br />
unset SSH_AGENT_PID<br />
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then<br />
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"<br />
fi<br />
}}<br />
<br />
{{Note|1=The test involving the {{ic|gnupg_SSH_AUTH_SOCK_by}} variable is for the case where the agent is started as {{ic|gpg-agent --daemon /bin/sh}}, in which case the shell inherits the {{ic|SSH_AUTH_SOCK}} variable from the parent, ''gpg-agent'' [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/gpg-agent.c;hb=7bca3be65e510eda40572327b87922834ebe07eb#l1307].}}<br />
<br />
==== Configure pinentry to use the correct TTY ====<br />
<br />
Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in {{man|1|gpg-agent}}. For example:<br />
<br />
{{hc|~/.bashrc|2=<br />
export GPG_TTY=$(tty)<br />
gpg-connect-agent updatestartuptty /bye >/dev/null<br />
}}<br />
<br />
==== Add SSH keys ====<br />
<br />
Once ''gpg-agent'' is running you can use ''ssh-add'' to approve keys, following the same steps as for [[SSH keys#ssh-agent|ssh-agent]]. The list of approved keys is stored in the {{ic|~/.gnupg/sshcontrol}} file. <br />
<br />
Once your key is approved, you will get a ''pinentry'' dialog every time your passphrase is needed. You can control passphrase caching in the {{ic|~/.gnupg/gpg-agent.conf}} file. The following example would have ''gpg-agent'' cache your keys for 3 hours:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl-ssh 10800<br />
max-cache-ttl-ssh 10800<br />
}}<br />
<br />
==== Using a PGP key for SSH authentication ====<br />
<br />
You can also use your PGP key as an SSH key. This requires a key with the {{ic|Authentication}} capability (see [[#Custom capabilities]]). There are various benefits gained by using a PGP key for SSH authentication, including:<br />
<br />
* Reduced key maintenance, as you will no longer need to maintain an SSH key<br />
* The ability to store the authentication key on a smartcard. GnuPG will automatically detect the key when the card is available, and add it to the agent (check with {{ic|ssh-add -l}} or {{ic|ssh-add -L}}). The comment for the key should be something like: {{ic|openpgp:''key-id''}} or {{ic|cardno:''card-id''}}. <br />
<br />
To retrieve the public key part of your GPG/SSH key, run {{ic|gpg --export-ssh-key ''gpg-key''}}.<br />
<br />
{{Note| Your key may not be added to {{ic|$GNUPGHOME/sshcontrol}}, which is where normal SSH keys are listed.}}<br />
<br />
If your key is not added to {{ic|$GNUPGHOME/sshcontrol}} automatically, you can add the keygrip for your key with the Authentication capability manually. You can get the keygrip of your key by executing {{ic|gpg --list-keys --with-keygrip}}, like so:<br />
<br />
$ gpg --list-keys --with-keygrip<br />
sub rsa4096/1234ABCD1234ABCD 2001-01-01 [A] [expires: 2002-01-01]<br />
Keygrip = < put this value on its own line in $GNUPGHOME/sshcontrol ><br />
<br />
Adding the keygrip to {{ic|$GNUPGHOME/sshcontrol}} is a one-time action; you will not need to edit the file again, unless you are adding additional keygrips.<br />
<br />
== Smartcards ==<br />
<br />
GnuPG uses ''scdaemon'' as an interface to your smartcard reader, please refer to the [[man page]] for details.<br />
<br />
=== GnuPG only setups ===<br />
<br />
{{Note| To allow scdaemon direct access to USB smarcard readers the optional dependency {{Pkg|libusb-compat}} have to be installed}}<br />
<br />
If you do not plan to use other cards but those based on GnuPG, you should check the {{Ic|reader-port}} parameter in {{ic|~/.gnupg/scdaemon.conf}}. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.<br />
<br />
=== GnuPG with pcscd (PCSC Lite) ===<br />
<br />
{{Note|{{Pkg|pcsclite}} and {{Pkg|ccid}} have to be installed, and the contained [[systemd#Using units|systemd]] service {{ic|pcscd.service}} has to be running, or the socket {{ic|pcscd.socket}} has to be listening.}}<br />
<br />
pcscd is a daemon which handles access to smartcard (SCard API). If GnuPG's scdaemon fails to connect the smartcard directly (e.g. by using its integrated CCID support), it will fallback and try to find a smartcard using the PCSC Lite driver.<br />
<br />
==== Always use pcscd ====<br />
<br />
If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using {{Ic|gpg --card-status}}<br />
<br />
gpg: selecting openpgp failed: ec=6.108<br />
<br />
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove {{Ic|reader-port}} from {{ic|~/.gnupg/scdaemon.conf}}, specify the location to {{ic|libpcsclite.so}} library and disable ccid so we make sure that we use pcscd:<br />
<br />
{{hc|~/.gnupg/scdaemon.conf|<nowiki><br />
pcsc-driver /usr/lib/libpcsclite.so<br />
card-timeout 5<br />
disable-ccid<br />
</nowiki>}}<br />
<br />
Please check {{man|1|scdaemon}} if you do not use OpenSC.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Different algorithm ===<br />
<br />
You may want to use stronger algorithms:<br />
<br />
{{hc|~/.gnupg/gpg.conf|<br />
...<br />
<br />
personal-digest-preferences SHA512<br />
cert-digest-algo SHA512<br />
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br />
personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES<br />
}}<br />
<br />
In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.<br />
<br />
=== Encrypt a password ===<br />
<br />
It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.<br />
<br />
First create a file with your password. You '''need''' to leave '''one''' empty line after the password, otherwise gpg will return an error message when evaluating the file.<br />
<br />
Then run:<br />
<br />
$ gpg -e -a -r ''<user-id>'' ''your_password_file''<br />
<br />
{{ic|-e}} is for encrypt, {{ic|-a}} for armor (ASCII output), {{ic|-r}} for recipient user ID.<br />
<br />
You will be left with a new {{ic|''your_password_file''.asc}} file.<br />
<br />
{{Tip|[[pass]] automates this process.}}<br />
<br />
=== Revoking a key ===<br />
<br />
{{Warning|<br />
*Anybody having access to your revocation certificate can revoke your key, rendering it useless.<br />
*Key revocation should only be performed if your key is compromised or lost, or you forget your passphrase.}}<br />
<br />
Revocation certificates are automatically generated for newly generated keys, although one can be generated manually by the user later. These are located at {{ic|~/.gnupg/openpgp-revocs.d/}}. The filename of the certificate is the fingerprint of the key it will revoke.<br />
<br />
To revoke your key, simply import the revocation certificate:<br />
<br />
$ gpg --import ''<fingerprint>''.rev<br />
<br />
Now update the keyserver:<br />
<br />
$ gpg --keyserver subkeys.pgp.net --send-keys ''<userid>''<br />
<br />
=== Change trust model ===<br />
<br />
By default GnuPG uses the [[Wikipedia::Web of Trust|Web of Trust]] as the trust model. You can change this to [[Wikipedia::Trust on first use|Trust on first use]] by adding {{ic|1=--trust-model=tofu}} when adding a key or adding this option to your GnuPG configuration file. More details are in [https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html this email to the GnuPG list].<br />
<br />
=== Hide all recipient id's ===<br />
<br />
By default the recipient's key ID is in the encrypted message. This can be removed at encryption time for a recipient by using {{ic|hidden-recipient ''<user-id>''}}. To remove it for all recipients add {{ic|throw-keyids}} to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (''e.g.'' with {{ic|--try-secret-key ''<user-id>''}}).<br />
<br />
=== Using caff for keysigning parties ===<br />
<br />
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the [[Wikipedia::Web of Trust|Web of Trust]]. Keysigning parties allow users to get together at a physical location to validate keys. The [[Wikipedia:Zimmermann–Sassaman key-signing protocol|Zimmermann-Sassaman]] key-signing protocol is a way of making these very effective. [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html Here] you will find a how-to article.<br />
<br />
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool ''caff''. It can be installed from the AUR with the package {{AUR|caff-svn}}.<br />
<br />
To send the signatures to their owners you need a working [[Wikipedia:Message transfer agent|MTA]]. If you do not have already one, install [[msmtp]].<br />
<br />
=== Always show long ID's and fingerprints ===<br />
<br />
To always show long key ID's add {{ic|keyid-format 0xlong}} to your configuration file. To always show full fingerprints of keys, add {{ic|with-fingerprint}} to your configuration file.<br />
<br />
=== Custom capabilities ===<br />
<br />
For further customization also possible to set custom capabilities to your keys. The following capabilities are available:<br />
<br />
* Certify (only for master keys) - allows the key to create subkeys, mandatory for master keys.<br />
* Sign - allows the key to create cryptographic signatures that others can verify with the public key.<br />
* Encrypt - allows anyone to encrypt data with the public key, that only the private key can decrypt.<br />
* Authenticate - allows the key to authenticate with various non-GnuPG programs. The key can be used as e.g. an SSH key. <br />
<br />
It's possible to specify the capabilities of the master key, by running: <br />
<br />
$ gpg --full-generate-key --expert<br />
<br />
And select an option that allows you to set your own capabilities.<br />
<br />
Comparably, to specify custom capabilities for subkeys, add the {{ic|--expert}} flag to {{ic|gpg --edit-key}}, see [[#Edit your key]] for more information.<br />
<br />
=== Cache passwords ===<br />
<br />
To be asked for your GnuPG password only once per session, set {{ic|max-cache-ttl}} and {{ic|default-cache-ttl}} to something very high, for instance:<br />
<br />
{{hc|<br />
gpg-agent.conf|<br />
max-cache-ttl 60480000<br />
default-cache-ttl 60480000<br />
}}<br />
<br />
See [[#gpg-agent]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Not enough random bytes available ===<br />
When generating a key, gpg can run into this error:<br />
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!<br />
To check the available entropy, check the kernel parameters:<br />
cat /proc/sys/kernel/random/entropy_avail<br />
A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy. <br />
<br />
To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki - all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see [[Random number generation#Alternatives]].<br />
<br />
=== su ===<br />
<br />
When using {{Ic|pinentry}}, you must have the proper permissions of the terminal device (e.g. {{Ic|/dev/tty1}}) in use. However, with ''su'' (or ''sudo''), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg:<br />
<br />
# chown root /dev/ttyN # where N is the current tty<br />
<br />
and then change it back after using gpg the first time. The equivalent is likely to be true with {{Ic|/dev/pts/}}.<br />
<br />
{{Note|The owner of tty ''must'' match with the user for which pinentry is running. Being part of the group {{Ic|tty}} '''is not''' enough.}}<br />
<br />
{{Tip|If you run gpg with {{ic|script}} it will use a new tty with the correct ownership:<br />
<br />
# script -q -c "gpg --gen-key" /dev/null<br />
}}<br />
<br />
=== Agent complains end of file ===<br />
<br />
The default pinentry program is {{ic|/usr/bin/pinentry-gnome3}}, which needs a DBus session bus to run properly. See [[General troubleshooting#Session permissions]] for details.<br />
<br />
Alternatively, you can use a variety of different options described in [[#pinentry]].<br />
<br />
=== KGpg configuration permissions ===<br />
<br />
There have been issues with {{Pkg|kgpg}} being able to access the {{ic|~/.gnupg/}} options. One issue might be a result of a deprecated ''options'' file, see the [https://bugs.kde.org/show_bug.cgi?id=290221 bug] report.<br />
<br />
=== GNOME on Wayland overrides SSH agent socket ===<br />
<br />
For Wayland sessions, {{Ic|gnome-session}} sets {{Ic|SSH_AUTH_SOCK}} to the standard gnome-keyring socket, {{Ic|$XDG_RUNTIME_DIR/keyring/ssh}}. This overrides any value set in {{Ic|~/.pam_environmment}} or systemd unit files.<br />
<br />
To disable this behavior, set the {{Ic|GSM_SKIP_AGENT_WORKAROUND}} variable:<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
GSM_SKIP_SSH_AGENT_WORKAROUND DEFAULT="true"<br />
}}<br />
<br />
=== mutt ===<br />
<br />
Mutt might not use ''gpg-agent'' correctly, you need to set an [[environment variable]] {{ic|GPG_AGENT_INFO}} (the content doesn't matter) when running mutt. Be also sure to enable password caching correctly, see [[#Cache passwords]].<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?pid=1490821#p1490821 this forum thread]<br />
<br />
=== "Lost" keys, upgrading to gnupg version 2.1 ===<br />
<br />
When {{ic|gpg --list-keys}} fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.<br />
<br />
Please read [http://jo-ke.name/wp/?p=111 GnuPG invalid packet workaround]. Basically, it says that there is a bug with keys in the old {{ic|pubring.gpg}} and {{ic|secring.gpg}} files, which have now been superseded by the new {{ic|pubring.kbx}} file and the {{ic|private-keys-v1.d/}} subdirectory and files. Your missing keys can be recovered with the following commnads:<br />
<br />
$ cd<br />
$ cp -r .gnupg gnupgOLD<br />
$ gpg --export-ownertrust > otrust.txt<br />
$ gpg --import .gnupg/pubring.gpg<br />
$ gpg --import-ownertrust otrust.txt<br />
$ gpg --list-keys<br />
<br />
=== gpg hanged for all keyservers (when trying to receive keys) ===<br />
<br />
If gpg hanged with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working, otherwise it might keeping hanging for all of them.<br />
<br />
=== Smartcard not detected ===<br />
<br />
Your user might not have the permission to access the smartcard which results in a {{ic|card error}} to be thrown, even though the card is correctly set up and inserted.<br />
<br />
One possible solution is to add a new group {{ic|scard}} including the users who need access to the smartcard.<br />
<br />
Then use [[udev rules]], similar to the following:<br />
{{hc|/etc/udev/rules.d/71-gnupg-ccid.rules|<nowiki><br />
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"<br />
</nowiki>}}<br />
One needs to adapt VENDOR and MODEL according to the {{ic|lsusb}} output, the above example is for a YubikeyNEO.<br />
<br />
=== gpg: WARNING: server 'gpg-agent' is older than us (x < y) ===<br />
<br />
This warning appears if {{ic|gnupg}} is upgraded and the old gpg-agent is still running. [[Restart]] the ''user'''s {{ic|gpg-agent.socket}} (i.e., use the {{ic|--user}} flag when restarting).<br />
<br />
=== gpg: ..., IPC connect call failed ===<br />
<br />
{{Accuracy|The {{ic|gpg-agent*.socket}} systemd sockets provided by the {{Pkg|gnupg}} package create the sockets in {{ic|/run/user/$UID/gnupg/}} which is guaranteed to be an appropriate file system.}}<br />
<br />
Make sure {{ic|gpg-agent}} and {{ic|dirmngr}} are not running with {{ic|killall gpg-agent dirmngr}} and the {{ic|$GNUPGHOME/crls.d/}} folder has permission set to {{ic|700}}.<br />
<br />
If your keyring is stored on a vFat filesystem (e.g. a USB drive), {{ic|gpg-agent}} will fail to create the required sockets (vFat does not support sockets), you can create redirects to a location that handles sockets, e.g. {{ic|/dev/shm}}:<br />
<br />
# export GNUPGHOME=/custom/gpg/home<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > $GNUPGHOME/S.gpg-agent<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.browser\n' > $GNUPGHOME/S.gpg-agent.browser<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.extra\n' > $GNUPGHOME/S.gpg-agent.extra<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.ssh\n' > $GNUPGHOME/S.gpg-agent.ssh<br />
<br />
Test that gpg-agent starts successfully with {{ic|gpg-agent --daemon}}.<br />
<br />
== See also ==<br />
<br />
* [https://gnupg.org/ GNU Privacy Guard Homepage]<br />
* [https://tools.ietf.org/html/rfc4880 RFC4880 "OpenPGP Message Format"]<br />
* [https://fedoraproject.org/wiki/Creating_GPG_Keys Creating GPG Keys (Fedora)]<br />
* [https://wiki.debian.org/Subkeys OpenPGP subkeys in Debian]<br />
* [https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/ A more comprehensive gpg Tutorial]<br />
* [https://help.riseup.net/en/security/message-security/openpgp/gpg-best-practices gpg.conf recommendations and best practices]<br />
* [https://github.com/ioerror/torbirdy/blob/master/gpg.conf Torbirdy gpg.conf]<br />
* [https://www.reddit.com/r/GPGpractice/ /r/GPGpractice - a subreddit to practice using GnuPG.]<br />
* [https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md Protecting code integrity with PGP]</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=GnuPG&diff=530942GnuPG2018-07-25T14:35:57Z<p>Sudoforge: /* Using a PGP key for SSH authentication */ Move instructions for retrieving the public key part of a pgp key. Existing under the note regarding sshcontrol seems out of place.</p>
<hr />
<div>[[Category:Encryption]]<br />
[[es:GnuPG]]<br />
[[ja:GnuPG]]<br />
[[ru:GnuPG]]<br />
[[pl:GnuPG]]<br />
[[zh-hans:GnuPG]]<br />
[[zh-hant:GnuPG]]<br />
{{Related articles start}}<br />
{{Related|pacman/Package signing}}<br />
{{Related|Disk encryption}}<br />
{{Related|List of applications/Security#Encryption, signing, steganography}}<br />
{{Related articles end}}<br />
<br />
According to the [https://www.gnupg.org/ official website]:<br />
<br />
:GnuPG is a complete and free implementation of the [http://openpgp.org/about/ OpenPGP] standard as defined by [https://tools.ietf.org/html/rfc4880 RFC4880] (also known as PGP). GnuPG allows you to encrypt and sign your data and communication. It features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|gnupg}} package.<br />
<br />
This will also install {{Pkg|pinentry}}, a collection of simple PIN or passphrase entry dialogs which GnuPG uses for passphrase entry. The shell script {{ic|/usr/bin/pinentry}} determines which ''pinentry'' dialog is used, in the order described at [[#pinentry]].<br />
<br />
If you want to use a graphical frontend or program that integrates with GnuPG, see [[List of applications/Security#Encryption, signing, steganography]].<br />
<br />
== Configuration ==<br />
<br />
=== Directory location ===<br />
{{ic|$GNUPGHOME}} is used by GnuPG to point to the directory where its configuration files are stored. By default {{ic|$GNUPGHOME}} is not set and your {{ic|$HOME}} is used instead; thus, you will find a {{ic|~/.gnupg}} directory right after installation. <br />
<br />
To change the default location, either run gpg this way {{ic|$ gpg --homedir ''path/to/file''}} or set the {{ic|GNUPGHOME}} [[environment variable]].<br />
<br />
=== Configuration files ===<br />
<br />
The default configuration files are {{ic|~/.gnupg/gpg.conf}} and {{ic|~/.gnupg/dirmngr.conf}}. <br />
<br />
By default, the gnupg directory has its [[permissions]] set to {{ic|700}} and the files it contains have their permissions set to {{ic|600}}. Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.<br />
<br />
Append to these files any long options you want. Do not write the two dashes, but simply the name of the option and required arguments. You will find skeleton files in {{ic|/usr/share/gnupg}}. These files are copied to {{ic|~/.gnupg}} the first time gpg is run if they do not exist there. Other examples are found in [[#See also]].<br />
<br />
Additionally, [[pacman]] uses a different set of configuration files for package signature verification. See [[Pacman/Package signing]] for details.<br />
<br />
=== Default options for new users ===<br />
<br />
If you want to setup some default options for new users, put configuration files in {{ic|/etc/skel/.gnupg/}}. When the new user is added in system, files from here will be copied to its GnuPG home directory. There is also a simple script called ''addgnupghome'' which you can use to create new GnuPG home directories for existing users:<br />
<br />
# addgnupghome user1 user2<br />
<br />
This will add the respective {{ic|/home/user1/.gnupg}} and {{ic|/home/user2/.gnupg}} and copy the files from the skeleton directory to it. Users with existing GnuPG home directory are simply skipped.<br />
<br />
== Usage ==<br />
<br />
{{Note|Whenever a ''{{ic|user-id}}'' is required in a command, it can be specified with your key ID, fingerprint, a part of your name or email address, etc. GnuPG is flexible on this.<br />
}}<br />
<br />
=== Create a key pair ===<br />
<br />
Generate a key pair by typing in a terminal:<br />
<br />
$ gpg --full-gen-key<br />
<br />
{{Tip|Use the {{ic|--expert}} option for getting alternative ciphers like [[wikipedia:Elliptic_curve_cryptography|ECC]].}}<br />
<br />
The command will prompt for answers to several questions. For general use most people will want: <br />
<br />
* the RSA (sign only) and a RSA (encrypt only) key.<br />
* a keysize of the default value (2048). A larger keysize of 4096 "gives us almost nothing, while costing us quite a lot"[https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096].<br />
* an expiration date. A period of a year is good enough for the average user. This way even if access is lost to the keyring, it will allow others to know that it is no longer valid. Later, if necessary, the expiration date can be extended without having to re-issue a new key.<br />
* your name and email address. You can add multiple identities to the same key later (''e.g.'', if you have multiple email addresses you want to associate with this key).<br />
* ''no'' optional comment. Since the semantics of the comment field are [https://lists.gnupg.org/pipermail/gnupg-devel/2015-July/030150.html not well-defined], it has limited value for identification.<br />
* [[Security#Choosing_secure_passwords|a secure passphrase]].<br />
<br />
{{Note|The name and email address you enter here will be seen by anybody who imports your key.}}<br />
<br />
=== List keys ===<br />
<br />
To list keys in your public key ring:<br />
<br />
$ gpg --list-keys<br />
<br />
To list keys in your secret key ring:<br />
<br />
$ gpg --list-secret-keys<br />
<br />
=== Export your public key ===<br />
<br />
gpg's main usage is to ensure confidentiality of exchanged messages via public-key cryptography. With it each user distributes the public key of their keyring, which can be be used by others to encrypt messages to the user. The private key must ''always'' be kept private, otherwise confidentiality is broken. See [[w:Public-key cryptography]] for examples about the message exchange. <br />
<br />
So, in order for others to send encrypted messages to you, they need your public key. <br />
<br />
To generate an ASCII version of a user's public key to file {{ic|''public.key''}} (e.g. to distribute it by e-mail):<br />
<br />
$ gpg --output ''public.key'' --armor --export ''user-id''<br />
<br />
Alternatively, or in addition, you can [[#Use a keyserver]] to share your key. <br />
<br />
{{Tip|Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.}}<br />
<br />
=== Import a public key ===<br />
<br />
In order to encrypt messages to others, as well as verify their signatures, you need their public key. To import a public key with file name {{ic|''public.key''}} to your public key ring:<br />
<br />
$ gpg --import ''public.key''<br />
<br />
Alternatively, [[#Use a keyserver]] to find a public key.<br />
<br />
=== Use a keyserver ===<br />
<br />
You can register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:<br />
<br />
$ gpg --send-keys ''user-id''<br />
<br />
{{Warning|Once a key has been submitted to a keyserver, it cannot be deleted from the server.[https://pgp.mit.edu/faq.html]}}<br />
<br />
To find out details of a key on the keyserver, without importing it, do:<br />
<br />
$ gpg --search-keys ''user-id''<br />
<br />
To import a key from a key server:<br />
<br />
$ gpg --recv-keys ''key-id''<br />
<br />
{{Warning|<br />
* You should verify the authenticity of the retrieved public key by comparing its fingerprint with one that the owner published on an independent source(s) (e.g., contacting the person directly). See [[Wikipedia:Public key fingerprint]] for more information.<br />
* Using a short ID may encounter collisions. All keys will be imported that have the short ID. To avoid this, use the full fingerprint or long key ID when receiving a key.[https://lkml.org/lkml/2016/8/15/445]}}<br />
{{Tip|<br />
* Adding {{ic|keyserver-options auto-key-retrieve}} to {{ic|gpg.conf}} will automatically fetch keys from the key server as needed. <br />
* An alternative key server is {{ic|pool.sks-keyservers.net}} and can be specified with {{ic|keyserver}} in {{ic|dirmngr.conf}}; see also [[wikipedia:Key server (cryptographic)#Keyserver examples]].<br />
* If your network blocks ports used for hkp/hkps, you may need to specify port 80, i.e. {{ic|pool.sks-keyservers.net:80}}<br />
* You can connect to the keyserver over [[Tor]] using {{ic|--use-tor}}. See this [https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html GnuPG blog post] for more information.<br />
* You can connect to a keyserver using a proxy by setting the {{ic|http_proxy}} environment variable and setting {{ic|honor-http-proxy}} in {{ic|dirmngr.conf}}. Alternatively, set {{ic|http-proxy ''host[:port]''}} in {{ic|dirmngr.conf}}, overriding the {{ic|http_proxy}} environment variable. [[Restart]] the {{ic|dirmngr.service}} [[systemd/User|user service]] for the changes to take effect.<br />
* If you wish to import a key ID to install a specific Arch Linux package, see [[pacman/Package signing#Managing the keyring]] and [[Makepkg#Signature checking]].}}<br />
<br />
=== Encrypt and decrypt ===<br />
<br />
==== Asymmetric ====<br />
You need to [[#Import a public key]] of a user before encrypting (options {{ic|--encrypt}} or {{ic|-e}}) a file or message to that recipient (options {{ic|--recipient}} or {{ic|-r}}). Additionally you need to [[#Create a key pair]] if you have not already done so.<br />
<br />
To encrypt a file with the name ''doc'', use:<br />
<br />
$ gpg --recipient ''user-id'' --encrypt ''doc''<br />
<br />
To decrypt (option {{ic|--decrypt}} or {{ic|-d}}) a file with the name ''doc''.gpg encrypted with your public key, use:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
''gpg'' will prompt you for your passphrase and then decrypt and write the data from ''doc''.gpg to ''doc''. If you omit the {{ic|-o}} ({{ic|--output}}) option, ''gpg'' will write the decrypted data to stdout.<br />
<br />
{{Tip|<br />
* Add {{ic|--armor}} to encrypt a file using ASCII armor (suitable for copying and pasting a message in text format)<br />
* Use {{ic|-R ''user-id''}} or {{ic|--hidden-recipient ''user-id''}} instead of {{ic|-r}} to not put the recipient key IDs in the encrypted message. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis.<br />
* Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.<br />
* You can use gnupg to encrypt your sensitive documents by using your own user-id as recipient or by using the {{ic|--default-recipient-self}} flag instead; however, you can only do this one file at a time, although you can always tarball various files and then encrypt the tarball. See also [[Disk encryption#Available methods]] if you want to encrypt directories or a whole file-system.}}<br />
<br />
==== Symmetric ====<br />
Symmetric encryption does not require the generation of a key pair and can be used to simply encrypt data with a passphrase. Simply use {{ic|--symmetric}} or {{ic|-c}} to perform symmetic encryption:<br />
<br />
$ gpg -c ''doc''<br />
<br />
The following example:<br />
<br />
* Encrypts {{ic|''doc''}} with a symmetric cipher using a passphrase<br />
* Uses the AES-256 cipher algorithm to encrypt the passphrase<br />
* Uses the SHA-512 digest algorithm to mangle the passphrase<br />
* Mangles the passphrase for 65536 iterations<br />
<br />
$ gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536 ''doc''<br />
<br />
To decrypt a symmetrically encrypted {{ic|''doc''.gpg}} using a passphrase and output decrypted contents into the same directory as {{ic|''doc''}} do:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
== Key maintenance ==<br />
<br />
=== Backup your private key ===<br />
<br />
To backup your private key do the following:<br />
<br />
$ gpg --export-secret-keys --armor ''<user-id>'' > ''privkey.asc''<br />
<br />
Note that ''gpg'' release 2.1 changed default behaviour so that the above command enforces a passphrase protection, even if you deliberately chose not to use one on key creation. This is because otherwise anyone who gains access to the above exported file would be able to encrypt and sign documents as if they were you ''without'' needing to know your passphrase. <br />
<br />
{{Warning|The passphrase is usually the weakest link in protecting your secret key. Place the private key in a safe place on a different system/device, such as a locked container or encrypted drive. It is the only safety you have to regain control to your keyring in case of, for example, a drive failure, theft or worse.}}<br />
<br />
To import the backup of your private key:<br />
$ gpg --import ''privkey.asc''<br />
<br />
=== Edit your key ===<br />
<br />
Running the {{ic|gpg --edit-key ''<user-id>''}} command will present a menu which enables you to do most of your key management related tasks.<br />
<br />
Some useful commands in the edit key sub menu:<br />
> passwd # change the passphrase<br />
> clean # compact any user ID that is no longer usable (e.g revoked or expired)<br />
> revkey # revoke a key<br />
> addkey # add a subkey to this key<br />
> expire # change the key expiration time<br />
<br />
Type {{ic|help}} in the edit key sub menu for more commands.<br />
<br />
{{Tip|If you have multiple email accounts you can add each one of them as an identity, using {{ic|adduid}} command. You can then set your favourite one as {{ic|primary}}.}}<br />
<br />
=== Exporting subkey ===<br />
<br />
If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.<br />
<br />
First, find out which subkey you want to export.<br />
<br />
$ gpg -K<br />
<br />
Select only that subkey to export.<br />
<br />
$ gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg<br />
<br />
{{Warning|If you forget to add the !, all of your subkeys will be exported.}}<br />
<br />
At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder. <br />
<br />
$ gpg --homedir /tmp/gpg --import /tmp/subkey.gpg<br />
$ gpg --homedir /tmp/gpg --edit-key ''<user-id>''<br />
> passwd<br />
> save<br />
$ gpg --homedir /tmp/gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.altpass.gpg<br />
<br />
{{Note|You will get a warning that the master key was not available and the password was not changed, but that can safely be ignored as the subkey password was.}}<br />
<br />
At this point, you can now use {{ic|/tmp/subkey.altpass.gpg}} on your other devices.<br />
<br />
=== Rotating subkeys ===<br />
<br />
{{Warning|'''Never''' delete your expired or revoked subkeys unless you have a good reason. Doing so will cause you to lose the ability to decrypt files encrypted with the old subkey. Please '''only''' delete expired or revoked keys from other users to clean your keyring.}}<br />
<br />
If you have set your subkeys to expire after a set time, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.<br />
<br />
{{Tip|You do not need to create a new key simply because it is expired. You can extend the expiration date.}}<br />
<br />
Create new subkey (repeat for both signing and encrypting key)<br />
<br />
$ gpg --edit-key ''<user-id>''<br />
> addkey<br />
<br />
And answer the following questions it asks (see [[#Create a key pair]] for suggested settings).<br />
<br />
Save changes<br />
<br />
> save<br />
<br />
Update it to a keyserver.<br />
<br />
$ gpg --keyserver pgp.mit.edu --send-keys ''<user-id>''<br />
<br />
{{Tip|Revoking expired subkeys is unnecessary and arguably bad form. If you are constantly revoking keys, it may cause others to lack confidence in you.}}<br />
<br />
== Signatures ==<br />
<br />
Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user's private key. The recipient of a signed document then verifies the signature using the sender's public key.<br />
<br />
=== Create a signature ===<br />
<br />
==== Sign a file ====<br />
<br />
To sign a file use the {{ic|--sign}} or {{ic|-s}} flag:<br />
<br />
$ gpg --output ''doc''.sig --sign ''doc''<br />
<br />
{{ic|''doc''.sig}} contains both the compressed content of the original file {{ic|''doc''}} and the signature in a binary format, but the file is not encrypted. However, you can combine signing with [[#Encrypt and decrypt|encrypting]].<br />
<br />
==== Clearsign a file or message ====<br />
<br />
To sign a file without compressing it into binary format use:<br />
<br />
$ gpg --output ''doc''.sig --clearsign ''doc''<br />
<br />
Here both the content of the original file {{ic|''doc''}} and the signature are stored in human-readable form in {{ic|''doc''.sig}}.<br />
<br />
==== Make a detached signature ====<br />
<br />
To create a separate signature file to be distributed separately from the document or file itself, use the {{ic|--detach-sig}} flag:<br />
<br />
$ gpg --output ''doc''.sig --detach-sig ''doc''<br />
<br />
Here the signature is stored in {{ic|''doc''.sig}}, but the contents of {{ic|''doc''}} are not stored in it. This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.<br />
<br />
=== Verify a signature ===<br />
<br />
To verify a signature use the {{ic|--verify}} flag:<br />
<br />
$ gpg --verify ''doc''.sig<br />
<br />
where {{ic|''doc''.sig}} is the signed file containing the signature you wish to verify.<br />
<br />
If you are verifying a detached signature, both the signed data file and the signature file must be present when verifying. For example, to verify Arch Linux's latest iso you would do:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig<br />
<br />
where {{ic|archlinux-''version''.iso}} must be located in the same directory.<br />
<br />
You can also specify the signed data file with a second argument:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig ''/path/to/''archlinux-''version''.iso<br />
<br />
If a file as been encrypted in addition to being signed, simply [[#Encrypt and decrypt|decrypt]] the file and its signature will also be verified.<br />
<br />
== gpg-agent ==<br />
<br />
''gpg-agent'' is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. {{Pkg|gnupg}} comes with [[systemd/User|systemd user]] sockets which are enabled by default. These sockets are {{ic|gpg-agent.socket}}, {{ic|gpg-agent-extra.socket}}, {{ic|gpg-agent-browser.socket}}, {{ic|gpg-agent-ssh.socket}}, and {{ic|dirmngr.socket}}.<br />
<br />
{{Expansion|Add {{ic|gpg-agent-browser.socket}} to the list.}}<br />
<br />
* The main {{ic|gpg-agent.socket}} is used by ''gpg'' to connect to the ''gpg-agent'' daemon.<br />
* The intended use for the {{ic|gpg-agent-extra.socket}} on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use ''gpg'' on the remote system without exposing the private keys to the remote system. See {{man|1|gpg-agent}} for details.<br />
* The {{ic|gpg-agent-ssh.socket}} can be used by [[SSH]] to cache [[SSH keys]] added by the ''ssh-add'' program. See [[#SSH agent]] for the necessary configuration.<br />
* The {{ic|dirmngr.socket}} starts a GnuPG daemon handling connections to keyservers.<br />
<br />
{{Note|If you use non-default GnuPG [[#Directory location]], you will need to [[edit]] all socket files to use the values of {{ic|gpgconf --list-dirs}}.}}<br />
<br />
=== Configuration ===<br />
<br />
gpg-agent can be configured via {{ic|~/.gnupg/gpg-agent.conf}} file. The configuration options are listed in {{man|1|gpg-agent}}. For example you can change cache ttl for unused keys:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl 3600<br />
}}<br />
<br />
{{Tip|To cache your passphrase for the whole session, please run the following command:<br />
$ /usr/lib/gnupg/gpg-preset-passphrase --preset XXXXXX<br />
<br />
where XXXX is the keygrip. You can get its value when running {{ic|gpg --with-keygrip -K}}. Passphrase will be stored until {{ic|gpg-agent}} is restarted. If you set up {{ic|default-cache-ttl}} value, it will take precedence.<br />
}}<br />
<br />
=== Reload the agent ===<br />
<br />
After changing the configuration, reload the agent using ''gpg-connect-agent'':<br />
<br />
$ gpg-connect-agent reloadagent /bye<br />
<br />
The command should print {{ic|OK}}.<br />
<br />
However in some cases only the restart may not be sufficient, like when {{ic|keep-screen}} has been added to the agent configuration.<br />
In this case you firstly need to kill the ongoing gpg-agent process and then you can restart it as was explained above.<br />
<br />
=== pinentry ===<br />
<br />
Finally, the agent needs to know how to ask the user for the password. This can be set in the gpg-agent configuration file.<br />
<br />
{{accuracy|On my KDE system, GnuPG tries to use {{ic|pinentry-curses}}, not {{ic|pinentry-qt}}. If I configure GnuPG to use pinentry-qt, it works fine. Also, all these pinentry dialogs are always installed, since they are all included in {{pkg|pinentry}}, which is a {{pkg|gnupg}} dependency.}} <br />
<br />
The default uses {{ic|/usr/bin/pinentry-gnome3}}, falling back to {{ic|/usr/bin/pinentry-qt}}, {{ic|/usr/bin/pinentry-gtk-2}} and at last {{ic|/usr/bin/pinentry-curses}} if none of the previous were functioning. However there are other options - see {{ic|info pinentry}}. To change the dialog implementation set {{ic|pinentry-program}} configuration option:<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
# pinentry-program /usr/bin/pinentry-gnome3<br />
# pinentry-program /usr/bin/pinentry-qt<br />
# pinentry-program /usr/bin/pinentry-curses<br />
# pinentry-program /usr/bin/pinentry-kwallet<br />
<br />
pinentry-program /usr/bin/pinentry-gtk-2<br />
}}<br />
<br />
{{Tip|For using {{ic|/usr/bin/pinentry-kwallet}} you have to install the {{AUR|kwalletcli}} package.}}<br />
<br />
After making this change, [[#Reload the agent]].<br />
<br />
=== Unattended passphrase ===<br />
<br />
Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the {{ic|--passphrase-fd 0}} commandline option. In order to have the same type of functionality as the older releases two things must be done:<br />
<br />
First, edit the gpg-agent configuration to allow ''loopback'' pinentry mode:<br />
<br />
{{hc|1=~/.gnupg/gpg-agent.conf|2=<br />
allow-loopback-pinentry<br />
}}<br />
<br />
Restart the gpg-agent process if it is running to let the change take effect.<br />
<br />
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:<br />
<br />
$ gpg --pinentry-mode loopback ...<br />
<br />
...or if this is not possible, add the option to the configuration:<br />
<br />
{{hc|1=~/.gnupg/gpg.conf|2=<br />
pinentry-mode loopback<br />
}}<br />
<br />
{{Note|The upstream author indicates setting {{ic|pinentry-mode loopback}} in {{ic|gpg.conf}} may break other usage, using the commandline option should be preferred if at all possible. [https://bugs.g10code.com/gnupg/issue1772]}}<br />
<br />
=== SSH agent ===<br />
<br />
''gpg-agent'' has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your [[SSH keys]]. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.<br />
<br />
==== Set SSH_AUTH_SOCK ====<br />
<br />
You have to set {{ic|SSH_AUTH_SOCK}} so that SSH will use ''gpg-agent'' instead of ''ssh-agent''. To make sure each process can find your ''gpg-agent'' instance regardless of e.g. the type of shell it is child of use [[Environment_variables#Using_pam_env|pam_env]].<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
}}<br />
<br />
{{note|If you set your {{ic|SSH_AUTH_SOCK}} manually (such as in this pam_env example), keep in mind that your socket location may be different if you are using a custom {{ic|GNUPGHOME}}. You can use the following bash example, or change {{ic|SSH_AUTH_SOCK}} to the value of {{ic|gpgconf --list-dirs agent-ssh-socket}}.}}<br />
<br />
Alternatively, depend on Bash. This works for non-standard socket locations as well:<br />
<br />
{{hc|~/.bashrc|2=<br />
unset SSH_AGENT_PID<br />
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then<br />
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"<br />
fi<br />
}}<br />
<br />
{{Note|1=The test involving the {{ic|gnupg_SSH_AUTH_SOCK_by}} variable is for the case where the agent is started as {{ic|gpg-agent --daemon /bin/sh}}, in which case the shell inherits the {{ic|SSH_AUTH_SOCK}} variable from the parent, ''gpg-agent'' [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/gpg-agent.c;hb=7bca3be65e510eda40572327b87922834ebe07eb#l1307].}}<br />
<br />
==== Configure pinentry to use the correct TTY ====<br />
<br />
Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in {{man|1|gpg-agent}}. For example:<br />
<br />
{{hc|~/.bashrc|2=<br />
export GPG_TTY=$(tty)<br />
gpg-connect-agent updatestartuptty /bye >/dev/null<br />
}}<br />
<br />
==== Add SSH keys ====<br />
<br />
Once ''gpg-agent'' is running you can use ''ssh-add'' to approve keys, following the same steps as for [[SSH keys#ssh-agent|ssh-agent]]. The list of approved keys is stored in the {{ic|~/.gnupg/sshcontrol}} file. <br />
<br />
Once your key is approved, you will get a ''pinentry'' dialog every time your passphrase is needed. You can control passphrase caching in the {{ic|~/.gnupg/gpg-agent.conf}} file. The following example would have ''gpg-agent'' cache your keys for 3 hours:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl-ssh 10800<br />
max-cache-ttl-ssh 10800<br />
}}<br />
<br />
==== Using a PGP key for SSH authentication ====<br />
<br />
You can also use your PGP key as an SSH key. This requires a key with the {{ic|Authentication}} capability (see [[#Custom capabilities]]). There are various benefits gained by using a PGP key for SSH authentication, including:<br />
<br />
* Reduced key maintenance, as you will no longer need to maintain an SSH key<br />
* The ability to store the authentication key on a smartcard. GnuPG will automatically detect the key when the card is available, and add it to the agent (check with {{ic|ssh-add -l}} or {{ic|ssh-add -L}}). The comment for the key should be something like: {{ic|openpgp:''key-id''}} or {{ic|cardno:''card-id''}}. <br />
<br />
To retrieve the public key part of your GPG/SSH key, run {{ic|gpg --export-ssh-key ''gpg-key''}}.<br />
<br />
{{Note| Your key may not be added to {{ic|$GNUPGHOME/sshcontrol}}, which is where normal SSH keys are listed.}}<br />
<br />
If your key is not added to {{ic|$GNUPGHOME/sshcontrol}} automatically, you can add the keygrip for your key with the Authentication capability manually. You can get the keygrip of your key by executing {{ic|gpg --list-keys --with-keygrip}}, like so:<br />
<br />
$ gpg --list-keys --with-keygrip<br />
sub rsa4096/1234ABCD1234ABCD 2001-01-01 [A] [expires: 2002-01-01]<br />
Keygrip = < put this value on its own line in $GNUPGHOME/sshcontrol ><br />
<br />
Adding the keygrip to {{ic|$HOME/.gnupg/sshcontrol}} is a one-time action; you will not need to edit the file again, unless you are adding additional keygrips.<br />
<br />
== Smartcards ==<br />
<br />
GnuPG uses ''scdaemon'' as an interface to your smartcard reader, please refer to the [[man page]] for details.<br />
<br />
=== GnuPG only setups ===<br />
<br />
{{Note| To allow scdaemon direct access to USB smarcard readers the optional dependency {{Pkg|libusb-compat}} have to be installed}}<br />
<br />
If you do not plan to use other cards but those based on GnuPG, you should check the {{Ic|reader-port}} parameter in {{ic|~/.gnupg/scdaemon.conf}}. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.<br />
<br />
=== GnuPG with pcscd (PCSC Lite) ===<br />
<br />
{{Note|{{Pkg|pcsclite}} and {{Pkg|ccid}} have to be installed, and the contained [[systemd#Using units|systemd]] service {{ic|pcscd.service}} has to be running, or the socket {{ic|pcscd.socket}} has to be listening.}}<br />
<br />
pcscd is a daemon which handles access to smartcard (SCard API). If GnuPG's scdaemon fails to connect the smartcard directly (e.g. by using its integrated CCID support), it will fallback and try to find a smartcard using the PCSC Lite driver.<br />
<br />
==== Always use pcscd ====<br />
<br />
If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using {{Ic|gpg --card-status}}<br />
<br />
gpg: selecting openpgp failed: ec=6.108<br />
<br />
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove {{Ic|reader-port}} from {{ic|~/.gnupg/scdaemon.conf}}, specify the location to {{ic|libpcsclite.so}} library and disable ccid so we make sure that we use pcscd:<br />
<br />
{{hc|~/.gnupg/scdaemon.conf|<nowiki><br />
pcsc-driver /usr/lib/libpcsclite.so<br />
card-timeout 5<br />
disable-ccid<br />
</nowiki>}}<br />
<br />
Please check {{man|1|scdaemon}} if you do not use OpenSC.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Different algorithm ===<br />
<br />
You may want to use stronger algorithms:<br />
<br />
{{hc|~/.gnupg/gpg.conf|<br />
...<br />
<br />
personal-digest-preferences SHA512<br />
cert-digest-algo SHA512<br />
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br />
personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES<br />
}}<br />
<br />
In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.<br />
<br />
=== Encrypt a password ===<br />
<br />
It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.<br />
<br />
First create a file with your password. You '''need''' to leave '''one''' empty line after the password, otherwise gpg will return an error message when evaluating the file.<br />
<br />
Then run:<br />
<br />
$ gpg -e -a -r ''<user-id>'' ''your_password_file''<br />
<br />
{{ic|-e}} is for encrypt, {{ic|-a}} for armor (ASCII output), {{ic|-r}} for recipient user ID.<br />
<br />
You will be left with a new {{ic|''your_password_file''.asc}} file.<br />
<br />
{{Tip|[[pass]] automates this process.}}<br />
<br />
=== Revoking a key ===<br />
<br />
{{Warning|<br />
*Anybody having access to your revocation certificate can revoke your key, rendering it useless.<br />
*Key revocation should only be performed if your key is compromised or lost, or you forget your passphrase.}}<br />
<br />
Revocation certificates are automatically generated for newly generated keys, although one can be generated manually by the user later. These are located at {{ic|~/.gnupg/openpgp-revocs.d/}}. The filename of the certificate is the fingerprint of the key it will revoke.<br />
<br />
To revoke your key, simply import the revocation certificate:<br />
<br />
$ gpg --import ''<fingerprint>''.rev<br />
<br />
Now update the keyserver:<br />
<br />
$ gpg --keyserver subkeys.pgp.net --send-keys ''<userid>''<br />
<br />
=== Change trust model ===<br />
<br />
By default GnuPG uses the [[Wikipedia::Web of Trust|Web of Trust]] as the trust model. You can change this to [[Wikipedia::Trust on first use|Trust on first use]] by adding {{ic|1=--trust-model=tofu}} when adding a key or adding this option to your GnuPG configuration file. More details are in [https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html this email to the GnuPG list].<br />
<br />
=== Hide all recipient id's ===<br />
<br />
By default the recipient's key ID is in the encrypted message. This can be removed at encryption time for a recipient by using {{ic|hidden-recipient ''<user-id>''}}. To remove it for all recipients add {{ic|throw-keyids}} to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (''e.g.'' with {{ic|--try-secret-key ''<user-id>''}}).<br />
<br />
=== Using caff for keysigning parties ===<br />
<br />
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the [[Wikipedia::Web of Trust|Web of Trust]]. Keysigning parties allow users to get together at a physical location to validate keys. The [[Wikipedia:Zimmermann–Sassaman key-signing protocol|Zimmermann-Sassaman]] key-signing protocol is a way of making these very effective. [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html Here] you will find a how-to article.<br />
<br />
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool ''caff''. It can be installed from the AUR with the package {{AUR|caff-svn}}.<br />
<br />
To send the signatures to their owners you need a working [[Wikipedia:Message transfer agent|MTA]]. If you do not have already one, install [[msmtp]].<br />
<br />
=== Always show long ID's and fingerprints ===<br />
<br />
To always show long key ID's add {{ic|keyid-format 0xlong}} to your configuration file. To always show full fingerprints of keys, add {{ic|with-fingerprint}} to your configuration file.<br />
<br />
=== Custom capabilities ===<br />
<br />
For further customization also possible to set custom capabilities to your keys. The following capabilities are available:<br />
<br />
* Certify (only for master keys) - allows the key to create subkeys, mandatory for master keys.<br />
* Sign - allows the key to create cryptographic signatures that others can verify with the public key.<br />
* Encrypt - allows anyone to encrypt data with the public key, that only the private key can decrypt.<br />
* Authenticate - allows the key to authenticate with various non-GnuPG programs. The key can be used as e.g. an SSH key. <br />
<br />
It's possible to specify the capabilities of the master key, by running: <br />
<br />
$ gpg --full-generate-key --expert<br />
<br />
And select an option that allows you to set your own capabilities.<br />
<br />
Comparably, to specify custom capabilities for subkeys, add the {{ic|--expert}} flag to {{ic|gpg --edit-key}}, see [[#Edit your key]] for more information.<br />
<br />
=== Cache passwords ===<br />
<br />
To be asked for your GnuPG password only once per session, set {{ic|max-cache-ttl}} and {{ic|default-cache-ttl}} to something very high, for instance:<br />
<br />
{{hc|<br />
gpg-agent.conf|<br />
max-cache-ttl 60480000<br />
default-cache-ttl 60480000<br />
}}<br />
<br />
See [[#gpg-agent]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Not enough random bytes available ===<br />
When generating a key, gpg can run into this error:<br />
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!<br />
To check the available entropy, check the kernel parameters:<br />
cat /proc/sys/kernel/random/entropy_avail<br />
A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy. <br />
<br />
To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki - all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see [[Random number generation#Alternatives]].<br />
<br />
=== su ===<br />
<br />
When using {{Ic|pinentry}}, you must have the proper permissions of the terminal device (e.g. {{Ic|/dev/tty1}}) in use. However, with ''su'' (or ''sudo''), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg:<br />
<br />
# chown root /dev/ttyN # where N is the current tty<br />
<br />
and then change it back after using gpg the first time. The equivalent is likely to be true with {{Ic|/dev/pts/}}.<br />
<br />
{{Note|The owner of tty ''must'' match with the user for which pinentry is running. Being part of the group {{Ic|tty}} '''is not''' enough.}}<br />
<br />
{{Tip|If you run gpg with {{ic|script}} it will use a new tty with the correct ownership:<br />
<br />
# script -q -c "gpg --gen-key" /dev/null<br />
}}<br />
<br />
=== Agent complains end of file ===<br />
<br />
The default pinentry program is {{ic|/usr/bin/pinentry-gnome3}}, which needs a DBus session bus to run properly. See [[General troubleshooting#Session permissions]] for details.<br />
<br />
Alternatively, you can use a variety of different options described in [[#pinentry]].<br />
<br />
=== KGpg configuration permissions ===<br />
<br />
There have been issues with {{Pkg|kgpg}} being able to access the {{ic|~/.gnupg/}} options. One issue might be a result of a deprecated ''options'' file, see the [https://bugs.kde.org/show_bug.cgi?id=290221 bug] report.<br />
<br />
=== GNOME on Wayland overrides SSH agent socket ===<br />
<br />
For Wayland sessions, {{Ic|gnome-session}} sets {{Ic|SSH_AUTH_SOCK}} to the standard gnome-keyring socket, {{Ic|$XDG_RUNTIME_DIR/keyring/ssh}}. This overrides any value set in {{Ic|~/.pam_environmment}} or systemd unit files.<br />
<br />
To disable this behavior, set the {{Ic|GSM_SKIP_AGENT_WORKAROUND}} variable:<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
GSM_SKIP_SSH_AGENT_WORKAROUND DEFAULT="true"<br />
}}<br />
<br />
=== mutt ===<br />
<br />
Mutt might not use ''gpg-agent'' correctly, you need to set an [[environment variable]] {{ic|GPG_AGENT_INFO}} (the content doesn't matter) when running mutt. Be also sure to enable password caching correctly, see [[#Cache passwords]].<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?pid=1490821#p1490821 this forum thread]<br />
<br />
=== "Lost" keys, upgrading to gnupg version 2.1 ===<br />
<br />
When {{ic|gpg --list-keys}} fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.<br />
<br />
Please read [http://jo-ke.name/wp/?p=111 GnuPG invalid packet workaround]. Basically, it says that there is a bug with keys in the old {{ic|pubring.gpg}} and {{ic|secring.gpg}} files, which have now been superseded by the new {{ic|pubring.kbx}} file and the {{ic|private-keys-v1.d/}} subdirectory and files. Your missing keys can be recovered with the following commnads:<br />
<br />
$ cd<br />
$ cp -r .gnupg gnupgOLD<br />
$ gpg --export-ownertrust > otrust.txt<br />
$ gpg --import .gnupg/pubring.gpg<br />
$ gpg --import-ownertrust otrust.txt<br />
$ gpg --list-keys<br />
<br />
=== gpg hanged for all keyservers (when trying to receive keys) ===<br />
<br />
If gpg hanged with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working, otherwise it might keeping hanging for all of them.<br />
<br />
=== Smartcard not detected ===<br />
<br />
Your user might not have the permission to access the smartcard which results in a {{ic|card error}} to be thrown, even though the card is correctly set up and inserted.<br />
<br />
One possible solution is to add a new group {{ic|scard}} including the users who need access to the smartcard.<br />
<br />
Then use [[udev rules]], similar to the following:<br />
{{hc|/etc/udev/rules.d/71-gnupg-ccid.rules|<nowiki><br />
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"<br />
</nowiki>}}<br />
One needs to adapt VENDOR and MODEL according to the {{ic|lsusb}} output, the above example is for a YubikeyNEO.<br />
<br />
=== gpg: WARNING: server 'gpg-agent' is older than us (x < y) ===<br />
<br />
This warning appears if {{ic|gnupg}} is upgraded and the old gpg-agent is still running. [[Restart]] the ''user'''s {{ic|gpg-agent.socket}} (i.e., use the {{ic|--user}} flag when restarting).<br />
<br />
=== gpg: ..., IPC connect call failed ===<br />
<br />
{{Accuracy|The {{ic|gpg-agent*.socket}} systemd sockets provided by the {{Pkg|gnupg}} package create the sockets in {{ic|/run/user/$UID/gnupg/}} which is guaranteed to be an appropriate file system.}}<br />
<br />
Make sure {{ic|gpg-agent}} and {{ic|dirmngr}} are not running with {{ic|killall gpg-agent dirmngr}} and the {{ic|$GNUPGHOME/crls.d/}} folder has permission set to {{ic|700}}.<br />
<br />
If your keyring is stored on a vFat filesystem (e.g. a USB drive), {{ic|gpg-agent}} will fail to create the required sockets (vFat does not support sockets), you can create redirects to a location that handles sockets, e.g. {{ic|/dev/shm}}:<br />
<br />
# export GNUPGHOME=/custom/gpg/home<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > $GNUPGHOME/S.gpg-agent<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.browser\n' > $GNUPGHOME/S.gpg-agent.browser<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.extra\n' > $GNUPGHOME/S.gpg-agent.extra<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.ssh\n' > $GNUPGHOME/S.gpg-agent.ssh<br />
<br />
Test that gpg-agent starts successfully with {{ic|gpg-agent --daemon}}.<br />
<br />
== See also ==<br />
<br />
* [https://gnupg.org/ GNU Privacy Guard Homepage]<br />
* [https://tools.ietf.org/html/rfc4880 RFC4880 "OpenPGP Message Format"]<br />
* [https://fedoraproject.org/wiki/Creating_GPG_Keys Creating GPG Keys (Fedora)]<br />
* [https://wiki.debian.org/Subkeys OpenPGP subkeys in Debian]<br />
* [https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/ A more comprehensive gpg Tutorial]<br />
* [https://help.riseup.net/en/security/message-security/openpgp/gpg-best-practices gpg.conf recommendations and best practices]<br />
* [https://github.com/ioerror/torbirdy/blob/master/gpg.conf Torbirdy gpg.conf]<br />
* [https://www.reddit.com/r/GPGpractice/ /r/GPGpractice - a subreddit to practice using GnuPG.]<br />
* [https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md Protecting code integrity with PGP]</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=GnuPG&diff=530890GnuPG2018-07-24T18:58:55Z<p>Sudoforge: /* Using a PGP key for SSH authentication */ Add information regarding manually adding a keygrip to sshcontrol (information originally added in rev.</p>
<hr />
<div>[[Category:Encryption]]<br />
[[es:GnuPG]]<br />
[[ja:GnuPG]]<br />
[[ru:GnuPG]]<br />
[[pl:GnuPG]]<br />
[[zh-hans:GnuPG]]<br />
[[zh-hant:GnuPG]]<br />
{{Related articles start}}<br />
{{Related|pacman/Package signing}}<br />
{{Related|Disk encryption}}<br />
{{Related|List of applications/Security#Encryption, signing, steganography}}<br />
{{Related articles end}}<br />
<br />
According to the [https://www.gnupg.org/ official website]:<br />
<br />
:GnuPG is a complete and free implementation of the [http://openpgp.org/about/ OpenPGP] standard as defined by [https://tools.ietf.org/html/rfc4880 RFC4880] (also known as PGP). GnuPG allows you to encrypt and sign your data and communication. It features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|gnupg}} package.<br />
<br />
This will also install {{Pkg|pinentry}}, a collection of simple PIN or passphrase entry dialogs which GnuPG uses for passphrase entry. The shell script {{ic|/usr/bin/pinentry}} determines which ''pinentry'' dialog is used, in the order described at [[#pinentry]].<br />
<br />
If you want to use a graphical frontend or program that integrates with GnuPG, see [[List of applications/Security#Encryption, signing, steganography]].<br />
<br />
== Configuration ==<br />
<br />
=== Directory location ===<br />
{{ic|$GNUPGHOME}} is used by GnuPG to point to the directory where its configuration files are stored. By default {{ic|$GNUPGHOME}} is not set and your {{ic|$HOME}} is used instead; thus, you will find a {{ic|~/.gnupg}} directory right after installation. <br />
<br />
To change the default location, either run gpg this way {{ic|$ gpg --homedir ''path/to/file''}} or set the {{ic|GNUPGHOME}} [[environment variable]].<br />
<br />
=== Configuration files ===<br />
<br />
The default configuration files are {{ic|~/.gnupg/gpg.conf}} and {{ic|~/.gnupg/dirmngr.conf}}. <br />
<br />
By default, the gnupg directory has its [[permissions]] set to {{ic|700}} and the files it contains have their permissions set to {{ic|600}}. Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.<br />
<br />
Append to these files any long options you want. Do not write the two dashes, but simply the name of the option and required arguments. You will find skeleton files in {{ic|/usr/share/gnupg}}. These files are copied to {{ic|~/.gnupg}} the first time gpg is run if they do not exist there. Other examples are found in [[#See also]].<br />
<br />
Additionally, [[pacman]] uses a different set of configuration files for package signature verification. See [[Pacman/Package signing]] for details.<br />
<br />
=== Default options for new users ===<br />
<br />
If you want to setup some default options for new users, put configuration files in {{ic|/etc/skel/.gnupg/}}. When the new user is added in system, files from here will be copied to its GnuPG home directory. There is also a simple script called ''addgnupghome'' which you can use to create new GnuPG home directories for existing users:<br />
<br />
# addgnupghome user1 user2<br />
<br />
This will add the respective {{ic|/home/user1/.gnupg}} and {{ic|/home/user2/.gnupg}} and copy the files from the skeleton directory to it. Users with existing GnuPG home directory are simply skipped.<br />
<br />
== Usage ==<br />
<br />
{{Note|Whenever a ''{{ic|user-id}}'' is required in a command, it can be specified with your key ID, fingerprint, a part of your name or email address, etc. GnuPG is flexible on this.<br />
}}<br />
<br />
=== Create a key pair ===<br />
<br />
Generate a key pair by typing in a terminal:<br />
<br />
$ gpg --full-gen-key<br />
<br />
{{Tip|Use the {{ic|--expert}} option for getting alternative ciphers like [[wikipedia:Elliptic_curve_cryptography|ECC]].}}<br />
<br />
The command will prompt for answers to several questions. For general use most people will want: <br />
<br />
* the RSA (sign only) and a RSA (encrypt only) key.<br />
* a keysize of the default value (2048). A larger keysize of 4096 "gives us almost nothing, while costing us quite a lot"[https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096].<br />
* an expiration date. A period of a year is good enough for the average user. This way even if access is lost to the keyring, it will allow others to know that it is no longer valid. Later, if necessary, the expiration date can be extended without having to re-issue a new key.<br />
* your name and email address. You can add multiple identities to the same key later (''e.g.'', if you have multiple email addresses you want to associate with this key).<br />
* ''no'' optional comment. Since the semantics of the comment field are [https://lists.gnupg.org/pipermail/gnupg-devel/2015-July/030150.html not well-defined], it has limited value for identification.<br />
* [[Security#Choosing_secure_passwords|a secure passphrase]].<br />
<br />
{{Note|The name and email address you enter here will be seen by anybody who imports your key.}}<br />
<br />
=== List keys ===<br />
<br />
To list keys in your public key ring:<br />
<br />
$ gpg --list-keys<br />
<br />
To list keys in your secret key ring:<br />
<br />
$ gpg --list-secret-keys<br />
<br />
=== Export your public key ===<br />
<br />
gpg's main usage is to ensure confidentiality of exchanged messages via public-key cryptography. With it each user distributes the public key of their keyring, which can be be used by others to encrypt messages to the user. The private key must ''always'' be kept private, otherwise confidentiality is broken. See [[w:Public-key cryptography]] for examples about the message exchange. <br />
<br />
So, in order for others to send encrypted messages to you, they need your public key. <br />
<br />
To generate an ASCII version of a user's public key to file {{ic|''public.key''}} (e.g. to distribute it by e-mail):<br />
<br />
$ gpg --output ''public.key'' --armor --export ''user-id''<br />
<br />
Alternatively, or in addition, you can [[#Use a keyserver]] to share your key. <br />
<br />
{{Tip|Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.}}<br />
<br />
=== Import a public key ===<br />
<br />
In order to encrypt messages to others, as well as verify their signatures, you need their public key. To import a public key with file name {{ic|''public.key''}} to your public key ring:<br />
<br />
$ gpg --import ''public.key''<br />
<br />
Alternatively, [[#Use a keyserver]] to find a public key.<br />
<br />
=== Use a keyserver ===<br />
<br />
You can register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:<br />
<br />
$ gpg --send-keys ''user-id''<br />
<br />
{{Warning|Once a key has been submitted to a keyserver, it cannot be deleted from the server.[https://pgp.mit.edu/faq.html]}}<br />
<br />
To find out details of a key on the keyserver, without importing it, do:<br />
<br />
$ gpg --search-keys ''user-id''<br />
<br />
To import a key from a key server:<br />
<br />
$ gpg --recv-keys ''key-id''<br />
<br />
{{Warning|<br />
* You should verify the authenticity of the retrieved public key by comparing its fingerprint with one that the owner published on an independent source(s) (e.g., contacting the person directly). See [[Wikipedia:Public key fingerprint]] for more information.<br />
* Using a short ID may encounter collisions. All keys will be imported that have the short ID. To avoid this, use the full fingerprint or long key ID when receiving a key.[https://lkml.org/lkml/2016/8/15/445]}}<br />
{{Tip|<br />
* Adding {{ic|keyserver-options auto-key-retrieve}} to {{ic|gpg.conf}} will automatically fetch keys from the key server as needed. <br />
* An alternative key server is {{ic|pool.sks-keyservers.net}} and can be specified with {{ic|keyserver}} in {{ic|dirmngr.conf}}; see also [[wikipedia:Key server (cryptographic)#Keyserver examples]].<br />
* If your network blocks ports used for hkp/hkps, you may need to specify port 80, i.e. {{ic|pool.sks-keyservers.net:80}}<br />
* You can connect to the keyserver over [[Tor]] using {{ic|--use-tor}}. See this [https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html GnuPG blog post] for more information.<br />
* You can connect to a keyserver using a proxy by setting the {{ic|http_proxy}} environment variable and setting {{ic|honor-http-proxy}} in {{ic|dirmngr.conf}}. Alternatively, set {{ic|http-proxy ''host[:port]''}} in {{ic|dirmngr.conf}}, overriding the {{ic|http_proxy}} environment variable. [[Restart]] the {{ic|dirmngr.service}} [[systemd/User|user service]] for the changes to take effect.<br />
* If you wish to import a key ID to install a specific Arch Linux package, see [[pacman/Package signing#Managing the keyring]] and [[Makepkg#Signature checking]].}}<br />
<br />
=== Encrypt and decrypt ===<br />
<br />
==== Asymmetric ====<br />
You need to [[#Import a public key]] of a user before encrypting (options {{ic|--encrypt}} or {{ic|-e}}) a file or message to that recipient (options {{ic|--recipient}} or {{ic|-r}}). Additionally you need to [[#Create a key pair]] if you have not already done so.<br />
<br />
To encrypt a file with the name ''doc'', use:<br />
<br />
$ gpg --recipient ''user-id'' --encrypt ''doc''<br />
<br />
To decrypt (option {{ic|--decrypt}} or {{ic|-d}}) a file with the name ''doc''.gpg encrypted with your public key, use:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
''gpg'' will prompt you for your passphrase and then decrypt and write the data from ''doc''.gpg to ''doc''. If you omit the {{ic|-o}} ({{ic|--output}}) option, ''gpg'' will write the decrypted data to stdout.<br />
<br />
{{Tip|<br />
* Add {{ic|--armor}} to encrypt a file using ASCII armor (suitable for copying and pasting a message in text format)<br />
* Use {{ic|-R ''user-id''}} or {{ic|--hidden-recipient ''user-id''}} instead of {{ic|-r}} to not put the recipient key IDs in the encrypted message. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis.<br />
* Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.<br />
* You can use gnupg to encrypt your sensitive documents by using your own user-id as recipient or by using the {{ic|--default-recipient-self}} flag instead; however, you can only do this one file at a time, although you can always tarball various files and then encrypt the tarball. See also [[Disk encryption#Available methods]] if you want to encrypt directories or a whole file-system.}}<br />
<br />
==== Symmetric ====<br />
Symmetric encryption does not require the generation of a key pair and can be used to simply encrypt data with a passphrase. Simply use {{ic|--symmetric}} or {{ic|-c}} to perform symmetic encryption:<br />
<br />
$ gpg -c ''doc''<br />
<br />
The following example:<br />
<br />
* Encrypts {{ic|''doc''}} with a symmetric cipher using a passphrase<br />
* Uses the AES-256 cipher algorithm to encrypt the passphrase<br />
* Uses the SHA-512 digest algorithm to mangle the passphrase<br />
* Mangles the passphrase for 65536 iterations<br />
<br />
$ gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536 ''doc''<br />
<br />
To decrypt a symmetrically encrypted {{ic|''doc''.gpg}} using a passphrase and output decrypted contents into the same directory as {{ic|''doc''}} do:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
== Key maintenance ==<br />
<br />
=== Backup your private key ===<br />
<br />
To backup your private key do the following:<br />
<br />
$ gpg --export-secret-keys --armor ''<user-id>'' > ''privkey.asc''<br />
<br />
Note that ''gpg'' release 2.1 changed default behaviour so that the above command enforces a passphrase protection, even if you deliberately chose not to use one on key creation. This is because otherwise anyone who gains access to the above exported file would be able to encrypt and sign documents as if they were you ''without'' needing to know your passphrase. <br />
<br />
{{Warning|The passphrase is usually the weakest link in protecting your secret key. Place the private key in a safe place on a different system/device, such as a locked container or encrypted drive. It is the only safety you have to regain control to your keyring in case of, for example, a drive failure, theft or worse.}}<br />
<br />
To import the backup of your private key:<br />
$ gpg --import ''privkey.asc''<br />
<br />
=== Edit your key ===<br />
<br />
Running the {{ic|gpg --edit-key ''<user-id>''}} command will present a menu which enables you to do most of your key management related tasks.<br />
<br />
Some useful commands in the edit key sub menu:<br />
> passwd # change the passphrase<br />
> clean # compact any user ID that is no longer usable (e.g revoked or expired)<br />
> revkey # revoke a key<br />
> addkey # add a subkey to this key<br />
> expire # change the key expiration time<br />
<br />
Type {{ic|help}} in the edit key sub menu for more commands.<br />
<br />
{{Tip|If you have multiple email accounts you can add each one of them as an identity, using {{ic|adduid}} command. You can then set your favourite one as {{ic|primary}}.}}<br />
<br />
=== Exporting subkey ===<br />
<br />
If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.<br />
<br />
First, find out which subkey you want to export.<br />
<br />
$ gpg -K<br />
<br />
Select only that subkey to export.<br />
<br />
$ gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg<br />
<br />
{{Warning|If you forget to add the !, all of your subkeys will be exported.}}<br />
<br />
At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder. <br />
<br />
$ gpg --homedir /tmp/gpg --import /tmp/subkey.gpg<br />
$ gpg --homedir /tmp/gpg --edit-key ''<user-id>''<br />
> passwd<br />
> save<br />
$ gpg --homedir /tmp/gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.altpass.gpg<br />
<br />
{{Note|You will get a warning that the master key was not available and the password was not changed, but that can safely be ignored as the subkey password was.}}<br />
<br />
At this point, you can now use {{ic|/tmp/subkey.altpass.gpg}} on your other devices.<br />
<br />
=== Rotating subkeys ===<br />
<br />
{{Warning|'''Never''' delete your expired or revoked subkeys unless you have a good reason. Doing so will cause you to lose the ability to decrypt files encrypted with the old subkey. Please '''only''' delete expired or revoked keys from other users to clean your keyring.}}<br />
<br />
If you have set your subkeys to expire after a set time, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.<br />
<br />
{{Tip|You do not need to create a new key simply because it is expired. You can extend the expiration date.}}<br />
<br />
Create new subkey (repeat for both signing and encrypting key)<br />
<br />
$ gpg --edit-key ''<user-id>''<br />
> addkey<br />
<br />
And answer the following questions it asks (see [[#Create a key pair]] for suggested settings).<br />
<br />
Save changes<br />
<br />
> save<br />
<br />
Update it to a keyserver.<br />
<br />
$ gpg --keyserver pgp.mit.edu --send-keys ''<user-id>''<br />
<br />
{{Tip|Revoking expired subkeys is unnecessary and arguably bad form. If you are constantly revoking keys, it may cause others to lack confidence in you.}}<br />
<br />
== Signatures ==<br />
<br />
Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user's private key. The recipient of a signed document then verifies the signature using the sender's public key.<br />
<br />
=== Create a signature ===<br />
<br />
==== Sign a file ====<br />
<br />
To sign a file use the {{ic|--sign}} or {{ic|-s}} flag:<br />
<br />
$ gpg --output ''doc''.sig --sign ''doc''<br />
<br />
{{ic|''doc''.sig}} contains both the compressed content of the original file {{ic|''doc''}} and the signature in a binary format, but the file is not encrypted. However, you can combine signing with [[#Encrypt and decrypt|encrypting]].<br />
<br />
==== Clearsign a file or message ====<br />
<br />
To sign a file without compressing it into binary format use:<br />
<br />
$ gpg --output ''doc''.sig --clearsign ''doc''<br />
<br />
Here both the content of the original file {{ic|''doc''}} and the signature are stored in human-readable form in {{ic|''doc''.sig}}.<br />
<br />
==== Make a detached signature ====<br />
<br />
To create a separate signature file to be distributed separately from the document or file itself, use the {{ic|--detach-sig}} flag:<br />
<br />
$ gpg --output ''doc''.sig --detach-sig ''doc''<br />
<br />
Here the signature is stored in {{ic|''doc''.sig}}, but the contents of {{ic|''doc''}} are not stored in it. This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.<br />
<br />
=== Verify a signature ===<br />
<br />
To verify a signature use the {{ic|--verify}} flag:<br />
<br />
$ gpg --verify ''doc''.sig<br />
<br />
where {{ic|''doc''.sig}} is the signed file containing the signature you wish to verify.<br />
<br />
If you are verifying a detached signature, both the signed data file and the signature file must be present when verifying. For example, to verify Arch Linux's latest iso you would do:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig<br />
<br />
where {{ic|archlinux-''version''.iso}} must be located in the same directory.<br />
<br />
You can also specify the signed data file with a second argument:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig ''/path/to/''archlinux-''version''.iso<br />
<br />
If a file as been encrypted in addition to being signed, simply [[#Encrypt and decrypt|decrypt]] the file and its signature will also be verified.<br />
<br />
== gpg-agent ==<br />
<br />
''gpg-agent'' is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. {{Pkg|gnupg}} comes with [[systemd/User|systemd user]] sockets which are enabled by default. These sockets are {{ic|gpg-agent.socket}}, {{ic|gpg-agent-extra.socket}}, {{ic|gpg-agent-browser.socket}}, {{ic|gpg-agent-ssh.socket}}, and {{ic|dirmngr.socket}}.<br />
<br />
{{Expansion|Add {{ic|gpg-agent-browser.socket}} to the list.}}<br />
<br />
* The main {{ic|gpg-agent.socket}} is used by ''gpg'' to connect to the ''gpg-agent'' daemon.<br />
* The intended use for the {{ic|gpg-agent-extra.socket}} on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use ''gpg'' on the remote system without exposing the private keys to the remote system. See {{man|1|gpg-agent}} for details.<br />
* The {{ic|gpg-agent-ssh.socket}} can be used by [[SSH]] to cache [[SSH keys]] added by the ''ssh-add'' program. See [[#SSH agent]] for the necessary configuration.<br />
* The {{ic|dirmngr.socket}} starts a GnuPG daemon handling connections to keyservers.<br />
<br />
{{Note|If you use non-default GnuPG [[#Directory location]], you will need to [[edit]] all socket files to use the values of {{ic|gpgconf --list-dirs}}.}}<br />
<br />
=== Configuration ===<br />
<br />
gpg-agent can be configured via {{ic|~/.gnupg/gpg-agent.conf}} file. The configuration options are listed in {{man|1|gpg-agent}}. For example you can change cache ttl for unused keys:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl 3600<br />
}}<br />
<br />
{{Tip|To cache your passphrase for the whole session, please run the following command:<br />
$ /usr/lib/gnupg/gpg-preset-passphrase --preset XXXXXX<br />
<br />
where XXXX is the keygrip. You can get its value when running {{ic|gpg --with-keygrip -K}}. Passphrase will be stored until {{ic|gpg-agent}} is restarted. If you set up {{ic|default-cache-ttl}} value, it will take precedence.<br />
}}<br />
<br />
=== Reload the agent ===<br />
<br />
After changing the configuration, reload the agent using ''gpg-connect-agent'':<br />
<br />
$ gpg-connect-agent reloadagent /bye<br />
<br />
The command should print {{ic|OK}}.<br />
<br />
However in some cases only the restart may not be sufficient, like when {{ic|keep-screen}} has been added to the agent configuration.<br />
In this case you firstly need to kill the ongoing gpg-agent process and then you can restart it as was explained above.<br />
<br />
=== pinentry ===<br />
<br />
Finally, the agent needs to know how to ask the user for the password. This can be set in the gpg-agent configuration file.<br />
<br />
{{accuracy|On my KDE system, GnuPG tries to use {{ic|pinentry-curses}}, not {{ic|pinentry-qt}}. If I configure GnuPG to use pinentry-qt, it works fine. Also, all these pinentry dialogs are always installed, since they are all included in {{pkg|pinentry}}, which is a {{pkg|gnupg}} dependency.}} <br />
<br />
The default uses {{ic|/usr/bin/pinentry-gnome3}}, falling back to {{ic|/usr/bin/pinentry-qt}}, {{ic|/usr/bin/pinentry-gtk-2}} and at last {{ic|/usr/bin/pinentry-curses}} if none of the previous were functioning. However there are other options - see {{ic|info pinentry}}. To change the dialog implementation set {{ic|pinentry-program}} configuration option:<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
# pinentry-program /usr/bin/pinentry-gnome3<br />
# pinentry-program /usr/bin/pinentry-qt<br />
# pinentry-program /usr/bin/pinentry-curses<br />
# pinentry-program /usr/bin/pinentry-kwallet<br />
<br />
pinentry-program /usr/bin/pinentry-gtk-2<br />
}}<br />
<br />
{{Tip|For using {{ic|/usr/bin/pinentry-kwallet}} you have to install the {{AUR|kwalletcli}} package.}}<br />
<br />
After making this change, [[#Reload the agent]].<br />
<br />
=== Unattended passphrase ===<br />
<br />
Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the {{ic|--passphrase-fd 0}} commandline option. In order to have the same type of functionality as the older releases two things must be done:<br />
<br />
First, edit the gpg-agent configuration to allow ''loopback'' pinentry mode:<br />
<br />
{{hc|1=~/.gnupg/gpg-agent.conf|2=<br />
allow-loopback-pinentry<br />
}}<br />
<br />
Restart the gpg-agent process if it is running to let the change take effect.<br />
<br />
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:<br />
<br />
$ gpg --pinentry-mode loopback ...<br />
<br />
...or if this is not possible, add the option to the configuration:<br />
<br />
{{hc|1=~/.gnupg/gpg.conf|2=<br />
pinentry-mode loopback<br />
}}<br />
<br />
{{Note|The upstream author indicates setting {{ic|pinentry-mode loopback}} in {{ic|gpg.conf}} may break other usage, using the commandline option should be preferred if at all possible. [https://bugs.g10code.com/gnupg/issue1772]}}<br />
<br />
=== SSH agent ===<br />
<br />
''gpg-agent'' has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your [[SSH keys]]. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.<br />
<br />
==== Set SSH_AUTH_SOCK ====<br />
<br />
You have to set {{ic|SSH_AUTH_SOCK}} so that SSH will use ''gpg-agent'' instead of ''ssh-agent''. To make sure each process can find your ''gpg-agent'' instance regardless of e.g. the type of shell it is child of use [[Environment_variables#Using_pam_env|pam_env]].<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
}}<br />
<br />
{{note|If you set your {{ic|SSH_AUTH_SOCK}} manually (such as in this pam_env example), keep in mind that your socket location may be different if you are using a custom {{ic|GNUPGHOME}}. You can use the following bash example, or change {{ic|SSH_AUTH_SOCK}} to the value of {{ic|gpgconf --list-dirs agent-ssh-socket}}.}}<br />
<br />
Alternatively, depend on Bash. This works for non-standard socket locations as well:<br />
<br />
{{hc|~/.bashrc|2=<br />
unset SSH_AGENT_PID<br />
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then<br />
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"<br />
fi<br />
}}<br />
<br />
{{Note|1=The test involving the {{ic|gnupg_SSH_AUTH_SOCK_by}} variable is for the case where the agent is started as {{ic|gpg-agent --daemon /bin/sh}}, in which case the shell inherits the {{ic|SSH_AUTH_SOCK}} variable from the parent, ''gpg-agent'' [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/gpg-agent.c;hb=7bca3be65e510eda40572327b87922834ebe07eb#l1307].}}<br />
<br />
==== Configure pinentry to use the correct TTY ====<br />
<br />
Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in {{man|1|gpg-agent}}. For example:<br />
<br />
{{hc|~/.bashrc|2=<br />
export GPG_TTY=$(tty)<br />
gpg-connect-agent updatestartuptty /bye >/dev/null<br />
}}<br />
<br />
==== Add SSH keys ====<br />
<br />
Once ''gpg-agent'' is running you can use ''ssh-add'' to approve keys, following the same steps as for [[SSH keys#ssh-agent|ssh-agent]]. The list of approved keys is stored in the {{ic|~/.gnupg/sshcontrol}} file. <br />
<br />
Once your key is approved, you will get a ''pinentry'' dialog every time your passphrase is needed. You can control passphrase caching in the {{ic|~/.gnupg/gpg-agent.conf}} file. The following example would have ''gpg-agent'' cache your keys for 3 hours:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl-ssh 10800<br />
max-cache-ttl-ssh 10800<br />
}}<br />
<br />
==== Using a PGP key for SSH authentication ====<br />
<br />
If the {{ic|enable-ssh-agent}} option is enabled for {{ic|gpg-agent}}, you can use your PGP key as an SSH key. This requires a key with the {{ic|Authentication}} capability (see [[#Custom capabilities]]). There are various benefits gained by using a PGP key for SSH authentication, including:<br />
<br />
* Reduced key maintenance, as you will no longer need to maintain an SSH key<br />
* The ability to store the authentication key on a smartcard. GnuPG will automatically detect the key when the card is available, and add it to the agent (check with {{ic|ssh-add -l}} or {{ic|ssh-add -L}}). The comment for the key should be something like: {{ic|openpgp:''key-id''}} or {{ic|cardno:''card-id''}}. <br />
<br />
{{Note| Your key may not be added to {{ic|$GNUPGHOME/sshcontrol}}, which is where normal SSH keys are listed.}}<br />
<br />
If your key is not added to {{ic|$GNUPGHOME/sshcontrol}} automatically, you can add the keygrip for your key with the Authentication capability manually. You can get the keygrip of your key by executing {{ic|gpg --list-keys --with-keygrip}}, like so:<br />
<br />
$ gpg --list-keys --with-keygrip<br />
sub rsa4096/1234ABCD1234ABCD 2001-01-01 [A] [expires: 2002-01-01]<br />
Keygrip = < put this value on its own line in $GNUPGHOME/sshcontrol ><br />
<br />
Adding the keygrip to {{ic|$HOME/.gnupg/sshcontrol}} is a one-time action; you will not need to edit the file again, unless you are adding additional keygrips. You can retrieve the public key for your Authentication key by executing {{ic|ssh-add -L}}.<br />
<br />
== Smartcards ==<br />
<br />
GnuPG uses ''scdaemon'' as an interface to your smartcard reader, please refer to the [[man page]] for details.<br />
<br />
=== GnuPG only setups ===<br />
<br />
{{Note| To allow scdaemon direct access to USB smarcard readers the optional dependency {{Pkg|libusb-compat}} have to be installed}}<br />
<br />
If you do not plan to use other cards but those based on GnuPG, you should check the {{Ic|reader-port}} parameter in {{ic|~/.gnupg/scdaemon.conf}}. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.<br />
<br />
=== GnuPG with pcscd (PCSC Lite) ===<br />
<br />
{{Note|{{Pkg|pcsclite}} and {{Pkg|ccid}} have to be installed, and the contained [[systemd#Using units|systemd]] service {{ic|pcscd.service}} has to be running, or the socket {{ic|pcscd.socket}} has to be listening.}}<br />
<br />
pcscd is a daemon which handles access to smartcard (SCard API). If GnuPG's scdaemon fails to connect the smartcard directly (e.g. by using its integrated CCID support), it will fallback and try to find a smartcard using the PCSC Lite driver.<br />
<br />
==== Always use pcscd ====<br />
<br />
If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using {{Ic|gpg --card-status}}<br />
<br />
gpg: selecting openpgp failed: ec=6.108<br />
<br />
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove {{Ic|reader-port}} from {{ic|~/.gnupg/scdaemon.conf}}, specify the location to {{ic|libpcsclite.so}} library and disable ccid so we make sure that we use pcscd:<br />
<br />
{{hc|~/.gnupg/scdaemon.conf|<nowiki><br />
pcsc-driver /usr/lib/libpcsclite.so<br />
card-timeout 5<br />
disable-ccid<br />
</nowiki>}}<br />
<br />
Please check {{man|1|scdaemon}} if you do not use OpenSC.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Different algorithm ===<br />
<br />
You may want to use stronger algorithms:<br />
<br />
{{hc|~/.gnupg/gpg.conf|<br />
...<br />
<br />
personal-digest-preferences SHA512<br />
cert-digest-algo SHA512<br />
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br />
personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES<br />
}}<br />
<br />
In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.<br />
<br />
=== Encrypt a password ===<br />
<br />
It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.<br />
<br />
First create a file with your password. You '''need''' to leave '''one''' empty line after the password, otherwise gpg will return an error message when evaluating the file.<br />
<br />
Then run:<br />
<br />
$ gpg -e -a -r ''<user-id>'' ''your_password_file''<br />
<br />
{{ic|-e}} is for encrypt, {{ic|-a}} for armor (ASCII output), {{ic|-r}} for recipient user ID.<br />
<br />
You will be left with a new {{ic|''your_password_file''.asc}} file.<br />
<br />
{{Tip|[[pass]] automates this process.}}<br />
<br />
=== Revoking a key ===<br />
<br />
{{Warning|<br />
*Anybody having access to your revocation certificate can revoke your key, rendering it useless.<br />
*Key revocation should only be performed if your key is compromised or lost, or you forget your passphrase.}}<br />
<br />
Revocation certificates are automatically generated for newly generated keys, although one can be generated manually by the user later. These are located at {{ic|~/.gnupg/openpgp-revocs.d/}}. The filename of the certificate is the fingerprint of the key it will revoke.<br />
<br />
To revoke your key, simply import the revocation certificate:<br />
<br />
$ gpg --import ''<fingerprint>''.rev<br />
<br />
Now update the keyserver:<br />
<br />
$ gpg --keyserver subkeys.pgp.net --send-keys ''<userid>''<br />
<br />
=== Change trust model ===<br />
<br />
By default GnuPG uses the [[Wikipedia::Web of Trust|Web of Trust]] as the trust model. You can change this to [[Wikipedia::Trust on first use|Trust on first use]] by adding {{ic|1=--trust-model=tofu}} when adding a key or adding this option to your GnuPG configuration file. More details are in [https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html this email to the GnuPG list].<br />
<br />
=== Hide all recipient id's ===<br />
<br />
By default the recipient's key ID is in the encrypted message. This can be removed at encryption time for a recipient by using {{ic|hidden-recipient ''<user-id>''}}. To remove it for all recipients add {{ic|throw-keyids}} to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (''e.g.'' with {{ic|--try-secret-key ''<user-id>''}}).<br />
<br />
=== Using caff for keysigning parties ===<br />
<br />
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the [[Wikipedia::Web of Trust|Web of Trust]]. Keysigning parties allow users to get together at a physical location to validate keys. The [[Wikipedia:Zimmermann–Sassaman key-signing protocol|Zimmermann-Sassaman]] key-signing protocol is a way of making these very effective. [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html Here] you will find a how-to article.<br />
<br />
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool ''caff''. It can be installed from the AUR with the package {{AUR|caff-svn}}.<br />
<br />
To send the signatures to their owners you need a working [[Wikipedia:Message transfer agent|MTA]]. If you do not have already one, install [[msmtp]].<br />
<br />
=== Always show long ID's and fingerprints ===<br />
<br />
To always show long key ID's add {{ic|keyid-format 0xlong}} to your configuration file. To always show full fingerprints of keys, add {{ic|with-fingerprint}} to your configuration file.<br />
<br />
=== Custom capabilities ===<br />
<br />
For further customization also possible to set custom capabilities to your keys. The following capabilities are available:<br />
<br />
* Certify (only for master keys) - allows the key to create subkeys, mandatory for master keys.<br />
* Sign - allows the key to create cryptographic signatures that others can verify with the public key.<br />
* Encrypt - allows anyone to encrypt data with the public key, that only the private key can decrypt.<br />
* Authenticate - allows the key to authenticate with various non-GnuPG programs. The key can be used as e.g. an SSH key. <br />
<br />
It's possible to specify the capabilities of the master key, by running: <br />
<br />
$ gpg --full-generate-key --expert<br />
<br />
And select an option that allows you to set your own capabilities.<br />
<br />
Comparably, to specify custom capabilities for subkeys, add the {{ic|--expert}} flag to {{ic|gpg --edit-key}}, see [[#Edit your key]] for more information.<br />
<br />
=== Cache passwords ===<br />
<br />
To be asked for your GnuPG password only once per session, set {{ic|max-cache-ttl}} and {{ic|default-cache-ttl}} to something very high, for instance:<br />
<br />
{{hc|<br />
gpg-agent.conf|<br />
max-cache-ttl 60480000<br />
default-cache-ttl 60480000<br />
}}<br />
<br />
See [[#gpg-agent]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Not enough random bytes available ===<br />
When generating a key, gpg can run into this error:<br />
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!<br />
To check the available entropy, check the kernel parameters:<br />
cat /proc/sys/kernel/random/entropy_avail<br />
A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy. <br />
<br />
To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki - all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see [[Random number generation#Alternatives]].<br />
<br />
=== su ===<br />
<br />
When using {{Ic|pinentry}}, you must have the proper permissions of the terminal device (e.g. {{Ic|/dev/tty1}}) in use. However, with ''su'' (or ''sudo''), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg:<br />
<br />
# chown root /dev/ttyN # where N is the current tty<br />
<br />
and then change it back after using gpg the first time. The equivalent is likely to be true with {{Ic|/dev/pts/}}.<br />
<br />
{{Note|The owner of tty ''must'' match with the user for which pinentry is running. Being part of the group {{Ic|tty}} '''is not''' enough.}}<br />
<br />
{{Tip|If you run gpg with {{ic|script}} it will use a new tty with the correct ownership:<br />
<br />
# script -q -c "gpg --gen-key" /dev/null<br />
}}<br />
<br />
=== Agent complains end of file ===<br />
<br />
The default pinentry program is {{ic|/usr/bin/pinentry-gnome3}}, which needs a DBus session bus to run properly. See [[General troubleshooting#Session permissions]] for details.<br />
<br />
Alternatively, you can use a variety of different options described in [[#pinentry]].<br />
<br />
=== KGpg configuration permissions ===<br />
<br />
There have been issues with {{Pkg|kgpg}} being able to access the {{ic|~/.gnupg/}} options. One issue might be a result of a deprecated ''options'' file, see the [https://bugs.kde.org/show_bug.cgi?id=290221 bug] report.<br />
<br />
=== GNOME on Wayland overrides SSH agent socket ===<br />
<br />
For Wayland sessions, {{Ic|gnome-session}} sets {{Ic|SSH_AUTH_SOCK}} to the standard gnome-keyring socket, {{Ic|$XDG_RUNTIME_DIR/keyring/ssh}}. This overrides any value set in {{Ic|~/.pam_environmment}} or systemd unit files.<br />
<br />
To disable this behavior, set the {{Ic|GSM_SKIP_AGENT_WORKAROUND}} variable:<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
GSM_SKIP_SSH_AGENT_WORKAROUND DEFAULT="true"<br />
}}<br />
<br />
=== mutt ===<br />
<br />
Mutt might not use ''gpg-agent'' correctly, you need to set an [[environment variable]] {{ic|GPG_AGENT_INFO}} (the content doesn't matter) when running mutt. Be also sure to enable password caching correctly, see [[#Cache passwords]].<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?pid=1490821#p1490821 this forum thread]<br />
<br />
=== "Lost" keys, upgrading to gnupg version 2.1 ===<br />
<br />
When {{ic|gpg --list-keys}} fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.<br />
<br />
Please read [http://jo-ke.name/wp/?p=111 GnuPG invalid packet workaround]. Basically, it says that there is a bug with keys in the old {{ic|pubring.gpg}} and {{ic|secring.gpg}} files, which have now been superseded by the new {{ic|pubring.kbx}} file and the {{ic|private-keys-v1.d/}} subdirectory and files. Your missing keys can be recovered with the following commnads:<br />
<br />
$ cd<br />
$ cp -r .gnupg gnupgOLD<br />
$ gpg --export-ownertrust > otrust.txt<br />
$ gpg --import .gnupg/pubring.gpg<br />
$ gpg --import-ownertrust otrust.txt<br />
$ gpg --list-keys<br />
<br />
=== gpg hanged for all keyservers (when trying to receive keys) ===<br />
<br />
If gpg hanged with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working, otherwise it might keeping hanging for all of them.<br />
<br />
=== Smartcard not detected ===<br />
<br />
Your user might not have the permission to access the smartcard which results in a {{ic|card error}} to be thrown, even though the card is correctly set up and inserted.<br />
<br />
One possible solution is to add a new group {{ic|scard}} including the users who need access to the smartcard.<br />
<br />
Then use [[udev rules]], similar to the following:<br />
{{hc|/etc/udev/rules.d/71-gnupg-ccid.rules|<nowiki><br />
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"<br />
</nowiki>}}<br />
One needs to adapt VENDOR and MODEL according to the {{ic|lsusb}} output, the above example is for a YubikeyNEO.<br />
<br />
=== gpg: WARNING: server 'gpg-agent' is older than us (x < y) ===<br />
<br />
This warning appears if {{ic|gnupg}} is upgraded and the old gpg-agent is still running. [[Restart]] the ''user'''s {{ic|gpg-agent.socket}} (i.e., use the {{ic|--user}} flag when restarting).<br />
<br />
=== gpg: ..., IPC connect call failed ===<br />
<br />
{{Accuracy|The {{ic|gpg-agent*.socket}} systemd sockets provided by the {{Pkg|gnupg}} package create the sockets in {{ic|/run/user/$UID/gnupg/}} which is guaranteed to be an appropriate file system.}}<br />
<br />
Make sure {{ic|gpg-agent}} and {{ic|dirmngr}} are not running with {{ic|killall gpg-agent dirmngr}} and the {{ic|$GNUPGHOME/crls.d/}} folder has permission set to {{ic|700}}.<br />
<br />
If your keyring is stored on a vFat filesystem (e.g. a USB drive), {{ic|gpg-agent}} will fail to create the required sockets (vFat does not support sockets), you can create redirects to a location that handles sockets, e.g. {{ic|/dev/shm}}:<br />
<br />
# export GNUPGHOME=/custom/gpg/home<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > $GNUPGHOME/S.gpg-agent<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.browser\n' > $GNUPGHOME/S.gpg-agent.browser<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.extra\n' > $GNUPGHOME/S.gpg-agent.extra<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.ssh\n' > $GNUPGHOME/S.gpg-agent.ssh<br />
<br />
Test that gpg-agent starts successfully with {{ic|gpg-agent --daemon}}.<br />
<br />
== See also ==<br />
<br />
* [https://gnupg.org/ GNU Privacy Guard Homepage]<br />
* [https://tools.ietf.org/html/rfc4880 RFC4880 "OpenPGP Message Format"]<br />
* [https://fedoraproject.org/wiki/Creating_GPG_Keys Creating GPG Keys (Fedora)]<br />
* [https://wiki.debian.org/Subkeys OpenPGP subkeys in Debian]<br />
* [https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/ A more comprehensive gpg Tutorial]<br />
* [https://help.riseup.net/en/security/message-security/openpgp/gpg-best-practices gpg.conf recommendations and best practices]<br />
* [https://github.com/ioerror/torbirdy/blob/master/gpg.conf Torbirdy gpg.conf]<br />
* [https://www.reddit.com/r/GPGpractice/ /r/GPGpractice - a subreddit to practice using GnuPG.]<br />
* [https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md Protecting code integrity with PGP]</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=GnuPG&diff=530887GnuPG2018-07-24T18:52:21Z<p>Sudoforge: Undo revision 530885. Session must have reset and changed my edit from the appropriate section to the entire page.</p>
<hr />
<div>[[Category:Encryption]]<br />
[[es:GnuPG]]<br />
[[ja:GnuPG]]<br />
[[ru:GnuPG]]<br />
[[pl:GnuPG]]<br />
[[zh-hans:GnuPG]]<br />
[[zh-hant:GnuPG]]<br />
{{Related articles start}}<br />
{{Related|pacman/Package signing}}<br />
{{Related|Disk encryption}}<br />
{{Related|List of applications/Security#Encryption, signing, steganography}}<br />
{{Related articles end}}<br />
<br />
According to the [https://www.gnupg.org/ official website]:<br />
<br />
:GnuPG is a complete and free implementation of the [http://openpgp.org/about/ OpenPGP] standard as defined by [https://tools.ietf.org/html/rfc4880 RFC4880] (also known as PGP). GnuPG allows you to encrypt and sign your data and communication. It features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|gnupg}} package.<br />
<br />
This will also install {{Pkg|pinentry}}, a collection of simple PIN or passphrase entry dialogs which GnuPG uses for passphrase entry. The shell script {{ic|/usr/bin/pinentry}} determines which ''pinentry'' dialog is used, in the order described at [[#pinentry]].<br />
<br />
If you want to use a graphical frontend or program that integrates with GnuPG, see [[List of applications/Security#Encryption, signing, steganography]].<br />
<br />
== Configuration ==<br />
<br />
=== Directory location ===<br />
{{ic|$GNUPGHOME}} is used by GnuPG to point to the directory where its configuration files are stored. By default {{ic|$GNUPGHOME}} is not set and your {{ic|$HOME}} is used instead; thus, you will find a {{ic|~/.gnupg}} directory right after installation. <br />
<br />
To change the default location, either run gpg this way {{ic|$ gpg --homedir ''path/to/file''}} or set the {{ic|GNUPGHOME}} [[environment variable]].<br />
<br />
=== Configuration files ===<br />
<br />
The default configuration files are {{ic|~/.gnupg/gpg.conf}} and {{ic|~/.gnupg/dirmngr.conf}}. <br />
<br />
By default, the gnupg directory has its [[permissions]] set to {{ic|700}} and the files it contains have their permissions set to {{ic|600}}. Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.<br />
<br />
Append to these files any long options you want. Do not write the two dashes, but simply the name of the option and required arguments. You will find skeleton files in {{ic|/usr/share/gnupg}}. These files are copied to {{ic|~/.gnupg}} the first time gpg is run if they do not exist there. Other examples are found in [[#See also]].<br />
<br />
Additionally, [[pacman]] uses a different set of configuration files for package signature verification. See [[Pacman/Package signing]] for details.<br />
<br />
=== Default options for new users ===<br />
<br />
If you want to setup some default options for new users, put configuration files in {{ic|/etc/skel/.gnupg/}}. When the new user is added in system, files from here will be copied to its GnuPG home directory. There is also a simple script called ''addgnupghome'' which you can use to create new GnuPG home directories for existing users:<br />
<br />
# addgnupghome user1 user2<br />
<br />
This will add the respective {{ic|/home/user1/.gnupg}} and {{ic|/home/user2/.gnupg}} and copy the files from the skeleton directory to it. Users with existing GnuPG home directory are simply skipped.<br />
<br />
== Usage ==<br />
<br />
{{Note|Whenever a ''{{ic|user-id}}'' is required in a command, it can be specified with your key ID, fingerprint, a part of your name or email address, etc. GnuPG is flexible on this.<br />
}}<br />
<br />
=== Create a key pair ===<br />
<br />
Generate a key pair by typing in a terminal:<br />
<br />
$ gpg --full-gen-key<br />
<br />
{{Tip|Use the {{ic|--expert}} option for getting alternative ciphers like [[wikipedia:Elliptic_curve_cryptography|ECC]].}}<br />
<br />
The command will prompt for answers to several questions. For general use most people will want: <br />
<br />
* the RSA (sign only) and a RSA (encrypt only) key.<br />
* a keysize of the default value (2048). A larger keysize of 4096 "gives us almost nothing, while costing us quite a lot"[https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096].<br />
* an expiration date. A period of a year is good enough for the average user. This way even if access is lost to the keyring, it will allow others to know that it is no longer valid. Later, if necessary, the expiration date can be extended without having to re-issue a new key.<br />
* your name and email address. You can add multiple identities to the same key later (''e.g.'', if you have multiple email addresses you want to associate with this key).<br />
* ''no'' optional comment. Since the semantics of the comment field are [https://lists.gnupg.org/pipermail/gnupg-devel/2015-July/030150.html not well-defined], it has limited value for identification.<br />
* [[Security#Choosing_secure_passwords|a secure passphrase]].<br />
<br />
{{Note|The name and email address you enter here will be seen by anybody who imports your key.}}<br />
<br />
=== List keys ===<br />
<br />
To list keys in your public key ring:<br />
<br />
$ gpg --list-keys<br />
<br />
To list keys in your secret key ring:<br />
<br />
$ gpg --list-secret-keys<br />
<br />
=== Export your public key ===<br />
<br />
gpg's main usage is to ensure confidentiality of exchanged messages via public-key cryptography. With it each user distributes the public key of their keyring, which can be be used by others to encrypt messages to the user. The private key must ''always'' be kept private, otherwise confidentiality is broken. See [[w:Public-key cryptography]] for examples about the message exchange. <br />
<br />
So, in order for others to send encrypted messages to you, they need your public key. <br />
<br />
To generate an ASCII version of a user's public key to file {{ic|''public.key''}} (e.g. to distribute it by e-mail):<br />
<br />
$ gpg --output ''public.key'' --armor --export ''user-id''<br />
<br />
Alternatively, or in addition, you can [[#Use a keyserver]] to share your key. <br />
<br />
{{Tip|Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.}}<br />
<br />
=== Import a public key ===<br />
<br />
In order to encrypt messages to others, as well as verify their signatures, you need their public key. To import a public key with file name {{ic|''public.key''}} to your public key ring:<br />
<br />
$ gpg --import ''public.key''<br />
<br />
Alternatively, [[#Use a keyserver]] to find a public key.<br />
<br />
=== Use a keyserver ===<br />
<br />
You can register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:<br />
<br />
$ gpg --send-keys ''user-id''<br />
<br />
{{Warning|Once a key has been submitted to a keyserver, it cannot be deleted from the server.[https://pgp.mit.edu/faq.html]}}<br />
<br />
To find out details of a key on the keyserver, without importing it, do:<br />
<br />
$ gpg --search-keys ''user-id''<br />
<br />
To import a key from a key server:<br />
<br />
$ gpg --recv-keys ''key-id''<br />
<br />
{{Warning|<br />
* You should verify the authenticity of the retrieved public key by comparing its fingerprint with one that the owner published on an independent source(s) (e.g., contacting the person directly). See [[Wikipedia:Public key fingerprint]] for more information.<br />
* Using a short ID may encounter collisions. All keys will be imported that have the short ID. To avoid this, use the full fingerprint or long key ID when receiving a key.[https://lkml.org/lkml/2016/8/15/445]}}<br />
{{Tip|<br />
* Adding {{ic|keyserver-options auto-key-retrieve}} to {{ic|gpg.conf}} will automatically fetch keys from the key server as needed. <br />
* An alternative key server is {{ic|pool.sks-keyservers.net}} and can be specified with {{ic|keyserver}} in {{ic|dirmngr.conf}}; see also [[wikipedia:Key server (cryptographic)#Keyserver examples]].<br />
* If your network blocks ports used for hkp/hkps, you may need to specify port 80, i.e. {{ic|pool.sks-keyservers.net:80}}<br />
* You can connect to the keyserver over [[Tor]] using {{ic|--use-tor}}. See this [https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html GnuPG blog post] for more information.<br />
* You can connect to a keyserver using a proxy by setting the {{ic|http_proxy}} environment variable and setting {{ic|honor-http-proxy}} in {{ic|dirmngr.conf}}. Alternatively, set {{ic|http-proxy ''host[:port]''}} in {{ic|dirmngr.conf}}, overriding the {{ic|http_proxy}} environment variable. [[Restart]] the {{ic|dirmngr.service}} [[systemd/User|user service]] for the changes to take effect.<br />
* If you wish to import a key ID to install a specific Arch Linux package, see [[pacman/Package signing#Managing the keyring]] and [[Makepkg#Signature checking]].}}<br />
<br />
=== Encrypt and decrypt ===<br />
<br />
==== Asymmetric ====<br />
You need to [[#Import a public key]] of a user before encrypting (options {{ic|--encrypt}} or {{ic|-e}}) a file or message to that recipient (options {{ic|--recipient}} or {{ic|-r}}). Additionally you need to [[#Create a key pair]] if you have not already done so.<br />
<br />
To encrypt a file with the name ''doc'', use:<br />
<br />
$ gpg --recipient ''user-id'' --encrypt ''doc''<br />
<br />
To decrypt (option {{ic|--decrypt}} or {{ic|-d}}) a file with the name ''doc''.gpg encrypted with your public key, use:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
''gpg'' will prompt you for your passphrase and then decrypt and write the data from ''doc''.gpg to ''doc''. If you omit the {{ic|-o}} ({{ic|--output}}) option, ''gpg'' will write the decrypted data to stdout.<br />
<br />
{{Tip|<br />
* Add {{ic|--armor}} to encrypt a file using ASCII armor (suitable for copying and pasting a message in text format)<br />
* Use {{ic|-R ''user-id''}} or {{ic|--hidden-recipient ''user-id''}} instead of {{ic|-r}} to not put the recipient key IDs in the encrypted message. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis.<br />
* Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.<br />
* You can use gnupg to encrypt your sensitive documents by using your own user-id as recipient or by using the {{ic|--default-recipient-self}} flag instead; however, you can only do this one file at a time, although you can always tarball various files and then encrypt the tarball. See also [[Disk encryption#Available methods]] if you want to encrypt directories or a whole file-system.}}<br />
<br />
==== Symmetric ====<br />
Symmetric encryption does not require the generation of a key pair and can be used to simply encrypt data with a passphrase. Simply use {{ic|--symmetric}} or {{ic|-c}} to perform symmetic encryption:<br />
<br />
$ gpg -c ''doc''<br />
<br />
The following example:<br />
<br />
* Encrypts {{ic|''doc''}} with a symmetric cipher using a passphrase<br />
* Uses the AES-256 cipher algorithm to encrypt the passphrase<br />
* Uses the SHA-512 digest algorithm to mangle the passphrase<br />
* Mangles the passphrase for 65536 iterations<br />
<br />
$ gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536 ''doc''<br />
<br />
To decrypt a symmetrically encrypted {{ic|''doc''.gpg}} using a passphrase and output decrypted contents into the same directory as {{ic|''doc''}} do:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
== Key maintenance ==<br />
<br />
=== Backup your private key ===<br />
<br />
To backup your private key do the following:<br />
<br />
$ gpg --export-secret-keys --armor ''<user-id>'' > ''privkey.asc''<br />
<br />
Note that ''gpg'' release 2.1 changed default behaviour so that the above command enforces a passphrase protection, even if you deliberately chose not to use one on key creation. This is because otherwise anyone who gains access to the above exported file would be able to encrypt and sign documents as if they were you ''without'' needing to know your passphrase. <br />
<br />
{{Warning|The passphrase is usually the weakest link in protecting your secret key. Place the private key in a safe place on a different system/device, such as a locked container or encrypted drive. It is the only safety you have to regain control to your keyring in case of, for example, a drive failure, theft or worse.}}<br />
<br />
To import the backup of your private key:<br />
$ gpg --import ''privkey.asc''<br />
<br />
=== Edit your key ===<br />
<br />
Running the {{ic|gpg --edit-key ''<user-id>''}} command will present a menu which enables you to do most of your key management related tasks.<br />
<br />
Some useful commands in the edit key sub menu:<br />
> passwd # change the passphrase<br />
> clean # compact any user ID that is no longer usable (e.g revoked or expired)<br />
> revkey # revoke a key<br />
> addkey # add a subkey to this key<br />
> expire # change the key expiration time<br />
<br />
Type {{ic|help}} in the edit key sub menu for more commands.<br />
<br />
{{Tip|If you have multiple email accounts you can add each one of them as an identity, using {{ic|adduid}} command. You can then set your favourite one as {{ic|primary}}.}}<br />
<br />
=== Exporting subkey ===<br />
<br />
If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.<br />
<br />
First, find out which subkey you want to export.<br />
<br />
$ gpg -K<br />
<br />
Select only that subkey to export.<br />
<br />
$ gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg<br />
<br />
{{Warning|If you forget to add the !, all of your subkeys will be exported.}}<br />
<br />
At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder. <br />
<br />
$ gpg --homedir /tmp/gpg --import /tmp/subkey.gpg<br />
$ gpg --homedir /tmp/gpg --edit-key ''<user-id>''<br />
> passwd<br />
> save<br />
$ gpg --homedir /tmp/gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.altpass.gpg<br />
<br />
{{Note|You will get a warning that the master key was not available and the password was not changed, but that can safely be ignored as the subkey password was.}}<br />
<br />
At this point, you can now use {{ic|/tmp/subkey.altpass.gpg}} on your other devices.<br />
<br />
=== Rotating subkeys ===<br />
<br />
{{Warning|'''Never''' delete your expired or revoked subkeys unless you have a good reason. Doing so will cause you to lose the ability to decrypt files encrypted with the old subkey. Please '''only''' delete expired or revoked keys from other users to clean your keyring.}}<br />
<br />
If you have set your subkeys to expire after a set time, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.<br />
<br />
{{Tip|You do not need to create a new key simply because it is expired. You can extend the expiration date.}}<br />
<br />
Create new subkey (repeat for both signing and encrypting key)<br />
<br />
$ gpg --edit-key ''<user-id>''<br />
> addkey<br />
<br />
And answer the following questions it asks (see [[#Create a key pair]] for suggested settings).<br />
<br />
Save changes<br />
<br />
> save<br />
<br />
Update it to a keyserver.<br />
<br />
$ gpg --keyserver pgp.mit.edu --send-keys ''<user-id>''<br />
<br />
{{Tip|Revoking expired subkeys is unnecessary and arguably bad form. If you are constantly revoking keys, it may cause others to lack confidence in you.}}<br />
<br />
== Signatures ==<br />
<br />
Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user's private key. The recipient of a signed document then verifies the signature using the sender's public key.<br />
<br />
=== Create a signature ===<br />
<br />
==== Sign a file ====<br />
<br />
To sign a file use the {{ic|--sign}} or {{ic|-s}} flag:<br />
<br />
$ gpg --output ''doc''.sig --sign ''doc''<br />
<br />
{{ic|''doc''.sig}} contains both the compressed content of the original file {{ic|''doc''}} and the signature in a binary format, but the file is not encrypted. However, you can combine signing with [[#Encrypt and decrypt|encrypting]].<br />
<br />
==== Clearsign a file or message ====<br />
<br />
To sign a file without compressing it into binary format use:<br />
<br />
$ gpg --output ''doc''.sig --clearsign ''doc''<br />
<br />
Here both the content of the original file {{ic|''doc''}} and the signature are stored in human-readable form in {{ic|''doc''.sig}}.<br />
<br />
==== Make a detached signature ====<br />
<br />
To create a separate signature file to be distributed separately from the document or file itself, use the {{ic|--detach-sig}} flag:<br />
<br />
$ gpg --output ''doc''.sig --detach-sig ''doc''<br />
<br />
Here the signature is stored in {{ic|''doc''.sig}}, but the contents of {{ic|''doc''}} are not stored in it. This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.<br />
<br />
=== Verify a signature ===<br />
<br />
To verify a signature use the {{ic|--verify}} flag:<br />
<br />
$ gpg --verify ''doc''.sig<br />
<br />
where {{ic|''doc''.sig}} is the signed file containing the signature you wish to verify.<br />
<br />
If you are verifying a detached signature, both the signed data file and the signature file must be present when verifying. For example, to verify Arch Linux's latest iso you would do:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig<br />
<br />
where {{ic|archlinux-''version''.iso}} must be located in the same directory.<br />
<br />
You can also specify the signed data file with a second argument:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig ''/path/to/''archlinux-''version''.iso<br />
<br />
If a file as been encrypted in addition to being signed, simply [[#Encrypt and decrypt|decrypt]] the file and its signature will also be verified.<br />
<br />
== gpg-agent ==<br />
<br />
''gpg-agent'' is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. {{Pkg|gnupg}} comes with [[systemd/User|systemd user]] sockets which are enabled by default. These sockets are {{ic|gpg-agent.socket}}, {{ic|gpg-agent-extra.socket}}, {{ic|gpg-agent-browser.socket}}, {{ic|gpg-agent-ssh.socket}}, and {{ic|dirmngr.socket}}.<br />
<br />
{{Expansion|Add {{ic|gpg-agent-browser.socket}} to the list.}}<br />
<br />
* The main {{ic|gpg-agent.socket}} is used by ''gpg'' to connect to the ''gpg-agent'' daemon.<br />
* The intended use for the {{ic|gpg-agent-extra.socket}} on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use ''gpg'' on the remote system without exposing the private keys to the remote system. See {{man|1|gpg-agent}} for details.<br />
* The {{ic|gpg-agent-ssh.socket}} can be used by [[SSH]] to cache [[SSH keys]] added by the ''ssh-add'' program. See [[#SSH agent]] for the necessary configuration.<br />
* The {{ic|dirmngr.socket}} starts a GnuPG daemon handling connections to keyservers.<br />
<br />
{{Note|If you use non-default GnuPG [[#Directory location]], you will need to [[edit]] all socket files to use the values of {{ic|gpgconf --list-dirs}}.}}<br />
<br />
=== Configuration ===<br />
<br />
gpg-agent can be configured via {{ic|~/.gnupg/gpg-agent.conf}} file. The configuration options are listed in {{man|1|gpg-agent}}. For example you can change cache ttl for unused keys:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl 3600<br />
}}<br />
<br />
{{Tip|To cache your passphrase for the whole session, please run the following command:<br />
$ /usr/lib/gnupg/gpg-preset-passphrase --preset XXXXXX<br />
<br />
where XXXX is the keygrip. You can get its value when running {{ic|gpg --with-keygrip -K}}. Passphrase will be stored until {{ic|gpg-agent}} is restarted. If you set up {{ic|default-cache-ttl}} value, it will take precedence.<br />
}}<br />
<br />
=== Reload the agent ===<br />
<br />
After changing the configuration, reload the agent using ''gpg-connect-agent'':<br />
<br />
$ gpg-connect-agent reloadagent /bye<br />
<br />
The command should print {{ic|OK}}.<br />
<br />
However in some cases only the restart may not be sufficient, like when {{ic|keep-screen}} has been added to the agent configuration.<br />
In this case you firstly need to kill the ongoing gpg-agent process and then you can restart it as was explained above.<br />
<br />
=== pinentry ===<br />
<br />
Finally, the agent needs to know how to ask the user for the password. This can be set in the gpg-agent configuration file.<br />
<br />
{{accuracy|On my KDE system, GnuPG tries to use {{ic|pinentry-curses}}, not {{ic|pinentry-qt}}. If I configure GnuPG to use pinentry-qt, it works fine. Also, all these pinentry dialogs are always installed, since they are all included in {{pkg|pinentry}}, which is a {{pkg|gnupg}} dependency.}} <br />
<br />
The default uses {{ic|/usr/bin/pinentry-gnome3}}, falling back to {{ic|/usr/bin/pinentry-qt}}, {{ic|/usr/bin/pinentry-gtk-2}} and at last {{ic|/usr/bin/pinentry-curses}} if none of the previous were functioning. However there are other options - see {{ic|info pinentry}}. To change the dialog implementation set {{ic|pinentry-program}} configuration option:<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
# pinentry-program /usr/bin/pinentry-gnome3<br />
# pinentry-program /usr/bin/pinentry-qt<br />
# pinentry-program /usr/bin/pinentry-curses<br />
# pinentry-program /usr/bin/pinentry-kwallet<br />
<br />
pinentry-program /usr/bin/pinentry-gtk-2<br />
}}<br />
<br />
{{Tip|For using {{ic|/usr/bin/pinentry-kwallet}} you have to install the {{AUR|kwalletcli}} package.}}<br />
<br />
After making this change, [[#Reload the agent]].<br />
<br />
=== Unattended passphrase ===<br />
<br />
Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the {{ic|--passphrase-fd 0}} commandline option. In order to have the same type of functionality as the older releases two things must be done:<br />
<br />
First, edit the gpg-agent configuration to allow ''loopback'' pinentry mode:<br />
<br />
{{hc|1=~/.gnupg/gpg-agent.conf|2=<br />
allow-loopback-pinentry<br />
}}<br />
<br />
Restart the gpg-agent process if it is running to let the change take effect.<br />
<br />
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:<br />
<br />
$ gpg --pinentry-mode loopback ...<br />
<br />
...or if this is not possible, add the option to the configuration:<br />
<br />
{{hc|1=~/.gnupg/gpg.conf|2=<br />
pinentry-mode loopback<br />
}}<br />
<br />
{{Note|The upstream author indicates setting {{ic|pinentry-mode loopback}} in {{ic|gpg.conf}} may break other usage, using the commandline option should be preferred if at all possible. [https://bugs.g10code.com/gnupg/issue1772]}}<br />
<br />
=== SSH agent ===<br />
<br />
''gpg-agent'' has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your [[SSH keys]]. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.<br />
<br />
==== Set SSH_AUTH_SOCK ====<br />
<br />
You have to set {{ic|SSH_AUTH_SOCK}} so that SSH will use ''gpg-agent'' instead of ''ssh-agent''. To make sure each process can find your ''gpg-agent'' instance regardless of e.g. the type of shell it is child of use [[Environment_variables#Using_pam_env|pam_env]].<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
}}<br />
<br />
{{note|If you set your {{ic|SSH_AUTH_SOCK}} manually (such as in this pam_env example), keep in mind that your socket location may be different if you are using a custom {{ic|GNUPGHOME}}. You can use the following bash example, or change {{ic|SSH_AUTH_SOCK}} to the value of {{ic|gpgconf --list-dirs agent-ssh-socket}}.}}<br />
<br />
Alternatively, depend on Bash. This works for non-standard socket locations as well:<br />
<br />
{{hc|~/.bashrc|2=<br />
unset SSH_AGENT_PID<br />
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then<br />
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"<br />
fi<br />
}}<br />
<br />
{{Note|1=The test involving the {{ic|gnupg_SSH_AUTH_SOCK_by}} variable is for the case where the agent is started as {{ic|gpg-agent --daemon /bin/sh}}, in which case the shell inherits the {{ic|SSH_AUTH_SOCK}} variable from the parent, ''gpg-agent'' [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/gpg-agent.c;hb=7bca3be65e510eda40572327b87922834ebe07eb#l1307].}}<br />
<br />
==== Configure pinentry to use the correct TTY ====<br />
<br />
Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in {{man|1|gpg-agent}}. For example:<br />
<br />
{{hc|~/.bashrc|2=<br />
export GPG_TTY=$(tty)<br />
gpg-connect-agent updatestartuptty /bye >/dev/null<br />
}}<br />
<br />
==== Add SSH keys ====<br />
<br />
Once ''gpg-agent'' is running you can use ''ssh-add'' to approve keys, following the same steps as for [[SSH keys#ssh-agent|ssh-agent]]. The list of approved keys is stored in the {{ic|~/.gnupg/sshcontrol}} file. <br />
<br />
Once your key is approved, you will get a ''pinentry'' dialog every time your passphrase is needed. You can control passphrase caching in the {{ic|~/.gnupg/gpg-agent.conf}} file. The following example would have ''gpg-agent'' cache your keys for 3 hours:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl-ssh 10800<br />
max-cache-ttl-ssh 10800<br />
}}<br />
<br />
==== Using a PGP key for SSH authentication ====<br />
<br />
If the {{ic|enable-ssh-agent}} option is enabled for {{ic|gpg-agent}}, you can use your PGP key as an SSH key. This requires a key with the {{ic|Authentication}} capability (see [[#Custom capabilities]]). There are various benefits gained by using a PGP key for SSH authentication, including:<br />
<br />
* Reduced key maintenance, as you will no longer need to maintain an SSH key<br />
* The ability to store the authentication key on a smartcard. GnuPG will automatically detect the key when the card is available, and add it to the agent (check with {{ic|ssh-add -l}} or {{ic|ssh-add -L}}). The comment for the key should be something like: {{ic|openpgp:''key-id''}} or {{ic|cardno:''card-id''}}. <br />
<br />
{{Note| Your key may not be added to {{ic|$GNUPGHOME/sshcontrol}}, which is where normal SSH keys are listed.}}<br />
<br />
== Smartcards ==<br />
<br />
GnuPG uses ''scdaemon'' as an interface to your smartcard reader, please refer to the [[man page]] for details.<br />
<br />
=== GnuPG only setups ===<br />
<br />
{{Note| To allow scdaemon direct access to USB smarcard readers the optional dependency {{Pkg|libusb-compat}} have to be installed}}<br />
<br />
If you do not plan to use other cards but those based on GnuPG, you should check the {{Ic|reader-port}} parameter in {{ic|~/.gnupg/scdaemon.conf}}. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.<br />
<br />
=== GnuPG with pcscd (PCSC Lite) ===<br />
<br />
{{Note|{{Pkg|pcsclite}} and {{Pkg|ccid}} have to be installed, and the contained [[systemd#Using units|systemd]] service {{ic|pcscd.service}} has to be running, or the socket {{ic|pcscd.socket}} has to be listening.}}<br />
<br />
pcscd is a daemon which handles access to smartcard (SCard API). If GnuPG's scdaemon fails to connect the smartcard directly (e.g. by using its integrated CCID support), it will fallback and try to find a smartcard using the PCSC Lite driver.<br />
<br />
==== Always use pcscd ====<br />
<br />
If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using {{Ic|gpg --card-status}}<br />
<br />
gpg: selecting openpgp failed: ec=6.108<br />
<br />
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove {{Ic|reader-port}} from {{ic|~/.gnupg/scdaemon.conf}}, specify the location to {{ic|libpcsclite.so}} library and disable ccid so we make sure that we use pcscd:<br />
<br />
{{hc|~/.gnupg/scdaemon.conf|<nowiki><br />
pcsc-driver /usr/lib/libpcsclite.so<br />
card-timeout 5<br />
disable-ccid<br />
</nowiki>}}<br />
<br />
Please check {{man|1|scdaemon}} if you do not use OpenSC.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Different algorithm ===<br />
<br />
You may want to use stronger algorithms:<br />
<br />
{{hc|~/.gnupg/gpg.conf|<br />
...<br />
<br />
personal-digest-preferences SHA512<br />
cert-digest-algo SHA512<br />
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br />
personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES<br />
}}<br />
<br />
In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.<br />
<br />
=== Encrypt a password ===<br />
<br />
It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.<br />
<br />
First create a file with your password. You '''need''' to leave '''one''' empty line after the password, otherwise gpg will return an error message when evaluating the file.<br />
<br />
Then run:<br />
<br />
$ gpg -e -a -r ''<user-id>'' ''your_password_file''<br />
<br />
{{ic|-e}} is for encrypt, {{ic|-a}} for armor (ASCII output), {{ic|-r}} for recipient user ID.<br />
<br />
You will be left with a new {{ic|''your_password_file''.asc}} file.<br />
<br />
{{Tip|[[pass]] automates this process.}}<br />
<br />
=== Revoking a key ===<br />
<br />
{{Warning|<br />
*Anybody having access to your revocation certificate can revoke your key, rendering it useless.<br />
*Key revocation should only be performed if your key is compromised or lost, or you forget your passphrase.}}<br />
<br />
Revocation certificates are automatically generated for newly generated keys, although one can be generated manually by the user later. These are located at {{ic|~/.gnupg/openpgp-revocs.d/}}. The filename of the certificate is the fingerprint of the key it will revoke.<br />
<br />
To revoke your key, simply import the revocation certificate:<br />
<br />
$ gpg --import ''<fingerprint>''.rev<br />
<br />
Now update the keyserver:<br />
<br />
$ gpg --keyserver subkeys.pgp.net --send-keys ''<userid>''<br />
<br />
=== Change trust model ===<br />
<br />
By default GnuPG uses the [[Wikipedia::Web of Trust|Web of Trust]] as the trust model. You can change this to [[Wikipedia::Trust on first use|Trust on first use]] by adding {{ic|1=--trust-model=tofu}} when adding a key or adding this option to your GnuPG configuration file. More details are in [https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html this email to the GnuPG list].<br />
<br />
=== Hide all recipient id's ===<br />
<br />
By default the recipient's key ID is in the encrypted message. This can be removed at encryption time for a recipient by using {{ic|hidden-recipient ''<user-id>''}}. To remove it for all recipients add {{ic|throw-keyids}} to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (''e.g.'' with {{ic|--try-secret-key ''<user-id>''}}).<br />
<br />
=== Using caff for keysigning parties ===<br />
<br />
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the [[Wikipedia::Web of Trust|Web of Trust]]. Keysigning parties allow users to get together at a physical location to validate keys. The [[Wikipedia:Zimmermann–Sassaman key-signing protocol|Zimmermann-Sassaman]] key-signing protocol is a way of making these very effective. [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html Here] you will find a how-to article.<br />
<br />
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool ''caff''. It can be installed from the AUR with the package {{AUR|caff-svn}}.<br />
<br />
To send the signatures to their owners you need a working [[Wikipedia:Message transfer agent|MTA]]. If you do not have already one, install [[msmtp]].<br />
<br />
=== Always show long ID's and fingerprints ===<br />
<br />
To always show long key ID's add {{ic|keyid-format 0xlong}} to your configuration file. To always show full fingerprints of keys, add {{ic|with-fingerprint}} to your configuration file.<br />
<br />
=== Custom capabilities ===<br />
<br />
For further customization also possible to set custom capabilities to your keys. The following capabilities are available:<br />
<br />
* Certify (only for master keys) - allows the key to create subkeys, mandatory for master keys.<br />
* Sign - allows the key to create cryptographic signatures that others can verify with the public key.<br />
* Encrypt - allows anyone to encrypt data with the public key, that only the private key can decrypt.<br />
* Authenticate - allows the key to authenticate with various non-GnuPG programs. The key can be used as e.g. an SSH key. <br />
<br />
It's possible to specify the capabilities of the master key, by running: <br />
<br />
$ gpg --full-generate-key --expert<br />
<br />
And select an option that allows you to set your own capabilities.<br />
<br />
Comparably, to specify custom capabilities for subkeys, add the {{ic|--expert}} flag to {{ic|gpg --edit-key}}, see [[#Edit your key]] for more information.<br />
<br />
=== Cache passwords ===<br />
<br />
To be asked for your GnuPG password only once per session, set {{ic|max-cache-ttl}} and {{ic|default-cache-ttl}} to something very high, for instance:<br />
<br />
{{hc|<br />
gpg-agent.conf|<br />
max-cache-ttl 60480000<br />
default-cache-ttl 60480000<br />
}}<br />
<br />
See [[#gpg-agent]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Not enough random bytes available ===<br />
When generating a key, gpg can run into this error:<br />
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!<br />
To check the available entropy, check the kernel parameters:<br />
cat /proc/sys/kernel/random/entropy_avail<br />
A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy. <br />
<br />
To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki - all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see [[Random number generation#Alternatives]].<br />
<br />
=== su ===<br />
<br />
When using {{Ic|pinentry}}, you must have the proper permissions of the terminal device (e.g. {{Ic|/dev/tty1}}) in use. However, with ''su'' (or ''sudo''), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg:<br />
<br />
# chown root /dev/ttyN # where N is the current tty<br />
<br />
and then change it back after using gpg the first time. The equivalent is likely to be true with {{Ic|/dev/pts/}}.<br />
<br />
{{Note|The owner of tty ''must'' match with the user for which pinentry is running. Being part of the group {{Ic|tty}} '''is not''' enough.}}<br />
<br />
{{Tip|If you run gpg with {{ic|script}} it will use a new tty with the correct ownership:<br />
<br />
# script -q -c "gpg --gen-key" /dev/null<br />
}}<br />
<br />
=== Agent complains end of file ===<br />
<br />
The default pinentry program is {{ic|/usr/bin/pinentry-gnome3}}, which needs a DBus session bus to run properly. See [[General troubleshooting#Session permissions]] for details.<br />
<br />
Alternatively, you can use a variety of different options described in [[#pinentry]].<br />
<br />
=== KGpg configuration permissions ===<br />
<br />
There have been issues with {{Pkg|kgpg}} being able to access the {{ic|~/.gnupg/}} options. One issue might be a result of a deprecated ''options'' file, see the [https://bugs.kde.org/show_bug.cgi?id=290221 bug] report.<br />
<br />
=== GNOME on Wayland overrides SSH agent socket ===<br />
<br />
For Wayland sessions, {{Ic|gnome-session}} sets {{Ic|SSH_AUTH_SOCK}} to the standard gnome-keyring socket, {{Ic|$XDG_RUNTIME_DIR/keyring/ssh}}. This overrides any value set in {{Ic|~/.pam_environmment}} or systemd unit files.<br />
<br />
To disable this behavior, set the {{Ic|GSM_SKIP_AGENT_WORKAROUND}} variable:<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
GSM_SKIP_SSH_AGENT_WORKAROUND DEFAULT="true"<br />
}}<br />
<br />
=== mutt ===<br />
<br />
Mutt might not use ''gpg-agent'' correctly, you need to set an [[environment variable]] {{ic|GPG_AGENT_INFO}} (the content doesn't matter) when running mutt. Be also sure to enable password caching correctly, see [[#Cache passwords]].<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?pid=1490821#p1490821 this forum thread]<br />
<br />
=== "Lost" keys, upgrading to gnupg version 2.1 ===<br />
<br />
When {{ic|gpg --list-keys}} fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.<br />
<br />
Please read [http://jo-ke.name/wp/?p=111 GnuPG invalid packet workaround]. Basically, it says that there is a bug with keys in the old {{ic|pubring.gpg}} and {{ic|secring.gpg}} files, which have now been superseded by the new {{ic|pubring.kbx}} file and the {{ic|private-keys-v1.d/}} subdirectory and files. Your missing keys can be recovered with the following commnads:<br />
<br />
$ cd<br />
$ cp -r .gnupg gnupgOLD<br />
$ gpg --export-ownertrust > otrust.txt<br />
$ gpg --import .gnupg/pubring.gpg<br />
$ gpg --import-ownertrust otrust.txt<br />
$ gpg --list-keys<br />
<br />
=== gpg hanged for all keyservers (when trying to receive keys) ===<br />
<br />
If gpg hanged with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working, otherwise it might keeping hanging for all of them.<br />
<br />
=== Smartcard not detected ===<br />
<br />
Your user might not have the permission to access the smartcard which results in a {{ic|card error}} to be thrown, even though the card is correctly set up and inserted.<br />
<br />
One possible solution is to add a new group {{ic|scard}} including the users who need access to the smartcard.<br />
<br />
Then use [[udev rules]], similar to the following:<br />
{{hc|/etc/udev/rules.d/71-gnupg-ccid.rules|<nowiki><br />
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"<br />
</nowiki>}}<br />
One needs to adapt VENDOR and MODEL according to the {{ic|lsusb}} output, the above example is for a YubikeyNEO.<br />
<br />
=== gpg: WARNING: server 'gpg-agent' is older than us (x < y) ===<br />
<br />
This warning appears if {{ic|gnupg}} is upgraded and the old gpg-agent is still running. [[Restart]] the ''user'''s {{ic|gpg-agent.socket}} (i.e., use the {{ic|--user}} flag when restarting).<br />
<br />
=== gpg: ..., IPC connect call failed ===<br />
<br />
{{Accuracy|The {{ic|gpg-agent*.socket}} systemd sockets provided by the {{Pkg|gnupg}} package create the sockets in {{ic|/run/user/$UID/gnupg/}} which is guaranteed to be an appropriate file system.}}<br />
<br />
Make sure {{ic|gpg-agent}} and {{ic|dirmngr}} are not running with {{ic|killall gpg-agent dirmngr}} and the {{ic|$GNUPGHOME/crls.d/}} folder has permission set to {{ic|700}}.<br />
<br />
If your keyring is stored on a vFat filesystem (e.g. a USB drive), {{ic|gpg-agent}} will fail to create the required sockets (vFat does not support sockets), you can create redirects to a location that handles sockets, e.g. {{ic|/dev/shm}}:<br />
<br />
# export GNUPGHOME=/custom/gpg/home<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > $GNUPGHOME/S.gpg-agent<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.browser\n' > $GNUPGHOME/S.gpg-agent.browser<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.extra\n' > $GNUPGHOME/S.gpg-agent.extra<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.ssh\n' > $GNUPGHOME/S.gpg-agent.ssh<br />
<br />
Test that gpg-agent starts successfully with {{ic|gpg-agent --daemon}}.<br />
<br />
== See also ==<br />
<br />
* [https://gnupg.org/ GNU Privacy Guard Homepage]<br />
* [https://tools.ietf.org/html/rfc4880 RFC4880 "OpenPGP Message Format"]<br />
* [https://fedoraproject.org/wiki/Creating_GPG_Keys Creating GPG Keys (Fedora)]<br />
* [https://wiki.debian.org/Subkeys OpenPGP subkeys in Debian]<br />
* [https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/ A more comprehensive gpg Tutorial]<br />
* [https://help.riseup.net/en/security/message-security/openpgp/gpg-best-practices gpg.conf recommendations and best practices]<br />
* [https://github.com/ioerror/torbirdy/blob/master/gpg.conf Torbirdy gpg.conf]<br />
* [https://www.reddit.com/r/GPGpractice/ /r/GPGpractice - a subreddit to practice using GnuPG.]<br />
* [https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md Protecting code integrity with PGP]</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=GnuPG&diff=530885GnuPG2018-07-24T18:50:22Z<p>Sudoforge: /* Using a PGP key for SSH authentication */ Add information regarding manually adding a keygrip to sshcontrol</p>
<hr />
<div>==== Using a PGP key for SSH authentication ====<br />
<br />
If the {{ic|enable-ssh-agent}} option is enabled for {{ic|gpg-agent}}, you can use your PGP key as an SSH key. This requires a key with the {{ic|Authentication}} capability (see [[#Custom capabilities]]). There are various benefits gained by using a PGP key for SSH authentication, including:<br />
<br />
* Reduced key maintenance, as you will no longer need to maintain an SSH key<br />
* The ability to store the authentication key on a smartcard. GnuPG will automatically detect the key when the card is available, and add it to the agent (check with {{ic|ssh-add -l}} or {{ic|ssh-add -L}}). The comment for the key should be something like: {{ic|openpgp:''key-id''}} or {{ic|cardno:''card-id''}}. <br />
<br />
{{Note| Your key may not be added to {{ic|$GNUPGHOME/sshcontrol}}, which is where normal SSH keys are listed.}}<br />
<br />
If your key is not added to {{ic|$GNUPGHOME/sshcontrol}} automatically, you can add the keygrip for your key with the Authentication capability manually. You can get the keygrip of your key by executing {{ic|gpg --list-keys --with-keygrip}}, like so:<br />
<br />
<br />
$ gpg --list-keys --with-keygrip<br />
sub rsa4096/1234ABCD1234ABCD 2001-01-01 [A] [expires: 2002-01-01]<br />
Keygrip = < put this value on its own line in $GNUPGHOME/sshcontrol ><br />
<br />
Adding the keygrip to {{ic|$HOME/.gnupg/sshcontrol}} is a one-time action; you will not need to edit the file again, unless you are adding additional keygrips. You can retrieve the public key for your Authentication key by executing {{ic|ssh-add -L}}.</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=User_talk:Aimilius&diff=530806User talk:Aimilius2018-07-24T02:40:20Z<p>Sudoforge: add context.</p>
<hr />
<div>RE: https://wiki.archlinux.org/index.php?title=GnuPG&oldid=530641<br />
<br />
They were not detected on my system, which is why I included the bit I did. It was actually fairly difficult to find any documentation showing how to manually add the key.</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=User_talk:Aimilius&diff=530805User talk:Aimilius2018-07-24T02:38:22Z<p>Sudoforge: Created page with "They were not detected on my system, which is why I included the bit I did. It was actually fairly difficult to find any documentation showing how to manually add the key."</p>
<hr />
<div>They were not detected on my system, which is why I included the bit I did. It was actually fairly difficult to find any documentation showing how to manually add the key.</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=GnuPG&diff=530314GnuPG2018-07-18T05:23:22Z<p>Sudoforge: /* Using a PGP key for SSH authentication */ add missing caret</p>
<hr />
<div>[[Category:Encryption]]<br />
[[es:GnuPG]]<br />
[[ja:GnuPG]]<br />
[[ru:GnuPG]]<br />
[[pl:GnuPG]]<br />
[[zh-hans:GnuPG]]<br />
[[zh-hant:GnuPG]]<br />
{{Related articles start}}<br />
{{Related|pacman/Package signing}}<br />
{{Related|Disk encryption}}<br />
{{Related|List of applications/Security#Encryption, signing, steganography}}<br />
{{Related articles end}}<br />
<br />
According to the [https://www.gnupg.org/ official website]:<br />
<br />
:GnuPG is a complete and free implementation of the [http://openpgp.org/about/ OpenPGP] standard as defined by [https://tools.ietf.org/html/rfc4880 RFC4880] (also known as PGP). GnuPG allows you to encrypt and sign your data and communication. It features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|gnupg}} package.<br />
<br />
This will also install {{Pkg|pinentry}}, a collection of simple PIN or passphrase entry dialogs which GnuPG uses for passphrase entry. The shell script {{ic|/usr/bin/pinentry}} determines which ''pinentry'' dialog is used, in the order described at [[#pinentry]].<br />
<br />
If you want to use a graphical frontend or program that integrates with GnuPG, see [[List of applications/Security#Encryption, signing, steganography]].<br />
<br />
== Configuration ==<br />
<br />
=== Directory location ===<br />
{{ic|$GNUPGHOME}} is used by GnuPG to point to the directory where its configuration files are stored. By default {{ic|$GNUPGHOME}} is not set and your {{ic|$HOME}} is used instead; thus, you will find a {{ic|~/.gnupg}} directory right after installation. <br />
<br />
To change the default location, either run gpg this way {{ic|$ gpg --homedir ''path/to/file''}} or set the {{ic|GNUPGHOME}} [[environment variable]].<br />
<br />
=== Configuration files ===<br />
<br />
The default configuration files are {{ic|~/.gnupg/gpg.conf}} and {{ic|~/.gnupg/dirmngr.conf}}. <br />
<br />
By default, the gnupg directory has its [[permissions]] set to {{ic|700}} and the files it contains have their permissions set to {{ic|600}}. Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.<br />
<br />
Append to these files any long options you want. Do not write the two dashes, but simply the name of the option and required arguments. You will find skeleton files in {{ic|/usr/share/gnupg}}. These files are copied to {{ic|~/.gnupg}} the first time gpg is run if they do not exist there. Other examples are found in [[#See also]].<br />
<br />
Additionally, [[pacman]] uses a different set of configuration files for package signature verification. See [[Pacman/Package signing]] for details.<br />
<br />
=== Default options for new users ===<br />
<br />
If you want to setup some default options for new users, put configuration files in {{ic|/etc/skel/.gnupg/}}. When the new user is added in system, files from here will be copied to its GnuPG home directory. There is also a simple script called ''addgnupghome'' which you can use to create new GnuPG home directories for existing users:<br />
<br />
# addgnupghome user1 user2<br />
<br />
This will add the respective {{ic|/home/user1/.gnupg}} and {{ic|/home/user2/.gnupg}} and copy the files from the skeleton directory to it. Users with existing GnuPG home directory are simply skipped.<br />
<br />
== Usage ==<br />
<br />
{{Note|Whenever a ''{{ic|user-id}}'' is required in a command, it can be specified with your key ID, fingerprint, a part of your name or email address, etc. GnuPG is flexible on this.<br />
}}<br />
<br />
=== Create a key pair ===<br />
<br />
Generate a key pair by typing in a terminal:<br />
<br />
$ gpg --full-gen-key<br />
<br />
{{Tip|Use the {{ic|--expert}} option for getting alternative ciphers like [[wikipedia:Elliptic_curve_cryptography|ECC]].}}<br />
<br />
The command will prompt for answers to several questions. For general use most people will want: <br />
<br />
* the RSA (sign only) and a RSA (encrypt only) key.<br />
* a keysize of the default value (2048). A larger keysize of 4096 "gives us almost nothing, while costing us quite a lot"[https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096].<br />
* an expiration date. A period of a year is good enough for the average user. This way even if access is lost to the keyring, it will allow others to know that it is no longer valid. Later, if necessary, the expiration date can be extended without having to re-issue a new key.<br />
* your name and email address. You can add multiple identities to the same key later (''e.g.'', if you have multiple email addresses you want to associate with this key).<br />
* ''no'' optional comment. Since the semantics of the comment field are [https://lists.gnupg.org/pipermail/gnupg-devel/2015-July/030150.html not well-defined], it has limited value for identification.<br />
* [[Security#Choosing_secure_passwords|a secure passphrase]].<br />
<br />
{{Note|The name and email address you enter here will be seen by anybody who imports your key.}}<br />
<br />
=== List keys ===<br />
<br />
To list keys in your public key ring:<br />
<br />
$ gpg --list-keys<br />
<br />
To list keys in your secret key ring:<br />
<br />
$ gpg --list-secret-keys<br />
<br />
=== Export your public key ===<br />
<br />
gpg's main usage is to ensure confidentiality of exchanged messages via public-key cryptography. With it each user distributes the public key of their keyring, which can be be used by others to encrypt messages to the user. The private key must ''always'' be kept private, otherwise confidentiality is broken. See [[w:Public-key cryptography]] for examples about the message exchange. <br />
<br />
So, in order for others to send encrypted messages to you, they need your public key. <br />
<br />
To generate an ASCII version of a user's public key to file {{ic|''public.key''}} (e.g. to distribute it by e-mail):<br />
<br />
$ gpg --output ''public.key'' --armor --export ''user-id''<br />
<br />
Alternatively, or in addition, you can [[#Use a keyserver]] to share your key. <br />
<br />
{{Tip|Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.}}<br />
<br />
=== Import a public key ===<br />
<br />
In order to encrypt messages to others, as well as verify their signatures, you need their public key. To import a public key with file name {{ic|''public.key''}} to your public key ring:<br />
<br />
$ gpg --import ''public.key''<br />
<br />
Alternatively, [[#Use a keyserver]] to find a public key.<br />
<br />
=== Use a keyserver ===<br />
<br />
You can register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:<br />
<br />
$ gpg --send-keys ''user-id''<br />
<br />
{{Warning|Once a key has been submitted to a keyserver, it cannot be deleted from the server.[https://pgp.mit.edu/faq.html]}}<br />
<br />
To find out details of a key on the keyserver, without importing it, do:<br />
<br />
$ gpg --search-keys ''user-id''<br />
<br />
To import a key from a key server:<br />
<br />
$ gpg --recv-keys ''key-id''<br />
<br />
{{Warning|<br />
* You should verify the authenticity of the retrieved public key by comparing its fingerprint with one that the owner published on an independent source(s) (e.g., contacting the person directly). See [[Wikipedia:Public key fingerprint]] for more information.<br />
* Using a short ID may encounter collisions. All keys will be imported that have the short ID. To avoid this, use the full fingerprint or long key ID when receiving a key.[https://lkml.org/lkml/2016/8/15/445]}}<br />
{{Tip|<br />
* Adding {{ic|keyserver-options auto-key-retrieve}} to {{ic|gpg.conf}} will automatically fetch keys from the key server as needed. <br />
* An alternative key server is {{ic|pool.sks-keyservers.net}} and can be specified with {{ic|keyserver}} in {{ic|dirmngr.conf}}; see also [[wikipedia:Key server (cryptographic)#Keyserver examples]].<br />
* If your network blocks ports used for hkp/hkps, you may need to specify port 80, i.e. {{ic|pool.sks-keyservers.net:80}}<br />
* You can connect to the keyserver over [[Tor]] using {{ic|--use-tor}}. See this [https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html GnuPG blog post] for more information.<br />
* You can connect to a keyserver using a proxy by setting the {{ic|http_proxy}} environment variable and setting {{ic|honor-http-proxy}} in {{ic|dirmngr.conf}}. Alternatively, set {{ic|http-proxy ''host[:port]''}} in {{ic|dirmngr.conf}}, overriding the {{ic|http_proxy}} environment variable. [[Restart]] the {{ic|dirmngr.service}} [[systemd/User|user service]] for the changes to take effect.<br />
* If you wish to import a key ID to install a specific Arch Linux package, see [[pacman/Package signing#Managing the keyring]] and [[Makepkg#Signature checking]].}}<br />
<br />
=== Encrypt and decrypt ===<br />
<br />
==== Asymmetric ====<br />
You need to [[#Import a public key]] of a user before encrypting (options {{ic|--encrypt}} or {{ic|-e}}) a file or message to that recipient (options {{ic|--recipient}} or {{ic|-r}}). Additionally you need to [[#Create a key pair]] if you have not already done so.<br />
<br />
To encrypt a file with the name ''doc'', use:<br />
<br />
$ gpg --recipient ''user-id'' --encrypt ''doc''<br />
<br />
To decrypt (option {{ic|--decrypt}} or {{ic|-d}}) a file with the name ''doc''.gpg encrypted with your public key, use:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
''gpg'' will prompt you for your passphrase and then decrypt and write the data from ''doc''.gpg to ''doc''. If you omit the {{ic|-o}} ({{ic|--output}}) option, ''gpg'' will write the decrypted data to stdout.<br />
<br />
{{Tip|<br />
* Add {{ic|--armor}} to encrypt a file using ASCII armor (suitable for copying and pasting a message in text format)<br />
* Use {{ic|-R ''user-id''}} or {{ic|--hidden-recipient ''user-id''}} instead of {{ic|-r}} to not put the recipient key IDs in the encrypted message. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis.<br />
* Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.<br />
* You can use gnupg to encrypt your sensitive documents by using your own user-id as recipient or by using the {{ic|--default-recipient-self}} flag instead; however, you can only do this one file at a time, although you can always tarball various files and then encrypt the tarball. See also [[Disk encryption#Available methods]] if you want to encrypt directories or a whole file-system.}}<br />
<br />
==== Symmetric ====<br />
Symmetric encryption does not require the generation of a key pair and can be used to simply encrypt data with a passphrase. Simply use {{ic|--symmetric}} or {{ic|-c}} to perform symmetic encryption:<br />
<br />
$ gpg -c ''doc''<br />
<br />
The following example:<br />
<br />
* Encrypts {{ic|''doc''}} with a symmetric cipher using a passphrase<br />
* Uses the AES-256 cipher algorithm to encrypt the passphrase<br />
* Uses the SHA-512 digest algorithm to mangle the passphrase<br />
* Mangles the passphrase for 65536 iterations<br />
<br />
$ gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536 ''doc''<br />
<br />
To decrypt a symmetrically encrypted {{ic|''doc''.gpg}} using a passphrase and output decrypted contents into the same directory as {{ic|''doc''}} do:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
== Key maintenance ==<br />
<br />
=== Backup your private key ===<br />
<br />
To backup your private key do the following:<br />
<br />
$ gpg --export-secret-keys --armor ''<user-id>'' > ''privkey.asc''<br />
<br />
Note that ''gpg'' release 2.1 changed default behaviour so that the above command enforces a passphrase protection, even if you deliberately chose not to use one on key creation. This is because otherwise anyone who gains access to the above exported file would be able to encrypt and sign documents as if they were you ''without'' needing to know your passphrase. <br />
<br />
{{Warning|The passphrase is usually the weakest link in protecting your secret key. Place the private key in a safe place on a different system/device, such as a locked container or encrypted drive. It is the only safety you have to regain control to your keyring in case of, for example, a drive failure, theft or worse.}}<br />
<br />
To import the backup of your private key:<br />
$ gpg --import ''privkey.asc''<br />
<br />
=== Edit your key ===<br />
<br />
Running the {{ic|gpg --edit-key ''<user-id>''}} command will present a menu which enables you to do most of your key management related tasks.<br />
<br />
Some useful commands in the edit key sub menu:<br />
> passwd # change the passphrase<br />
> clean # compact any user ID that is no longer usable (e.g revoked or expired)<br />
> revkey # revoke a key<br />
> addkey # add a subkey to this key<br />
> expire # change the key expiration time<br />
<br />
Type {{ic|help}} in the edit key sub menu for more commands.<br />
<br />
{{Tip|If you have multiple email accounts you can add each one of them as an identity, using {{ic|adduid}} command. You can then set your favourite one as {{ic|primary}}.}}<br />
<br />
=== Exporting subkey ===<br />
<br />
If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.<br />
<br />
First, find out which subkey you want to export.<br />
<br />
$ gpg -K<br />
<br />
Select only that subkey to export.<br />
<br />
$ gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg<br />
<br />
{{Warning|If you forget to add the !, all of your subkeys will be exported.}}<br />
<br />
At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder. <br />
<br />
$ gpg --homedir /tmp/gpg --import /tmp/subkey.gpg<br />
$ gpg --homedir /tmp/gpg --edit-key ''<user-id>''<br />
> passwd<br />
> save<br />
$ gpg --homedir /tmp/gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.altpass.gpg<br />
<br />
{{Note|You will get a warning that the master key was not available and the password was not changed, but that can safely be ignored as the subkey password was.}}<br />
<br />
At this point, you can now use {{ic|/tmp/subkey.altpass.gpg}} on your other devices.<br />
<br />
=== Rotating subkeys ===<br />
<br />
{{Warning|'''Never''' delete your expired or revoked subkeys unless you have a good reason. Doing so will cause you to lose the ability to decrypt files encrypted with the old subkey. Please '''only''' delete expired or revoked keys from other users to clean your keyring.}}<br />
<br />
If you have set your subkeys to expire after a set time, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.<br />
<br />
{{Tip|You do not need to create a new key simply because it is expired. You can extend the expiration date.}}<br />
<br />
Create new subkey (repeat for both signing and encrypting key)<br />
<br />
$ gpg --edit-key ''<user-id>''<br />
> addkey<br />
<br />
And answer the following questions it asks (see [[#Create a key pair]] for suggested settings).<br />
<br />
Save changes<br />
<br />
> save<br />
<br />
Update it to a keyserver.<br />
<br />
$ gpg --keyserver pgp.mit.edu --send-keys ''<user-id>''<br />
<br />
{{Tip|Revoking expired subkeys is unnecessary and arguably bad form. If you are constantly revoking keys, it may cause others to lack confidence in you.}}<br />
<br />
== Signatures ==<br />
<br />
Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user's private key. The recipient of a signed document then verifies the signature using the sender's public key.<br />
<br />
=== Create a signature ===<br />
<br />
==== Sign a file ====<br />
<br />
To sign a file use the {{ic|--sign}} or {{ic|-s}} flag:<br />
<br />
$ gpg --output ''doc''.sig --sign ''doc''<br />
<br />
{{ic|''doc''.sig}} contains both the compressed content of the original file {{ic|''doc''}} and the signature in a binary format, but the file is not encrypted. However, you can combine signing with [[#Encrypt and decrypt|encrypting]].<br />
<br />
==== Clearsign a file or message ====<br />
<br />
To sign a file without compressing it into binary format use:<br />
<br />
$ gpg --output ''doc''.sig --clearsign ''doc''<br />
<br />
Here both the content of the original file {{ic|''doc''}} and the signature are stored in human-readable form in {{ic|''doc''.sig}}.<br />
<br />
==== Make a detached signature ====<br />
<br />
To create a separate signature file to be distributed separately from the document or file itself, use the {{ic|--detach-sig}} flag:<br />
<br />
$ gpg --output ''doc''.sig --detach-sig ''doc''<br />
<br />
Here the signature is stored in {{ic|''doc''.sig}}, but the contents of {{ic|''doc''}} are not stored in it. This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.<br />
<br />
=== Verify a signature ===<br />
<br />
To verify a signature use the {{ic|--verify}} flag:<br />
<br />
$ gpg --verify ''doc''.sig<br />
<br />
where {{ic|''doc''.sig}} is the signed file containing the signature you wish to verify.<br />
<br />
If you are verifying a detached signature, both the signed data file and the signature file must be present when verifying. For example, to verify Arch Linux's latest iso you would do:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig<br />
<br />
where {{ic|archlinux-''version''.iso}} must be located in the same directory.<br />
<br />
You can also specify the signed data file with a second argument:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig ''/path/to/''archlinux-''version''.iso<br />
<br />
If a file as been encrypted in addition to being signed, simply [[#Encrypt and decrypt|decrypt]] the file and its signature will also be verified.<br />
<br />
== gpg-agent ==<br />
<br />
''gpg-agent'' is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. {{Pkg|gnupg}} comes with [[systemd/User|systemd user]] sockets which are enabled by default. These sockets are {{ic|gpg-agent.socket}}, {{ic|gpg-agent-extra.socket}}, {{ic|gpg-agent-browser.socket}}, {{ic|gpg-agent-ssh.socket}}, and {{ic|dirmngr.socket}}.<br />
<br />
{{Expansion|Add {{ic|gpg-agent-browser.socket}} to the list.}}<br />
<br />
* The main {{ic|gpg-agent.socket}} is used by ''gpg'' to connect to the ''gpg-agent'' daemon.<br />
* The intended use for the {{ic|gpg-agent-extra.socket}} on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use ''gpg'' on the remote system without exposing the private keys to the remote system. See {{man|1|gpg-agent}} for details.<br />
* The {{ic|gpg-agent-ssh.socket}} can be used by [[SSH]] to cache [[SSH keys]] added by the ''ssh-add'' program. See [[#SSH agent]] for the necessary configuration.<br />
* The {{ic|dirmngr.socket}} starts a GnuPG daemon handling connections to keyservers.<br />
<br />
{{Note|If you use non-default GnuPG [[#Directory location]], you will need to [[edit]] all socket files to use the values of {{ic|gpgconf --list-dirs}}.}}<br />
<br />
=== Configuration ===<br />
<br />
gpg-agent can be configured via {{ic|~/.gnupg/gpg-agent.conf}} file. The configuration options are listed in {{man|1|gpg-agent}}. For example you can change cache ttl for unused keys:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl 3600<br />
}}<br />
<br />
{{Tip|To cache your passphrase for the whole session, please run the following command:<br />
$ /usr/lib/gnupg/gpg-preset-passphrase --preset XXXXXX<br />
<br />
where XXXX is the keygrip. You can get its value when running {{ic|gpg --with-keygrip -K}}. Passphrase will be stored until {{ic|gpg-agent}} is restarted. If you set up {{ic|default-cache-ttl}} value, it will take precedence.<br />
}}<br />
<br />
=== Reload the agent ===<br />
<br />
After changing the configuration, reload the agent using ''gpg-connect-agent'':<br />
<br />
$ gpg-connect-agent reloadagent /bye<br />
<br />
The command should print {{ic|OK}}.<br />
<br />
However in some cases only the restart may not be sufficient, like when {{ic|keep-screen}} has been added to the agent configuration.<br />
In this case you firstly need to kill the ongoing gpg-agent process and then you can restart it as was explained above.<br />
<br />
=== pinentry ===<br />
<br />
Finally, the agent needs to know how to ask the user for the password. This can be set in the gpg-agent configuration file.<br />
<br />
The default uses {{ic|/usr/bin/pinentry-gnome3}}, falling back to {{ic|/usr/bin/pinentry-qt}}, {{ic|/usr/bin/pinentry-gtk-2}} and at last {{ic|/usr/bin/pinentry-curses}} if none of the previous were functioning. However there are other options - see {{ic|info pinentry}}. To change the dialog implementation set {{ic|pinentry-program}} configuration option:<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
<br />
# PIN entry program<br />
# pinentry-program /usr/bin/pinentry-gnome3<br />
# pinentry-program /usr/bin/pinentry-qt<br />
# pinentry-program /usr/bin/pinentry-curses<br />
# pinentry-program /usr/bin/pinentry-kwallet<br />
<br />
pinentry-program /usr/bin/pinentry-gtk-2<br />
}}<br />
<br />
{{Tip|For using {{ic|/usr/bin/pinentry-kwallet}} you have to install the {{AUR|kwalletcli}} package.}}<br />
<br />
After making this change, reload the gpg-agent.<br />
<br />
=== Unattended passphrase ===<br />
<br />
Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the {{ic|--passphrase-fd 0}} commandline option. In order to have the same type of functionality as the older releases two things must be done:<br />
<br />
First, edit the gpg-agent configuration to allow ''loopback'' pinentry mode:<br />
<br />
{{hc|1=~/.gnupg/gpg-agent.conf|2=<br />
allow-loopback-pinentry<br />
}}<br />
<br />
Restart the gpg-agent process if it is running to let the change take effect.<br />
<br />
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:<br />
<br />
$ gpg --pinentry-mode loopback ...<br />
<br />
...or if this is not possible, add the option to the configuration:<br />
<br />
{{hc|1=~/.gnupg/gpg.conf|2=<br />
pinentry-mode loopback<br />
}}<br />
<br />
{{Note|The upstream author indicates setting {{ic|pinentry-mode loopback}} in {{ic|gpg.conf}} may break other usage, using the commandline option should be preferred if at all possible. [https://bugs.g10code.com/gnupg/issue1772]}}<br />
<br />
=== SSH agent ===<br />
<br />
''gpg-agent'' has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your [[SSH keys]]. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.<br />
<br />
==== Set SSH_AUTH_SOCK ====<br />
<br />
You have to set {{ic|SSH_AUTH_SOCK}} so that SSH will use ''gpg-agent'' instead of ''ssh-agent''. To make sure each process can find your ''gpg-agent'' instance regardless of e.g. the type of shell it is child of use [[Environment_variables#Using_pam_env|pam_env]].<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
}}<br />
<br />
{{note|If you set your {{ic|SSH_AUTH_SOCK}} manually (such as in this pam_env example), keep in mind that your socket location may be different if you are using a custom {{ic|GNUPGHOME}}. You can use the following bash example, or change {{ic|SSH_AUTH_SOCK}} to the value of {{ic|gpgconf --list-dirs agent-ssh-socket}}.}}<br />
<br />
Alternatively, depend on Bash. This works for non-standard socket locations as well:<br />
<br />
{{hc|~/.bashrc|2=<br />
unset SSH_AGENT_PID<br />
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then<br />
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"<br />
fi<br />
}}<br />
<br />
{{Note|1=The test involving the {{ic|gnupg_SSH_AUTH_SOCK_by}} variable is for the case where the agent is started as {{ic|gpg-agent --daemon /bin/sh}}, in which case the shell inherits the {{ic|SSH_AUTH_SOCK}} variable from the parent, ''gpg-agent'' [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/gpg-agent.c;hb=7bca3be65e510eda40572327b87922834ebe07eb#l1307].}}<br />
<br />
==== Configure pinentry to use the correct TTY ====<br />
<br />
Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in {{man|1|gpg-agent}}. For example:<br />
<br />
{{hc|~/.bashrc|<nowiki><br />
# Set GPG TTY<br />
export GPG_TTY=$(tty)<br />
<br />
# Refresh gpg-agent tty in case user switches into an X session<br />
gpg-connect-agent updatestartuptty /bye >/dev/null<br />
</nowiki>}}<br />
<br />
==== Add SSH keys ====<br />
<br />
Once ''gpg-agent'' is running you can use ''ssh-add'' to approve keys, following the same steps as for [[SSH keys#ssh-agent|ssh-agent]]. The list of approved keys is stored in the {{ic|~/.gnupg/sshcontrol}} file. <br />
<br />
Once your key is approved, you will get a ''pinentry'' dialog every time your passphrase is needed. You can control passphrase caching in the {{ic|~/.gnupg/gpg-agent.conf}} file. The following example would have ''gpg-agent'' cache your keys for 3 hours:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl-ssh 10800<br />
max-cache-ttl-ssh 10800<br />
}}<br />
<br />
==== Using a PGP key for SSH authentication ====<br />
<br />
If the {{ic|enable-ssh-agent}} option is enabled for {{ic|gpg-agent}}, you can use your PGP key as an SSH key. This requires a key with the {{ic|Authentication}} capability (see [[#Custom capabilities]]). There are various benefits gained by using a PGP key for SSH authentication, including:<br />
<br />
* Reduced key maintenance, as you will no longer need to maintain an SSH key<br />
* The ability to store the authentication key on a smartcard. GnuPG will automatically detect the key when the card is available, and add it to the agent (check with {{ic|ssh-add -l}} or {{ic|ssh-add -L}}). The comment for the key should be something like: {{ic|openpgp:''key-id''}} or {{ic|cardno:''card-id''}}. Note that your key may not be added to {{ic|$HOME/.gnupg/sshcontrol}}, which is where normal SSH keys are listed.<br />
<br />
To add your key to the agent for the first time, you need to add the keygrip for your key with the Authentication capability to {{ic|$HOME/.gnupg/sshcontrol}}. You can get the keygrip of your key by executing {{ic|gpg --list-keys --with-keygrip}}, like so:<br />
<br />
$ gpg --list-keys --with-keygrip<br />
sub rsa4096/1234ABCD1234ABCD 2001-01-01 [A] [expires: 2002-01-01]<br />
Keygrip = < put this value on its own line in $HOME/.gnupg/sshcontrol ><br />
<br />
Adding the keygrip to {{ic|$HOME/.gnupg/sshcontrol}} is a one-time action; you will not need to edit the file again, unless you are adding additional keygrips. You can retrieve the public key for your Authentication key by executing {{ic|ssh-add -L}}.<br />
<br />
== Smartcards ==<br />
<br />
GnuPG uses ''scdaemon'' as an interface to your smartcard reader, please refer to the [[man page]] for details.<br />
<br />
=== GnuPG only setups ===<br />
<br />
{{Note| To allow scdaemon direct access to USB smarcard readers the optional dependency {{Pkg|libusb-compat}} have to be installed}}<br />
<br />
If you do not plan to use other cards but those based on GnuPG, you should check the {{Ic|reader-port}} parameter in {{ic|~/.gnupg/scdaemon.conf}}. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.<br />
<br />
=== GnuPG with pcscd (PCSC Lite) ===<br />
<br />
{{Note|{{Pkg|pcsclite}} and {{Pkg|ccid}} have to be installed, and the contained [[systemd#Using units|systemd]] service {{ic|pcscd.service}} has to be running, or the socket {{ic|pcscd.socket}} has to be listening.}}<br />
<br />
pcscd is a daemon which handles access to smartcard (SCard API). If GnuPG's scdaemon fails to connect the smartcard directly (e.g. by using its integrated CCID support), it will fallback and try to find a smartcard using the PCSC Lite driver.<br />
<br />
==== Always use pcscd ====<br />
<br />
If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using {{Ic|gpg --card-status}}<br />
<br />
gpg: selecting openpgp failed: ec=6.108<br />
<br />
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove {{Ic|reader-port}} from {{ic|~/.gnupg/scdaemon.conf}}, specify the location to {{ic|libpcsclite.so}} library and disable ccid so we make sure that we use pcscd:<br />
<br />
{{hc|~/.gnupg/scdaemon.conf|<nowiki><br />
pcsc-driver /usr/lib/libpcsclite.so<br />
card-timeout 5<br />
disable-ccid<br />
</nowiki>}}<br />
<br />
Please check {{man|1|scdaemon}} if you do not use OpenSC.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Different algorithm ===<br />
<br />
You may want to use stronger algorithms:<br />
<br />
{{hc|~/.gnupg/gpg.conf|<br />
...<br />
<br />
personal-digest-preferences SHA512<br />
cert-digest-algo SHA512<br />
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br />
personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES<br />
}}<br />
<br />
In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.<br />
<br />
=== Encrypt a password ===<br />
<br />
It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.<br />
<br />
First create a file with your password. You '''need''' to leave '''one''' empty line after the password, otherwise gpg will return an error message when evaluating the file.<br />
<br />
Then run:<br />
<br />
$ gpg -e -a -r ''<user-id>'' ''your_password_file''<br />
<br />
{{ic|-e}} is for encrypt, {{ic|-a}} for armor (ASCII output), {{ic|-r}} for recipient user ID.<br />
<br />
You will be left with a new {{ic|''your_password_file''.asc}} file.<br />
<br />
{{Tip|[[pass]] automates this process.}}<br />
<br />
=== Revoking a key ===<br />
<br />
{{Warning|<br />
*Anybody having access to your revocation certificate can revoke your key, rendering it useless.<br />
*Key revocation should only be performed if your key is compromised or lost, or you forget your passphrase.}}<br />
<br />
Revocation certificates are automatically generated for newly generated keys, although one can be generated manually by the user later. These are located at {{ic|~/.gnupg/openpgp-revocs.d/}}. The filename of the certificate is the fingerprint of the key it will revoke.<br />
<br />
To revoke your key, simply import the revocation certificate:<br />
<br />
$ gpg --import ''<fingerprint>''.rev<br />
<br />
Now update the keyserver:<br />
<br />
$ gpg --keyserver subkeys.pgp.net --send-keys ''<userid>''<br />
<br />
=== Change trust model ===<br />
<br />
By default GnuPG uses the [[Wikipedia::Web of Trust|Web of Trust]] as the trust model. You can change this to [[Wikipedia::Trust on first use|Trust on first use]] by adding {{ic|1=--trust-model=tofu}} when adding a key or adding this option to your GnuPG configuration file. More details are in [https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html this email to the GnuPG list].<br />
<br />
=== Hide all recipient id's ===<br />
<br />
By default the recipient's key ID is in the encrypted message. This can be removed at encryption time for a recipient by using {{ic|hidden-recipient ''<user-id>''}}. To remove it for all recipients add {{ic|throw-keyids}} to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (''e.g.'' with {{ic|--try-secret-key ''<user-id>''}}).<br />
<br />
=== Using caff for keysigning parties ===<br />
<br />
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the [[Wikipedia::Web of Trust|Web of Trust]]. Keysigning parties allow users to get together at a physical location to validate keys. The [[Wikipedia:Zimmermann–Sassaman key-signing protocol|Zimmermann-Sassaman]] key-signing protocol is a way of making these very effective. [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html Here] you will find a how-to article.<br />
<br />
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool ''caff''. It can be installed from the AUR with the package {{AUR|caff-svn}}.<br />
<br />
To send the signatures to their owners you need a working [[Wikipedia:Message transfer agent|MTA]]. If you do not have already one, install [[msmtp]].<br />
<br />
=== Always show long ID's and fingerprints ===<br />
<br />
To always show long key ID's add {{ic|keyid-format 0xlong}} to your configuration file. To always show full fingerprints of keys, add {{ic|with-fingerprint}} to your configuration file.<br />
<br />
=== Custom capabilities ===<br />
<br />
For further customization also possible to set custom capabilities to your keys. The following capabilities are available:<br />
<br />
* Certify (only for master keys) - allows the key to create subkeys, mandatory for master keys.<br />
* Sign - allows the key to create cryptographic signatures that others can verify with the public key.<br />
* Encrypt - allows anyone to encrypt data with the public key, that only the private key can decrypt.<br />
* Authenticate - allows the key to authenticate with various non-GnuPG programs. The key can be used as e.g. an SSH key. <br />
<br />
It's possible to specify the capabilities of the master key, by running: <br />
<br />
$ gpg --full-generate-key --expert<br />
<br />
And select an option that allows you to set your own capabilities.<br />
<br />
Comparably, to specify custom capabilities for subkeys, add the {{ic|--expert}} flag to {{ic|gpg --edit-key}}, see [[#Edit your key]] for more information.<br />
<br />
=== Cache passwords ===<br />
<br />
To be asked for your GnuPG password only once per session, set {{ic|max-cache-ttl}} and {{ic|default-cache-ttl}} to something very high, for instance:<br />
<br />
{{hc|<br />
gpg-agent.conf|<br />
max-cache-ttl 60480000<br />
default-cache-ttl 60480000<br />
}}<br />
<br />
See [[#gpg-agent]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Not enough random bytes available ===<br />
When generating a key, gpg can run into this error:<br />
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!<br />
To check the available entropy, check the kernel parameters:<br />
cat /proc/sys/kernel/random/entropy_avail<br />
A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy. <br />
<br />
To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki - all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see [[Random number generation#Alternatives]].<br />
<br />
=== su ===<br />
<br />
When using {{Ic|pinentry}}, you must have the proper permissions of the terminal device (e.g. {{Ic|/dev/tty1}}) in use. However, with ''su'' (or ''sudo''), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg:<br />
<br />
# chown root /dev/ttyN # where N is the current tty<br />
<br />
and then change it back after using gpg the first time. The equivalent is likely to be true with {{Ic|/dev/pts/}}.<br />
<br />
{{Note|The owner of tty ''must'' match with the user for which pinentry is running. Being part of the group {{Ic|tty}} '''is not''' enough.}}<br />
<br />
{{Tip|If you run gpg with {{ic|script}} it will use a new tty with the correct ownership:<br />
<br />
# script -q -c "gpg --gen-key" /dev/null<br />
}}<br />
<br />
=== Agent complains end of file ===<br />
<br />
The default pinentry program is {{ic|/usr/bin/pinentry-gnome3}}, which needs a DBus session bus to run properly. See [[General troubleshooting#Session permissions]] for details.<br />
<br />
Alternatively, you can use a variety of different options described in [[#pinentry]].<br />
<br />
=== KGpg configuration permissions ===<br />
<br />
There have been issues with {{Pkg|kgpg}} being able to access the {{ic|~/.gnupg/}} options. One issue might be a result of a deprecated ''options'' file, see the [https://bugs.kde.org/show_bug.cgi?id=290221 bug] report.<br />
<br />
=== GNOME on Wayland overrides SSH agent socket ===<br />
<br />
For Wayland sessions, {{Ic|gnome-session}} sets {{Ic|SSH_AUTH_SOCK}} to the standard gnome-keyring socket, {{Ic|$XDG_RUNTIME_DIR/keyring/ssh}}. This overrides any value set in {{Ic|~/.pam_environmment}} or systemd unit files.<br />
<br />
To disable this behavior, set the {{Ic|GSM_SKIP_AGENT_WORKAROUND}} variable:<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
GSM_SKIP_SSH_AGENT_WORKAROUND DEFAULT="true"<br />
}}<br />
<br />
=== mutt ===<br />
<br />
Mutt might not use ''gpg-agent'' correctly, you need to set an [[environment variable]] {{ic|GPG_AGENT_INFO}} (the content doesn't matter) when running mutt. Be also sure to enable password caching correctly, see [[#Cache passwords]].<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?pid=1490821#p1490821 this forum thread]<br />
<br />
=== "Lost" keys, upgrading to gnupg version 2.1 ===<br />
<br />
When {{ic|gpg --list-keys}} fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.<br />
<br />
Please read [http://jo-ke.name/wp/?p=111 GnuPG invalid packet workaround]. Basically, it says that there is a bug with keys in the old {{ic|pubring.gpg}} and {{ic|secring.gpg}} files, which have now been superseded by the new {{ic|pubring.kbx}} file and the {{ic|private-keys-v1.d/}} subdirectory and files. Your missing keys can be recovered with the following commnads:<br />
<br />
$ cd<br />
$ cp -r .gnupg gnupgOLD<br />
$ gpg --export-ownertrust > otrust.txt<br />
$ gpg --import .gnupg/pubring.gpg<br />
$ gpg --import-ownertrust otrust.txt<br />
$ gpg --list-keys<br />
<br />
=== gpg hanged for all keyservers (when trying to receive keys) ===<br />
<br />
If gpg hanged with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working, otherwise it might keeping hanging for all of them.<br />
<br />
=== Smartcard not detected ===<br />
<br />
Your user might not have the permission to access the smartcard which results in a {{ic|card error}} to be thrown, even though the card is correctly set up and inserted.<br />
<br />
One possible solution is to add a new group {{ic|scard}} including the users who need access to the smartcard.<br />
<br />
Then use an [[Udev#Writing_udev_rules|udev]]{{Broken section link}} rule, similar to the following:<br />
{{hc|/etc/udev/rules.d/71-gnupg-ccid.rules|<nowiki><br />
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"<br />
</nowiki>}}<br />
One needs to adapt VENDOR and MODEL according to the {{ic|lsusb}} output, the above example is for a YubikeyNEO.<br />
<br />
=== gpg: WARNING: server 'gpg-agent' is older than us (x < y) ===<br />
<br />
This warning appears if {{ic|gnupg}} is upgraded and the old gpg-agent is still running. [[Restart]] the ''user'''s {{ic|gpg-agent.socket}} (i.e., use the {{ic|--user}} flag when restarting).<br />
<br />
=== gpg: ..., IPC connect call failed ===<br />
<br />
{{Accuracy|The {{ic|gpg-agent*.socket}} systemd sockets provided by the {{Pkg|gnupg}} package create the sockets in {{ic|/run/user/$UID/gnupg/}} which is guaranteed to be an appropriate file system.}}<br />
<br />
Make sure {{ic|gpg-agent}} and {{ic|dirmngr}} are not running with {{ic|killall gpg-agent dirmngr}} and the {{ic|$GNUPGHOME/crls.d/}} folder has permission set to {{ic|700}}.<br />
<br />
If your keyring is stored on a vFat filesystem (e.g. a USB drive), {{ic|gpg-agent}} will fail to create the required sockets (vFat does not support sockets), you can create redirects to a location that handles sockets, e.g. {{ic|/dev/shm}}:<br />
<br />
# export GNUPGHOME=/custom/gpg/home<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > $GNUPGHOME/S.gpg-agent<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.browser\n' > $GNUPGHOME/S.gpg-agent.browser<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.extra\n' > $GNUPGHOME/S.gpg-agent.extra<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.ssh\n' > $GNUPGHOME/S.gpg-agent.ssh<br />
<br />
Test that gpg-agent starts successfully with {{ic|gpg-agent --daemon}}.<br />
<br />
== See also ==<br />
<br />
* [https://gnupg.org/ GNU Privacy Guard Homepage]<br />
* [https://tools.ietf.org/html/rfc4880 RFC4880 "OpenPGP Message Format"]<br />
* [https://fedoraproject.org/wiki/Creating_GPG_Keys Creating GPG Keys (Fedora)]<br />
* [https://wiki.debian.org/Subkeys OpenPGP subkeys in Debian]<br />
* [https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/ A more comprehensive gpg Tutorial]<br />
* [https://help.riseup.net/en/security/message-security/openpgp/gpg-best-practices gpg.conf recommendations and best practices]<br />
* [https://github.com/ioerror/torbirdy/blob/master/gpg.conf Torbirdy gpg.conf]<br />
* [https://www.reddit.com/r/GPGpractice/ /r/GPGpractice - a subreddit to practice using GnuPG.]<br />
* [https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md Protecting code integrity with PGP]</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=GnuPG&diff=530313GnuPG2018-07-18T05:16:05Z<p>Sudoforge: /* Use GPG key as SSH key */ Add more information regarding intial steps needed for adding a PGP key to GnuPG's ssh-agent.</p>
<hr />
<div>[[Category:Encryption]]<br />
[[es:GnuPG]]<br />
[[ja:GnuPG]]<br />
[[ru:GnuPG]]<br />
[[pl:GnuPG]]<br />
[[zh-hans:GnuPG]]<br />
[[zh-hant:GnuPG]]<br />
{{Related articles start}}<br />
{{Related|pacman/Package signing}}<br />
{{Related|Disk encryption}}<br />
{{Related|List of applications/Security#Encryption, signing, steganography}}<br />
{{Related articles end}}<br />
<br />
According to the [https://www.gnupg.org/ official website]:<br />
<br />
:GnuPG is a complete and free implementation of the [http://openpgp.org/about/ OpenPGP] standard as defined by [https://tools.ietf.org/html/rfc4880 RFC4880] (also known as PGP). GnuPG allows you to encrypt and sign your data and communication. It features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|gnupg}} package.<br />
<br />
This will also install {{Pkg|pinentry}}, a collection of simple PIN or passphrase entry dialogs which GnuPG uses for passphrase entry. The shell script {{ic|/usr/bin/pinentry}} determines which ''pinentry'' dialog is used, in the order described at [[#pinentry]].<br />
<br />
If you want to use a graphical frontend or program that integrates with GnuPG, see [[List of applications/Security#Encryption, signing, steganography]].<br />
<br />
== Configuration ==<br />
<br />
=== Directory location ===<br />
{{ic|$GNUPGHOME}} is used by GnuPG to point to the directory where its configuration files are stored. By default {{ic|$GNUPGHOME}} is not set and your {{ic|$HOME}} is used instead; thus, you will find a {{ic|~/.gnupg}} directory right after installation. <br />
<br />
To change the default location, either run gpg this way {{ic|$ gpg --homedir ''path/to/file''}} or set the {{ic|GNUPGHOME}} [[environment variable]].<br />
<br />
=== Configuration files ===<br />
<br />
The default configuration files are {{ic|~/.gnupg/gpg.conf}} and {{ic|~/.gnupg/dirmngr.conf}}. <br />
<br />
By default, the gnupg directory has its [[permissions]] set to {{ic|700}} and the files it contains have their permissions set to {{ic|600}}. Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.<br />
<br />
Append to these files any long options you want. Do not write the two dashes, but simply the name of the option and required arguments. You will find skeleton files in {{ic|/usr/share/gnupg}}. These files are copied to {{ic|~/.gnupg}} the first time gpg is run if they do not exist there. Other examples are found in [[#See also]].<br />
<br />
Additionally, [[pacman]] uses a different set of configuration files for package signature verification. See [[Pacman/Package signing]] for details.<br />
<br />
=== Default options for new users ===<br />
<br />
If you want to setup some default options for new users, put configuration files in {{ic|/etc/skel/.gnupg/}}. When the new user is added in system, files from here will be copied to its GnuPG home directory. There is also a simple script called ''addgnupghome'' which you can use to create new GnuPG home directories for existing users:<br />
<br />
# addgnupghome user1 user2<br />
<br />
This will add the respective {{ic|/home/user1/.gnupg}} and {{ic|/home/user2/.gnupg}} and copy the files from the skeleton directory to it. Users with existing GnuPG home directory are simply skipped.<br />
<br />
== Usage ==<br />
<br />
{{Note|Whenever a ''{{ic|user-id}}'' is required in a command, it can be specified with your key ID, fingerprint, a part of your name or email address, etc. GnuPG is flexible on this.<br />
}}<br />
<br />
=== Create a key pair ===<br />
<br />
Generate a key pair by typing in a terminal:<br />
<br />
$ gpg --full-gen-key<br />
<br />
{{Tip|Use the {{ic|--expert}} option for getting alternative ciphers like [[wikipedia:Elliptic_curve_cryptography|ECC]].}}<br />
<br />
The command will prompt for answers to several questions. For general use most people will want: <br />
<br />
* the RSA (sign only) and a RSA (encrypt only) key.<br />
* a keysize of the default value (2048). A larger keysize of 4096 "gives us almost nothing, while costing us quite a lot"[https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096].<br />
* an expiration date. A period of a year is good enough for the average user. This way even if access is lost to the keyring, it will allow others to know that it is no longer valid. Later, if necessary, the expiration date can be extended without having to re-issue a new key.<br />
* your name and email address. You can add multiple identities to the same key later (''e.g.'', if you have multiple email addresses you want to associate with this key).<br />
* ''no'' optional comment. Since the semantics of the comment field are [https://lists.gnupg.org/pipermail/gnupg-devel/2015-July/030150.html not well-defined], it has limited value for identification.<br />
* [[Security#Choosing_secure_passwords|a secure passphrase]].<br />
<br />
{{Note|The name and email address you enter here will be seen by anybody who imports your key.}}<br />
<br />
=== List keys ===<br />
<br />
To list keys in your public key ring:<br />
<br />
$ gpg --list-keys<br />
<br />
To list keys in your secret key ring:<br />
<br />
$ gpg --list-secret-keys<br />
<br />
=== Export your public key ===<br />
<br />
gpg's main usage is to ensure confidentiality of exchanged messages via public-key cryptography. With it each user distributes the public key of their keyring, which can be be used by others to encrypt messages to the user. The private key must ''always'' be kept private, otherwise confidentiality is broken. See [[w:Public-key cryptography]] for examples about the message exchange. <br />
<br />
So, in order for others to send encrypted messages to you, they need your public key. <br />
<br />
To generate an ASCII version of a user's public key to file {{ic|''public.key''}} (e.g. to distribute it by e-mail):<br />
<br />
$ gpg --output ''public.key'' --armor --export ''user-id''<br />
<br />
Alternatively, or in addition, you can [[#Use a keyserver]] to share your key. <br />
<br />
{{Tip|Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.}}<br />
<br />
=== Import a public key ===<br />
<br />
In order to encrypt messages to others, as well as verify their signatures, you need their public key. To import a public key with file name {{ic|''public.key''}} to your public key ring:<br />
<br />
$ gpg --import ''public.key''<br />
<br />
Alternatively, [[#Use a keyserver]] to find a public key.<br />
<br />
=== Use a keyserver ===<br />
<br />
You can register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:<br />
<br />
$ gpg --send-keys ''user-id''<br />
<br />
{{Warning|Once a key has been submitted to a keyserver, it cannot be deleted from the server.[https://pgp.mit.edu/faq.html]}}<br />
<br />
To find out details of a key on the keyserver, without importing it, do:<br />
<br />
$ gpg --search-keys ''user-id''<br />
<br />
To import a key from a key server:<br />
<br />
$ gpg --recv-keys ''key-id''<br />
<br />
{{Warning|<br />
* You should verify the authenticity of the retrieved public key by comparing its fingerprint with one that the owner published on an independent source(s) (e.g., contacting the person directly). See [[Wikipedia:Public key fingerprint]] for more information.<br />
* Using a short ID may encounter collisions. All keys will be imported that have the short ID. To avoid this, use the full fingerprint or long key ID when receiving a key.[https://lkml.org/lkml/2016/8/15/445]}}<br />
{{Tip|<br />
* Adding {{ic|keyserver-options auto-key-retrieve}} to {{ic|gpg.conf}} will automatically fetch keys from the key server as needed. <br />
* An alternative key server is {{ic|pool.sks-keyservers.net}} and can be specified with {{ic|keyserver}} in {{ic|dirmngr.conf}}; see also [[wikipedia:Key server (cryptographic)#Keyserver examples]].<br />
* If your network blocks ports used for hkp/hkps, you may need to specify port 80, i.e. {{ic|pool.sks-keyservers.net:80}}<br />
* You can connect to the keyserver over [[Tor]] using {{ic|--use-tor}}. See this [https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html GnuPG blog post] for more information.<br />
* You can connect to a keyserver using a proxy by setting the {{ic|http_proxy}} environment variable and setting {{ic|honor-http-proxy}} in {{ic|dirmngr.conf}}. Alternatively, set {{ic|http-proxy ''host[:port]''}} in {{ic|dirmngr.conf}}, overriding the {{ic|http_proxy}} environment variable. [[Restart]] the {{ic|dirmngr.service}} [[systemd/User|user service]] for the changes to take effect.<br />
* If you wish to import a key ID to install a specific Arch Linux package, see [[pacman/Package signing#Managing the keyring]] and [[Makepkg#Signature checking]].}}<br />
<br />
=== Encrypt and decrypt ===<br />
<br />
==== Asymmetric ====<br />
You need to [[#Import a public key]] of a user before encrypting (options {{ic|--encrypt}} or {{ic|-e}}) a file or message to that recipient (options {{ic|--recipient}} or {{ic|-r}}). Additionally you need to [[#Create a key pair]] if you have not already done so.<br />
<br />
To encrypt a file with the name ''doc'', use:<br />
<br />
$ gpg --recipient ''user-id'' --encrypt ''doc''<br />
<br />
To decrypt (option {{ic|--decrypt}} or {{ic|-d}}) a file with the name ''doc''.gpg encrypted with your public key, use:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
''gpg'' will prompt you for your passphrase and then decrypt and write the data from ''doc''.gpg to ''doc''. If you omit the {{ic|-o}} ({{ic|--output}}) option, ''gpg'' will write the decrypted data to stdout.<br />
<br />
{{Tip|<br />
* Add {{ic|--armor}} to encrypt a file using ASCII armor (suitable for copying and pasting a message in text format)<br />
* Use {{ic|-R ''user-id''}} or {{ic|--hidden-recipient ''user-id''}} instead of {{ic|-r}} to not put the recipient key IDs in the encrypted message. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis.<br />
* Add {{ic|--no-emit-version}} to avoid printing the version number, or add the corresponding setting to your configuration file.<br />
* You can use gnupg to encrypt your sensitive documents by using your own user-id as recipient or by using the {{ic|--default-recipient-self}} flag instead; however, you can only do this one file at a time, although you can always tarball various files and then encrypt the tarball. See also [[Disk encryption#Available methods]] if you want to encrypt directories or a whole file-system.}}<br />
<br />
==== Symmetric ====<br />
Symmetric encryption does not require the generation of a key pair and can be used to simply encrypt data with a passphrase. Simply use {{ic|--symmetric}} or {{ic|-c}} to perform symmetic encryption:<br />
<br />
$ gpg -c ''doc''<br />
<br />
The following example:<br />
<br />
* Encrypts {{ic|''doc''}} with a symmetric cipher using a passphrase<br />
* Uses the AES-256 cipher algorithm to encrypt the passphrase<br />
* Uses the SHA-512 digest algorithm to mangle the passphrase<br />
* Mangles the passphrase for 65536 iterations<br />
<br />
$ gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536 ''doc''<br />
<br />
To decrypt a symmetrically encrypted {{ic|''doc''.gpg}} using a passphrase and output decrypted contents into the same directory as {{ic|''doc''}} do:<br />
<br />
$ gpg --output ''doc'' --decrypt ''doc''.gpg<br />
<br />
== Key maintenance ==<br />
<br />
=== Backup your private key ===<br />
<br />
To backup your private key do the following:<br />
<br />
$ gpg --export-secret-keys --armor ''<user-id>'' > ''privkey.asc''<br />
<br />
Note that ''gpg'' release 2.1 changed default behaviour so that the above command enforces a passphrase protection, even if you deliberately chose not to use one on key creation. This is because otherwise anyone who gains access to the above exported file would be able to encrypt and sign documents as if they were you ''without'' needing to know your passphrase. <br />
<br />
{{Warning|The passphrase is usually the weakest link in protecting your secret key. Place the private key in a safe place on a different system/device, such as a locked container or encrypted drive. It is the only safety you have to regain control to your keyring in case of, for example, a drive failure, theft or worse.}}<br />
<br />
To import the backup of your private key:<br />
$ gpg --import ''privkey.asc''<br />
<br />
=== Edit your key ===<br />
<br />
Running the {{ic|gpg --edit-key ''<user-id>''}} command will present a menu which enables you to do most of your key management related tasks.<br />
<br />
Some useful commands in the edit key sub menu:<br />
> passwd # change the passphrase<br />
> clean # compact any user ID that is no longer usable (e.g revoked or expired)<br />
> revkey # revoke a key<br />
> addkey # add a subkey to this key<br />
> expire # change the key expiration time<br />
<br />
Type {{ic|help}} in the edit key sub menu for more commands.<br />
<br />
{{Tip|If you have multiple email accounts you can add each one of them as an identity, using {{ic|adduid}} command. You can then set your favourite one as {{ic|primary}}.}}<br />
<br />
=== Exporting subkey ===<br />
<br />
If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.<br />
<br />
First, find out which subkey you want to export.<br />
<br />
$ gpg -K<br />
<br />
Select only that subkey to export.<br />
<br />
$ gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg<br />
<br />
{{Warning|If you forget to add the !, all of your subkeys will be exported.}}<br />
<br />
At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder. <br />
<br />
$ gpg --homedir /tmp/gpg --import /tmp/subkey.gpg<br />
$ gpg --homedir /tmp/gpg --edit-key ''<user-id>''<br />
> passwd<br />
> save<br />
$ gpg --homedir /tmp/gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.altpass.gpg<br />
<br />
{{Note|You will get a warning that the master key was not available and the password was not changed, but that can safely be ignored as the subkey password was.}}<br />
<br />
At this point, you can now use {{ic|/tmp/subkey.altpass.gpg}} on your other devices.<br />
<br />
=== Rotating subkeys ===<br />
<br />
{{Warning|'''Never''' delete your expired or revoked subkeys unless you have a good reason. Doing so will cause you to lose the ability to decrypt files encrypted with the old subkey. Please '''only''' delete expired or revoked keys from other users to clean your keyring.}}<br />
<br />
If you have set your subkeys to expire after a set time, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.<br />
<br />
{{Tip|You do not need to create a new key simply because it is expired. You can extend the expiration date.}}<br />
<br />
Create new subkey (repeat for both signing and encrypting key)<br />
<br />
$ gpg --edit-key ''<user-id>''<br />
> addkey<br />
<br />
And answer the following questions it asks (see [[#Create a key pair]] for suggested settings).<br />
<br />
Save changes<br />
<br />
> save<br />
<br />
Update it to a keyserver.<br />
<br />
$ gpg --keyserver pgp.mit.edu --send-keys ''<user-id>''<br />
<br />
{{Tip|Revoking expired subkeys is unnecessary and arguably bad form. If you are constantly revoking keys, it may cause others to lack confidence in you.}}<br />
<br />
== Signatures ==<br />
<br />
Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user's private key. The recipient of a signed document then verifies the signature using the sender's public key.<br />
<br />
=== Create a signature ===<br />
<br />
==== Sign a file ====<br />
<br />
To sign a file use the {{ic|--sign}} or {{ic|-s}} flag:<br />
<br />
$ gpg --output ''doc''.sig --sign ''doc''<br />
<br />
{{ic|''doc''.sig}} contains both the compressed content of the original file {{ic|''doc''}} and the signature in a binary format, but the file is not encrypted. However, you can combine signing with [[#Encrypt and decrypt|encrypting]].<br />
<br />
==== Clearsign a file or message ====<br />
<br />
To sign a file without compressing it into binary format use:<br />
<br />
$ gpg --output ''doc''.sig --clearsign ''doc''<br />
<br />
Here both the content of the original file {{ic|''doc''}} and the signature are stored in human-readable form in {{ic|''doc''.sig}}.<br />
<br />
==== Make a detached signature ====<br />
<br />
To create a separate signature file to be distributed separately from the document or file itself, use the {{ic|--detach-sig}} flag:<br />
<br />
$ gpg --output ''doc''.sig --detach-sig ''doc''<br />
<br />
Here the signature is stored in {{ic|''doc''.sig}}, but the contents of {{ic|''doc''}} are not stored in it. This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.<br />
<br />
=== Verify a signature ===<br />
<br />
To verify a signature use the {{ic|--verify}} flag:<br />
<br />
$ gpg --verify ''doc''.sig<br />
<br />
where {{ic|''doc''.sig}} is the signed file containing the signature you wish to verify.<br />
<br />
If you are verifying a detached signature, both the signed data file and the signature file must be present when verifying. For example, to verify Arch Linux's latest iso you would do:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig<br />
<br />
where {{ic|archlinux-''version''.iso}} must be located in the same directory.<br />
<br />
You can also specify the signed data file with a second argument:<br />
<br />
$ gpg --verify archlinux-''version''.iso.sig ''/path/to/''archlinux-''version''.iso<br />
<br />
If a file as been encrypted in addition to being signed, simply [[#Encrypt and decrypt|decrypt]] the file and its signature will also be verified.<br />
<br />
== gpg-agent ==<br />
<br />
''gpg-agent'' is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. {{Pkg|gnupg}} comes with [[systemd/User|systemd user]] sockets which are enabled by default. These sockets are {{ic|gpg-agent.socket}}, {{ic|gpg-agent-extra.socket}}, {{ic|gpg-agent-browser.socket}}, {{ic|gpg-agent-ssh.socket}}, and {{ic|dirmngr.socket}}.<br />
<br />
{{Expansion|Add {{ic|gpg-agent-browser.socket}} to the list.}}<br />
<br />
* The main {{ic|gpg-agent.socket}} is used by ''gpg'' to connect to the ''gpg-agent'' daemon.<br />
* The intended use for the {{ic|gpg-agent-extra.socket}} on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use ''gpg'' on the remote system without exposing the private keys to the remote system. See {{man|1|gpg-agent}} for details.<br />
* The {{ic|gpg-agent-ssh.socket}} can be used by [[SSH]] to cache [[SSH keys]] added by the ''ssh-add'' program. See [[#SSH agent]] for the necessary configuration.<br />
* The {{ic|dirmngr.socket}} starts a GnuPG daemon handling connections to keyservers.<br />
<br />
{{Note|If you use non-default GnuPG [[#Directory location]], you will need to [[edit]] all socket files to use the values of {{ic|gpgconf --list-dirs}}.}}<br />
<br />
=== Configuration ===<br />
<br />
gpg-agent can be configured via {{ic|~/.gnupg/gpg-agent.conf}} file. The configuration options are listed in {{man|1|gpg-agent}}. For example you can change cache ttl for unused keys:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl 3600<br />
}}<br />
<br />
{{Tip|To cache your passphrase for the whole session, please run the following command:<br />
$ /usr/lib/gnupg/gpg-preset-passphrase --preset XXXXXX<br />
<br />
where XXXX is the keygrip. You can get its value when running {{ic|gpg --with-keygrip -K}}. Passphrase will be stored until {{ic|gpg-agent}} is restarted. If you set up {{ic|default-cache-ttl}} value, it will take precedence.<br />
}}<br />
<br />
=== Reload the agent ===<br />
<br />
After changing the configuration, reload the agent using ''gpg-connect-agent'':<br />
<br />
$ gpg-connect-agent reloadagent /bye<br />
<br />
The command should print {{ic|OK}}.<br />
<br />
However in some cases only the restart may not be sufficient, like when {{ic|keep-screen}} has been added to the agent configuration.<br />
In this case you firstly need to kill the ongoing gpg-agent process and then you can restart it as was explained above.<br />
<br />
=== pinentry ===<br />
<br />
Finally, the agent needs to know how to ask the user for the password. This can be set in the gpg-agent configuration file.<br />
<br />
The default uses {{ic|/usr/bin/pinentry-gnome3}}, falling back to {{ic|/usr/bin/pinentry-qt}}, {{ic|/usr/bin/pinentry-gtk-2}} and at last {{ic|/usr/bin/pinentry-curses}} if none of the previous were functioning. However there are other options - see {{ic|info pinentry}}. To change the dialog implementation set {{ic|pinentry-program}} configuration option:<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
<br />
# PIN entry program<br />
# pinentry-program /usr/bin/pinentry-gnome3<br />
# pinentry-program /usr/bin/pinentry-qt<br />
# pinentry-program /usr/bin/pinentry-curses<br />
# pinentry-program /usr/bin/pinentry-kwallet<br />
<br />
pinentry-program /usr/bin/pinentry-gtk-2<br />
}}<br />
<br />
{{Tip|For using {{ic|/usr/bin/pinentry-kwallet}} you have to install the {{AUR|kwalletcli}} package.}}<br />
<br />
After making this change, reload the gpg-agent.<br />
<br />
=== Unattended passphrase ===<br />
<br />
Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the {{ic|--passphrase-fd 0}} commandline option. In order to have the same type of functionality as the older releases two things must be done:<br />
<br />
First, edit the gpg-agent configuration to allow ''loopback'' pinentry mode:<br />
<br />
{{hc|1=~/.gnupg/gpg-agent.conf|2=<br />
allow-loopback-pinentry<br />
}}<br />
<br />
Restart the gpg-agent process if it is running to let the change take effect.<br />
<br />
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:<br />
<br />
$ gpg --pinentry-mode loopback ...<br />
<br />
...or if this is not possible, add the option to the configuration:<br />
<br />
{{hc|1=~/.gnupg/gpg.conf|2=<br />
pinentry-mode loopback<br />
}}<br />
<br />
{{Note|The upstream author indicates setting {{ic|pinentry-mode loopback}} in {{ic|gpg.conf}} may break other usage, using the commandline option should be preferred if at all possible. [https://bugs.g10code.com/gnupg/issue1772]}}<br />
<br />
=== SSH agent ===<br />
<br />
''gpg-agent'' has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your [[SSH keys]]. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.<br />
<br />
==== Set SSH_AUTH_SOCK ====<br />
<br />
You have to set {{ic|SSH_AUTH_SOCK}} so that SSH will use ''gpg-agent'' instead of ''ssh-agent''. To make sure each process can find your ''gpg-agent'' instance regardless of e.g. the type of shell it is child of use [[Environment_variables#Using_pam_env|pam_env]].<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
}}<br />
<br />
{{note|If you set your {{ic|SSH_AUTH_SOCK}} manually (such as in this pam_env example), keep in mind that your socket location may be different if you are using a custom {{ic|GNUPGHOME}}. You can use the following bash example, or change {{ic|SSH_AUTH_SOCK}} to the value of {{ic|gpgconf --list-dirs agent-ssh-socket}}.}}<br />
<br />
Alternatively, depend on Bash. This works for non-standard socket locations as well:<br />
<br />
{{hc|~/.bashrc|2=<br />
unset SSH_AGENT_PID<br />
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then<br />
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"<br />
fi<br />
}}<br />
<br />
{{Note|1=The test involving the {{ic|gnupg_SSH_AUTH_SOCK_by}} variable is for the case where the agent is started as {{ic|gpg-agent --daemon /bin/sh}}, in which case the shell inherits the {{ic|SSH_AUTH_SOCK}} variable from the parent, ''gpg-agent'' [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/gpg-agent.c;hb=7bca3be65e510eda40572327b87922834ebe07eb#l1307].}}<br />
<br />
==== Configure pinentry to use the correct TTY ====<br />
<br />
Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in {{man|1|gpg-agent}}. For example:<br />
<br />
{{hc|~/.bashrc|<nowiki><br />
# Set GPG TTY<br />
export GPG_TTY=$(tty)<br />
<br />
# Refresh gpg-agent tty in case user switches into an X session<br />
gpg-connect-agent updatestartuptty /bye >/dev/null<br />
</nowiki>}}<br />
<br />
==== Add SSH keys ====<br />
<br />
Once ''gpg-agent'' is running you can use ''ssh-add'' to approve keys, following the same steps as for [[SSH keys#ssh-agent|ssh-agent]]. The list of approved keys is stored in the {{ic|~/.gnupg/sshcontrol}} file. <br />
<br />
Once your key is approved, you will get a ''pinentry'' dialog every time your passphrase is needed. You can control passphrase caching in the {{ic|~/.gnupg/gpg-agent.conf}} file. The following example would have ''gpg-agent'' cache your keys for 3 hours:<br />
<br />
{{hc|~/.gnupg/gpg-agent.conf|<br />
default-cache-ttl-ssh 10800<br />
max-cache-ttl-ssh 10800<br />
}}<br />
<br />
==== Using a PGP key for SSH authentication ====<br />
<br />
If the {{ic|enable-ssh-agent}} option is enabled for {{ic|gpg-agent}}, you can use your PGP key as an SSH key. This requires a key with the {{ic|Authentication}} capability (see [[#Custom capabilities]]). There are various benefits gained by using a PGP key for SSH authentication, including:<br />
<br />
* Reduced key maintenance, as you will no longer need to maintain an SSH key<br />
* The ability to store the authentication key on a smartcard. GnuPG will automatically detect the key when the card is available, and add it to the agent (check with {{ic|ssh-add -l}} or {{ic|ssh-add -L}}). The comment for the key should be something like: {{ic|openpgp:''key-id''}} or {{ic|cardno:''card-id''}}. Note that your key may not be added to {{ic|$HOME/.gnupg/sshcontrol}}, which is where normal SSH keys are listed.<br />
<br />
To add your key to the agent for the first time, you need to add the keygrip for your key with the Authentication capability to {{ic|$HOME/.gnupg/sshcontrol}}. You can get the keygrip of your key by executing {{ic|gpg --list-keys --with-keygrip}}, like so:<br />
<br />
$ gpg --list-keys --with-keygrip<br />
sub rsa4096/1234ABCD1234ABCD 2001-01-01 [A] [expires: 2002-01-01]<br />
Keygrip = < put this value on its own line in $HOME/.gnupg/sshcontrol<br />
<br />
Adding the keygrip to {{ic|$HOME/.gnupg/sshcontrol}} is a one-time action; you will not need to edit the file again, unless you are adding additional keygrips. You can retrieve the public key for your Authentication key by executing {{ic|ssh-add -L}}.<br />
<br />
== Smartcards ==<br />
<br />
GnuPG uses ''scdaemon'' as an interface to your smartcard reader, please refer to the [[man page]] for details.<br />
<br />
=== GnuPG only setups ===<br />
<br />
{{Note| To allow scdaemon direct access to USB smarcard readers the optional dependency {{Pkg|libusb-compat}} have to be installed}}<br />
<br />
If you do not plan to use other cards but those based on GnuPG, you should check the {{Ic|reader-port}} parameter in {{ic|~/.gnupg/scdaemon.conf}}. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.<br />
<br />
=== GnuPG with pcscd (PCSC Lite) ===<br />
<br />
{{Note|{{Pkg|pcsclite}} and {{Pkg|ccid}} have to be installed, and the contained [[systemd#Using units|systemd]] service {{ic|pcscd.service}} has to be running, or the socket {{ic|pcscd.socket}} has to be listening.}}<br />
<br />
pcscd is a daemon which handles access to smartcard (SCard API). If GnuPG's scdaemon fails to connect the smartcard directly (e.g. by using its integrated CCID support), it will fallback and try to find a smartcard using the PCSC Lite driver.<br />
<br />
==== Always use pcscd ====<br />
<br />
If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using {{Ic|gpg --card-status}}<br />
<br />
gpg: selecting openpgp failed: ec=6.108<br />
<br />
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove {{Ic|reader-port}} from {{ic|~/.gnupg/scdaemon.conf}}, specify the location to {{ic|libpcsclite.so}} library and disable ccid so we make sure that we use pcscd:<br />
<br />
{{hc|~/.gnupg/scdaemon.conf|<nowiki><br />
pcsc-driver /usr/lib/libpcsclite.so<br />
card-timeout 5<br />
disable-ccid<br />
</nowiki>}}<br />
<br />
Please check {{man|1|scdaemon}} if you do not use OpenSC.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Different algorithm ===<br />
<br />
You may want to use stronger algorithms:<br />
<br />
{{hc|~/.gnupg/gpg.conf|<br />
...<br />
<br />
personal-digest-preferences SHA512<br />
cert-digest-algo SHA512<br />
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br />
personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES<br />
}}<br />
<br />
In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.<br />
<br />
=== Encrypt a password ===<br />
<br />
It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.<br />
<br />
First create a file with your password. You '''need''' to leave '''one''' empty line after the password, otherwise gpg will return an error message when evaluating the file.<br />
<br />
Then run:<br />
<br />
$ gpg -e -a -r ''<user-id>'' ''your_password_file''<br />
<br />
{{ic|-e}} is for encrypt, {{ic|-a}} for armor (ASCII output), {{ic|-r}} for recipient user ID.<br />
<br />
You will be left with a new {{ic|''your_password_file''.asc}} file.<br />
<br />
{{Tip|[[pass]] automates this process.}}<br />
<br />
=== Revoking a key ===<br />
<br />
{{Warning|<br />
*Anybody having access to your revocation certificate can revoke your key, rendering it useless.<br />
*Key revocation should only be performed if your key is compromised or lost, or you forget your passphrase.}}<br />
<br />
Revocation certificates are automatically generated for newly generated keys, although one can be generated manually by the user later. These are located at {{ic|~/.gnupg/openpgp-revocs.d/}}. The filename of the certificate is the fingerprint of the key it will revoke.<br />
<br />
To revoke your key, simply import the revocation certificate:<br />
<br />
$ gpg --import ''<fingerprint>''.rev<br />
<br />
Now update the keyserver:<br />
<br />
$ gpg --keyserver subkeys.pgp.net --send-keys ''<userid>''<br />
<br />
=== Change trust model ===<br />
<br />
By default GnuPG uses the [[Wikipedia::Web of Trust|Web of Trust]] as the trust model. You can change this to [[Wikipedia::Trust on first use|Trust on first use]] by adding {{ic|1=--trust-model=tofu}} when adding a key or adding this option to your GnuPG configuration file. More details are in [https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html this email to the GnuPG list].<br />
<br />
=== Hide all recipient id's ===<br />
<br />
By default the recipient's key ID is in the encrypted message. This can be removed at encryption time for a recipient by using {{ic|hidden-recipient ''<user-id>''}}. To remove it for all recipients add {{ic|throw-keyids}} to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (''e.g.'' with {{ic|--try-secret-key ''<user-id>''}}).<br />
<br />
=== Using caff for keysigning parties ===<br />
<br />
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the [[Wikipedia::Web of Trust|Web of Trust]]. Keysigning parties allow users to get together at a physical location to validate keys. The [[Wikipedia:Zimmermann–Sassaman key-signing protocol|Zimmermann-Sassaman]] key-signing protocol is a way of making these very effective. [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html Here] you will find a how-to article.<br />
<br />
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool ''caff''. It can be installed from the AUR with the package {{AUR|caff-svn}}.<br />
<br />
To send the signatures to their owners you need a working [[Wikipedia:Message transfer agent|MTA]]. If you do not have already one, install [[msmtp]].<br />
<br />
=== Always show long ID's and fingerprints ===<br />
<br />
To always show long key ID's add {{ic|keyid-format 0xlong}} to your configuration file. To always show full fingerprints of keys, add {{ic|with-fingerprint}} to your configuration file.<br />
<br />
=== Custom capabilities ===<br />
<br />
For further customization also possible to set custom capabilities to your keys. The following capabilities are available:<br />
<br />
* Certify (only for master keys) - allows the key to create subkeys, mandatory for master keys.<br />
* Sign - allows the key to create cryptographic signatures that others can verify with the public key.<br />
* Encrypt - allows anyone to encrypt data with the public key, that only the private key can decrypt.<br />
* Authenticate - allows the key to authenticate with various non-GnuPG programs. The key can be used as e.g. an SSH key. <br />
<br />
It's possible to specify the capabilities of the master key, by running: <br />
<br />
$ gpg --full-generate-key --expert<br />
<br />
And select an option that allows you to set your own capabilities.<br />
<br />
Comparably, to specify custom capabilities for subkeys, add the {{ic|--expert}} flag to {{ic|gpg --edit-key}}, see [[#Edit your key]] for more information.<br />
<br />
=== Cache passwords ===<br />
<br />
To be asked for your GnuPG password only once per session, set {{ic|max-cache-ttl}} and {{ic|default-cache-ttl}} to something very high, for instance:<br />
<br />
{{hc|<br />
gpg-agent.conf|<br />
max-cache-ttl 60480000<br />
default-cache-ttl 60480000<br />
}}<br />
<br />
See [[#gpg-agent]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Not enough random bytes available ===<br />
When generating a key, gpg can run into this error:<br />
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!<br />
To check the available entropy, check the kernel parameters:<br />
cat /proc/sys/kernel/random/entropy_avail<br />
A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy. <br />
<br />
To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki - all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see [[Random number generation#Alternatives]].<br />
<br />
=== su ===<br />
<br />
When using {{Ic|pinentry}}, you must have the proper permissions of the terminal device (e.g. {{Ic|/dev/tty1}}) in use. However, with ''su'' (or ''sudo''), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg:<br />
<br />
# chown root /dev/ttyN # where N is the current tty<br />
<br />
and then change it back after using gpg the first time. The equivalent is likely to be true with {{Ic|/dev/pts/}}.<br />
<br />
{{Note|The owner of tty ''must'' match with the user for which pinentry is running. Being part of the group {{Ic|tty}} '''is not''' enough.}}<br />
<br />
{{Tip|If you run gpg with {{ic|script}} it will use a new tty with the correct ownership:<br />
<br />
# script -q -c "gpg --gen-key" /dev/null<br />
}}<br />
<br />
=== Agent complains end of file ===<br />
<br />
The default pinentry program is {{ic|/usr/bin/pinentry-gnome3}}, which needs a DBus session bus to run properly. See [[General troubleshooting#Session permissions]] for details.<br />
<br />
Alternatively, you can use a variety of different options described in [[#pinentry]].<br />
<br />
=== KGpg configuration permissions ===<br />
<br />
There have been issues with {{Pkg|kgpg}} being able to access the {{ic|~/.gnupg/}} options. One issue might be a result of a deprecated ''options'' file, see the [https://bugs.kde.org/show_bug.cgi?id=290221 bug] report.<br />
<br />
=== GNOME on Wayland overrides SSH agent socket ===<br />
<br />
For Wayland sessions, {{Ic|gnome-session}} sets {{Ic|SSH_AUTH_SOCK}} to the standard gnome-keyring socket, {{Ic|$XDG_RUNTIME_DIR/keyring/ssh}}. This overrides any value set in {{Ic|~/.pam_environmment}} or systemd unit files.<br />
<br />
To disable this behavior, set the {{Ic|GSM_SKIP_AGENT_WORKAROUND}} variable:<br />
<br />
{{hc|~/.pam_environment|2=<br />
SSH_AGENT_PID DEFAULT=<br />
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"<br />
GSM_SKIP_SSH_AGENT_WORKAROUND DEFAULT="true"<br />
}}<br />
<br />
=== mutt ===<br />
<br />
Mutt might not use ''gpg-agent'' correctly, you need to set an [[environment variable]] {{ic|GPG_AGENT_INFO}} (the content doesn't matter) when running mutt. Be also sure to enable password caching correctly, see [[#Cache passwords]].<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?pid=1490821#p1490821 this forum thread]<br />
<br />
=== "Lost" keys, upgrading to gnupg version 2.1 ===<br />
<br />
When {{ic|gpg --list-keys}} fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.<br />
<br />
Please read [http://jo-ke.name/wp/?p=111 GnuPG invalid packet workaround]. Basically, it says that there is a bug with keys in the old {{ic|pubring.gpg}} and {{ic|secring.gpg}} files, which have now been superseded by the new {{ic|pubring.kbx}} file and the {{ic|private-keys-v1.d/}} subdirectory and files. Your missing keys can be recovered with the following commnads:<br />
<br />
$ cd<br />
$ cp -r .gnupg gnupgOLD<br />
$ gpg --export-ownertrust > otrust.txt<br />
$ gpg --import .gnupg/pubring.gpg<br />
$ gpg --import-ownertrust otrust.txt<br />
$ gpg --list-keys<br />
<br />
=== gpg hanged for all keyservers (when trying to receive keys) ===<br />
<br />
If gpg hanged with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working, otherwise it might keeping hanging for all of them.<br />
<br />
=== Smartcard not detected ===<br />
<br />
Your user might not have the permission to access the smartcard which results in a {{ic|card error}} to be thrown, even though the card is correctly set up and inserted.<br />
<br />
One possible solution is to add a new group {{ic|scard}} including the users who need access to the smartcard.<br />
<br />
Then use an [[Udev#Writing_udev_rules|udev]]{{Broken section link}} rule, similar to the following:<br />
{{hc|/etc/udev/rules.d/71-gnupg-ccid.rules|<nowiki><br />
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"<br />
</nowiki>}}<br />
One needs to adapt VENDOR and MODEL according to the {{ic|lsusb}} output, the above example is for a YubikeyNEO.<br />
<br />
=== gpg: WARNING: server 'gpg-agent' is older than us (x < y) ===<br />
<br />
This warning appears if {{ic|gnupg}} is upgraded and the old gpg-agent is still running. [[Restart]] the ''user'''s {{ic|gpg-agent.socket}} (i.e., use the {{ic|--user}} flag when restarting).<br />
<br />
=== gpg: ..., IPC connect call failed ===<br />
<br />
{{Accuracy|The {{ic|gpg-agent*.socket}} systemd sockets provided by the {{Pkg|gnupg}} package create the sockets in {{ic|/run/user/$UID/gnupg/}} which is guaranteed to be an appropriate file system.}}<br />
<br />
Make sure {{ic|gpg-agent}} and {{ic|dirmngr}} are not running with {{ic|killall gpg-agent dirmngr}} and the {{ic|$GNUPGHOME/crls.d/}} folder has permission set to {{ic|700}}.<br />
<br />
If your keyring is stored on a vFat filesystem (e.g. a USB drive), {{ic|gpg-agent}} will fail to create the required sockets (vFat does not support sockets), you can create redirects to a location that handles sockets, e.g. {{ic|/dev/shm}}:<br />
<br />
# export GNUPGHOME=/custom/gpg/home<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > $GNUPGHOME/S.gpg-agent<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.browser\n' > $GNUPGHOME/S.gpg-agent.browser<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.extra\n' > $GNUPGHOME/S.gpg-agent.extra<br />
# printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent.ssh\n' > $GNUPGHOME/S.gpg-agent.ssh<br />
<br />
Test that gpg-agent starts successfully with {{ic|gpg-agent --daemon}}.<br />
<br />
== See also ==<br />
<br />
* [https://gnupg.org/ GNU Privacy Guard Homepage]<br />
* [https://tools.ietf.org/html/rfc4880 RFC4880 "OpenPGP Message Format"]<br />
* [https://fedoraproject.org/wiki/Creating_GPG_Keys Creating GPG Keys (Fedora)]<br />
* [https://wiki.debian.org/Subkeys OpenPGP subkeys in Debian]<br />
* [https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/ A more comprehensive gpg Tutorial]<br />
* [https://help.riseup.net/en/security/message-security/openpgp/gpg-best-practices gpg.conf recommendations and best practices]<br />
* [https://github.com/ioerror/torbirdy/blob/master/gpg.conf Torbirdy gpg.conf]<br />
* [https://www.reddit.com/r/GPGpractice/ /r/GPGpractice - a subreddit to practice using GnuPG.]<br />
* [https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md Protecting code integrity with PGP]</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=AMDGPU&diff=527129AMDGPU2018-06-20T22:04:15Z<p>Sudoforge: /* Installation */ clarity update; add the word "package" so the sentence makes sense</p>
<hr />
<div>[[Category:Graphics]]<br />
[[Category:X server]]<br />
[[ja:AMDGPU]]<br />
[[ru:AMDGPU]]<br />
{{Related articles start}}<br />
{{Related|AMD Catalyst}}<br />
{{Related|ATI}}<br />
{{Related|Xorg}}<br />
{{Related|Vulkan}}<br />
{{Related articles end}}<br />
<br />
'''amdgpu''' is the open source graphics driver for the latest AMD Radeon graphics cards.<br />
<br />
At the moment there is support for [https://www.x.org/wiki/RadeonFeature/ Volcanic Islands (VI) and newer] and experimental support for [https://www.phoronix.com/scan.php?page=news_item&px=AMD-AMDGPU-Released Sea Islands (CI)] and [https://www.phoronix.com/scan.php?page=news_item&px=AMDGPU-SI-Experimental-Code Southern Islands (SI)] cards. AMD has absolutely no plans for supporting the pre-GCN GPUs.<br />
<br />
Owners of unsupported AMD/ATI video cards may use the [[ATI|Radeon open source]] or [[AMD Catalyst|AMD's proprietary]] driver instead.<br />
<br />
== Selecting the right driver ==<br />
<br />
Depending on the card you have, find the right driver in [[Xorg#AMD]]. This page has instructions for '''AMDGPU''' and '''AMDGPU PRO'''.<br />
<br />
== Installation ==<br />
<br />
{{Note|If coming from the proprietary Catalyst driver, see [[AMD Catalyst#Uninstallation]] first.}}<br />
<br />
[[Install]] the {{Pkg|mesa}} package, which provides the DRI driver for 3D acceleration.<br />
<br />
* For 32-bit application support, also install the {{Pkg|lib32-mesa}} package from the [[multilib]] repostory.<br />
* For the DDX driver (which provides 2D acceleration in [[Xorg]]), install the {{Pkg|xf86-video-amdgpu}} package.<br />
* For [[Vulkan]] support, install the {{Pkg|vulkan-radeon}} package. Optionally install the {{Pkg|lib32-vulkan-radeon}} package for 32-bit application support.<br />
<br />
Support for [[#Enabling video acceleration|accelerated video decoding]] is provided by {{Pkg|libva-mesa-driver}} and {{Pkg|lib32-libva-mesa-driver}} or {{Pkg|libva-vdpau-driver}} for VA-API and {{Pkg|mesa-vdpau}} and {{Pkg|lib32-mesa-vdpau}} packages for VDPAU.<br />
<br />
=== Enable Southern Islands (SI) and Sea Islands (CIK) support ===<br />
The {{Pkg|linux}} package enables AMDGPU support for cards of the Southern Islands (SI) and Sea Islands (CIK). When building or compiling a [[kernel]], {{ic|1=CONFIG_DRM_AMDGPU_SI=Y}} and/or {{ic|1=CONFIG_DRM_AMDGPU_CIK=Y}} should be be set in the config.<br />
<br />
Even when AMDGPU support for SI/CIK has been enabled by the kernel, the [[radeon]] driver may be used instead of the AMDGPU driver.<br />
<br />
The following workarounds are available:<br />
* Set {{ic|amdgpu}} as first to load in the [[Mkinitcpio#MODULES]] array, e.g. {{ic|1=MODULES=(amdgpu radeon)}}.<br />
* [[Blacklist]] the {{ic|radeon}} module.<br />
<br />
Also, since kernel 4.13, adding the {{ic|1=amdgpu.si_support=1 radeon.si_support=0}} or {{ic|1=amdgpu.cik_support=1 radeon.cik_support=0}} [[kernel parameter]] is [http://www.phoronix.com/scan.php?page=article&item=linux-413-gcn101&num=1 required]. Otherwise, AMDGPU will not start and you will end up with either radeon being used instead or the display being frozen during the boot.<br />
<br />
=== AMD DC ===<br />
AMD DC (display code), introduced in {{Pkg|linux}} 4.15-4.17, is a new display stack that brings support for atomic mode-setting and HDMI/DP audio.<br />
For more info about AMDGPU-DC, see [https://www.phoronix.com/scan.php?page=news_item&px=AMDGPU-DC-Accepted this article].<br />
<br />
It is enabled by default for GCN2/CIK cards and newer. The GCN1/SI chipset is not supported.<br />
<br />
=== AMDGPU PRO ===<br />
{{Warning|Arch Linux is officially not supported.}}<br />
{{Note|<br />
*To use the proprietary OpenCL component without AMDGPU PRO, [[install]] {{AUR|opencl-amd}} instead.<br />
*A [[downgrade]] of the {{pkg|linux}} (4.9) and [[Xorg]] (1.18) packages is required to use AMDGPU PRO 17.10.<br />
}}<br />
<br />
AMD provides a proprietary, binary userland driver called ''AMDGPU PRO'', which works on top of the open-source AMDGPU kernel driver. The driver provides OpenGL, [[OpenCL]], [[Vulkan]] and [[VDPAU]] support (although this is also supported by the open-source driver). For some workloads it provides better performance than the open-source driver ([https://www.phoronix.com/scan.php?page=news_item&px=AMDGPU-PRO-16.40-Deus-MD example benchmark]), while for others it is true the contrary ([https://openbenchmarking.org/prospect/1610315-TA-AMDGPUPRO08/998ba9b677230564e0fbca342a8e1b9a7e85b6ab example benchmark]).<br />
<br />
See the [https://support.amd.com/en-us/kb-articles/Pages/AMDGPU-PRO-Driver-for-Linux-Release-Notes.aspx release notes] and the [https://www.phoronix.com/forums/forum/linux-graphics-x-org-drivers/amd-linux/855699-amd-representative-says-their-vulkan-linux-driver-will-be-here-soon/page6 announcement at the Phoronix forum] for more information.<br />
<br />
A patched version of the official AMDGPU PRO driver is available as {{AUR|amdgpu-pro}} in [[AUR]].<br />
<br />
== Loading ==<br />
<br />
The {{ic|amdgpu}} kernel module should load fine automatically on system boot.<br />
<br />
If it does not happen, then:<br />
<br />
* Make sure you have the latest {{Pkg|linux-firmware}} package installed. This driver requires the latest firmware for each model to successfully boot.<br />
* Make sure you do '''not''' have {{ic|nomodeset}} or {{ic|1=vga=}} as a [[kernel parameter]], since {{ic|amdgpu}} requires [[KMS]].<br />
* Also, check that you have not disabled {{ic|amdgpu}} by using any [[Kernel_modules#Blacklisting|kernel module blacklisting]].<br />
<br />
=== Enable early KMS ===<br />
<br />
{{Tip|If you have problems with the resolution, [[Kernel mode setting#Forcing modes and EDID]] may help.}}<br />
<br />
[[Kernel mode setting]] (KMS) is supported by the amdgpu driver and is mandatory and enabled by default. <br />
<br />
KMS is typically initialized after the [[Arch boot process#initramfs|initramfs stage]]. It is possible, however, to enable KMS during the initramfs stage. To do this, add the {{ic|amdgpu}} module to the {{ic|MODULES}} line in {{ic|/etc/mkinitcpio.conf}}:<br />
<br />
MODULES=(amdgpu)<br />
<br />
Now, regenerate the initramfs:<br />
<br />
# mkinitcpio -p linux<br />
<br />
The change takes effect at the next reboot.<br />
<br />
== Xorg configuration ==<br />
<br />
[[Xorg]] will automatically load the driver and it will use your monitor's EDID to set the native resolution. Configuration is only required for tuning the driver.<br />
<br />
If you want manual configuration, create {{ic|/etc/X11/xorg.conf.d/20-amdgpu.conf}}, and add the following:<br />
<br />
{{hc|/etc/X11/xorg.conf.d/20-amdgpu.conf|2=<br />
Section "Device"<br />
Identifier "AMD"<br />
Driver "amdgpu"<br />
EndSection<br />
}}<br />
<br />
Using this section, you can enable features and tweak the driver settings.<br />
<br />
== Performance tuning ==<br />
=== Enabling video acceleration ===<br />
<br />
See [[Hardware video acceleration]].<br />
<br />
=== Driver options ===<br />
The following options apply to {{ic|/etc/X11/xorg.conf.d/'''20-amdgpu.conf'''}}.<br />
<br />
Please read {{man|4|amdgpu}} first before setting driver options.<br />
<br />
'''DRI''' sets the maximum level of DRI to enable. Valid values are ''2'' for DRI2 or ''3'' for DRI3. The default is ''3'' for DRI3 if the Xorg version is >= 1.18.3, otherwise DRI2 is used:<br />
<br />
Option "DRI" "3" <br />
<br />
'''TearFree''' controls tearing prevention using the hardware page flipping mechanism. If this option is set, the default value of the property is set to ''auto'', which means that TearFree is on for outputs with rotation or other RandR transforms:<br />
<br />
Option "TearFree" "true"<br />
<br />
== Enable GPU display scaling ==<br />
<br />
{{Move|xrandr|Not specific to AMDGPU.|section=Moving "Enable GPU display scaling" to xrandr}}<br />
<br />
To avoid the usage of the scaler which is built in the display, and use the GPU own scaler instead, when not using the native resolution of the monitor, execute:<br />
$ xrandr --output "<output>" --set "scaling mode" "<scaling mode>"<br />
Possible values for {{ic|"scaling mode"}} are: {{ic|None, Full, Center, Full aspect}}<br />
<br />
* To show the available outputs and settings, execute:<br />
$ xrandr --prop<br />
<br />
* To set {{ic|1=scaling mode = Full aspect}} for just every available output, execute:<br />
$ for output in $(xrandr --prop | grep -E -o -i "^[A-Z\-]+-[0-9]+"); do xrandr --output "$output" --set "scaling mode" "Full aspect"; done<br />
<br />
== Troubleshooting ==<br />
<br />
=== Xorg or applications won't start ===<br />
<br />
* "(EE) AMDGPU(0): [DRI2] DRI2SwapBuffers: drawable has no back or front?" error after opening glxgears, can open Xorg server but OpenGL apps crash.<br />
* "(EE) AMDGPU(0): Given depth (32) is not supported by amdgpu driver" error, Xorg won't start.<br />
<br />
Setting the screen's depth under Xorg to 16 or 32 will cause problems/crash. To avoid that, you should use a standard screen depth of 24 by adding this to your "screen" section (assuming you have one; if you don't, add this to {{ic|/etc/X11/xorg.conf.d/10-screen.conf}}).<br />
<br />
Section "Screen"<br />
Identifier "Screen"<br />
DefaultDepth 24<br />
SubSection "Display"<br />
Depth 24<br />
EndSubSection<br />
EndSection<br />
<br />
=== Screen artifacts and frequency problem ===<br />
<br />
If you have screen artifacts when setting your screen frequency up to 120+Hz your "Memory Clock" and "GPU Clock" are certainly too low to handle the screen request.<br />
<br />
A workaround [https://bugs.freedesktop.org/show_bug.cgi?id=96868#c13] is saving {{ic|high}} or {{ic|low}} in {{ic|/sys/class/drm/card0/device/power_dpm_force_performance_level}}.<br />
<br />
There is a GUI solution [https://github.com/marazmista/radeon-profile] where you can manage the "power_dpm" with {{aur|radeon-profile-git}} and {{aur|radeon-profile-daemon-git}}.<br />
<br />
=== Screen flickering ===<br />
<br />
If you experience flickering [https://bugzilla.kernel.org/show_bug.cgi?id=199101] add {{ic|1=amdgpu.dc=0}} to your kernel parameters.<br />
<br />
=== R9 390 series Poor Performance and/or Instability ===<br />
<br />
If you experience issues [https://bugs.freedesktop.org/show_bug.cgi?id=91880] with a AMD R9 390 series graphics card, add {{ic|1=amdgpu.dpm=1}} to your kernel parameters.</div>Sudoforgehttps://wiki.archlinux.org/index.php?title=AMDGPU&diff=527128AMDGPU2018-06-20T22:02:42Z<p>Sudoforge: /* Installation */ suggest installing lib32-vulkan-radeon</p>
<hr />
<div>[[Category:Graphics]]<br />
[[Category:X server]]<br />
[[ja:AMDGPU]]<br />
[[ru:AMDGPU]]<br />
{{Related articles start}}<br />
{{Related|AMD Catalyst}}<br />
{{Related|ATI}}<br />
{{Related|Xorg}}<br />
{{Related|Vulkan}}<br />
{{Related articles end}}<br />
<br />
'''amdgpu''' is the open source graphics driver for the latest AMD Radeon graphics cards.<br />
<br />
At the moment there is support for [https://www.x.org/wiki/RadeonFeature/ Volcanic Islands (VI) and newer] and experimental support for [https://www.phoronix.com/scan.php?page=news_item&px=AMD-AMDGPU-Released Sea Islands (CI)] and [https://www.phoronix.com/scan.php?page=news_item&px=AMDGPU-SI-Experimental-Code Southern Islands (SI)] cards. AMD has absolutely no plans for supporting the pre-GCN GPUs.<br />
<br />
Owners of unsupported AMD/ATI video cards may use the [[ATI|Radeon open source]] or [[AMD Catalyst|AMD's proprietary]] driver instead.<br />
<br />
== Selecting the right driver ==<br />
<br />
Depending on the card you have, find the right driver in [[Xorg#AMD]]. This page has instructions for '''AMDGPU''' and '''AMDGPU PRO'''.<br />
<br />
== Installation ==<br />
<br />
{{Note|If coming from the proprietary Catalyst driver, see [[AMD Catalyst#Uninstallation]] first.}}<br />
<br />
[[Install]] the {{Pkg|mesa}} package, which provides the DRI driver for 3D acceleration.<br />
<br />
* For 32-bit application support, also install the {{Pkg|lib32-mesa}} package from the [[multilib]] repostory.<br />
* For the DDX driver (which provides 2D acceleration in [[Xorg]]), install the {{Pkg|xf86-video-amdgpu}} package.<br />
* For [[Vulkan]] support, install the {{Pkg|vulkan-radeon}} package. Optionally install the {{Pkg|lib32-vulkan-radeon}} for 32-bit application support.<br />
<br />
Support for [[#Enabling video acceleration|accelerated video decoding]] is provided by {{Pkg|libva-mesa-driver}} and {{Pkg|lib32-libva-mesa-driver}} or {{Pkg|libva-vdpau-driver}} for VA-API and {{Pkg|mesa-vdpau}} and {{Pkg|lib32-mesa-vdpau}} packages for VDPAU.<br />
<br />
=== Enable Southern Islands (SI) and Sea Islands (CIK) support ===<br />
The {{Pkg|linux}} package enables AMDGPU support for cards of the Southern Islands (SI) and Sea Islands (CIK). When building or compiling a [[kernel]], {{ic|1=CONFIG_DRM_AMDGPU_SI=Y}} and/or {{ic|1=CONFIG_DRM_AMDGPU_CIK=Y}} should be be set in the config.<br />
<br />
Even when AMDGPU support for SI/CIK has been enabled by the kernel, the [[radeon]] driver may be used instead of the AMDGPU driver.<br />
<br />
The following workarounds are available:<br />
* Set {{ic|amdgpu}} as first to load in the [[Mkinitcpio#MODULES]] array, e.g. {{ic|1=MODULES=(amdgpu radeon)}}.<br />
* [[Blacklist]] the {{ic|radeon}} module.<br />
<br />
Also, since kernel 4.13, adding the {{ic|1=amdgpu.si_support=1 radeon.si_support=0}} or {{ic|1=amdgpu.cik_support=1 radeon.cik_support=0}} [[kernel parameter]] is [http://www.phoronix.com/scan.php?page=article&item=linux-413-gcn101&num=1 required]. Otherwise, AMDGPU will not start and you will end up with either radeon being used instead or the display being frozen during the boot.<br />
<br />
=== AMD DC ===<br />
AMD DC (display code), introduced in {{Pkg|linux}} 4.15-4.17, is a new display stack that brings support for atomic mode-setting and HDMI/DP audio.<br />
For more info about AMDGPU-DC, see [https://www.phoronix.com/scan.php?page=news_item&px=AMDGPU-DC-Accepted this article].<br />
<br />
It is enabled by default for GCN2/CIK cards and newer. The GCN1/SI chipset is not supported.<br />
<br />
=== AMDGPU PRO ===<br />
{{Warning|Arch Linux is officially not supported.}}<br />
{{Note|<br />
*To use the proprietary OpenCL component without AMDGPU PRO, [[install]] {{AUR|opencl-amd}} instead.<br />
*A [[downgrade]] of the {{pkg|linux}} (4.9) and [[Xorg]] (1.18) packages is required to use AMDGPU PRO 17.10.<br />
}}<br />
<br />
AMD provides a proprietary, binary userland driver called ''AMDGPU PRO'', which works on top of the open-source AMDGPU kernel driver. The driver provides OpenGL, [[OpenCL]], [[Vulkan]] and [[VDPAU]] support (although this is also supported by the open-source driver). For some workloads it provides better performance than the open-source driver ([https://www.phoronix.com/scan.php?page=news_item&px=AMDGPU-PRO-16.40-Deus-MD example benchmark]), while for others it is true the contrary ([https://openbenchmarking.org/prospect/1610315-TA-AMDGPUPRO08/998ba9b677230564e0fbca342a8e1b9a7e85b6ab example benchmark]).<br />
<br />
See the [https://support.amd.com/en-us/kb-articles/Pages/AMDGPU-PRO-Driver-for-Linux-Release-Notes.aspx release notes] and the [https://www.phoronix.com/forums/forum/linux-graphics-x-org-drivers/amd-linux/855699-amd-representative-says-their-vulkan-linux-driver-will-be-here-soon/page6 announcement at the Phoronix forum] for more information.<br />
<br />
A patched version of the official AMDGPU PRO driver is available as {{AUR|amdgpu-pro}} in [[AUR]].<br />
<br />
== Loading ==<br />
<br />
The {{ic|amdgpu}} kernel module should load fine automatically on system boot.<br />
<br />
If it does not happen, then:<br />
<br />
* Make sure you have the latest {{Pkg|linux-firmware}} package installed. This driver requires the latest firmware for each model to successfully boot.<br />
* Make sure you do '''not''' have {{ic|nomodeset}} or {{ic|1=vga=}} as a [[kernel parameter]], since {{ic|amdgpu}} requires [[KMS]].<br />
* Also, check that you have not disabled {{ic|amdgpu}} by using any [[Kernel_modules#Blacklisting|kernel module blacklisting]].<br />
<br />
=== Enable early KMS ===<br />
<br />
{{Tip|If you have problems with the resolution, [[Kernel mode setting#Forcing modes and EDID]] may help.}}<br />
<br />
[[Kernel mode setting]] (KMS) is supported by the amdgpu driver and is mandatory and enabled by default. <br />
<br />
KMS is typically initialized after the [[Arch boot process#initramfs|initramfs stage]]. It is possible, however, to enable KMS during the initramfs stage. To do this, add the {{ic|amdgpu}} module to the {{ic|MODULES}} line in {{ic|/etc/mkinitcpio.conf}}:<br />
<br />
MODULES=(amdgpu)<br />
<br />
Now, regenerate the initramfs:<br />
<br />
# mkinitcpio -p linux<br />
<br />
The change takes effect at the next reboot.<br />
<br />
== Xorg configuration ==<br />
<br />
[[Xorg]] will automatically load the driver and it will use your monitor's EDID to set the native resolution. Configuration is only required for tuning the driver.<br />
<br />
If you want manual configuration, create {{ic|/etc/X11/xorg.conf.d/20-amdgpu.conf}}, and add the following:<br />
<br />
{{hc|/etc/X11/xorg.conf.d/20-amdgpu.conf|2=<br />
Section "Device"<br />
Identifier "AMD"<br />
Driver "amdgpu"<br />
EndSection<br />
}}<br />
<br />
Using this section, you can enable features and tweak the driver settings.<br />
<br />
== Performance tuning ==<br />
=== Enabling video acceleration ===<br />
<br />
See [[Hardware video acceleration]].<br />
<br />
=== Driver options ===<br />
The following options apply to {{ic|/etc/X11/xorg.conf.d/'''20-amdgpu.conf'''}}.<br />
<br />
Please read {{man|4|amdgpu}} first before setting driver options.<br />
<br />
'''DRI''' sets the maximum level of DRI to enable. Valid values are ''2'' for DRI2 or ''3'' for DRI3. The default is ''3'' for DRI3 if the Xorg version is >= 1.18.3, otherwise DRI2 is used:<br />
<br />
Option "DRI" "3" <br />
<br />
'''TearFree''' controls tearing prevention using the hardware page flipping mechanism. If this option is set, the default value of the property is set to ''auto'', which means that TearFree is on for outputs with rotation or other RandR transforms:<br />
<br />
Option "TearFree" "true"<br />
<br />
== Enable GPU display scaling ==<br />
<br />
{{Move|xrandr|Not specific to AMDGPU.|section=Moving "Enable GPU display scaling" to xrandr}}<br />
<br />
To avoid the usage of the scaler which is built in the display, and use the GPU own scaler instead, when not using the native resolution of the monitor, execute:<br />
$ xrandr --output "<output>" --set "scaling mode" "<scaling mode>"<br />
Possible values for {{ic|"scaling mode"}} are: {{ic|None, Full, Center, Full aspect}}<br />
<br />
* To show the available outputs and settings, execute:<br />
$ xrandr --prop<br />
<br />
* To set {{ic|1=scaling mode = Full aspect}} for just every available output, execute:<br />
$ for output in $(xrandr --prop | grep -E -o -i "^[A-Z\-]+-[0-9]+"); do xrandr --output "$output" --set "scaling mode" "Full aspect"; done<br />
<br />
== Troubleshooting ==<br />
<br />
=== Xorg or applications won't start ===<br />
<br />
* "(EE) AMDGPU(0): [DRI2] DRI2SwapBuffers: drawable has no back or front?" error after opening glxgears, can open Xorg server but OpenGL apps crash.<br />
* "(EE) AMDGPU(0): Given depth (32) is not supported by amdgpu driver" error, Xorg won't start.<br />
<br />
Setting the screen's depth under Xorg to 16 or 32 will cause problems/crash. To avoid that, you should use a standard screen depth of 24 by adding this to your "screen" section (assuming you have one; if you don't, add this to {{ic|/etc/X11/xorg.conf.d/10-screen.conf}}).<br />
<br />
Section "Screen"<br />
Identifier "Screen"<br />
DefaultDepth 24<br />
SubSection "Display"<br />
Depth 24<br />
EndSubSection<br />
EndSection<br />
<br />
=== Screen artifacts and frequency problem ===<br />
<br />
If you have screen artifacts when setting your screen frequency up to 120+Hz your "Memory Clock" and "GPU Clock" are certainly too low to handle the screen request.<br />
<br />
A workaround [https://bugs.freedesktop.org/show_bug.cgi?id=96868#c13] is saving {{ic|high}} or {{ic|low}} in {{ic|/sys/class/drm/card0/device/power_dpm_force_performance_level}}.<br />
<br />
There is a GUI solution [https://github.com/marazmista/radeon-profile] where you can manage the "power_dpm" with {{aur|radeon-profile-git}} and {{aur|radeon-profile-daemon-git}}.<br />
<br />
=== Screen flickering ===<br />
<br />
If you experience flickering [https://bugzilla.kernel.org/show_bug.cgi?id=199101] add {{ic|1=amdgpu.dc=0}} to your kernel parameters.<br />
<br />
=== R9 390 series Poor Performance and/or Instability ===<br />
<br />
If you experience issues [https://bugs.freedesktop.org/show_bug.cgi?id=91880] with a AMD R9 390 series graphics card, add {{ic|1=amdgpu.dpm=1}} to your kernel parameters.</div>Sudoforge