Difference between revisions of "GnuPG"

From ArchWiki
Jump to: navigation, search
m (Added Installation section, for completeness)
(Started sction)
Line 9: Line 9:
 
If not, type as root in a terminal:
 
If not, type as root in a terminal:
 
  # pacman -S gnupg
 
  # pacman -S gnupg
 +
 +
== Basic keys management ==
 +
 +
=== Create key ===
 +
 +
* Generate a private key by typing in a terminal:
 +
# gpg --gen-key
 +
 +
You’ll have to answer a bunch of questions but generally, you can accept the defaults.
 +
 +
* Generate an ASCII version of your public key (e.g. to distribute it by e-mail):
 +
# gpg --armor --output public.key --export 'Your Name'
 +
 +
* Register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:
 +
# gpg --send-keys 'Your Name' --keyserver hkp://subkeys.pgp.net
 +
 +
=== Import key ===
 +
 +
* Import a public key to your public key ring:
 +
# gpg --import public.key
 +
 +
* Import a private key to your secret key ring:
 +
# gpg --allow-secret-key-import --import private.key
 +
 +
=== List keys ===
 +
 +
* Keys in your public key ring:
 +
# gpg --list-keys
 +
 +
* Keys in your secret key ring:
 +
# gpg --list-secret-keys
  
 
== Basic usage ==
 
== Basic usage ==
  
You can use gnupg to encrypt your sensitive documents, but only individual files at a time, if you want to encrypt directories or a whole file-system you should consider use [[truecrypt|Truecrypt]], though you can always tarball various files and then encrypt them.
+
You can use gnupg to encrypt your sensitive documents, but only individual files at a time.
 +
 
 +
For example, to decrypt a file data, use:
 +
# gpg -d secret.tar.gpg
 +
 
 +
You'll be prompted to enter your passphrase.
 +
 
 +
If you want to encrypt directories or a whole file-system you should consider use [[truecrypt|Truecrypt]], though you can always tarball various files and then encrypt them.
  
 
=== Symmetric Encryption ===
 
=== Symmetric Encryption ===

Revision as of 23:05, 8 June 2012

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

GnuPG can be used to sign and encrypt files or mails.

Installation

Ensure you have the latest version of gnupg installed. If not, type as root in a terminal:

# pacman -S gnupg

Basic keys management

Create key

  • Generate a private key by typing in a terminal:
# gpg --gen-key

You’ll have to answer a bunch of questions but generally, you can accept the defaults.

  • Generate an ASCII version of your public key (e.g. to distribute it by e-mail):
# gpg --armor --output public.key --export 'Your Name'
  • Register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:
# gpg --send-keys 'Your Name' --keyserver hkp://subkeys.pgp.net

Import key

  • Import a public key to your public key ring:
# gpg --import public.key
  • Import a private key to your secret key ring:
# gpg --allow-secret-key-import --import private.key

List keys

  • Keys in your public key ring:
# gpg --list-keys
  • Keys in your secret key ring:
# gpg --list-secret-keys

Basic usage

You can use gnupg to encrypt your sensitive documents, but only individual files at a time.

For example, to decrypt a file data, use:

# gpg -d secret.tar.gpg

You'll be prompted to enter your passphrase.

If you want to encrypt directories or a whole file-system you should consider use Truecrypt, though you can always tarball various files and then encrypt them.

Symmetric Encryption

gpg-agent

gpg-agent is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. It can be activated by adding following line in ~/.gnupg/gpg.conf:

use-agent

This tells GnuPG to use the agent whenever it needs the password. However, the agent needs to run already. To autostart it, create the following file and make it executable:

/etc/profile.d/gpg-agent.sh
#!/bin/sh

envfile="${HOME}/.gnupg/gpg-agent.env"
if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    eval "$(gpg-agent --daemon --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO  # the env file does not contain the export statement

If you would like to use gpg-agent to manage your SSH keys see SSH Keys#GnuPG Agent.

Finally, the agent needs to know how to ask the user for the password. This can be set in ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-gtk-2

For more options see man gpg-agent.

Smartcards

GnuPG uses scdaemon as an interface to your smartcard reader, please refer to scdaemon man page for details.

GnuPG only setups

If you do not plan to use other cards but those based on GnuPG, you should check the reader-port parameter in ~/.gnupg/scdaemon.conf. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.

GnuPG together with OpenSC

If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using gpg --card-status

gpg: selecting openpgp failed: ec=6.108

By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove reader-port from ~/gnupg/scdaemon.conf, specify the location to libpcsclite.so library and disable ccid so we make sure that we use pcscd.

~/scdaemon.conf
pcsc-driver /usr/lib/libpcsclite.so 
card-timeout 5
disable-ccid

Please check man scdaemon if you do not use OpenSC.

Troubleshooting

Su

When using pinentry, you must have the proper permisions of the terminal device (e.g. /dev/tty1) in use. However, with su (or sudo), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg

chown root /dev/ttyN  # where N is the current tty

and then change it back after using gpg the first time. The equivalent is likely to be true with /dev/pts/.

Note: being part of the group tty does not seem to alleviate the issue, at least as root. (Please confirm with non-superusers)

Agent complains end of file

The default pinetry program is pinetry-gtk-2, which needs a DBus session bus to run properly. Check $DBUS_SESSION_BUS_ADDRESS, if that's missing you can run

 eval $(dbus-launch --sh-syntax --exit-with-session)

to provide the bus. dbus-launch as available in dbus.

Alternatively you can use the qt pinetry.

# ln -sf /usr/bin/pinetry-qt4 /usr/bin/pinetry