Creating and Managing a GPG Key Pair
We'll go over how to create, edit, set a passphrase for, revoke, export, back up and restore a GPG key pair.
You can use your GPG key pair to encrypt files, sign your git commits, use it as an encryption strategy for various password managers like pass and more.
This video focuses on getting your key pair set up and covers the 90% of what you're likely to encounter day to day when managing your key pair.
# Going Over Everything
Timestamps
- 0:47 – Using your gpg key for encrypting files, signing commits & password managers
- 1:58 – Installing the gpg command line tool
- 2:27 – Customizing your gnupg home directory (only for the sake of this video)
- 3:18 – Checking to see if you already have a gpg key pair
- 3:52 – Generating a secure gpg key pair with an expiration date
- 7:56 – Editing your key, specifically updating your expiration date
- 10:13 – Changing your gpg passphrase and keeping it safe
- 11:35 – Creating a revoke certificate to maybe revoke your key pair on demand
- 16:34 – Backing up and restoring your key pair and associated files
- 18:09 – Exporting your gpg public key so you can share it with others
- 19:51 – Configuring your gpg agent to cache your passphrase for a week
- 21:42 – Recap
# Cheatsheet
Here's a reference to the commands run in the video:
Install GnuPG on Debian / Ubuntu
```bash
sudo apt-get install gnupg
# Fix your gnupg home directory's permissions.
chmod 0700 ~/.gnupg/
# Optionally customize your gpg home directory (I only did it for the sake of the video).
export GNUPGHOME=/tmp/gnupg
```
List your GPG keys
```bash
gpg --list-keys
```
Generate a new GPG key pair
```bash
gpg --full-generate-key
# Pick RSA / RSA (1), 4096 bits and choose an expiration date.
```
Edit your GPG key's expiration date
```bash
gpg --edit-key nick@example.com
# Then, at the gpg> prompt, enter each of these in turn:
# key 0
# expire [pick a new exp date]
# key 1
# expire [pick a new exp date]
# save
```
Here’s a list of other things you can edit: https://www.gnupg.org/gph/en/manual/r899.html
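The two checks above (do I already have a key pair for this address, and when does it expire) are easy to script against GnuPG's machine-readable `--with-colons` listing. The following is an added example, not code from the original post or from GnuPG itself. It assumes the colon-format field layout documented in GnuPG's `doc/DETAILS` (field 1 record type, 2 validity letter, 5 key ID, 7 expiration as epoch seconds or `YYYY-MM-DD`, 10 user ID on `uid` records, 12 capabilities), and the embedded listing is a constructed sample with fake key IDs and fingerprints, so it runs offline; when `gpg` is on your PATH the `__main__` block reports on your real keyring instead.

```python
"""Parse `gpg --list-keys --with-colons` output and report key expiry.

Added example (not from the original post or GnuPG). Field numbers follow
GnuPG's doc/DETAILS; SAMPLE_LISTING is a constructed sample, not real keys.
"""
import datetime as dt
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

UTC = dt.timezone.utc

# Constructed sample listing (fake key IDs/fingerprints): one key pair that
# expires on 2024-11-13 with an encryption subkey, plus a revoked old key.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:1731536000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Nick Example <nick@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1700000000:1731536000:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:r:4096:1:1111222233334444:1600000000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444111122223333444411112222:
uid:r::::1600000000::0000000000000000000000000000000000000000::Old Key <old@example.com>::::::::::0:
"""
# Reference "now" used when reporting on the sample (assumed for the example).
SAMPLE_NOW = dt.datetime(2024, 10, 20, tzinfo=UTC)


@dataclass
class KeyRecord:
    kind: str                       # "pub" (primary key) or "sub" (subkey)
    keyid: str
    validity: str                   # u=ultimate, e=expired, r=revoked, ...
    capabilities: str               # e.g. "scESC" for a primary, "e" for an encryption subkey
    expires: Optional[dt.datetime]  # None means the key never expires
    uid: str = ""                   # first user ID of the owning primary key


def _parse_date(field: str) -> Optional[dt.datetime]:
    """Field 7 is empty (never expires), epoch seconds, or YYYY-MM-DD on old versions."""
    if not field:
        return None
    if field.isdigit():
        return dt.datetime.fromtimestamp(int(field), tz=UTC)
    return dt.datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=UTC)


def parse_listing(text: str) -> List[KeyRecord]:
    """Turn colon-format output into KeyRecords; the first uid is copied to pub and its subs."""
    records: List[KeyRecord] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            uid = records[-1].uid if (f[0] == "sub" and records) else ""
            records.append(KeyRecord(f[0], f[4], f[1], f[11], _parse_date(f[6]), uid))
        elif f[0] == "uid" and records and len(f) > 9 and not records[-1].uid:
            records[-1].uid = f[9]  # first uid line following a pub record
    return records


def find_keys(records: List[KeyRecord], email: str) -> List[KeyRecord]:
    """Primary keys whose user ID contains the address: the 'do I already have a key?' check."""
    return [r for r in records if r.kind == "pub" and email in r.uid]


def expiry_report(records: List[KeyRecord], now: dt.datetime, warn_days: int = 30
                  ) -> List[Tuple[str, str, str, Optional[int]]]:
    """(kind, keyid, status, days_left) per key; status is revoked, never-expires,
    expired, expiring-soon (within warn_days) or ok."""
    report = []
    for r in records:
        days: Optional[int] = None
        if r.validity == "r":
            status = "revoked"
        elif r.expires is None:
            status = "never-expires"
        else:
            days = (r.expires - now).days
            status = "expired" if days < 0 else "expiring-soon" if days <= warn_days else "ok"
        report.append((r.kind, r.keyid, status, days))
    return report


def local_listing() -> Optional[str]:
    """Output of the installed gpg, or None when gpg is not on PATH."""
    if shutil.which("gpg") is None:
        return None
    return subprocess.run(["gpg", "--list-keys", "--with-colons"],
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    text = local_listing() or SAMPLE_LISTING
    for kind, keyid, status, days in expiry_report(parse_listing(text), dt.datetime.now(UTC)):
        print(f"{kind} {keyid} {status}" + (f" ({days} days left)" if days is not None else ""))
```

Subkeys are reported separately from the primary key on purpose: the cheatsheet's `key 0` / `key 1` edit steps exist precisely because each can carry its own expiration date, and a primary key that is still valid does you no good if the encryption subkey under it has already lapsed.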
Change your GPG key's passphrase
```bash
gpg --passwd nick@example.com
```
Generate and import a GPG revoke certificate
```bash
# You can skip this step if you're using GnuPG version 2.1 or above: it already
# generated a revocation certificate in ~/.gnupg/openpgp-revocs.d/ when the key was created.
gpg --output revoke-nickexample.asc --gen-revoke nick@example.com
# Revoke the GPG key (importing the certificate marks the key as revoked).
gpg --import revoke-nickexample.asc
```
Backup and restore your GPG key pair
You can back up the entire ~/.gnupg/ directory and restore it as needed. This is beneficial because it includes your GPG key pair, trust ring, gpg configuration and everything else that GnuPG needs to work.
Alternatively you can run this command to back up just your private key, which includes your public key too:
```bash
gpg --export-secret-keys --armor --output nickexample.gpg nick@example.com
# Restore it later with: gpg --import nickexample.gpg
```
You should never share this directory or private key with anyone.
Export your GPG public key
```bash
# Echo your public key to stdout.
gpg --export --armor nick@example.com
# Write your public key to a file.
gpg --export --armor --output nickexample.gpg.pub nick@example.com
```
This public key is safe to share with others.
Were you able to get your GPG key pair set up? Let me know below.