diff --git a/data/gpg.md b/data/gpg.md index 2e489b6..75dff3f 100644 --- a/data/gpg.md +++ b/data/gpg.md 
@@ -1,7 +1,146 @@ --- -title: "gpg" -tags: [ "data", "gpg" ] +title: "GPG Basics" +tags: [ "data", "GPG" ] --- +# Making keys + +Generate keys: + +```sh +gpg --full-generate-key +``` + +Follow the guide. + +# Encrypting a file + +```sh +gpg -r malinfreeborn@posteo.net -e file +``` + +`-r` specifies the recipient. + +Check you have an encrypted version of your file. + +# Changing Expiration Dates + + +```sh +gpg --list-keys +# or... +gpg -k +``` + +... and then use the second part of 'pub', which is the ID. But that's not appearing here so... on with gpg2? + +# Making encrypted files with a local password + +Make a password with a password (cypher encryption). + +```sh +gpg -c --output passwords.txt +``` + +or + +```sh +gpg -c > passwords.txt +``` + +Put in a password. + +Write message then stop with Ctrl+d. + +Get the message back out the file with: + +```sh +gpg -d passwords.txt +``` + +# Circles of Trust + +Search for a key at any key store: + +```sh +gpg --search-keys nestorv +``` + +Once you've made a decision about someone: + +```sh +gpg --list-keys +``` + +You get something like this: + +``` +pub rsa3072 2021-08-15 [SC] [expires: 2023-08-15] + CD30421FD825696BD95F1FF644C62C57B790D3CF +uid [ultimate] Malin Freeborn +sub rsa3072 2021-08-15 [E] [expires: after-forever] + +``` + +Notice the long, ugly, string - `CD30421FD825696BD95F1FF644C62C57B790D3CF` - and how horribly ugly it is. +This is a fingerprint. + +You can now decide the trust level (this stays on your computer). + +```sh +gpg --edit-key CD30421FD825696BD95F1FF644C62C57B790D3CF +``` + +Once you're in the interface, type `trust`. + +```sh +gpg --sign-key alice@posteo.net +``` + +# Swapping Keys + +This system relies on a ring of people swapping key information. 
+ +## Sending + +Send those trusted keys up to a server, so people can see you have verified them: + +```sh +gpg --send-keys 024C6B1C84449BD1CB4DF7A152295D2377F4D70F +``` + +## Upload Your Keys + +## Add More Key Servers + +Key servers often swap keys, but it's best to just send to multiple places immediately. +You can add key servers by adding this to `~/.gnupg/gpg.conf`. + +``` +keyserver hkps://keys.openpgp.org +keyserver hkps://mail-api.proton.me +keyserver hkps://keys.mailvelope.com +``` + +# Refresh Keys + +Refreshing keys will tell you if some key you have contains a signature from someone you already trust, or if someone has published a revocation certificate (meaning their key should not be trusted any more). + +```sh +gpg --refresh-keys +``` + +You can use the [crontab](../../system/cron.md) to refresh keys, but this will mostly fail, since keyservers often don't hold the right data. + +# Export + +Your public key: + +```sh +gpg --output me.gpg --armor --export +``` +Alternatively: + +```sh +gpg --export -a person@email.tld > my_key.pub +``` -- [Setup](gpg/basics.md) -- [Extras](gpg/extras.md) diff --git a/data/gpg/basics.md b/data/gpg/basics.md deleted file mode 100644 index 75dff3f..0000000 --- a/data/gpg/basics.md +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -title: "GPG Basics" -tags: [ "data", "GPG" ] ---- -# Making keys - -Generate keys: - -```sh -gpg --full-generate-key -``` - -Follow the guide. - -# Encrypting a file - -```sh -gpg -r malinfreeborn@posteo.net -e file -``` - -`-r` specifies the recipient. - -Check you have an encrypted version of your file. - -# Changing Expiration Dates - - -```sh -gpg --list-keys -# or... -gpg -k -``` - -... and then use the second part of 'pub', which is the ID. But that's not appearing here so... on with gpg2? - -# Making encrypted files with a local password - -Make a password with a password (cypher encryption). - -```sh -gpg -c --output passwords.txt -``` - -or - -```sh -gpg -c > passwords.txt -``` - -Put in a password. - -Write message then stop with Ctrl+d. - -Get the message back out the file with: - -```sh -gpg -d passwords.txt -``` - -# Circles of Trust - -Search for a key at any key store: - -```sh -gpg --search-keys nestorv -``` - -Once you've made a decision about someone: - -```sh -gpg --list-keys -``` - -You get something like this: - -``` -pub rsa3072 2021-08-15 [SC] [expires: 2023-08-15] - CD30421FD825696BD95F1FF644C62C57B790D3CF -uid [ultimate] Malin Freeborn -sub rsa3072 2021-08-15 [E] [expires: after-forever] - -``` - -Notice the long, ugly, string - `CD30421FD825696BD95F1FF644C62C57B790D3CF` - and how horribly ugly it is. -This is a fingerprint. - -You can now decide the trust level (this stays on your computer). - -```sh -gpg --edit-key CD30421FD825696BD95F1FF644C62C57B790D3CF -``` - -Once you're in the interface, type `trust`. - -```sh -gpg --sign-key alice@posteo.net -``` - -# Swapping Keys - -This system relies on a ring of people swapping key information. 
- -## Sending - -Send those trusted keys up to a server, so people can see you have verified them: - -```sh -gpg --send-keys 024C6B1C84449BD1CB4DF7A152295D2377F4D70F -``` - -## Upload Your Keys - -## Add More Key Servers - -Key servers often swap keys, but it's best to just send to multiple places immediately. -You can add key servers by adding this to `~/.gnupg/gpg.conf`. - -``` -keyserver hkps://keys.openpgp.org -keyserver hkps://mail-api.proton.me -keyserver hkps://keys.mailvelope.com -``` - -# Refresh Keys - -Refreshing keys will tell you if some key you have contains a signature from someone you already trust, or if someone has published a revocation certificate (meaning their key should not be trusted any more). - -```sh -gpg --refresh-keys -``` - -You can use the [crontab](../../system/cron.md) to refresh keys, but this will mostly fail, since keyservers often don't hold the right data. - -# Export - -Your public key: - -```sh -gpg --output me.gpg --armor --export -``` -Alternatively: - -```sh -gpg --export -a person@email.tld > my_key.pub -``` - diff --git a/data/gpg/extras.md b/data/gpg/gpg_pinentry.md similarity index 55% rename from data/gpg/extras.md rename to data/gpg/gpg_pinentry.md index f9ba512..11b048d 100644 --- a/data/gpg/extras.md +++ b/data/gpg/gpg_pinentry.md @@ -1,16 +1,9 @@ --- -title: "gpg with vim" -tags: [ "vim", "data", "GPG" ] +title: "GPG Password Entry" +tags: [ "vim", "secrets", "TUI" ] requires: [ "GPG Basics", "vim basics" ] --- -The `vim-gnupg` plugin lets vim edit gpg-encrypted files as if they were unencrypted. - -It's probably in your package manager. -If not, you'll need to endure the faff of following the [instructions](http://www.vim.org/scripts/script.php?script_id=3645). - - -## Prompt for password in terminal Check your current gpg-agent configuration: diff --git a/data/gpg/vim_decryption.md b/data/gpg/vim_decryption.md new file mode 100644 index 0000000..37c2ef5 --- /dev/null +++ b/data/gpg/vim_decryption.md 
@@ -0,0 +1,12 @@ +--- +title: "gpg with vim" +tags: [ "vim", "data", "GPG" ] +requires: [ "GPG Basics", "vim basics" ] +--- + +The `vim-gnupg` plugin lets vim edit gpg-encrypted files as if they were unencrypted. + +It's probably in your package manager. +If not, you'll need to endure the faff of following the [instructions](http://www.vim.org/scripts/script.php?script_id=3645). + +
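Review bot: in the `data/gpg.md` hunk (`@@ -1,7 +1,146 @@`) the link `[crontab](../../system/cron.md)` under `# Refresh Keys` was copied from `data/gpg/basics.md` and now resolves one directory too high; from `data/gpg.md` it must be `../system/cron.md`. In the same hunk, `gpg --output me.gpg --armor --export` with no key ID exports every public key in the keyring rather than "Your public key", so pass the fingerprint or user ID as the second command does; `## Upload Your Keys` has no body and `# Changing Expiration Dates` lists keys and stops before the actual edit step (`gpg --edit-key <fingerprint>` followed by `expire`), so either fill those in or drop them; the sample listing shows `[expires: after-forever]`, which gpg never prints, so paste real output; and `## Sending` says uploading lets people "see you have verified them", but what is published is your certification signature, and the first server in the new `keyserver` list, `hkps://keys.openpgp.org`, does not distribute third-party signatures, so that sentence should be qualified. Last, the hunk removes the `[Setup]`/`[Extras]` index links and adds no link to `gpg/gpg_pinentry.md` or `gpg/vim_decryption.md`, leaving both pages unreachable from here.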
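Review bot: the `data/gpg/basics.md` deletion (`@@ -1,146 +0,0 @@`) is really a move, as the blob index `75dff3f` on the deleted file matches the new `data/gpg.md`, but because `data/gpg.md` already existed git records it as delete plus rewrite and the text's history is lost; doing the move with `git mv` in its own commit would keep it. Any page elsewhere in the corpus that still links to `gpg/basics.md` will now break (the old index's `[Setup](gpg/basics.md)` is removed in this patch, but others may exist), so grep for the old path before merging. The `requires: [ "GPG Basics" ]` entries in the sibling pages reference the title, which the new file keeps, so they survive.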
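Review bot: the front matter in the renamed `data/gpg/gpg_pinentry.md` (`@@ -1,16 +1,9 @@`) no longer matches its content: the vim-gnupg paragraphs move out to `vim_decryption.md`, yet `requires` still lists `"vim basics"`, the tags keep `"vim"` and drop `"GPG"` although the page is about gpg-agent, and with `## Prompt for password in terminal` deleted the body now begins directly after the front matter with `Check your current gpg-agent configuration:`. Suggest `tags: [ "data", "secrets", "GPG" ]`, `requires: [ "GPG Basics" ]`, and restoring a heading above that first paragraph.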
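Review bot: the new `data/gpg/vim_decryption.md` (`@@ -0,0 +1,12 @@`) only says the plugin exists and where to get it, never how it is triggered, so a reader who installs it and opens an encrypted file under another name will see ciphertext and conclude it does not work. vim-gnupg activates on file names ending in `.gpg`, `.pgp` or `.asc` and re-encrypts on write; one sentence stating that belongs in this page. Minor: the `http://www.vim.org/...` link should be `https://`, and the file ends with two blank lines.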