Hiddenden/Knowledge-Base
2
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Knowledge-Base/20 - Knowledge/security/gpg-basics.md

2.9 KiB
Raw Permalink Blame History

title, description, tags, category, created, updated
title description tags category created updated
GPG Basics Overview of core GnuPG concepts, key management, and common operational workflows
security
gpg
encryption
security 2026-03-14 2026-03-14

GPG Basics

Introduction

GPG, implemented by GnuPG, is used for public-key encryption, signing, and verification. It remains common for signing Git commits and tags, exchanging encrypted files, and maintaining long-term personal or team keys.

Purpose

This document covers:

  • What GPG keys and subkeys are
  • Common encryption and signing workflows
  • Key management practices that matter operationally

Architecture Overview

A practical GPG setup often includes:

  • Primary key: used mainly for certification and identity management
  • Subkeys: used for signing, encryption, or authentication
  • Revocation certificate: lets you invalidate a lost or compromised key
  • Public key distribution: keyserver, WKD, or direct sharing

The primary key should be treated as more sensitive than everyday-use subkeys.

Core Workflows

Generate a key

Interactive generation:

gpg --full-generate-key

List keys:

gpg --list-secret-keys --keyid-format=long

Export the public key

gpg --armor --export KEYID

Encrypt a file for a recipient

gpg --encrypt --recipient KEYID secrets.txt

Sign a file

gpg --detach-sign --armor release.tar.gz

Verify a signature

gpg --verify release.tar.gz.asc release.tar.gz

Configuration Example

Export a revocation certificate after key creation:

gpg --output revoke-KEYID.asc --gen-revoke KEYID

Store that revocation certificate offline in a secure location.

Troubleshooting Tips

Encryption works but trust warnings appear

  • Confirm you imported the correct public key
  • Verify fingerprints out of band before marking a key as trusted
  • Do not treat keyserver availability as proof of identity

Git signing fails

  • Check that Git points to the expected key ID
  • Confirm the GPG agent is running
  • Verify terminal pinentry integration on the local system

Lost laptop or corrupted keyring

  • Restore from secure backups
  • Revoke compromised keys if needed
  • Reissue or rotate subkeys while keeping identity documentation current

Best Practices

  • Keep the primary key offline when practical and use subkeys day to day
  • Generate and safely store a revocation certificate immediately
  • Verify key fingerprints through a trusted secondary channel
  • Back up secret keys securely before relying on them operationally
  • Use GPG where it fits existing tooling; do not force it into workflows that are better served by simpler modern tools

References

Reference in New Issue View Git Blame Copy Permalink