| title | description | tags | category | created | updated |
|---|---|---|---|---|---|
| GPG Basics | Overview of core GnuPG concepts, key management, and common operational workflows | | security | 2026-03-14 | 2026-03-14 |
# GPG Basics

## Introduction

GPG (GnuPG) is used for public-key encryption, signing, and verification. It remains common for signing Git commits and tags, exchanging encrypted files, and maintaining long-term personal or team keys.

## Purpose

This document covers:

- What GPG keys and subkeys are
- Common encryption and signing workflows
- Key management practices that matter operationally

## Architecture Overview

A practical GPG setup often includes:

- Primary key: used mainly for certification and identity management
- Subkeys: used for signing, encryption, or authentication
- Revocation certificate: lets you invalidate a lost or compromised key
- Public key distribution: keyserver, WKD (Web Key Directory), or direct sharing

The primary key should be treated as more sensitive than everyday-use subkeys: it certifies the subkeys and user IDs, so its loss or compromise affects the whole identity, whereas a compromised subkey can be revoked and replaced.
## Core Workflows

### Generate a key

Interactive generation:

```sh
gpg --full-generate-key
```

List keys:

```sh
gpg --list-secret-keys --keyid-format=long
```

### Export the public key

```sh
gpg --armor --export KEYID
```

### Encrypt a file for a recipient

```sh
gpg --encrypt --recipient KEYID secrets.txt
```

### Sign a file

```sh
gpg --detach-sign --armor release.tar.gz
```

### Verify a signature

```sh
gpg --verify release.tar.gz.asc release.tar.gz
```

## Configuration Example

Export a revocation certificate after key creation:

```sh
gpg --output revoke-KEYID.asc --gen-revoke KEYID
```

Store that revocation certificate offline in a secure location.
## Troubleshooting Tips

### Encryption works but trust warnings appear

- Confirm you imported the correct public key
- Verify fingerprints out of band before marking a key as trusted
- Do not treat keyserver availability as proof of identity

### Git signing fails

- Check that Git points to the expected key ID
- Confirm the GPG agent is running
- Verify terminal pinentry integration on the local system

### Lost laptop or corrupted keyring

- Restore from secure backups
- Revoke compromised keys if needed
- Reissue or rotate subkeys while keeping identity documentation current

## Best Practices

- Keep the primary key offline when practical and use subkeys day to day
- Generate and safely store a revocation certificate immediately
- Verify key fingerprints through a trusted secondary channel
- Back up secret keys securely before relying on them operationally
- Use GPG where it fits existing tooling; do not force it into workflows that are better served by simpler modern tools
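The subkey layout from the Architecture Overview, the trust-warning checks under Troubleshooting, and the Best Practices above can be audited from the machine-readable output of `gpg --list-keys --with-colons`. The script below is an added example, not part of this page or of GnuPG; it assumes the documented colon-format field positions and runs on a constructed sample keyring so it needs no `gpg` installed.

```python
# Added example: audit `gpg --list-keys --with-colons` output for the points above.
# Pipe that output in with `python3 gpg_audit.py -`; with no argument it uses the
# constructed SAMPLE below (not a real keyring). Fields are 1-based per gpg's docs.
import sys

BAD = {"r": "revoked", "e": "expired", "d": "disabled", "i": "invalid"}

# fields: 1 type, 2 validity, 5 key ID, 9 owner trust, 10 fingerprint, 12 capabilities
SAMPLE = """\
pub:u:255:22:0123456789ABCDEF:1700000000:1763000000::u:::cESCA::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA987654321001234567:
sub:u:255:22:1122334455667788:1700000000:1763000000:::::s::::::23:
sub:r:255:18:99AABBCCDDEEFF00:1700000000::::::e::::::23:
pub:-:3072:1:ABCDEF0123456789:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:e:3072:1:8877665544332211:1600000000:1650000000:::::s::::::23:
sub:-:3072:1:5566778899AABBCC:1600000000::::::e::::::23:
"""

def parse_keys(text):
    """Group colon-format records into one dict per primary key."""
    keys = []
    for f in (line.split(":") for line in text.splitlines()):
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1], "ownertrust": f[8],
                         "caps": f[11], "fpr": None, "subkeys": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after pub is the primary's
        elif f[0] == "sub" and keys:
            keys[-1]["subkeys"].append({"keyid": f[4], "validity": f[1], "caps": f[11]})
    return keys

def audit(key):
    """Return findings for one key, mirroring the best practices above."""
    findings = []
    if key["validity"] in BAD:
        findings.append(f"key is {BAD[key['validity']]}")
    if key["ownertrust"] not in ("m", "f", "u"):
        findings.append("owner trust not set: verify the fingerprint out of band first")
    usable = [s for s in key["subkeys"] if s["validity"] not in BAD]
    for cap, name in (("s", "signing"), ("e", "encryption")):
        if not any(cap in s["caps"] for s in usable):
            findings.append(f"no usable {name} subkey")
    if set(key["caps"]) & set("sea"):  # lowercase = this key's own capabilities
        findings.append("primary key is not certify-only: prefer subkeys for daily use")
    return findings

if __name__ == "__main__":
    for key in parse_keys(sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE):
        print(key["keyid"], key["fpr"], *audit(key), sep="\n  ")
```

On the sample, the first key is flagged only for its revoked encryption subkey, while the second is flagged for missing owner trust, an expired signing subkey, and a primary key that still carries signing capability.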