# kaashif's blog

Programming, software freedom and Unix

## Why am I writing this?

I have looked up “how to use gpg” so many times, on so many websites, and have found every guide to be focused on something I don’t use or worded in such a way that I get confused and revoke all of my keys (that hasn’t actually happened…yet). I thought I’d whip up a quick guide that could serve as a reference for future Kaashif, who may not remember anything about GPG other than `gpg -ear` and `gpg -d`.

## Installing GPG

This is easy. Most distros come with it, for package signing among other things. The ones that don’t have it easily installable from their package repos as either “gpg”, “gpg2”, “gnupg” or “gnupg2”. While GPG and GPG 2 are actually different programs, many distros don’t make the distinction, since hardly anyone uses GPG1 anymore.

## Generating a key

`gpg --gen-key`

You have to be an idiot to get this wrong. Defaults are fine, unless someone has broken RSA with quantum magic. Make sure the email is right.

Two things:

Go to a keyserver, like pgp.mit.edu. You should also submit your public key there by invoking `gpg --send-keys --keyserver pgp.mit.edu $KEY`. The key will propagate to other servers, so you cannot delete or edit a key once it’s there. Make sure everything is correct and backed up. Don’t search my name, I don’t want to be embarrassed. If you must, my key is the most up to date one, I lost the old one, and revoked the other one…due to losing it. Do what I say, not what I do.

## Summary

`gpg -ear $KEY` - Encrypt plaintext from stdin

`gpg -d` - Decrypt plaintext from stdin

`gpg --export -a $KEY` - Export ASCII-armoured key to stdout

`gpg --import $FILE` - Import key from a file

`gpg --clearsign` - Sign a message from stdin, leaving the message human-readable

`gpg --detach-sig --output $SIGFILE $FILE` - Sign a file and create a detached signature in another file

`gpg --some-sort-of-command --output $FILE` - Do something, then output to a file
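
The Summary commands run end to end in a throwaway keyring, as an added example that is not part of the original post. It assumes GnuPG 2.2 or later; the user ID, the helper `g` and the file names are constructed for the demo, and `--quick-generate-key` stands in for the interactive `gpg --gen-key`.

```shell
# Added example: exercise the Summary commands in a throwaway keyring.
# The user ID and file names are constructed; assumes GnuPG 2.2 or later.
gpg_roundtrip() (
    msg=$1
    uid='Sandbox Key <sandbox@example.invalid>'
    g() { gpg --batch --quiet "$@"; }

    # Isolated home directory: nothing here touches ~/.gnupg.
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT

    # Unattended stand-in for `gpg --gen-key`. The empty passphrase is
    # tolerable only because the key is destroyed when the function exits.
    g --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never 2>/dev/null || exit 1

    # gpg -ear $KEY, then gpg -d
    ct=$(printf '%s\n' "$msg" | g -ear "$uid") || exit 1
    pt=$(printf '%s\n' "$ct" | g -d 2>/dev/null) || exit 1

    # gpg --clearsign, checked with --verify
    printf '%s\n' "$msg" | g --clearsign | g --verify 2>/dev/null || exit 1

    # Detached signature written with --output, then verified against the file
    # (--detach-sign is the documented long form of the option)
    f=$GNUPGHOME/msg.txt
    printf '%s\n' "$msg" > "$f"
    g --detach-sign --output "$f.sig" "$f" || exit 1
    g --verify "$f.sig" "$f" 2>/dev/null || exit 1

    # A modified file must no longer verify against the old signature.
    printf 'tampered\n' >> "$f"
    if g --verify "$f.sig" "$f" 2>/dev/null; then
        echo 'tampered file still verified' >&2
        exit 1
    fi

    # gpg --export -a $KEY produces an ASCII-armoured public key block
    g --export -a "$uid" | grep -q 'BEGIN PGP PUBLIC KEY BLOCK' || exit 1

    printf '%s\n' "$pt"
)
```

Source the file and call `gpg_roundtrip 'some text'`; it prints the decrypted text and exits non-zero if any step fails.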