Managing OpenPGP Keys

Use a Password-Safe

Store your GnuPG passphrases in a password-safe, like KeePassXC.

See the section KeePassXC on how to set it up.

Gnu Privacy Guard Configuration

Let GnuPG know which key you normally use:

#
# Options for gpg (GnuPG) 2.2.12
# See the 'OPTIONS' section of 'man gpg'
#   https://manpages.ubuntu.com/manpages/bionic/man1/gpg.1.html#options


#--------------------------------------
# Default Private Key
#--------------------------------------

# Use name as the default key to sign with. If this option is not used, the
# default key is the first key found in the secret keyring. Note that -u or
# --local-user overrides this option. This option may be given multiple times.
# In this case, the last key for which a secret key is available is used. If
# there is no secret key available for any of the specified values, GnuPG will
# not emit an error message but continue as if this option wasn't given.
default-key 0x0123456789ABCDEF

# Use name as default recipient if option --recipient is not used and don't ask
# if this is a valid one. name must be non-empty.
#default-recipient name

# Use the default key as default recipient if option --recipient is not used and
# don't ask if this is a valid one. The default key is the first one from the
# secret keyring or the one set with --default-key.
default-recipient-self

Bash User Environment

The following lines should be added to your local profile settings file ~/.profile:

# Let GnuPG know which key you normally use
export GPGKEY=0x0123456789ABCDEF

This comes in handy: you can use the $GPGKEY environment variable on the command line and in scripts. In fact, most of the PGP-related commands in this guide assume that this variable is correctly set.

Backup Your Keys!

Backups are very important. If you lose your private key or its passphrase, everything encrypted to that key can no longer be recovered.

Backups of your private keys and keyrings should be stored on an encrypted USB drive along with other important and protected files, like your KeePassXC password database, your personal TLS certificates and SSH private keys.

The following steps assume your safe storage is mounted on /media/$USER/SafeStorage:

# Create a backup directory on the safe storage
$ mkdir /media/${USER}/SafeStorage/OpenPGP

# Which key you want to back up
$ export GPGKEY=0x0123456789ABCDEF

# Export your private key
$ gpg --verbose --export-options backup --armor \
    --output /media/${USER}/SafeStorage/OpenPGP/${GPGKEY}.private.asc \
    --export-secret-keys $GPGKEY

# Export your public key
$ gpg --verbose --export-options backup --armor \
    --output /media/${USER}/SafeStorage/OpenPGP/${GPGKEY}.asc \
    --export $GPGKEY

# Export your personal trust settings towards other people's keys
$ gpg --verbose --export-ownertrust \
    > /media/${USER}/SafeStorage/OpenPGP/OwnerTrust.db

# Back up your revocation certificates
$ cp --archive --verbose --interactive \
    ~/.gnupg/openpgp-revocs.d /media/${USER}/SafeStorage/OpenPGP/
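The backup steps above as one guarded function, added here as an example that is not part of the original guide: it refuses to run unless the safe storage is really mounted (otherwise mkdir would quietly put the private key on the unencrypted system disk) and verifies the export by comparing the fingerprint read back from the file with the one in the live keyring. It assumes GnuPG 2.1.23 or later (for --export-options backup and --show-keys); the function names are my own.

```shell
# Accept only a 0x-prefixed long key ID (16 hex digits) or a full 40-digit
# fingerprint, so a typo cannot turn into a bad file name or match the wrong key.
valid_key_id() {
    printf '%s\n' "$1" | grep -Eq '^(0x[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$'
}

# Refuse to write into a directory that is not a mount point: if the USB drive
# is absent, mkdir would create the path on the unencrypted system disk.
require_mounted() {
    if command -v mountpoint >/dev/null 2>&1; then
        mountpoint -q "$1"
    else
        grep -q " $1 " /proc/mounts 2>/dev/null
    fi
}

# Primary-key fingerprint from a colon-format gpg listing (first fpr record).
first_fpr() {
    awk -F: '/^fpr:/ { print $10; exit }'
}

backup_key() (                       # subshell body: umask stays local
    key=$1 safe=$2
    dir=$safe/OpenPGP
    valid_key_id "$key" || { echo "bad key id: $key" >&2; exit 1; }
    require_mounted "$safe" || { echo "$safe is not mounted" >&2; exit 1; }
    umask 077                        # exported secret material: owner-only
    mkdir -p "$dir" || exit 1
    gpg --export-options backup --armor --output "$dir/$key.private.asc" \
        --export-secret-keys "$key" || exit 1
    gpg --export-options backup --armor --output "$dir/$key.asc" \
        --export "$key" || exit 1
    gpg --export-ownertrust > "$dir/OwnerTrust.db" || exit 1
    cp -a "$HOME/.gnupg/openpgp-revocs.d" "$dir/" || exit 1
    # Verify: the fingerprint read back from the exported secret-key file must
    # equal the fingerprint of that key in the live keyring.
    expected=$(gpg --batch --with-colons --fingerprint "$key" 2>/dev/null | first_fpr)
    actual=$(gpg --batch --with-colons --show-keys "$dir/$key.private.asc" 2>/dev/null | first_fpr)
    [ -n "$expected" ] && [ "$actual" = "$expected" ] ||
        { echo "backup verification failed for $key" >&2; exit 1; }
    echo "backed up $key ($expected) to $dir"
)
```

Call it as `backup_key "$GPGKEY" /media/$USER/SafeStorage`; on any failed step it returns non-zero before reporting success.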

Restoring Private and Public Keys

The following steps assume your safe storage is mounted on /media/$USER/SafeStorage:

# Which key you want to restore
$ export GPGKEY=0x0123456789ABCDEF

# Import your public key
$ gpg --verbose --import-options restore \
    --import /media/${USER}/SafeStorage/OpenPGP/${GPGKEY}.asc

# Import your private key
$ gpg --verbose --import-options restore \
    --import /media/${USER}/SafeStorage/OpenPGP/${GPGKEY}.private.asc

# Import your personal trust settings
$ gpg --verbose --import-ownertrust \
    < /media/${USER}/SafeStorage/OpenPGP/OwnerTrust.db
$ gpg --verbose --check-trustdb

# Set your own key as ultimately trusted
# (at the gpg> prompt enter "trust", choose 5 = ultimate, confirm, then "save")
$ gpg --edit-key $GPGKEY