Creating and Managing a GPG Key Pair

  • Published 16 Jul 2024
  • See how to create, edit, revoke, export, backup and restore a GPG key pair.
    Hit the subscribe button to receive more videos like this!
    ---
    Timestamps:
    0:00 -- What we're going to cover in this video
    0:47 -- Using your gpg key for encrypting files, signing commits and password managers
    1:58 -- Installing the gpg command line tool
    2:27 -- Customizing your gnupg home directory (only for the sake of this video)
    3:18 -- Checking to see if you already have a gpg key pair
    3:52 -- Generating a secure gpg key pair with an expiration date
    7:56 -- Editing your key, specifically updating your expiration date
    10:13 -- Changing your gpg passphrase and keeping it safe
    11:35 -- Creating a revoke certificate to maybe revoke your key pair on demand
    16:34 -- Backing up and restoring your key pair and associated files
    18:09 -- Exporting your gpg public key so you can share it with others
    19:51 -- Configuring your gpg agent to cache your passphrase for a week
    21:42 -- Recap
    Cheatsheet:
    nickjanetakis.com/blog/creatin...
    Reference links:
    www.passwordstore.org/
    ---
    Follow along?
    Personal Website: nickjanetakis.com
    Twitter: / nickjanetakis

COMMENTS • 109

  • @elrisitas8508
    @elrisitas8508 3 years ago +9

    thank you youtube algorithm for always finding the best videos for me

  • @Jordan-hz1wr
    @Jordan-hz1wr 9 months ago +2

    I've been using gpg for years and I still refer back to your videos. Good work, Sir!

  • @cindrmon
    @cindrmon 3 years ago +17

    I think this will now be my official go-to guide for GPG keys! Thanks a lot for making this really in-depth GPG management tutorial! It took me a couple of weeks to figure out how to use GPG key pairs properly, and I would so often think they were "that" disposable, like SSH keys, but I only realised how important these are, and how much they are maintained, when I simply deleted my old GPG key, and it left a bad scar on some of my GitHub commits, with unverified commits scattered among some of my repos. I really learned my lesson, and again, thank you for this guide!

    • @NickJanetakis
      @NickJanetakis  3 years ago +1

      Awesome, happy to hear you liked it. Thanks for watching!

    • @cindrmon
      @cindrmon 3 years ago +1

      @@NickJanetakis Yee! Hi! I do have a question. Would you explain more on those 4 other files starting with `S.gpg-agent`, and how to configure them?

    • @NickJanetakis
      @NickJanetakis  3 years ago +2

      @@cindrmon They are empty files on my machine. I haven't configured them but you may want to Google each of them individually.

  • @lstellway
    @lstellway 8 months ago +2

    Wonderful introduction to GnuPG - thank you!

  • @aakupsp
    @aakupsp 3 years ago +2

    Thanks for the detailed explanation. Appreciate it!

  • @MatteoCeccarini
    @MatteoCeccarini 2 years ago +2

    Thank you so much!!! This is such a detailed, easy to follow explanation. I am new to Linux and I was wondering how to set up KDE Wallet. Your video helped me to achieve that and to get a general understanding of how it works. Thank you so much!

  • @raulalegre2
    @raulalegre2 3 years ago +2

    Thank you very much, very well explained, very useful video.

  • @guillaumeturgeon9915
    @guillaumeturgeon9915 3 years ago +1

    Great video! Thanks for the detailed explanation

  • @scottmusician
    @scottmusician 2 years ago +1

    a terrific overview. thanks!

  • @Lucas-md8gg
    @Lucas-md8gg 1 year ago +2

    Subscribed! I'm creating a backup script with GPG and SSH, this tutorial helped a lot!

  • @dhruvpatel8570
    @dhruvpatel8570 3 years ago +1

    Man, your content is great, I hope more people will watch your videos

  • @simonnjoroge933
    @simonnjoroge933 9 months ago +1

    This is amazing 👍🌟. I just love the over simplification, it offers a very good general overview of the superficial workings of GPG, a piece of software that has bothered me for weeks. 😃

    • @NickJanetakis
      @NickJanetakis  9 months ago

      Thanks, happy to hear it helped!

  • @debasisnath9916
    @debasisnath9916 2 years ago +1

    Thanks Nick.... great video!!! 👍👍👍

  • @ARPIT2729
    @ARPIT2729 3 years ago +3

    Thanks a million 😊!
    A must watch for beginners like us to understand different gpg commands and their usage!!


  • @iGarrettt
    @iGarrettt 1 year ago +1

    This was a fantastic and helpful video. Thank you!

  • @edwinrosales6322
    @edwinrosales6322 3 years ago +1

    Great video! Thanks!

  • @atpx
    @atpx 3 years ago +1

    Very detailed, thx!

  • @Abdul-dy7om
    @Abdul-dy7om 6 months ago +1

    Thanks for your video, so inspiring

  • @ArmandoCalderon
    @ArmandoCalderon 3 years ago +1

    Great tutorial.

  • @persmultimediadesigntutori1293
    @persmultimediadesigntutori1293 3 years ago +1

    excellent tutorial, thanx

  • @notigor325
    @notigor325 1 year ago +1

    this is a really good guide...

  • @Marinate305
    @Marinate305 1 year ago +1

    Very informative.

  • @et_phonehome_2822
    @et_phonehome_2822 1 year ago +1

    The best video I've ever seen on GPG

  • @user-df1gs1kf8w
    @user-df1gs1kf8w 2 years ago +1

    I got that 2020 reference. Never forget.

  • @flyingisawol
    @flyingisawol 3 months ago +1

    Amazing. TY

  • @vim_usr2753
    @vim_usr2753 3 years ago +5

    Outstanding video! Any chance you could make a video talking about additional topics such as keyservers, subkeys, etc.?

    • @NickJanetakis
      @NickJanetakis  3 years ago +5

      Thanks. Sure I can add a subkey video. Probably not one on creating a keyserver since I haven't set that up personally.

  • @zoliky
    @zoliky 11 months ago +1

    Hi, Nick. I've been watching a number of UA-cam videos about creating and managing GPG keys, and I must say that your explanations are by far the clearest.
    A question: If I choose to update/change the password for my GPG key at some point, will that have any impact on the GPG keys themselves? In other words, will they have a new fingerprint or undergo any other changes?

    • @NickJanetakis
      @NickJanetakis  11 months ago

      Thanks. If you change your passphrase everything will continue to work. It won't have an impact on your encrypted content. If you were ultra paranoid about it potentially breaking things you can generate a new test key with a specific phrase, encrypt something, update your phrase and then encrypt something else. You should be able to decrypt both files with that key.

    • @zoliky
      @zoliky 11 months ago

      @@NickJanetakis I meant the underlying public and private keys, not the encrypted content.

    • @NickJanetakis
      @NickJanetakis  11 months ago +1

      @@zoliky If you change your key's passphrase it won't prevent you from decrypting content where the same key was used to encrypt it with a different passphrase.
      Your passphrase is 1 extra layer of defense to stop an unwanted person from using your key.

  • @ojasbhagavath5484
    @ojasbhagavath5484 1 year ago +1

    Thanks a lot for this!
    Can you please make a video on pass?

    • @NickJanetakis
      @NickJanetakis  1 year ago +1

      No problem. Yep I can make a video on that, I added it to my queue.

    • @NickJanetakis
      @NickJanetakis  1 year ago +1

      I added a video about it this week: ua-cam.com/video/w34xAnNdliE/v-deo.html

  • @peterlineaqua80
    @peterlineaqua80 3 years ago

    Thanks man ... How do you decrypt, though?

  • @1ens
    @1ens 11 months ago +2

    18:49
    "which is pretty long"
    that's what she said 💀

  • @mustafasalih5328
    @mustafasalih5328 3 years ago +1

    🖤🖤

  • @_maxt
    @_maxt 2 years ago +1

    Brilliant thanks Nick. Did I miss a bit explaining how to use the agent?

    • @NickJanetakis
      @NickJanetakis  2 years ago +2

      No problem. I don't think so. I didn't cover messing around too much with the agent itself. It was mainly focused on using the CLI tool.

    • @_maxt
      @_maxt 2 years ago

      @@NickJanetakis Oh right. Does it just magically work then? (as opposed to ssh-agent where you have to explicitly run and add keys, afaik)

    • @NickJanetakis
      @NickJanetakis  2 years ago +2

      @@_maxt You still need to add the public keys of folks you want to interact with. This video I have around signing git commits goes over adding keys: ua-cam.com/video/4166ExAnxmo/v-deo.html

    • @_maxt
      @_maxt 2 years ago +1

      @@NickJanetakis Nice one, I had actually started that video first, still halfway through :) Thanks a lot for your help.

    • @NickJanetakis
      @NickJanetakis  2 years ago

      @MindTheRoms It's hard to say without more details. Are you using macOS? stackoverflow.com/questions/39494631/gpg-failed-to-sign-the-data-fatal-failed-to-write-commit-object-git-2-10-0 , I would Google for the error. That's how I found that SO page.

  • @hedgeearthridge6807
    @hedgeearthridge6807 3 years ago +2

    I'm wondering. If you DID want to digitally store your passphrase, you could create a text file on a flash drive with the password. Then use GPG to encrypt it with AES-256 using an easier password to remember. Then store it on something like a CD, securely erase everything on the flash drive, and reboot your system. That, stored in a lockbox or bank safety box, would be extremely frustrating for someone to deal with, unlike a piece of paper. Not only would they have to get your keys from your computer and steal the CD or flash drive, they would have to waste time trying to decrypt the password text file. It would definitely not be worth it, hehe.
    Or, just make a database with KeePassXC and put it on a flash drive or CD. That's really easier than the more low-tech process above, and won't result in the plaintext possibly still being on your hard drive.

    • @NickJanetakis
      @NickJanetakis  3 years ago +3

      If you wanted to go the hardware route you may want to check out www.yubico.com/. But it's only as good as you are when it comes to protecting your system. If you always leave it connected then anyone who has access to your machine has access to using it, although you can enable a PIN confirmation to use it but that can get tedious.
      This is why I like physical paper stored in a secure way with no context on what it is. It's not meant to be actively used. It's there just in case you forget your password. Also I'd be careful with flash drives. I've had some become unreadable after sitting around for a few months uninterrupted.

  • @DevinBidwell
    @DevinBidwell 1 year ago

    Question.
    If you have backed up your GPG key and have it on multiple machines and one machine gets compromised, what's to stop the compromised machine from using the non-revoked GPG key, because you have only revoked it locally on your machine?

    • @NickJanetakis
      @NickJanetakis  1 year ago

      Nothing, but if you publish the revoked key on machine A and try to sign something from the compromised machine B with the non-revoked version of it and sign "something" (a git commit, a package, etc.), folks who have the latest copy of your key will see it's been revoked since machine A published the revoked state.

  • @johnnystaccata
    @johnnystaccata 1 year ago

    Excuse me for sayin', but I think you should post more code
    for the segments in the timeline/description.
    It is difficult sometimes to copy text from a gui screen.

    • @NickJanetakis
      @NickJanetakis  1 year ago

      There is a link to a blog post in the description that has everything: nickjanetakis.com/blog/creating-and-managing-a-gpg-key-pair#cheatsheet

  • @elrisitas8508
    @elrisitas8508 3 years ago +1

    In the event you revoke your GPG key, and you are using that key for your password manager,
    will you get locked out of your password manager, since the key is now compromised?

    • @NickJanetakis
      @NickJanetakis  3 years ago +4

      Yeah once it's been revoked that specific key won't be usable anymore by default. While I've never done it, as long as you haven't pushed your key to a keyserver you might be able to un-revoke it by following sites.google.com/view/chewkeanho/guides/gnupg/unrevoke-primary-key.
      GPG keys can be distributed through key servers, which is mainly why things like revoking and expirations exist. For example after revoking your key you could send it to 1 of many different public key servers and now others will be able to see it's been revoked. The same can be said for editing your key. I didn't include publishing keys in this video because it's one of those things where you're probably not going to use that feature until you know you need to, in which case you'll know what to look up.

    • @elrisitas8508
      @elrisitas8508 3 years ago

      @@NickJanetakis thank you, very interesting

  • @amitgtk
    @amitgtk 3 years ago

    Thanks Nick, the video was very useful. Quick question on caching the passphrase. I created the gpg-agent.conf file and added the variable for caching. But after an hour or so it still asks me for the passphrase. Do you think anything else needs to be set up? I'm on a Unix/Linux EC2 container on AWS and trying to use the Pass password manager. I need to automate some process to read passwords from the Pass utility. Please comment.

    • @NickJanetakis
      @NickJanetakis  3 years ago +1

      You might need to restart the gpg agent. Try running gpgconf --kill gpg-agent which should kill the current agent and start a new one. But honestly I'm not even sure if you need to restart the daemon after making config changes. Worth a shot as a first try tho.

    • @amitgtk
      @amitgtk 3 years ago

      @@NickJanetakis Thanks for your response. I ran a few more commands like "gpg-agent --options ~/.gnupg/gpg-agent.conf" & "gpg-agent --default-cache-ttl 604800", and now I'm able to see the cache set to 7 days. Use the "gpgconf --list-options gpg-agent" command to see the variables. Thanks again Nick. You're awesome!

    • @NickJanetakis
      @NickJanetakis  3 years ago +1

      @@amitgtk No problem. I think if you would have rebooted the config would have taken effect too, but I can see wanting to run that command the first time you set up the config. It slipped my mind during the video. Although in your case, I would expect the default cache would be set from the config without having to set the config option from the command line too?

  • @user-wr7fe4mj8s
    @user-wr7fe4mj8s 1 year ago

    When the terminal asks for a password I get a GUI version of some passphrase application. How do I get a similar setup to yours? Is it through the pass command?

    • @NickJanetakis
      @NickJanetakis  1 year ago

      You might have a specific gpg-agent installed, that's the thing that controls this dialog box. I have pinentry-curses installed, I think there might be variants of that which launch a GUI. You may need to uninstall those variants.

  • @mush_mouf
    @mush_mouf 3 years ago +1

    Why does nobody show how to send a GPG-encrypted file to a receiver, and how do they open it?

  • @maxakn
    @maxakn 2 years ago +1

    8:20 seems like a year in the future; we are still alive

  • @wChris_
    @wChris_ 2 years ago +1

    Can you do the same tutorial, but for SSH keys instead?

  • @jayshah5695
    @jayshah5695 1 year ago

    How is this different from keychain / ssh-agent? In the end it all feels like a private key manager system.

    • @NickJanetakis
      @NickJanetakis  1 year ago +1

      ssh keys and gpg keys serve different purposes. gpg keys are often used to encrypt text and files (and also for signing things to prove your digital identity) whereas ssh keys are commonly used to authenticate with a system, such as when you pull a private git repo or log into a server.

  • @alexanderreseneder4563
    @alexanderreseneder4563 3 years ago

    How do I export sub and ssd separately from the keyring? So, I know it's not intended normally (because you cannot sign the public sub to prove the pub is from yourself to another), but I want to use split-gpg. Do I have to edit the key flag of the key for split-gpg or not? (I can use --list-key --verbose to view all packets etc. etc.) Can you please give me the command for this to print the output to a file? I have heard that if you want to use the key, for example on another VM with another gpg2 client, you don't have to armor the key for a human-readable format - is that right? I'm a complete NOOB so sorry if I annoy you, but I need help...

    • @NickJanetakis
      @NickJanetakis  3 years ago

      I'm not familiar with that workflow sorry.

  • @aiden7279
    @aiden7279 2 years ago +1

    I'm a little bit lost. How does the revoke system work?
    What if someone steals my keypair and knows my password? How does revoking work? Is GPG connected to the internet or?.. I mean what stops the adversary from just not connecting to the internet so GPG can't revoke it?

    • @NickJanetakis
      @NickJanetakis  2 years ago

      The gpg tool isn't connected to the internet in a sense that it's always sync'd somewhere automatically but you can use it to upload and download keys from various key-servers.
      If you knew your keypair were compromised you could revoke it and publish that event to a key-server. This can happen independently of an attacker because you should hopefully still have a copy of your keypair (that's one reason why it's very important to back them up).
      Let's say you and I were both working on a project together, since you revoked your key and published that to a key-server I could know on my end that you revoked it and that would alarm me at a human level to know not to trust anything signed by you because it was revoked.

    • @aiden7279
      @aiden7279 2 years ago

      @@NickJanetakis That makes sense, but only >if< I published my key to a keyserver. I was more wondering how revoking works if I didn't upload them.
      I assume revoking only works with keyservers? This really makes getting your "offline" keys stolen really, really, dangerous.

    • @NickJanetakis
      @NickJanetakis  2 years ago

      @@aiden7279 If you don't publish or directly send your key to someone then they won't be able to do anything related to what you're signing. You can revoke your key and not publish it and see that your key is revoked, but this knowledge won't leave your machine.

  • @saubockmcgiver9743
    @saubockmcgiver9743 1 year ago

    This is a very good video but I need help understanding something. You create a revoke key for the event that your laptop, for example, gets stolen. How are you supposed to import the revoke key if you don't have access to your hardware? The thief still has access to your unrevoked key. Or if just the key got stolen and I import the revoke key, this only makes my key unusable and not the one which got stolen. Am I missing something? Because I don't see a use case for the revoke key otherwise.

    • @NickJanetakis
      @NickJanetakis  1 year ago +1

      Hi, you'd back up your revoke key somewhere off your laptop, the video briefly covers this around the idea of where you could back this up. Then you could send your revoked key to various keyservers.

    • @saubockmcgiver9743
      @saubockmcgiver9743 1 year ago

      @@NickJanetakis Thank you for your reply! I'm pretty new to GPG and this was one of the first videos I've watched about it. I didn't know about these servers. Does that mean that as soon as the stolen device syncs to a key server the key would get revoked there as well?

    • @NickJanetakis
      @NickJanetakis  1 year ago +2

      @@saubockmcgiver9743 Keys aren't sync'd by default, they operate offline until you push / sync them to a remote keyserver that other folks use. But in a perfect world you'd have both your regular key and revoke key backed up so you can push the revoked or updated status. So even though your device got compromised, you still control the key.
      But yes, the idea there is if someone on the stolen device used the key after you revoked it, it would come up as revoked to anyone who tried to download your key and validate it came from you (it would fail since it would be revoked).

    • @saubockmcgiver9743
      @saubockmcgiver9743 1 year ago +1

      @@NickJanetakis That is very helpful, thanks for explaining.
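
    The revocation threads above (how a revoke certificate is used, what others see once the revoked key is published, and whether a revoked key still opens your password store) can be walked through end to end in a throwaway GNUPGHOME. The script below is an added example, not code from the video or its cheatsheet. It assumes GnuPG 2.1 or newer (which writes a revocation certificate into openpgp-revocs.d at key-generation time), uses a constructed user ID and sample file, and leaves ~/.gnupg untouched; the empty passphrase is only because the key is disposable.

```shell
#!/bin/sh
# Added example (not part of the video): the revocation lifecycle in a
# temporary GNUPGHOME. Assumes GnuPG 2.1+; the user ID, sample plaintext and
# the file names are constructed placeholders.

gpg_revocation_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "skipped"; return 0; }

    home=$(mktemp -d) || return 1
    chmod 700 "$home"            # same strict mode gpg wants on ~/.gnupg
    export GNUPGHOME="$home"
    uid="Revocation Demo <demo@example.invalid>"

    # 1. Generate a key pair non-interactively. Empty passphrase only because
    #    this key is thrown away at the end of the function.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default never >/dev/null 2>&1 || return 1
    fpr=$(gpg --batch --with-colons --list-keys "$uid" | awk -F: '/^fpr/ {print $10; exit}')

    # 2. Baseline: encrypt a constructed file to the key while it is still valid.
    printf 'secret: hunter2\n' > "$home/plain.txt"
    gpg --batch --quiet --yes -r "$uid" -o "$home/plain.gpg" \
        --encrypt "$home/plain.txt" || return 1

    # 3. Revoke. GnuPG stored a certificate at key-generation time; its first
    #    armor line is prefixed with ':' so it cannot be imported by accident.
    #    Stripping that colon and importing is what you would do with the
    #    backed-up certificate after a laptop theft.
    sed 's/^://' "$home/openpgp-revocs.d/$fpr.rev" \
        | gpg --batch --quiet --import 2>/dev/null || return 1

    # 4. Observe the effects. Field 2 of the 'pub' record is 'r' once revoked.
    validity=$(gpg --batch --with-colons --list-keys "$fpr" | awk -F: '/^pub/ {print $2; exit}')
    # Encrypting new data to a revoked key is refused ("Unusable public key").
    if gpg --batch --quiet --yes -r "$uid" -o "$home/again.gpg" \
          --encrypt "$home/plain.txt" 2>/dev/null; then
        encrypt_refused=no
    else
        encrypt_refused=yes
    fi
    # The secret key still decrypts material encrypted before the revocation.
    decrypted=$(gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$home/plain.gpg" 2>/dev/null)
    if [ "$decrypted" = "secret: hunter2" ]; then decrypt_ok=yes; else decrypt_ok=no; fi

    # 5. This armored export now carries the revocation; it is what you would
    #    hand to others or publish (gpg --send-keys) so they see the key as revoked.
    gpg --batch --armor --export "$fpr" > "$home/revoked-public.asc"

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"
    unset GNUPGHOME
    echo "validity=$validity encrypt_refused=$encrypt_refused decrypt_ok=$decrypt_ok"
}

gpg_revocation_demo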

  • @maa3nmassri739
    @maa3nmassri739 2 years ago

    How can I delete the key and make a new one?

    • @NickJanetakis
      @NickJanetakis  2 years ago

      You can revoke your key using the steps in this video and then run gpg --delete-secret-key [KEY_ID] to delete your key, then you can make a new one by following this video.

  • @ethanweatherhead4087
    @ethanweatherhead4087 2 years ago

    Hello guys, I've been working on this YubiKey (smartcard) for almost 2 weeks and I'm struggling to figure this out. I'm quite inexperienced and still very new to all this, so bear with me.
    I'm trying to ssh from the command prompt with my YubiKey to my remote server
    with GPG keys that I have generated in the YubiKey. What I ultimately want is for the remote server to read the private keys in my YubiKey so that I can ssh passwordlessly.
    I have searched all possible documentation online, and YouTube videos, but I can't seem to get it right.
    Can someone help me please? Anyone who has knowledge of ssh authentication/publickey/privatekey/ssh-agent/gpg-agent forwarding?
    Much appreciated....

    • @ethanweatherhead4087
      @ethanweatherhead4087 2 years ago

      If you can make a video regarding this topic, that would be amazing, thanks

  • @alexanderreseneder4563
    @alexanderreseneder4563 3 years ago

    Also I have no configuration file for my gpg client. Why is that so?
    Greetings Alex

    • @NickJanetakis
      @NickJanetakis  3 years ago

      You have to create it initially. That's mentioned very briefly at 20:22.

  • @nathantoulbert4406
    @nathantoulbert4406 2 years ago

    What? Is there a reason I would want the GPG directory in ~/ ? I was iffy when you said that it would be created there, but changing the mode is a deal breaker. I have a 2-year-old system that has thousands of files and dozens of home-baked utility apps that depend on my home environment in order not to break, so it's not an option. My filesystem is currently like a game of Jenga, and the game is almost over...
    Besides, I don't keep most of my files in ~/ anymore. I realized a while ago that ~/.local/ on Ubuntu is more or less a pre-made build environment for developers, so my first command of the day is often to cd there.

    • @NickJanetakis
      @NickJanetakis  2 years ago

      Using that directory was a decision made by the creators of the GPG tool. You can customize the directory path if you want within the gpg config file. Setting a more strict mode is for your benefit to reduce access to the files sitting in that directory.

  • @YaNykyta
    @YaNykyta 1 year ago

    2' 56'' "(See the man page for a..." Are you serious??? "the man page"???

    • @NickJanetakis
      @NickJanetakis  1 year ago +1

      Yes, the man page aka the manual www.gnupg.org/gph/de/manual/r1023.html, or running `man gpg` from the terminal.

    • @YaNykyta
      @YaNykyta 1 year ago

      @@NickJanetakis Sorry then for my comment... such an uncommon word (term) for me... not the best shortening, I mean. "Manual" should not be "man page" imho.

    • @NickJanetakis
      @NickJanetakis  1 year ago +1

      @@YaNykyta It's ok. That term in the context of computers has been around since 1971 en.wikipedia.org/wiki/Man_page.

  • @paullambert1981
    @paullambert1981 3 years ago

    I wish he would just get to the meat and potatoes. I really don't care about why or what. Just tell us what to do. Because of that, I am going to watch some other video. I don't even know what program he is using. He really needs to focus instead of explaining things that go off subject. I have no idea what program he is using, and for that reason, I am out.

    • @NickJanetakis
      @NickJanetakis  3 years ago +1

      No problem! There are timestamps in the timeline to jump around if you don't care about the why, btw. The program being used is explained within 2 minutes and shown on video as well as described in the timestamps as "1:58 installing the gpg command line tool".

  • @ja.ortiz0
    @ja.ortiz0 1 year ago

    I have placed the gpg-agent.conf file in my user/.gnupg/ folder but I'm still being prompted to enter my passphrase every time.

    • @NickJanetakis
      @NickJanetakis  1 year ago

      Did you fully logout / login? What did you put in the file?

    • @ja.ortiz0
      @ja.ortiz0 1 year ago

      @@NickJanetakis Thank you for your response!
      my /.gnupg/ directory includes two files at the moment, a pubring.kbx file and the gpg-agent.conf.
      The gpg-agent.conf file is a verbatim copy of what you show in 20:29, the file contains two lines first one has `default-cache-ttl 604800` and the second has `max-cache-ttl 604800`.
      I don't fully understand what you mean by logout / login. I am on windows do you mean logout / login of my OS user account? If so yes, as I have restarted my PC multiple times. If instead you mean logout / login from GPG then I'm afraid the answer is no, and I must confess I'm not entirely sure on how to do it.
      Thanks again! For your response but also for your video on the topic!

    • @NickJanetakis
      @NickJanetakis  1 year ago

      @@ja.ortiz0 Rebooting would have the same effect as logging in and out of your OS account. I'm surprised it doesn't work.
      Can you try adding this to the bottom of your ~/.bashrc file:
      export GPG_TTY="$(tty)"
      Then save the file and open a new terminal, do something that would ask you for your password -- it shouldn't ask you again for your password until the cache expires.
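
    The two passphrase-caching threads above (@amitgtk's agent that kept prompting after an hour, and @ja.ortiz0's gpg-agent.conf that seemed to be ignored) come down to three things: both TTL lines must be present, the running agent only re-reads its config on a reload or restart, and pinentry needs GPG_TTY to reach the right terminal. The script below is an added example written for this page, not code from the video or the cheatsheet. It assumes GnuPG 2.x (gpgconf --reload / --kill) and writes into a temporary directory so ~/.gnupg is untouched; the 604800-second value is the one-week figure used in the video.

```shell
#!/bin/sh
# Added example (not part of the video): write the cache settings, verify
# them, and reload the agent. Assumes GnuPG 2.x; DIR is a constructed temp
# directory here, ~/.gnupg in real use.

# Write gpg-agent.conf in DIR with both TTLs set to SECS seconds.
# Both lines matter: default-cache-ttl is capped by max-cache-ttl, whose
# default is 2 hours, so setting only the first line still expires the
# cached passphrase after two hours (the symptom in the thread above).
write_agent_conf() {
    dir=$1; secs=$2
    case $secs in
        ''|*[!0-9]*) echo "ttl must be an integer number of seconds" >&2; return 1 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$secs" "$secs" > "$dir/gpg-agent.conf"
    chmod 600 "$dir/gpg-agent.conf"
}

# Read back the effective max-cache-ttl from the file (the agent's own view
# is available at runtime with: gpgconf --list-options gpg-agent).
effective_max_ttl() {
    awk '$1 == "max-cache-ttl" {v = $2} END {print v + 0}' "$1/gpg-agent.conf"
}

# gpg-agent reads its config at start-up and on SIGHUP only. A reload keeps
# already-cached passphrases; a kill discards them and the next gpg call
# starts a fresh agent that picks up the new file.
reload_agent() {
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not installed, skipping reload" >&2; return 0; }
    GNUPGHOME="$1" gpgconf --reload gpg-agent 2>/dev/null \
        || GNUPGHOME="$1" gpgconf --kill gpg-agent 2>/dev/null
    return 0
}

# Usage in a throwaway directory.
demo_dir=$(mktemp -d)
write_agent_conf "$demo_dir" 604800            # one week, as in the video
echo "max-cache-ttl is $(effective_max_ttl "$demo_dir") seconds"
reload_agent "$demo_dir"
GNUPGHOME="$demo_dir" gpgconf --kill gpg-agent 2>/dev/null
rm -rf "$demo_dir"

# Still needed in ~/.bashrc (or the equivalent) so pinentry-curses attaches
# to the terminal you are typing in rather than prompting somewhere else:
#   export GPG_TTY="$(tty)"
```

    On a machine where the prompt still comes back early, compare the file against `gpgconf --list-options gpg-agent` after the reload; if the listed value is not what you wrote, the agent is reading a different GNUPGHOME than the one you edited.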