GPG
Export keys on old machine
Export all public keys.
gpg -a --export > pubkeys.asc
Export all private keys with corresponding public keys.
gpg -a --export-secret-keys > seckeys.asc
Optionally, export trust database of gpg.
gpg --export-ownertrust > otrust.txt
Import keys on new machine
Transfer these files to the new computer and import them.
gpg --import pubkeys.asc
gpg --import seckeys.asc
Verify (list) the imported public keys with gpg -k and the imported private keys with gpg -K.
Optionally, import the trust database.
gpg --import-ownertrust otrust.txt
If you did not export your trust database, you have to manually trust your key(s) again. For instance, if you copied your .password-store as well, pass will not work before you do that.
gpg --edit-key <KEY_ID>
gpg> trust
# e.g. select level 5.
gpg> quit
No Password Dialog with Thunderbird
I'm not sure anymore if I had this problem only with Gnome or i3 as well. Currently, with sway everything works out of the box.
With Gnome put the following in ~/.gnupg/gpg-agent.conf so that Thunderbird actually uses a graphical prompt to display the request for the password of the key. Otherwise Thunderbird fails silently.
pinentry-program /usr/bin/pinentry-gnome3
Thunderbird with external GPG keys
Why? Because I don't like to manage two different gpg stores. If I make changes via the gpg command line tool, they should show up in thunderbird immediately. And have you heard of the Primary password feature in Thunderbird? If you give Thunderbird your private key, you should definitely use that feature.
At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. The same automatic password will be used for all OpenPGP secret keys managed by Thunderbird. You should use the Thunderbird feature to set a Primary Password. Without a Primary Password, your OpenPGP keys in your profile directory are unprotected.
Open the config editor in Thunderbird, allow the external use of gpg and change the path to whatever the command which gpg evaluates to.
mail.openpgp.allow_external_gnupg -> TRUE
mail.openpgp.alternative_gpg_path -> /usr/bin/gpg
- Go to the account settings of the mail account, select the End-To-End Encryption tab and press the Add Key button.
- Then select Use your external key through GnuPG.
- Copy and paste your key ID into the field (in a terminal you can use gpg --list-secret-keys to find your key ID).
Then open the OpenPGP Key Manager and import your own public key (e.g. File → Import public key) and set it to Accepted in the import prompt (you can export your public key via gpg --export --armor --output public.asc <keyid>).
Lastly, restart Thunderbird.
Storage and backup
Optional: make an archive of the backup folder
tar czf gpg-backup.tgz gpg-backup
Encrypt it symmetrically with gpg
gpg -o gpg-backup.tgz.gpg --symmetric gpg-backup.tgz
This can be decrypted by running the following command and entering the password used for the symmetric encryption.
gpg gpg-backup.tgz.gpg
Keys
Meaning of shortcuts:
sec => 'SECret key'
ssb => 'Secret SuBkey'
pub => 'PUBlic key'
sub => 'public SUBkey'
List Keys Cached by gpg-agent
All keys that have a 1 in the 7th column are cached keys. Remember the keygrip in that line.
$ gpg-connect-agent 'keyinfo --list'
S KEYINFO AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA D - - 1 P - - - <-this one is cached
S KEYINFO BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB D - - - P - - -
Then list your secret gpg keys with their keygrips to figure out which key that keygrip belongs to.
$ gpg --list-secret-keys --with-keygrip
sec rsa4096 2100-00-00 [SC]
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Keygrip = XXXXOTHERKEYGRIPOFTHISKEYZZZZZZZZZZZZZZZ
uid [ultimate] something <something@example.com>
ssb rsa4096 2100-00-00 [E] <- belongs to this secret sub key <----.
Keygrip = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <- here is the matching keygrip |
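As an added example (not part of the original notes), a small POSIX shell script that automates the two steps above: it pulls the cached keygrips out of the keyinfo listing and looks up the sec/ssb line each one belongs to. The two listings are constructed samples embedded in the script so it runs without gpg; with a real install, pipe the live output of the two commands into the functions instead.

```shell
#!/bin/sh
# Added example: map keygrips cached by gpg-agent to the secret (sub)keys they
# belong to. Both listings below are constructed samples in the shape of
# `gpg-connect-agent 'keyinfo --list'` and `gpg --list-secret-keys --with-keygrip`
# so the script runs offline; in real use, pipe the live command output in.

KEYINFO_SAMPLE='S KEYINFO AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA D - - 1 P - - -
S KEYINFO BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB D - - - P - - -
OK'

SECRET_KEYS_SAMPLE='sec   rsa4096 2100-00-00 [SC]
      CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
      Keygrip = XXXXOTHERKEYGRIPOFTHISKEYZZZZZZZZZZZZZZZ
uid           [ultimate] something <something@example.com>
ssb   rsa4096 2100-00-00 [E]
      Keygrip = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Keygrips the agent holds a cached passphrase for: KEYINFO lines whose
# 7th column is 1 (column 3 is the keygrip itself). Reads stdin.
cached_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Print the sec/ssb line that owns the keygrip given as $1. A "Keygrip = ..."
# line follows its key line in the listing, so remember the last key seen.
key_for_keygrip() {
    awk -v grip="$1" '
        $1 == "sec" || $1 == "ssb" { owner = $0 }
        $1 == "Keygrip" && $3 == grip { print owner; exit }
    '
}

# For every cached keygrip, print "<keygrip> -> <owning key line>".
# $1: keyinfo listing text, $2: secret key listing text.
report_cached_keys() {
    printf '%s\n' "$1" | cached_keygrips | while read -r grip; do
        printf '%s -> %s\n' "$grip" "$(printf '%s\n' "$2" | key_for_keygrip "$grip")"
    done
}

report_cached_keys "$KEYINFO_SAMPLE" "$SECRET_KEYS_SAMPLE"
```

With live data: report_cached_keys "$(gpg-connect-agent 'keyinfo --list')" "$(gpg --list-secret-keys --with-keygrip)".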