Lines Matching refs:key

99 of caching the private key passphrase. There are two options you should
102 - ``default-cache-ttl`` (seconds): If you use the same key again before
106 the key since initial passphrase entry, if the maximum time-to-live
138 Protect your master PGP key
141 This guide assumes that you already have a PGP key that you use for Linux
146 You should also make a new key if your current one is weaker than 2048 bits
149 Master key vs. Subkeys
153 key using certifying key signatures (certificates). It is important to
156 1. There are no technical differences between the "master key" and "subkeys."
157 2. At creation time, we assign functional limitations to each key by
159 3. A PGP key can have 4 capabilities:
161 - **[S]** key can be used for signing
162 - **[E]** key can be used for encryption
163 - **[A]** key can be used for authentication
164 - **[C]** key can be used for certifying other keys
166 4. A single key may have multiple capabilities.
167 5. A subkey is fully independent from the master key. A message
168 encrypted to a subkey cannot be decrypted with the master key. If you
169 lose your private subkey, it cannot be recreated from the master key
172 The key carrying the **[C]** (certify) capability is considered the
173 "master" key because it is the only key that can be used to indicate
174 relationship with other keys. Only the **[C]** key can be used to:
177 - add, change or revoke identities (uids) associated with the key
183 - A master key carrying both Certify and Sign capabilities (**[SC]**)
186 If you used the default parameters when generating your key, then that
195 Any key carrying the **[C]** capability is your master key, regardless
198 The long line under the ``sec`` entry is your key fingerprint --
218 Our goal is to protect your master key by moving it to offline media, so
219 if you only have a combined **[SC]** key, then you should create a separate
227 $ gpg --send-key [fpr]
247 Back up your master key for disaster recovery
250 The more signatures you have on your PGP key from other developers, the
254 The best way to create a printable hardcopy of your private key is by
261 key::
263 $ gpg --export-secret-key [fpr] | paperkey -o /tmp/key-backup.txt
267 strongly recommended** because the key printout is still encrypted with
281 change the passphrase on your master key immediately after you are
294 on these external copies whenever you need to use your Certify key --
295 such as when making changes to your own key or signing other people's
303 master key.
313 $ gpg --homedir=/media/disk/foo/gnupg-backup --list-key [fpr]
322 Remove the master key from your homedir
334 Protecting your key with a good passphrase greatly helps reduce the risk
337 recommended setup is to remove your master key from your home directory
344 render your key useless if you do not have a usable backup!
346 First, identify the keygrip of your master key::
348 $ gpg --with-keygrip --list-key [fpr]
362 master key fingerprint). This will correspond directly to a file in your
367 1111000000000000000000000000000000000000.key
368 2222000000000000000000000000000000000000.key
369 3333000000000000000000000000000000000000.key
371 All you have to do is simply remove the .key file that corresponds to
375 $ rm 1111000000000000000000000000000000000000.key
378 the master key is missing (the ``#`` indicates it is not available)::
395 GnuPG v1. Making any changes to your key, such as changing the
407 Even though the master key is now safe from being leaked or stolen, the
423 itself. Because the key contents never leave the smartcard, the
428 operating system is able to access the private key contents.
517 your subkeys onto the smartcard. You will need both your PGP key
520 $ gpg --edit-key [fpr]
535 Using ``--edit-key`` puts us into the menu mode again, and you will
536 notice that the key listing is a little different. From here on, all
539 First, let's select the key we'll be putting onto the card -- you do
540 this by typing ``key 1`` (it's the first one in the listing, the **[E]**
543 gpg> key 1
545 In the output, you should now see ``ssb*`` on the **[E]** key. The ``*``
546 indicates which key is currently "selected." It works as a *toggle*,
547 meaning that if you type ``key 1`` again, the ``*`` will disappear and
548 the key will not be selected any more.
550 Now, let's move that key onto the smartcard::
553 Please select where to store the key:
554 (2) Encryption key
557 Since it's our **[E]** key, it makes sense to put it into the Encryption
559 your PGP key passphrase, and then for the admin PIN. If the command
560 returns without an error, your key has been moved.
562 **Important**: Now type ``key 1`` again to unselect the first key, and
563 ``key 2`` to select the **[S]** key::
565 gpg> key 1
566 gpg> key 2
568 Please select where to store the key:
569 (1) Signature key
570 (3) Authentication key
573 You can use the **[S]** key both for Signature and Authentication, but
601 ``.key`` files there have been replaced with stubs::
604 $ strings *.key | grep 'private-key'
606 The output should contain ``shadowed-private-key`` to indicate that
628 with your PGP key.
630 Mounting your master key offline storage
633 You will need your master key for any of the operations below, so you
641 output (the ``#`` means the key is not available and you're still using
644 Extending key expiration date
647 The master key has the default expiration date of 2 years from the date
651 To extend the expiration on your key by a year from current date, just
661 Remember to send the updated key back to keyservers::
663 $ gpg --send-key [fpr]
668 After you make any changes to your key using the offline storage, you will
711 Configure git to use your PGP key
714 If you only have one secret key in your keyring, then you don't really
715 need to do anything extra, as it becomes your default key. However, if
716 you happen to have multiple secret keys, you can tell git which key
717 should be used (``[fpr]`` is the fingerprint of your key)::
762 import their PGP key. Please refer to the
835 that the key used to sign something belongs to the actual kernel
838 Configure auto-key-retrieval using WKD and DANE
843 on key auto-discovery and auto-retrieval. GnuPG can piggyback on other
850 auto-key-locate wkd,dane,local
851 auto-key-retrieve
869 UID to your key`_ to make WKD more useful to other kernel developers.
871 .. _`add the kernel.org UID to your key`: https://korg.wiki.kernel.org/userdoc/mail#adding_a_kernel…
887 to a remote system, its key fingerprint is recorded and remembered. If
888 the key changes in the future, the SSH client will alert you and refuse
890 trust the changed key or not. Similarly, the first time you import
891 someone's PGP key, it is assumed to be valid. If at any point in the
892 future GnuPG comes across another key with the same identity, both the
893 previously imported key and the new key will be marked as invalid and
905 If you get a "No public key" error when trying to validate someone's
906 tag, then you should attempt to lookup that key using a keyserver. It is
908 key you retrieve from PGP keyservers belongs to the actual person --
910 establish key validity.
916 importing a malicious key.
919 an error saying the key is not found::
923 gpg: using RSA key DA73759BF8619E484E5A3B47389A54219C0F2430
925 gpg: Can't check signature: No public key
927 Let's query the keyserver for more info about that key fingerprint (the
929 without finding out the ID of the master key it is associated with)::
934 4096 bit RSA key C94035C21B4F2AEB, created: 2017-03-14, expires: 2019-03-15
937 Locate the ID of the master key in the output, in our example
938 ``C94035C21B4F2AEB``. Now display the key of Linus Torvalds that you
941 $ gpg --list-key torvalds@kernel.org
947 Next, find a trust path from Linus Torvalds to the key-id you found via ``gpg
948 --search`` of the unknown key. For this, you can use several tools including
954 that it is a valid key. You can add it to your keyring from the
957 $ gpg --recv-key C94035C21B4F2AEB