GPG

GNU Privacy Guard (GPG) keys are used for encrypting, decrypting, and digitally signing data to ensure confidentiality, integrity, and authenticity. A GPG key pair includes a public key (shared with others for encryption and signature verification) and a private key (kept secret for decryption and signing).

The key itself, in turn, has two parts: a primary key and one or more subkeys.

In the GPG world, it’s standard practice to have a primary (master) identity key (ed25519) that signs a separate subkey (cv25519) which does the heavy lifting of encrypting files. This way, if your encryption subkey is compromised, you can rotate it without having to throw away your main identity.

In the Alpine Linux GitLab, GPG keys allow one to verify signed commits.

Integration with SSH

Not working

gpg-agent can also act as a replacement for ssh-agent and serve SSH keys derived from your GPG authentication subkey. This lets you use a single GPG passphrase to unlock both your GPG keys and your SSH keys, which are then stored and managed by gpg-agent. It is a more centralized and potentially more secure way to handle multiple cryptographic keys.

To make this work, add the “Keygrip” of your GPG authentication subkey to the file ~/.gnupg/sshcontrol. List the keygrips with:

gpg --list-keys --with-keygrip

If an authentication subkey is not available yet, add one with the following steps:

gpg --expert --edit-key 25F06E8D4E4D9B0C

   Type addkey.
   Look for option (11): it should appear as (11) ECC (set your own capabilities). Select 11.
   The toggle menu: you should now see a menu like this:
        Possible actions for a ECDSA/EdDSA key: Sign Authenticate
        Current allowed actions: Sign
   Toggle them:
        Type S and hit Enter (to turn off Signing).
        Type A and hit Enter (to turn on Authentication).
        The "Current allowed actions" should now say Authenticate.
   Type Q to quit the toggle menu.
   Select (1) Curve 25519.
   Set your expiration (3y) and then type save.
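As an added example (not code from the original page), the following script automates the sshcontrol step above: it picks the keygrip of the authentication-capable subkey out of the machine-readable listing that `gpg --list-keys --with-keygrip --with-colons` prints, and appends it to sshcontrol only if it is not already there. The listing embedded in the script is constructed sample data (the key IDs match this page; the subkey fingerprints and keygrips are placeholders), so it runs without a keyring; swap in the real gpg command where the comment indicates.

```shell
#!/bin/sh
# Added example (not from the original page): locate the keygrip of the
# [A] (authentication) subkey in `gpg --list-keys --with-keygrip --with-colons`
# output and register it with gpg-agent's SSH support.
# SAMPLE_LISTING is CONSTRUCTED data; only the key IDs match this page,
# fingerprints and keygrips are placeholders.

SAMPLE_LISTING='pub:u:255:22:25F06E8D4E4D9B0C:1715644800:1866758400::u:::scSC:
fpr:::::::::7A438AC8533C6993AD1C9BA425F06E8D4E4D9B0C:
grp:::::::::AAAA000000000000000000000000000000000000:
uid:u::::1715644800::0123456789ABCDEF0123456789ABCDEF01234567::Prabu Anand Kalivaradhan <kprabuanand@gmail.com>:
sub:u:255:18:5BB1663D6AC03B85:1715644800:1866758400:::::e:
fpr:::::::::BBBB000000000000000000000000000000000000:
grp:::::::::BBBB111111111111111111111111111111111111:
sub:u:255:22:0123456789ABCDEF:1715644800:1866758400:::::a:
fpr:::::::::CCCC000000000000000000000000000000000000:
grp:::::::::CCCC111111111111111111111111111111111111:'

# Reads a colon-format listing on stdin and prints the keygrip of every
# subkey whose capability field (field 12) contains "a" (authenticate).
# A "grp" record always follows the "sub"/"fpr" records of the same key.
auth_keygrips() {
    awk -F: '
        $1 == "pub" { want = 0 }
        $1 == "sub" { want = ($12 ~ /a/) ? 1 : 0 }
        $1 == "grp" && want { print $10; want = 0 }
    '
}

# Idempotently adds a keygrip to the sshcontrol file.
# $1 = keygrip, $2 = path of sshcontrol (defaults to ~/.gnupg/sshcontrol).
# gpg-agent's format is one keygrip per line followed by a TTL in seconds;
# 0 means "use the default cache time".
add_to_sshcontrol() {
    grip=$1
    file=${2:-"$HOME/.gnupg/sshcontrol"}
    [ -n "$grip" ] || return 1
    touch "$file"
    if grep -q "^$grip" "$file"; then
        echo "already present: $grip"
        return 0
    fi
    printf '%s 0\n' "$grip" >> "$file"
    echo "added: $grip"
}

# Demo on the constructed listing. For a live keyring, replace the printf
# with:  gpg --list-keys --with-keygrip --with-colons | auth_keygrips
# and drop the second argument so the real sshcontrol file is used.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips | while read -r grip; do
    add_to_sshcontrol "$grip" "$demo_file"
done
echo "resulting sshcontrol:"
cat "$demo_file"
rm -f "$demo_file"

# Still required for SSH clients to talk to gpg-agent:
#   echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf   (then restart the agent)
#   export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
#   ssh-add -L   should now print the public key of the [A] subkey
```

The parser deliberately resets on every `pub` record so that a primary key's own `grp` line is never mistaken for a subkey's, and it only accepts a `grp` line that directly follows a matching `sub`.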

Find Your Key ID:

First, identify the ID of the key you want to upload. You can list all keys on your keyring to find the ID:

gpg --list-keys
pub   ed25519 2024-05-14 [SC] [expires: 2027-05-14]
      7A438AC8533C6993AD1C9BA425F06E8D4E4D9B0C
uid           [ultimate] Prabu Anand Kalivaradhan <kprabuanand@gmail.com>
sub   cv25519 2024-05-14 [E] [expires: 2027-05-14]

To see the key IDs next to the fingerprint, ask for the long key ID format:

gpg --list-keys --keyid-format LONG
/home/prabu/.gnupg/pubring.kbx
------------------------------
pub   ed25519/25F06E8D4E4D9B0C 2024-05-14 [SC] [expires: 2029-02-26]
      7A438AC8533C6993AD1C9BA425F06E8D4E4D9B0C
uid                 [ultimate] Prabu Anand Kalivaradhan <kprabuanand@gmail.com>
sub   cv25519/5BB1663D6AC03B85 2024-05-14 [E] [expires: 2029-02-26]

Exporting Keys

Note down the ID of the key you want to upload (the short ID is usually an 8-character hexadecimal string; the 16-character value after the slash in the --keyid-format LONG listing is the long ID, and the full 40-character fingerprint is accepted everywhere a key ID is).

Export Your Public Key (Optional): Export your public key if you haven’t already done so. This step is optional, but it is useful if you want to share your key manually or upload the file through a keyserver's web form:

gpg --output mykey.asc --armor --export [KEY_ID]

prabu@homepc2 ~/.gnupg> gpg --output mykey.asc --armor --export 7A438AC8533C6993AD1C9BA425F06E8D4E4D9B0C
prabu@homepc2 ~/.gnupg> ls mykey.asc
mykey.asc
prabu@homepc2 ~/.gnupg> cat mykey.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
=z3So
-----END PGP PUBLIC KEY BLOCK-----

Replace [KEY_ID] with your actual key ID.

Upload Your Key

By uploading your OpenPGP keys to a keyserver, others can find and use them.

Use gpg --send-keys to upload your key to a keyserver. By default, it uploads the key to the keyserver configured in your gpg.conf. To upload your key to a specific keyserver, pass it with the --keyserver option:

gpg --send-keys [KEY_ID]
gpg --keyserver hkp://keys.openpgp.org --send-keys [KEY_ID]

As usual, the command line did not work.

Upload the key file: Go to keys.openpgp.org, click “Browse”, select the mykey.asc file just created, and then click “Upload”.

Verify ownership (optional): keys.openpgp.org will send you instructions via email to verify ownership of the key. This step is optional but recommended as it makes your key more searchable by email address.

Verify Upload

After uploading, you can verify that your key is available on the keyserver. You can search for your key using the key ID or other identifiers:

$ gpg --keyserver hkp://keys.openpgp.org --search-keys [SEARCH_TERM]

Replace [SEARCH_TERM] with your key ID or email associated with the key.

$ gpg --keyserver hkp://keys.openpgp.org --search-keys kprabuanand@gmail.com
gpg: data source: http://keys.openpgp.org:11371
(1)	Prabu Anand Kalivaradhan <kprabuanand@gmail.com>
     256 bit EDDSA key 25F06E8D4E4D9B0C, created: 2024-05-14
Keys 1-1 of 1 for "kprabuanand@gmail.com".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 25F06E8D4E4D9B0C: "Prabu Anand Kalivaradhan <kprabuanand@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Publicize Your Key: To make it easier for others to find your key, consider sharing your key ID or fingerprint along with your email address on your website, in email signatures, or in public forums where encryption is used.

Tips:

Backup Your Keys:

Always keep a secure backup of your private key in a safe place separate from your computer.

$ gpg --export-secret-keys --armor [KEY_ID] > myprivatekey.asc

Create a revocation certificate

Create a revocation certificate. It is needed to retract your key from keyservers and tell others to stop using it in case your private key is compromised or lost.

gpg --output revoke.asc --gen-revoke [KEY_ID]

Trust and Verification:

When uploading your key, consider the trust you place in the keyserver and the trust others might place in your key. Key verification through face-to-face meetings (Web of Trust) can enhance security.

By following these steps, you can successfully upload your OpenPGP key to a keyserver, making it available for others to use for encryption, verification, and authentication purposes.

Deleting Keys

Deleting others' keys

Regularly cleaning out unwanted keys keeps the keyring manageable. To delete someone else's key, use the following command.

$ gpg --delete-key [KEY_ID]
$ gpg --delete-key 409394E9568EDFB7D07BD2A1FA8DE4DCD91C2E88

Deleting own key

Warning: Deleting a secret key without a backup is permanent. If you have files encrypted with that key, they will be lost forever.

To delete your own (for example, expired) GPG key, one extra step is required: the secret key has to be deleted first. Only after this step can the public key be deleted with --delete-key as above.

$ gpg --delete-secret-key [KEY_ID]
$ gpg --delete-secret-key 409394E9568EDFB7D07BD2A1FA8DE4DCD91C2E88

Extending the validity of key

When extending the validity, extend both the primary key and the subkey; each of them has its own expiration date. If you only extend the pub (primary) but not the sub (subkey), you’ll still be able to sign things, but you won’t be able to encrypt or decrypt files after the original expiration date.

prabu@homepc2 ~/.gnupg [2]> gpg --edit-key 25F06E8D4E4D9B0C
gpg (GnuPG) 2.4.9; Copyright (C) 2025 g10 Code GmbH
Secret key is available.

sec  ed25519/25F06E8D4E4D9B0C
     created: 2024-05-14  expires: 2027-05-14  usage: SC
     trust: ultimate      validity: ultimate
ssb  cv25519/5BB1663D6AC03B85
     created: 2024-05-14  expires: 2027-05-14  usage: E
[ultimate] (1). Prabu Anand Kalivaradhan <kprabuanand@gmail.com>

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Mon Feb 26 21:38:17 2029 IST
Is this correct? (y/N) y

sec  ed25519/25F06E8D4E4D9B0C
     created: 2024-05-14  expires: 2029-02-26  usage: SC
     trust: ultimate      validity: ultimate
ssb  cv25519/5BB1663D6AC03B85
     created: 2024-05-14  expires: 2027-05-14  usage: E
[ultimate] (1). Prabu Anand Kalivaradhan <kprabuanand@gmail.com>

gpg> key 1

sec  ed25519/25F06E8D4E4D9B0C
     created: 2024-05-14  expires: 2029-02-26  usage: SC
     trust: ultimate      validity: ultimate
ssb* cv25519/5BB1663D6AC03B85
     created: 2024-05-14  expires: 2027-05-14  usage: E
[ultimate] (1). Prabu Anand Kalivaradhan <kprabuanand@gmail.com>

gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Mon Feb 26 21:40:44 2029 IST
Is this correct? (y/N) y

sec  ed25519/25F06E8D4E4D9B0C
     created: 2024-05-14  expires: 2029-02-26  usage: SC
     trust: ultimate      validity: ultimate
ssb* cv25519/5BB1663D6AC03B85
     created: 2024-05-14  expires: 2029-02-26  usage: E
[ultimate] (1). Prabu Anand Kalivaradhan <kprabuanand@gmail.com>

gpg> save

Update the keyserver with the extended validity:

gpg --keyserver hkp://keys.openpgp.org --send-keys 25F06E8D4E4D9B0C
gpg: sending key 25F06E8D4E4D9B0C to hkp://keys.openpgp.org

After extending the validity, export both your public key and your private key again as described above, so that your backups carry the new expiration dates.
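As an added example (not code from the original page), the script below checks for exactly the mistake described in this section: a primary key that was extended while a subkey still carries the old expiry. It parses the machine-readable `gpg --list-keys --with-colons` output (creation and expiry are Unix timestamps in fields 6 and 7) and reports any subkey that expires before its primary key. The embedded listing is constructed sample data reproducing this page's key IDs with the primary already at 2029-02-26 and the encryption subkey still at 2027-05-14. The `extend_all` helper is an assumption-free alternative to the interactive `expire` dialogue: GnuPG's own `--quick-set-expire` option with `'*'` as the subkey selector applies one new period to the primary key and all subkeys at once (supported by current GnuPG 2.2/2.4 releases).

```shell
#!/bin/sh
# Added example (not from the original page): find subkeys whose expiry
# lags behind the primary key's, and extend everything in one go.
# SAMPLE_LISTING is CONSTRUCTED `gpg --list-keys --with-colons` data:
# primary 25F06E8D4E4D9B0C already extended to 2029-02-26 (1866758400),
# encryption subkey 5BB1663D6AC03B85 still at 2027-05-14 (1810252800).
# The subkey fingerprint is a placeholder.

SAMPLE_LISTING='pub:u:255:22:25F06E8D4E4D9B0C:1715644800:1866758400::u:::scSC:
fpr:::::::::7A438AC8533C6993AD1C9BA425F06E8D4E4D9B0C:
uid:u::::1715644800::0123456789ABCDEF0123456789ABCDEF01234567::Prabu Anand Kalivaradhan <kprabuanand@gmail.com>:
sub:u:255:18:5BB1663D6AC03B85:1715644800:1810252800:::::e:
fpr:::::::::BBBB000000000000000000000000000000000000:'

# Reads a colon-format listing on stdin. Prints
#   "<subkey id> <primary expiry> <subkey expiry>"
# for every subkey that expires before its primary key (a non-expiring
# primary is reported as "never"); prints nothing when all dates line up.
lagging_subkeys() {
    awk -F: '
        $1 == "pub" { primary_exp = $7 }
        $1 == "sub" && $7 != "" && (primary_exp == "" || $7 + 0 < primary_exp + 0) {
            print $5, (primary_exp == "" ? "never" : primary_exp), $7
        }
    '
}

# Turns the epoch seconds GnuPG prints into a date for human reading.
# (GNU date syntax; on BSD/macOS use: date -r "$1" +%Y-%m-%d)
epoch_to_date() {
    date -u -d "@$1" +%Y-%m-%d 2>/dev/null || echo "$1"
}

# Non-interactive equivalent of running "expire" on the primary key and on
# every subkey: $1 = primary fingerprint, $2 = new period (default 3y).
# The '*' selector tells --quick-set-expire to apply the period to all
# subkeys as well. Not executed in the demo below.
extend_all() {
    fpr=$1
    period=${2:-3y}
    gpg --quick-set-expire "$fpr" "$period" '*'
}

# Demo on the constructed listing. For a live keyring run:
#   gpg --list-keys --with-colons | lagging_subkeys
printf '%s\n' "$SAMPLE_LISTING" | lagging_subkeys | while read -r sub pexp sexp; do
    echo "subkey $sub expires $(epoch_to_date "$sexp"), primary expires $pexp ($(epoch_to_date "$pexp"))"
    echo "  fix: extend_all <primary-fingerprint> 3y   # then --send-keys and re-export"
done
```

Run the check after every `expire`/`save` session and before pushing to the keyserver; an empty result means the primary key and all subkeys now expire together (or later).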

Housekeeping

Sometimes GPG doesn’t trigger the TrustDB check automatically. If your keys ever seem to be acting “stale”, you can force GPG to recalculate the trust database with this command:

gpg --check-trustdb

It’s like refreshing a web page, but for your security certificates.


© Prabu Anand K 2020-2026