The GNU Privacy Guard (GPG)

Introduction

This page collects a few notes about the configuration of the GNU Privacy Guard (the gpg command). My main use of this software is for encryption of a part of my data on my Debian GNU/Linux box. I also happen to use it to verify the authenticity of a downloaded Debian installer image, as described in my Debian base installation notes ("Getting an installation CD").

There is nothing here about how to use the GNU Privacy Guard itself. For that, the Tutonics guide is a good starting point.

Selecting the pinentry version

Pinentry is the dialog program invoked by GPG to read a passphrase. It exists in multiple versions. On my system, two versions are installed: pinentry-curses and pinentry-gnome3. On a Debian system, you can select the pinentry version using the Debian alternatives system (as root):

update-alternatives --config pinentry # As root.

List the pinentry versions available on a Debian system with:

apt-cache search pinentry|grep ^pinentry

Pinentry may not work if you don't own the tty (e.g. when you have changed user with su). In such cases, one solution is to invoke gpg with the --pinentry-mode loopback option, which makes gpg read the passphrase itself instead of going through the agent's pinentry. Older gpg-agent versions (before 2.1.12) only accept loopback mode if allow-loopback-pinentry is set in ~/.gnupg/gpg-agent.conf.

Configuring the passphrase caching time

Depending on the configuration, GPG does not ask for the passphrase again if you entered it a short (configurable) time ago. This is very practical in my use case, and I have even increased the time by setting the default-cache-ttl and max-cache-ttl parameters in the ~/.gnupg/gpg-agent.conf file. Both values are in seconds: default-cache-ttl is an idle timeout, reset each time the cached passphrase is used, while max-cache-ttl is an absolute limit counted from the moment the passphrase was entered (so the values below mean 4 and 8 hours). Keep in mind that the longer the cache lives, the longer anyone who gets hold of the unlocked session can use the key without knowing the passphrase:

default-cache-ttl 14400
max-cache-ttl 28800

Note that you have to stop gpg-agent after editing ~/.gnupg/gpg-agent.conf, otherwise your changes are not taken into account:

gpgconf --kill gpg-agent

gpg-agent is restarted automatically by GPG when needed.
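The following shell script is an added example, not part of these notes: it reads the two TTL options from a gpg-agent.conf, falls back to gpg-agent's built-in defaults (600 and 7200 seconds) when an option is absent, and flags the case where default-cache-ttl is larger than max-cache-ttl (the absolute limit then silently wins and the idle timeout never matters). The helper names ttl_value and check_cache_ttl are my own, and the sample configuration file is constructed inline with the values from the section above.

```shell
#!/bin/sh
# Added example, not part of the original notes: read the cache TTL values
# from a gpg-agent.conf and sanity-check them before restarting the agent.
# Semantics from the gpg-agent manual: default-cache-ttl is an idle timeout
# (seconds since the cached passphrase was last used), max-cache-ttl is the
# absolute lifetime in seconds since the passphrase was entered.  When an
# option is absent, gpg-agent's built-in defaults apply (600 and 7200).

# ttl_value OPTION DEFAULT FILE: print the last value set for OPTION in FILE,
# or DEFAULT if the file is missing, does not set the option, or sets a
# non-numeric value.  (Hypothetical helper name.)
ttl_value() {
    opt=$1; dflt=$2; conf=$3
    val=
    if [ -r "$conf" ]; then
        val=$(awk -v opt="$opt" '$1 == opt { v = $2 } END { print v }' "$conf")
    fi
    case $val in
        ''|*[!0-9]*) printf '%s\n' "$dflt" ;;   # unset or not a number
        *)           printf '%s\n' "$val"  ;;
    esac
}

# check_cache_ttl FILE: report the effective caching window and return 1
# when default-cache-ttl exceeds max-cache-ttl.  (Hypothetical helper name.)
check_cache_ttl() {
    conf=$1
    idle=$(ttl_value default-cache-ttl 600 "$conf")
    abs=$(ttl_value max-cache-ttl 7200 "$conf")
    if [ "$idle" -gt "$abs" ]; then
        echo "$conf: default-cache-ttl ($idle s) exceeds max-cache-ttl ($abs s); entries expire after $abs s"
        return 1
    fi
    echo "$conf: passphrase cached for up to $idle s idle / $abs s absolute ($((idle / 3600)) h / $((abs / 3600)) h)"
}

# Constructed sample with the values from the notes above.  To check a real
# file:  check_cache_ttl "$HOME/.gnupg/gpg-agent.conf"
SAMPLE_CONF=$(mktemp)
printf '# constructed sample\ndefault-cache-ttl 14400\nmax-cache-ttl 28800\n' > "$SAMPLE_CONF"
check_cache_ttl "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it before `gpgconf --kill gpg-agent` so that a typo in the file is caught while the old agent is still running with the previous settings.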

Deleting a key without confirmation prompt

I once mistakenly imported a whole keyring. The --delete-key option of GPG makes it possible to delete a key:

gpg --delete-key <key_id>

But this prompts you for confirmation. If you want to run a large number of such commands (in a script), you may not want to be prompted for confirmation. Use the --batch --yes options for that. Note that --delete-key only removes public keys: a key that still has a secret part is refused and has to be removed with --delete-secret-keys first (or with --delete-secret-and-public-key):

gpg --batch --yes --delete-key <key_id>
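An added example, not from the original notes, of scripting such deletions safely: keys are selected by full fingerprint taken from `gpg --list-keys --with-colons` rather than by short key id, because 8-hex-digit short ids are not unique and a script deleting by short id can hit a different key than intended. The helpers primary_fingerprints, delete_keys_batch and dry_run_gpg are my own names; the --with-colons listing embedded below is constructed with fake fingerprints and is not a real keyring.

```shell
#!/bin/sh
# Added example, not part of the original notes: delete a set of public keys
# non-interactively, selecting them by full fingerprint.  The "fpr" record of
# a --with-colons listing carries the fingerprint in field 10.

GPG=${GPG:-gpg}   # command used for deletion; replaced below for a dry run

# primary_fingerprints: read a --with-colons listing on stdin and print the
# fingerprint of each primary key (the "fpr" record directly following a
# "pub" record; subkey fingerprints follow "sub" records and are skipped).
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0; next }
             { want = 0 }'
}

# delete_keys_batch: read one fingerprint per line on stdin and delete each
# public key without a confirmation prompt.  --delete-key refuses keys that
# still have a secret part; those need --delete-secret-keys first.
delete_keys_batch() {
    while IFS= read -r fpr; do
        [ -n "$fpr" ] || continue
        "$GPG" --batch --yes --delete-key "$fpr"
    done
}

# Constructed sample of a --with-colons listing (fake fingerprints, not real
# keys): two primary keys, the first with one encryption subkey.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:1800000000::u:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000:1800000000:::::e::::::23:
fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEEFEDCBA9876543210:
pub:e:2048:1:1111111111111111:1500000000:1600000000::u:::scESC::::::23::0:
fpr:::::::::2222222222222222222222221111111111111111:
uid:e::::1500000000::0000000000000000000000000000000000000000::Bob Example <bob@example.invalid>::::::::::0:'

# Dry run on the sample: print the commands instead of running gpg.  Against a
# real keyring, set GPG=gpg and feed the real listing:
#   gpg --list-keys --with-colons | primary_fingerprints | delete_keys_batch
dry_run_gpg() { echo "gpg $*"; }
GPG=dry_run_gpg
printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprints | delete_keys_batch
```

Review the fingerprint list (the output of primary_fingerprints) before piping it into delete_keys_batch: with --batch --yes there is no second chance, and the dry run above exists precisely so that the list can be checked first.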

Configuring a default recipient

You can configure a default recipient, used by gpg --encrypt commands when no --recipient option is given, by adding a line like the following in the ~/.gnupg/gpg.conf file:

default-recipient <key_id>

Extension of the expiration date of a key

To extend the expiration date of a key, just follow the instructions on this G-Loaded Journal article.

Other resources