Creating and Managing a GPG Key Pair
Рет қаралды 67,673
Күн бұрынSee how to create, edit, revoke, export, backup and restore a GPG key pair.
Hit the subscribe button to receive more videos like this!
---
Timestamps:
0:00 -- What we're going to cover in this video
0:47 -- Using your gpg key for encrypting files, signing commits and password managers
1:58 -- Installing the gpg command line tool
2:27 -- Customizing your gnupg home directory (only for the sake of this video)
3:18 -- Checking to see if you already have a gpg key pair
3:52 -- Generating a secure gpg key pair with an expiration date
7:56 -- Editing your key, specifically updating your expiration date
10:13 -- Changing your gpg passphrase and keeping it safe
11:35 -- Creating a revoke certificate to maybe revoke your key pair on demand
16:34 -- Backing up and restoring your key pair and associated files
18:09 -- Exporting your gpg public key so you can share it with others
19:51 -- Configuring your gpg agent to cache your passphrase for a week
21:42 -- Recap
Cheatsheet:
nickjanetakis.com/blog/creatin...
Reference links:
www.passwordstore.org/
---
Follow along?
Personal Website: nickjanetakis.com
Twitter: / nickjanetakis
@elrisitas8508 3 жыл бұрын
thank you youtube algorithm for always finding the best videos for me
@cindrmon 3 жыл бұрын
I think this will now be my official go-to guide for GPG keys! Thanks a lot for making this really in-depth GPG management tutorial! Took me a couple weeks to figure out how to use GPG keypairs properly, and I would so often think it be "that" disposable as like SSH keys, but I only realised how important these are, and how much are they maintained, when I simply deleted my old GPG key, and it left a bad scar on some of my github commits, with unverified commits scattered among some of my repos. I really learned my lesson, and again, thank you for this guide!
@NickJanetakis 3 жыл бұрын
Awesome, happy to hear you liked it. Thanks for watching!
@cindrmon 3 жыл бұрын
@@NickJanetakis yee! Hi! i do have a question. Would you explain more on those 4 other files preceding with `S.gpg-agent`, and how to configure them?
@NickJanetakis 3 жыл бұрын
@@cindrmon They are empty files on my machine. I haven't configured them but you may want to Google each of them individually.
@Jordan-hz1wr 8 ай бұрын
I've been using gpg for years and I still refer back to your videos. Good work, Sir!
@NickJanetakis 8 ай бұрын
Thanks a lot.
@lstellway 7 ай бұрын
Wonderful introduction to GnuPG - thank you!
@aakupsp 3 жыл бұрын
Thanks for the detailed explanation. Appreciate it!
@guillaumeturgeon9915 3 жыл бұрын
Great video! Thanks for the detailed explanation
@simonnjoroge933 8 ай бұрын
This is amazing 👍🌟. I just love the over simplification, it offers a very good general overview of the superficial workings of GPG, a piece of software that has bothered me for weeks. 😃
@NickJanetakis 8 ай бұрын
Thanks, happy to hear it helped!
@raulalegre2 3 жыл бұрын
Thank you very much, very well explained, very useful video.
@scottmusician 2 жыл бұрын
a terrific overview. thanks!
@MatteoCeccarini 2 жыл бұрын
Thank you so much!!! This is such a detailed, easy to follow explanation. I am new to linux and I was wondering how to setup KDE Wallet. Your video helped me to achieve that and to get a general understanding about how it works. Thank you so much!
@NickJanetakis 2 жыл бұрын
No problem, happy it helped.
@debasisnath9916 2 жыл бұрын
Thanks Nick.... great video!!! 👍👍👍
@atpx 3 жыл бұрын
very detailed , thx!
@ARPIT2729 3 жыл бұрын
Thanks a million 😊! A must watch for beginners like us to understand different gpg commands and their usage!!
@lanekolton3181 2 жыл бұрын
I guess im randomly asking but does someone know a way to log back into an instagram account?? I was dumb lost my account password. I would appreciate any assistance you can offer me.
@nicholastitan2881 2 жыл бұрын
@Lane Kolton instablaster =)
@lanekolton3181 2 жыл бұрын
@Nicholas Titan i really appreciate your reply. I got to the site on google and Im trying it out now. Looks like it's gonna take quite some time so I will get back to you later when my account password hopefully is recovered.
@lanekolton3181 2 жыл бұрын
@Nicholas Titan It worked and I now got access to my account again. Im so happy! Thanks so much you saved my account!
@nicholastitan2881 2 жыл бұрын
@Lane Kolton no problem =)
@persmultimediadesigntutori1293 3 жыл бұрын
excellent tutorial, thanx
@edwinrosales6322 3 жыл бұрын
Great video! Thanks!
@ArmandoCalderon 3 жыл бұрын
Great tutorial.
@dhruvpatel8570 3 жыл бұрын
Man your content is great, I hope more people will watch you videos
@NickJanetakis 3 жыл бұрын
Thanks a lot, I really appreciate it.
@Lucas-md8gg Жыл бұрын
Subscribed! I'm creating a backup script with GPG and SSH, this tutorial helped a lot!
@iGarrettt Жыл бұрын
This was a fantastic and helpful video. Thank you!
@NickJanetakis Жыл бұрын
No problem, thanks for watching!
@Abdul-dy7om 5 ай бұрын
Thanks for your video so inspiring
@et_phonehome_2822 Жыл бұрын
The best video I've ever seen on GPG
@NickJanetakis Жыл бұрын
Thanks a lot, I really appreciate it.
@user-df1gs1kf8w 2 жыл бұрын
I got that 2020 reference. Never forget.
@notigor325 Жыл бұрын
this is a really good guide...
@Marinate305 Жыл бұрын
Very informative.
@flyingisawol 2 ай бұрын
Amazing. TY
@vim_usr2753 3 жыл бұрын
Outstanding video! Any chance you could make a video talking about additional topics such as keyservers, subkeys, etc.?
@NickJanetakis 3 жыл бұрын
Thanks. Sure I can add a subkey video. Probably not one on creating a keyserver since I haven't set that up personally.
@ojasbhagavath5484 Жыл бұрын
Thanks a lot for this! Can you please make a video on pass?
@NickJanetakis Жыл бұрын
No problem. Yep I can make a video on that, I added it to my queue.
@NickJanetakis Жыл бұрын
I added a video about it this week: kzbin.info/www/bejne/rWSXqXSkg8mfn6c
@peterlineaqua80 3 жыл бұрын
Thanks man ... How do you decrypt though
@zoliky 10 ай бұрын
Hi, Nick. I've been watching a number of KZbin videos about creating and managing GPG keys, and I must say that your explanations are by far the clearest. A question: If I choose to update/change the password for my GPG key at some point, will that have any impact on the GPG keys themselves? In other words, will they have a new fingerprint or undergo any other changes?
@NickJanetakis 10 ай бұрын
Thanks. If you change your passphrase everything will continue to work. It won't have an impact on your encrypted content. If you were ultra paranoid about it potentially breaking things you can generate a new test key with a specific phrase, encrypt something, update your phrase and then encrypt something else. You should be able to decrypt both files with that key.
@zoliky 10 ай бұрын
@@NickJanetakis I meant the underlying public and private keys, not the encrypted content.
@NickJanetakis 10 ай бұрын
@@zoliky If you change your key's passphrase it won't prevent you from decrypting content where the same key was used to encrypt it with a different passphrase. Your passphrase is 1 extra layer of defense to stop an unwanted person from using your key.
@amitgtk 3 жыл бұрын
Thanks Nick, the video was very useful. Quick question on caching passphrase. I created gpg-agent.conf file and added the variable for caching. But after an hour or so it still asks me for passphrase. Do you think any thing else needs to be setup ? I'm unix Linux Ec2 container on AWS and trying to use Pass Password manager. Need to automate some process read passwords from Pass Utility. Please comment.
@NickJanetakis 3 жыл бұрын
You might need to restart the gpg agent. Try running gpgconf --kill gpg-agent which should kill the current agent and start a new one. But honestly I'm not even sure if you need to restart the daemon after making config changes. Worth a shot as a first try tho.
@amitgtk 3 жыл бұрын
@@NickJanetakis Thanks for your response. I ran few more commands like "gpg-agent --options ~/.gnupg/gpg-agent.conf" & "gpg-agent --default-cache-ttl 604800". And now able to see the cache set to 7 days. "gpgconf --list-options gpg-agent" command to see the variables. Thanks again Nick. You're awesome!
@NickJanetakis 3 жыл бұрын
@@amitgtk No problem. I think if you would have rebooted the config would have taken effect too, but I can see wanting to run that command the first time you set up the config. It slipped my mind during the video. Although in your case, I would expect the default cache would be set from the config without having to set the config option from the command line too?
@_maxt 2 жыл бұрын
Brilliant thanks Nick. Did I miss a bit explaining how to use the agent?
@NickJanetakis 2 жыл бұрын
No problem. I don't think so. I didn't cover messing around too much with the agent itself. It was mainly focused on using the CLI tool.
@_maxt 2 жыл бұрын
@@NickJanetakis Oh right. Does it just magically work then? (as opposed to ssh-agent where you have to explicitly run and add keys, afaik)
@NickJanetakis 2 жыл бұрын
@@_maxt You still need to add the public keys of folks you want to interact with. This video I have around signing git commits goes over adding keys: kzbin.info/www/bejne/amKZZ3iudtOro9E
@_maxt 2 жыл бұрын
@@NickJanetakis Nice one, first started that video actually, still half way :) Thanks a lot for your help.
@NickJanetakis 2 жыл бұрын
@MindTheRoms It's hard to say without more details. Are you using macos? stackoverflow.com/questions/39494631/gpg-failed-to-sign-the-data-fatal-failed-to-write-commit-object-git-2-10-0 , I would Google for the error. That's how I found that SO page.
@johnnystaccata Жыл бұрын
Excuse me for sayin', but I think you should post more code for the segments in the timeline/description. It is difficult sometimes to copy text from a gui screen.
@NickJanetakis Жыл бұрын
There is a link to a blog post in the description that has everything: nickjanetakis.com/blog/creating-and-managing-a-gpg-key-pair#cheatsheet
@hedgeearthridge6807 3 жыл бұрын
Im wondering. If you DID want to digitally store your passphrase, you could create a text file on a flash drive with the password. Then use GPG to encrypt it with AES-256 using an easier password to remember. Then store it to something like a CD, securely erase everything on the flash drive, and reboot your system. That stored in a lockbox or bank safety box would be extremely frustrating for someone to deal with, unlike a piece of paper. Not only would they have to get your keys from your computer, and steal the CD or flash drive, they would have to waste time trying to decrypt the password text file. It would definitely not be worth it, hehe. Or, just make a database with KeePassXC and put it on a flash drive or CD. That's really easier than the more low-tech process above, and wont result in the plaintext possibly still being on your hard drive.
@NickJanetakis 3 жыл бұрын
If you wanted to go the hardware route you may want to check out www.yubico.com/. But it's only as good as you are when it comes to protecting your system. If you always leave it connected then anyone who has access to your machine has access to using it, although you can enable a PIN confirmation to use it but that can get tedious. This is why I like physical paper stored in a secure way with no context on what it is. It's not meant to be actively used. It's there just in case you forget your password. Also I'd be careful with flash drives. I've had some become unreadable after sitting around for a few months uninterrupted.
@mustafasalih5328 3 жыл бұрын
🖤🖤
@DevinBidwell Жыл бұрын
Question. If you have backed up your GPG key and have it on multiple machines and one machine gets compromised, what's to stop the compromised machine from using the non-revoked GPG key because you have only revoked it locally on your machine.
@NickJanetakis Жыл бұрын
Nothing, but if you publish the revoked key on machine A and try to sign something from the compromised machine B with the non-revoked version of it and sign "something" (a git commit, a package, etc.), folks who have the latest copy of your key will see it's been revoked since machine A published the revoked state.
@elrisitas8508 3 жыл бұрын
in the event you revoke your gpg key, and you are using that key for your password manager will you get locked out of your password manager, since the key is now compromised?
@NickJanetakis 3 жыл бұрын
Yeah once it's been revoked that specific key won't be usable anymore by default. While I've never done it, as long as you haven't pushed your key to a keyserver you might be able to un-revoke it by following sites.google.com/view/chewkeanho/guides/gnupg/unrevoke-primary-key. GPG keys can be distributed through key servers, which is mainly why things like revoking and expirations exist. For example after revoking your key you could send it to 1 of many different public key servers and now others will be able to see it's been revoked. The same can be said for editing your key. I didn't include publishing keys in this video because it's one of those things where you're probably not going to use that feature until you know you need to, in which case you'll know what to look up.
@elrisitas8508 3 жыл бұрын
@@NickJanetakis thank you, very interesting
@user-wr7fe4mj8s Жыл бұрын
When the terminal asks for a password I get a GUI version of some passphrase application. How do I get a similar setup to yours? Is it through the pass command?
@NickJanetakis Жыл бұрын
You might have a specific gpg-agent installed, that's the thing that controls this dialog box. I have pinentry-curses installed, I think there might be variants of that which launch a GUI. You may need to uninstall those variants.
@alexanderreseneder4563 3 жыл бұрын
How do i export sub and ssd separately from the keyring? So, i know its not intended normally(because you cannot sign the public sub to proofe the pub is from yourself to another), but i wanna use split-gpg. Do i have to edit the keyflag of the key for split gpg or not?(i can use --list-key -verbose to view al packets etc. etc. . Can you please give me the command for this to print output to a File? I have heard that if you want to use the key as example on another vm with other gpg2 client you dont have to armor the key for human readable format - is that right? Im completely NOOB so sorry if i annoy but i need help...
@NickJanetakis 3 жыл бұрын
I'm not familiar with that workflow sorry.
@wChris_ 2 жыл бұрын
can you do the same tutorial, but for ssh keys instead?
@NickJanetakis 2 жыл бұрын
Sure no problem.
@jayshah5695 Жыл бұрын
how is this different from keychain / ssh agent? in the end it all feels like a private key manager system.
@NickJanetakis Жыл бұрын
ssh keys and gpg keys serve different purposes. gpg keys are often used to encrypt text and files (and also for signing things to prove your digital identity) where as ssh keys are commonly used to authenticate with a system, such as when you pull a private git repo or log into a server.
@maxakn 2 жыл бұрын
8:20 seems like a year in the future, we are still alive
@NickJanetakis 2 жыл бұрын
Confirmed alive!
@mush_mouf 3 жыл бұрын
why does nobody show how to send a gpg encrypted file to a reciever, how do they open it
@saubockmcgiver9743 Жыл бұрын
This is a very good video but I need help understanding something. You create a revoke key for the event that your laptop for example gets stolen. How are you supposed to import the revoke key if you dont have acces to your hardware? The thief still has acces to your unrevoked key. Or if just the key got stolen and I import the revoke-key this only makes my key unusable and not the one which got stolen. Am I missing something? Because I dont see a use case for the revoke key otherwise.
@NickJanetakis Жыл бұрын
Hi, you'd back up your revoke key somewhere off your laptop, the video briefly covers this around the idea of where you could back this up. Then you could send your revoked key to various keyservers.
@saubockmcgiver9743 Жыл бұрын
@@NickJanetakis Thank you for your reply! I'm pretty new to GPG and this was one of the first videos I've watched about it. I didn't know about these servers. Does that mean that as soon as the stolen device syncs to a key server the key would get revoked there as well?
@NickJanetakis Жыл бұрын
@@saubockmcgiver9743 Keys aren't sync'd by default, they operate offline until you push / sync them to a remote keyserver that other folks use. But in a perfect world you'd have both your regular key and revoke key backed up so you can push the revoked or updated status. So even though your device got compromised, you still control the key. But yes, the idea there is if someone on the stolen device used the key after you revoked it, it would come up as revoked to anyone who tried to download your key and validate it came from you (it would fail since it would be revoked).
@saubockmcgiver9743 Жыл бұрын
@@NickJanetakis That is very helpful, thanks for explaining.
@1ens 10 ай бұрын
18:49 "which is pretty long" that's what she said 💀
@aiden7279 2 жыл бұрын
I'm a little bit lost. How does the revoke system work? What if someone steals my keypair and knows my password? How does revoking work? Is GPG connected to the internet or?.. I mean what stops the adversary from just not connecting to the internet so GPG can't revoke it?
@NickJanetakis 2 жыл бұрын
The gpg tool isn't connected to the internet in a sense that it's always sync'd somewhere automatically but you can use it to upload and download keys from various key-servers. If you knew your keypair were compromised you could revoke it and publish that event to a key-server. This can happen independently of an attacker because you should hopefully still have a copy of your keypair (that's one reason why it's very important to back them up). Let's say you and I were both working on a project together, since you revoked your key and published that to a key-server I could know on my end that you revoked it and that would alarm me at a human level to know not to trust anything signed by you because it was revoked.
@aiden7279 2 жыл бұрын
@@NickJanetakis That makes sense, but only >if< I published my key to a keyserver. I was more wondering how revorking works if I didn't upload them. I assume revoking only works with keyservers? This really makes getting your "offline" keys stolen really, really, dangerous.
@NickJanetakis 2 жыл бұрын
@@aiden7279 If you don't publish or directly send your key to someone then they won't be able to do anything related to what you're signing. You can revoke your key and not publish it and see that your key is revoked, but this knowledge won't leave your machine.
@alexanderreseneder4563 3 жыл бұрын
Also i have no configuration file for my gpg client. Why is that so? Greetings Alex
@NickJanetakis 3 жыл бұрын
You have to create it initially. That's mentioned very briefly at 20:22.
@maa3nmassri739 2 жыл бұрын
How can i delete the key and make a new one?
@NickJanetakis 2 жыл бұрын
You can revoke your key using the steps in this video and then run gpg --delete-secret-key [KEY_ID] to delete your key, then you can make a new one by following this video.
@nathantoulbert4406 2 жыл бұрын
What? Is there a reason I would want the GPG directory in ~/ ? I was iffy when you said that it would be created there, but changing the mode is a deal breaker. I have a 2-year-old system that has thousands of files and dozens of home-baked utility apps that depend on my home environment in order not to break, so its not an option. My filesystem is currently like a game of Jenga, and the game is almost over... Besides, I don't keep most of my files in ~/ anymore. I realized a while ago that ~/.local/ on Ubuntu is more or less a pre-made build environment for developers, so my first command of the day is often to cd there.
@NickJanetakis 2 жыл бұрын
Using that directory was a decision made by the creators of the GPG tool. You can customize the directory path if you want within the gpg config file. Setting a more strict mode is for your benefit to reduce access to the files sitting in that directory.
@ethanweatherhead4087 2 жыл бұрын
Hello guys, i've been working on this yubikey (smartcard) for almost 2 weeks and i'm struggling to figure this out, i'm quite inexperience and still very new to all this so bare with me I'm trying to ssh from command prompt with my yubikey to my remote server with gpg keys that i have generated in the yubikey, what i ultimately want is for the remote server to read the private keys in my yubikey that way i can ssh passwordlessly i have searched for all possible documentations online, and youtube videos but i cant seem to get it right Can someone help me please to anyone who has knowledge in ssh authentication/publickey/privatekey/ssh-agent/gpg-agent forwarding? much appreciated....
@ethanweatherhead4087 2 жыл бұрын
if you can make a video on regarding this topic, that was be amazing thanks
@YaNykyta Жыл бұрын
2' 56'' "(See the man page for a..." Are you serious??? "the man page"???
@NickJanetakis Жыл бұрын
Yes, the man page aka the manual www.gnupg.org/gph/de/manual/r1023.html, or running `man gpg` from the terminal.
@YaNykyta Жыл бұрын
@@NickJanetakis Sorry than for my comment... so uncommon word *term) for me... noot the best short I mean. "Manual ' should not be "man page" imho.
@NickJanetakis Жыл бұрын
@@YaNykyta It's ok. That term in the context of computers has been around since 1971 en.wikipedia.org/wiki/Man_page.
@paullambert1981 3 жыл бұрын
I wish he would just get to the meat and potatoes. I really don't care about why or what. Just tell us what to do. Because of that, I am going to watch some other video. I don't even know what program he is using. He really needs to focus instead of explaining things that go off subject. I have no idea what program he is using, and for that reason, I am out.
@NickJanetakis 3 жыл бұрын
No problem! There's time stamps in the timeline to jump around if you don't care about the why btw. The program being used is explained within 2 minutes and shown on video as well as described in the timestamps as "1:58 installing the gpg command line tool".
@ja.ortiz0 Жыл бұрын
I have placed the gpg-agent.conf file in my user/.gnupg/ folder but I'm still being prompted to enter my passphrase every time.
@NickJanetakis Жыл бұрын
Did you fully logout / login? What did you put in the file?
@ja.ortiz0 Жыл бұрын
@@NickJanetakis Tank you for your response! my /.gnupg/ directory includes two files at the moment, a pubring.kbx file and the gpg-agent.conf. The gpg-agent.conf file is a verbatim copy of what you show in 20:29, the file contains two lines first one has `default-cache-ttl 604800` and the second has `max-cache-ttl 604800`. I don't fully understand what you mean by logout / login. I am on windows do you mean logout / login of my OS user account? If so yes, as I have restarted my PC multiple times. If instead you mean logout / login from GPG then I'm afraid the answer is no, and I must confess I'm not entirely sure on how to do it. Thanks again! For your response but also for your video on the topic!
@NickJanetakis Жыл бұрын
@@ja.ortiz0 Rebooting would have the same effect as logging in and out of your OS account. I'm surprised it doesn't work. Can you try adding this to to the bottom of your ~/.bashrc file: export GPG_TTY="$(tty)" Then save the file and open a new terminal, do something that would ask you for your password -- it shouldn't ask you again for your password until the cache expires.
Poly Holy Yow Spanish
Рет қаралды 25 МЛН
Bon Bon Media
Рет қаралды 23 МЛН
Luke Smith
Рет қаралды 66 М.