razzi.abuissa.net

Razzi's guide to gpg

I only use gpg in the context of pass.

However, to make the gpg key stay unlocked for longer (so pass prompts less often), I configure gpg-agent as follows:

~/.gnupg/gpg-agent.conf:

default-cache-ttl 28800
max-cache-ttl 28800

Then reload the config as follows:

$ gpgconf --kill gpg-agent

This keeps your gpg key unlocked for 8 hours (8 hours * 60 minutes / hour * 60 seconds / minute = 28800 seconds).
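As an added example (not from the original guide), a small POSIX shell script that applies the two settings above idempotently, reports the lifetime that actually results, and reloads the agent with the same gpgconf step. It assumes the conf lives under $GNUPGHOME or ~/.gnupg, and uses gpg-agent's documented defaults of 600 and 7200 seconds for absent settings; note that max-cache-ttl caps default-cache-ttl, so raising only the first one would not give 8 hours.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the two cache settings
# idempotently, report the lifetime that results, and reload the agent.
# Assumes gpg-agent's documented defaults (600 s / 7200 s) for absent settings.
set -eu

# 8 -> 28800, the value used in the guide
hours_to_seconds() {
    echo $(( $1 * 3600 ))
}

# set_agent_ttl CONF HOURS: rewrite default-cache-ttl and max-cache-ttl in CONF,
# leaving every other line (pinentry-program, etc.) untouched.
set_agent_ttl() {
    conf=$1
    secs=$(hours_to_seconds "$2")
    tmp="$conf.tmp"
    if [ -f "$conf" ]; then
        # drop the old ttl lines; grep exits 1 when nothing is left, hence || true
        grep -v -E '^(default|max)-cache-ttl[[:space:]]' "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$secs" "$secs" >> "$tmp"
    mv "$tmp" "$conf"
}

# effective_ttl CONF: the agent never keeps a key past max-cache-ttl, even if
# default-cache-ttl is larger, so the real lifetime is the smaller of the two.
effective_ttl() {
    d=$(awk '$1 == "default-cache-ttl" { v = $2 } END { print (v == "" ? 600 : v) }' "$1")
    m=$(awk '$1 == "max-cache-ttl" { v = $2 } END { print (v == "" ? 7200 : v) }' "$1")
    if [ "$d" -lt "$m" ]; then echo "$d"; else echo "$m"; fi
}

# Run as a script: ./agent_ttl.sh HOURS, then the same reload step as the guide.
if [ $# -ge 1 ]; then
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    set_agent_ttl "$conf" "$1"
    echo "effective cache lifetime: $(effective_ttl "$conf") seconds"
    gpgconf --kill gpg-agent
fi
```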

exporting and importing secret key

The other reason I interact with gpg directly is to export and import my secret key.

Here’s what I use to export:

$ gpg --export-secret-keys --armor > gpg.txt

And to import (after copying to the new device):

$ gpg --import gpg.txt
# (it will prompt for you to unlock the key here)
...
gpg:   secret keys imported: 1

You’ll also have to trust it:

$ gpg --edit-key razzi@abuissa.net
...
gpg> trust
...
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

After you’ve imported the gpg key, it’s a good idea to remove gpg.txt.

I also have an expect script for automating the trusting of the key, trust_gpg.exp:

# Usage: expect trust_gpg.exp KEYNAME
set key_name [lindex $argv 0];

if { $key_name eq "" } {
        puts "Usage: expect trust_gpg.exp KEYNAME"
        exit 1
}

# Fail instead of blindly sending keystrokes if a prompt never appears
# (for example when the key is not in the keyring and gpg exits early).
set timeout 10
expect_after {
        timeout { puts "timed out waiting for a gpg prompt"; exit 1 }
        eof { puts "gpg exited before the expected prompt appeared"; exit 1 }
}

spawn gpg --edit-key $key_name

# The same interactive dialogue as above: trust -> 5 (ultimate) -> y -> quit
expect "gpg> "
send "trust\n"

expect "Your decision? "
send "5\n"

expect "Do you really want to set this key to ultimate trust? (y/N) "
send "y\n"

expect "gpg> "
send "quit\n"

expect eof

It can be invoked with:

$ expect trust_gpg.exp razzi@abuissa.net