2.3 KiB
2.3 KiB
gpg setup
#
#
Introduction
Setting up GPG to avoid needing plaintext passwords in certain configuration files.
Originally introduced this when configuring mbsync for email setup.
Links
https://rzetterberg.github.io/yubikey-gpg-nixos.html GPG+nixos setup with a Yubikey
Install GPG via Nix
$ nix-env -i gnupg
Generate Keypair
Here (afaict) email address is the key-name for a signing authority
$ gpg --gen-key Real username: Alice Exampleton Email address: replacewithsomething@somewhere.com
This will populate files under ~/.gnupg
View public keys:
$ gpg -k
/home/roland/.gnupg/pubring.kbx
-------------------------------
pub rsa3072 2024-01-11 [SC] [expires: 2026-01-10]
158495DF3E604E65D12B85D4F1C0105549B5F0D1
uid [ultimate] Alice Exampleton <replacewithsomething@somewhere.com>
sub rsa3072 2024-01-11 [E] [expires: 2026-01-10]
Encrypt Secret
Using this to encrypt an email server password:
$ gpg --recipient replacewithsomething@somewhere.com -a -o .hushmail.gpg --encrypt replacewithpassword
Resulting in encrypted file like:
$ cat .hushmail.gpg -----BEGIN PGP MESSAGE----- hQGMA47kE/R9+tnNAQwA0EHQ11186CQ6tPPhQTidm4i1XBa2hdYi1xsh13jcJsod ... OlLUNkVxGMF3y2hM8sHNOtFKOW9I3qoViqCEufGJD8m/x9Ev9whgx59c20xSkGg= =9dw5 -----END PGP MESSAGE-----
Decrypt Secret
Recover secret like this:
$ gpg -q --for-your-eyes-only --no-tty -d .hushmail.gpg replacewithpassword