org-howto/env/gpg-setup.org
2024-03-06 18:25:13 -05:00

2.3 KiB

gpg setup

#

#

Introduction

Setting up GPG to avoid needing plaintext passwords in certain configuration files. Originally introduced this when configuring mbsync for email setup.

Links

Install GPG via Nix

  $ nix-env -i gnupg

Generate Keypair

Here (afaict) email address is the key-name for a signing authority

  $ gpg --gen-key
  Real username: Alice Exampleton
  Email address: replacewithsomething@somewhere.com

This will populate files under ~/.gnupg

View public keys:

  $ gpg -k
  /home/roland/.gnupg/pubring.kbx
  -------------------------------
  pub   rsa3072 2024-01-11 [SC] [expires: 2026-01-10]
        158495DF3E604E65D12B85D4F1C0105549B5F0D1
  uid           [ultimate] Alice Exampleton <replacewithsomething@somewhere.com>
  sub   rsa3072 2024-01-11 [E] [expires: 2026-01-10]

Encrypt Secret

Using this to encrypt an email server password:

  $ gpg --recipient replacewithsomething@somewhere.com -a -o .hushmail.gpg --encrypt
  replacewithpassword

Resulting in encrypted file like:

  $ cat .hushmail.gpg
  -----BEGIN PGP MESSAGE-----

  hQGMA47kE/R9+tnNAQwA0EHQ11186CQ6tPPhQTidm4i1XBa2hdYi1xsh13jcJsod
  ...
  OlLUNkVxGMF3y2hM8sHNOtFKOW9I3qoViqCEufGJD8m/x9Ev9whgx59c20xSkGg=
  =9dw5
  -----END PGP MESSAGE-----

Decrypt Secret

Recover secret like this:

  $ gpg -q --for-your-eyes-only --no-tty -d .hushmail.gpg
  replacewithpassword