Managing GPG keys is one of those things that’s far too easy to forget to keep on top of. Having Keybase as part of your toolset can save you from yourself.
Managing GPG keys with Keybase
The recent acquisition of Keybase by Zoom might send some people running. If you’re one of those people, save yourself a few minutes and skip this one.
Download and install Keybase, then spend a few minutes getting mildly comfortable with it.
The desktop apps are quite nice to have, but the steps in this document require that you have installed the command-line client.
You’ll also need a gpg command-line client (GnuPG) installed, otherwise you won’t get far at all with the whole process.
Importing Existing Key(s)
This is what you will want to do when you’re on a new machine to import your existing key(s) from Keybase. If you’re starting from scratch, skip this and jump to the key creation instructions.
This is essentially an export from Keybase piped into a gpg import. You only need -q keyId if you have more than one key in Keybase; keyId is the long key ID (the last 16 hex characters of the fingerprint, as shown in the output below). Import the public key first, then the secret key:

```
keybase pgp export -q keyId | gpg --import
keybase pgp export -q keyId --secret | gpg --import --allow-secret-key-import
```

```
❯ keybase pgp export -q 24C5369983FB95FB | gpg --import
gpg: key 24C5369983FB95FB: "Blog Demo <email@example.com>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
❯ keybase pgp export -q 24C5369983FB95FB --secret | gpg --import --allow-secret-key-import
gpg: key 24C5369983FB95FB: "Blog Demo <email@example.com>" not changed
gpg: key 24C5369983FB95FB: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1
```
Starting From Scratch
Create New GPG Key
If this is your first time with GPG you’ll need a key to work with.
Just follow the prompts and you’ll be fine. With recent GnuPG, gpg --gen-key picks the defaults for you (here a 2048-bit RSA key that expires in two years); if you want to choose the algorithm, key size or expiry yourself, use gpg --full-generate-key instead. Slightly edited output for brevity:

```
❯ gpg --gen-key
GnuPG needs to construct a user ID to identify your key.

Real name: Blog Demo
Email address: email@example.com
You selected this USER-ID:
    "Blog Demo <email@example.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
gpg: key 24C5369983FB95FB marked as ultimately trusted
gpg: directory '/path/to/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/path/to/.gnupg/openpgp-revocs.d/E06DDC6B8B12BE971C82CD9924C5369983FB95FB.rev'
public and secret key created and signed.

pub   rsa2048 2020-07-03 [SC] [expires: 2022-07-03]
      E06DDC6B8B12BE971C82CD9924C5369983FB95FB
uid                      Blog Demo <email@example.com>
sub   rsa2048 2020-07-03 [E] [expires: 2022-07-03]
```

Note the revocation certificate gpg wrote to openpgp-revocs.d: keep a copy somewhere safe and offline. It is what lets you revoke the key if you lose the secret key, and anyone who gets hold of it can revoke your key too.
Verify Key Exists Locally
You should take a moment to verify that you really have created a new gpg key.
First check public keys:

```
❯ gpg --list-keys
pub   rsa2048 2020-07-03 [SC] [expires: 2022-07-03]
      E06DDC6B8B12BE971C82CD9924C5369983FB95FB
uid           [ultimate] Blog Demo <email@example.com>
sub   rsa2048 2020-07-03 [E] [expires: 2022-07-03]
```

Next make sure you have your private key:

```
❯ gpg --list-secret-keys --keyid-format LONG
/path/to/.gnupg/pubring.kbx
--------------------------------
sec   rsa2048/24C5369983FB95FB 2020-07-03 [SC] [expires: 2022-07-03]
      E06DDC6B8B12BE971C82CD9924C5369983FB95FB
uid                 [ultimate] Blog Demo <email@example.com>
ssb   rsa2048/FB17BDCFFE854BB4 2020-07-03 [E] [expires: 2022-07-03]
```
Push To Keybase
If you work on more than one laptop or virtual server, or plan to ever replace any of your hardware, it’s really convenient to have your keys stored in Keybase. Importing a key publishes the public key on your Keybase profile and keeps an encrypted copy of the secret key on Keybase’s servers, which is what lets keybase pgp export --secret retrieve it on another machine later (depending on your client version you may need to add --push-secret for the secret half; check keybase pgp import --help).
Use the fingerprint of your new key. That’s the really long string if you’re not sure.

```
gpg --armor --export-secret-keys E06DDC6B8B12BE971C82CD9924C5369983FB95FB | keybase pgp import
```

You’ll see something like this:

```
▶ INFO Generated new PGP key:
▶ INFO   user: Blog Demo <email@example.com>
▶ INFO   2048-bit RSA key, ID 24C5369983FB95FB, created 2020-07-03
```

Confirm Keybase knows about this key now with keybase pgp list. Note that Keybase prints the fingerprint in lowercase; it should match the one gpg showed above:

```
❯ keybase pgp list
Keybase Key ID:  010151db5deebfcb219fa761c1ae5876b51520fe3c748fffb834139201362d5224ff0a
PGP Fingerprint: e06ddc6b8b12be971c82cd9924c5369983fb95fb
PGP Identities:
   Blog Demo <email@example.com>
```
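The whole round trip, covering both the import steps for a new machine and the push step above, as an added shell example that is not part of the original post. It assumes gpg and the keybase command-line client are installed and that you are logged in to Keybase; the helper names, the throwaway-keyring check and the remark about --push-secret are the example’s own, and the demo fingerprint and key ID are the ones from the post, used as placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): round-trip a GPG key through
# Keybase. Assumes `gpg` and `keybase` are on PATH and you are logged in.
set -eu

# Normalise a fingerprint as gpg or keybase print it (spaces, either case)
# to 40 uppercase hex characters; fail loudly on anything else.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*) echo "not a hex fingerprint: $1" >&2; return 1 ;;
    esac
    if [ "${#fpr}" -ne 40 ]; then
        echo "expected a 40-hex-char v4 fingerprint, got ${#fpr} chars" >&2
        return 1
    fi
    printf '%s\n' "$fpr"
}

# The long key ID that `keybase pgp export -q` and `gpg --keyid-format LONG`
# show is the last 16 hex characters of the v4 fingerprint.
keyid_from_fpr() {
    fpr=$(normalize_fpr "$1") || return 1
    printf '%s\n' "$fpr" | cut -c 25-40
}

# Look up the fingerprint of a key gpg holds, by any identifier gpg accepts
# (key ID, fingerprint, e-mail); --with-colons is the stable machine format.
local_fpr() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# True if gpg has the secret key, not just the public one.
have_secret_key() {
    gpg --with-colons --list-secret-keys "$1" 2>/dev/null | grep -q '^sec:'
}

# Push: export the secret key from gpg into Keybase. This publishes the
# public key on your profile; on clients that need it, add --push-secret so
# an encrypted copy of the secret key is stored server-side (assumption:
# check `keybase pgp import --help` for your version).
push_to_keybase() {
    fpr=$(normalize_fpr "$1") || return 1
    gpg --armor --export-secret-keys "$fpr" | keybase pgp import
}

# Pull: on a new machine, import the public key, then the secret key,
# from Keybase into gpg, exactly as the post does.
pull_from_keybase() {
    keyid=$(keyid_from_fpr "$1") || return 1
    keybase pgp export -q "$keyid" | gpg --import
    keybase pgp export -q "$keyid" --secret | gpg --import --allow-secret-key-import
}

# Check: Keybase prints the fingerprint in lowercase; compare it to gpg's.
keybase_has_fpr() {
    want=$(normalize_fpr "$1") || return 1
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    keybase pgp list | grep -q "PGP Fingerprint: *$want"
}

# Usage: sh keybase-roundtrip.sh E06DDC6B8B12BE971C82CD9924C5369983FB95FB
if [ -n "${1:-}" ]; then
    fpr=$(local_fpr "$1")
    [ -n "$fpr" ] || { echo "gpg does not know key $1" >&2; exit 1; }
    have_secret_key "$fpr" || { echo "no secret key for $fpr in gpg" >&2; exit 1; }
    push_to_keybase "$fpr"
    keybase_has_fpr "$fpr" && echo "Keybase now lists $fpr"
    # Prove the other direction works: pull into a throwaway keyring and
    # confirm the same fingerprint (and a secret key) comes back.
    tmp=$(mktemp -d)
    ( export GNUPGHOME="$tmp"; pull_from_keybase "$fpr"
      [ "$(local_fpr "$fpr")" = "$fpr" ] && have_secret_key "$fpr" ) \
        && echo "round-trip OK"
    rm -rf "$tmp"
fi
```

The fingerprint helpers are pure shell, so they can be checked without gpg or keybase present; everything that talks to the tools is behind the usage guard and only runs when you pass a key identifier.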
Failed to restart keybase.service: Unit keybase.service not found.
I saw this when I was working on a headless server.
seems to resolve this.