Managing GPG keys is one of those things that’s far too easy to forget to keep on top of. Having Keybase as part of your toolset can save you from yourself.


Managing GPG keys with Keybase

The recent acquisition of Keybase by Zoom might send some people running. If you’re one of those people, save yourself a few minutes and skip this one.

Prerequisites

Keybase

Download and install Keybase. Explore it and get yourself mildly comfortable with it.

The desktop apps are quite nice to have, but the steps in this document require that you have installed the command-line client.

GPG

You’ll need to install a gpg command-line client; otherwise you won’t get far at all with the whole process.

Importing Existing Key(s)

This is what you will want to do when you’re on a new machine to import your existing key(s) from Keybase. If you’re starting from scratch, skip this and jump to the key creation instructions.

This is essentially an export from Keybase piped into a gpg import:

You only need -q keyId if you have multiple keys.

keybase pgp export -q keyId |gpg --import

and

keybase pgp export -q keyId --secret |gpg --import --allow-secret-key-import

For example:

❯ keybase pgp export -q 24C5369983FB95FB |gpg --import
gpg: key 24C5369983FB95FB: "Blog Demo <blog.demo@chizography.net>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1

❯ keybase pgp export -q 24C5369983FB95FB --secret |gpg --import --allow-secret-key-import
gpg: key 24C5369983FB95FB: "Blog Demo <blog.demo@chizography.net>" not changed
gpg: key 24C5369983FB95FB: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

Starting From Scratch

Create New GPG Key

If this is your first time with GPG you’ll need a key to work with.

gpg --gen-key

Just follow the prompts and you’ll be fine. Slightly edited output for brevity:

❯ gpg --gen-key

GnuPG needs to construct a user ID to identify your key.

Real name: Blog Demo
Email address: blog.demo@chizography.net
You selected this USER-ID:
    "Blog Demo <blog.demo@chizography.net>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o

gpg: key 24C5369983FB95FB marked as ultimately trusted
gpg: directory '/path/to/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/path/to/.gnupg/openpgp-revocs.d/E06DDC6B8B12BE971C82CD9924C5369983FB95FB.rev'
public and secret key created and signed.

pub   rsa2048 2020-07-03 [SC] [expires: 2022-07-03]
      E06DDC6B8B12BE971C82CD9924C5369983FB95FB
uid                      Blog Demo <blog.demo@chizography.net>
sub   rsa2048 2020-07-03 [E] [expires: 2022-07-03]

Verify Key Exists Locally

You should take a moment to verify that you really have created a new gpg key.

First check public keys:

❯ gpg --list-keys
pub   rsa2048 2020-07-03 [SC] [expires: 2022-07-03]
      E06DDC6B8B12BE971C82CD9924C5369983FB95FB
uid           [ultimate] Blog Demo <blog.demo@chizography.net>
sub   rsa2048 2020-07-03 [E] [expires: 2022-07-03]

Next make sure you have your private key:

❯ gpg --list-secret-keys --keyid-format LONG

/path/to/.gnupg/pubring.kbx
--------------------------------
sec   rsa2048/24C5369983FB95FB 2020-07-03 [SC] [expires: 2022-07-03]
      E06DDC6B8B12BE971C82CD9924C5369983FB95FB
uid                 [ultimate] Blog Demo <blog.demo@chizography.net>
ssb   rsa2048/FB17BDCFFE854BB4 2020-07-03 [E] [expires: 2022-07-03]

Push To Keybase

If you work on more than one laptop, or virtual server, or plan to ever replace any of your hardware, it’s really convenient to have your keys (safely) stored in Keybase’s secure filesystem:

You should use the fingerprint for your new key. That’s the really long string shown under pub in the listing above, if you’re not sure.

gpg --armor --export-secret-keys E06DDC6B8B12BE971C82CD9924C5369983FB95FB |keybase pgp import

You’ll see something like this:

▶ INFO Generated new PGP key:
▶ INFO   user: Blog Demo <blog.demo@chizography.net>
▶ INFO   2048-bit RSA key, ID 24C5369983FB95FB, created 2020-07-03

Confirm Keybase knows about this key now with keybase pgp list:

❯ keybase pgp list
Keybase Key ID:  010151db5deebfcb219fa761c1ae5876b51520fe3c748fffb834139201362d5224ff0a
PGP Fingerprint: e06ddc6b8b12be971c82cd9924c5369983fb95fb
PGP Identities:
   Blog Demo <blog.demo@chizography.net>
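The export/import round trip above hinges on two different identifiers for the same key: `keybase pgp export -q` takes the 16-character long key ID, while `gpg --export-secret-keys` is given the 40-character fingerprint. The following shell helpers are an added example, not part of the original post or of the Keybase or GnuPG projects: they derive the long key ID from a fingerprint, parse the `gpg --list-secret-keys --keyid-format LONG` output format shown earlier, and check that the two agree before you paste either into a command. The sample listing embedded in the script is constructed from the output in this post; the function names are my own.

```shell
#!/bin/sh
# Helpers (added example) for telling a GPG fingerprint apart from a long key ID,
# and for pulling both out of `gpg --list-secret-keys --keyid-format LONG` output.

# Normalize a fingerprint: drop spaces, upper-case it. Prints the result, or
# prints nothing and returns 1 if it is not 40 hex characters (a v4 OpenPGP
# fingerprint), e.g. when someone passed a 16-character key ID by mistake.
normalize_fingerprint() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# The long key ID that gpg prints with --keyid-format LONG, and that
# `keybase pgp export -q` accepts, is the last 16 hex digits of the fingerprint.
long_keyid_from_fingerprint() {
    fpr=$(normalize_fingerprint "$1") || return 1
    printf '%s\n' "$fpr" | cut -c25-40
}

# Parse `gpg --list-secret-keys --keyid-format LONG` output on stdin and print
# one "KEYID FINGERPRINT" line per primary secret key: a "sec" line carries
# algo/KEYID in its second field and is followed by an indented fingerprint line.
parse_secret_keys() {
    awk '
        $1 == "sec" { split($2, parts, "/"); keyid = parts[2]; want = 1; next }
        want && NF == 1 && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ {
            print keyid, toupper($1); want = 0
        }
    '
}

# Sanity check: every key ID in a listing must be the tail of its fingerprint.
# Returns 1 on the first mismatch or malformed fingerprint.
check_listing() {
    printf '%s\n' "$1" | parse_secret_keys | while read -r keyid fpr; do
        derived=$(long_keyid_from_fingerprint "$fpr") || exit 1
        [ "$derived" = "$keyid" ] || exit 1
    done
}

# Constructed sample input, taken from the listing shown earlier in this post.
SAMPLE_LISTING='/path/to/.gnupg/pubring.kbx
--------------------------------
sec   rsa2048/24C5369983FB95FB 2020-07-03 [SC] [expires: 2022-07-03]
      E06DDC6B8B12BE971C82CD9924C5369983FB95FB
uid                 [ultimate] Blog Demo <blog.demo@chizography.net>
ssb   rsa2048/FB17BDCFFE854BB4 2020-07-03 [E] [expires: 2022-07-03]'

DEMO_FPR='E06DDC6B8B12BE971C82CD9924C5369983FB95FB'

echo "long key id for keybase pgp export -q: $(long_keyid_from_fingerprint "$DEMO_FPR")"
printf '%s\n' "$SAMPLE_LISTING" | parse_secret_keys
check_listing "$SAMPLE_LISTING" && echo "listing is self-consistent"
```

On a real machine, replace the embedded sample with `gpg --list-secret-keys --keyid-format LONG | parse_secret_keys` to get the exact key ID and fingerprint pair to feed into the keybase and gpg commands above; if `long_keyid_from_fingerprint` prints nothing, you have grabbed the short identifier rather than the fingerprint.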

Troubleshooting

Failed to restart keybase.service: Unit keybase.service not found.

I saw this when I was working on a headless server.

export KEYBASE_SYSTEMD=0

seems to resolve this.
