Generate pgp key linux

◂ Free & easy to use client-side PGP key generator ▸

Use the form below to generate a PGP key pair.

Here are the answers to some frequently asked questions we receive.

Is it safe for me to generate my PGP keys through your website?

Yes, it is as safe as generating your keys using a local application. The key generation on our website is done client-side only. This means the key pairs are generated entirely in your web browser and they never leave your computer. Our website never sees any key related data or the key itself.

Can you tell me more about the keys you generate?

Sure. For starters, we enforce using a passphrase with each key generated. This ensures some level of protection if your key is ever stolen. We also automatically generate two subkeys for you, one for signing and the other for encryption. You can use your subkeys to sign and encrypt data and keep your private key safe. The bit length of generated subkeys will be identical to the length you specified for the primary key. The primary key we generate for you never expires. You can, however, set the expiration date on the generated subkeys using the ‘Expire’ option in the key generation form.

What is Elliptic Curve Cryptography?

Elliptic Curve Cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits in comparison with non-ECC cryptography (with plain Galois fields as a basis) is the same level of security provided by keys of smaller size. For example, a 256-bit ECC public key should provide comparable security to a 3072-bit RSA public key. ECC is still not widely supported in many PGP client applications so we advise that you generate ECC keys only if you know what you’re doing. You can read more about it at RFC 6637.

I’m concerned about my privacy. Do you keep or gather logs of any sort?

Our website is hosted entirely on Amazon’s S3 and CloudFront platforms. All of our code is client-side. We have NO backend servers. Since we don’t have a backend server we don’t keep any logs. The only logging that occurs when you visit our website is performed by Google Analytics, which helps us keep track of the number of people visiting the site monthly.

Why does my web browser or computer slow down when I’m generating keys?

PGP key generation is a resource intensive process. As a result, your may experience increased CPU and memory usage on your device, which can result in performance issues. The performance impact depends on the hardware capabilities of your device.

A bit of information about us.

We wanted to make an easy to use, accessible, tool for people to generate PGP keys with. Today, the common methods for generating keys still involve going to a command prompt of a Linux/Unix machine and using the GPG utility , or installing a PGP compatible application on your desktop. We wanted to provide an easier way to generate keys. None of this would be possible without the awesome Open Source software we’re utilizing. We’re using KeyBase’s awesome JavaScript implementation of PGP (kbpgp). For file saving capabilities we are utilizing Eli Grey’s wonderful FileSaver.js interface.

Please note that this project is still a work in progress and that we’ll making improvements and introducing more functionality in the near future. As a work in progress there are a number of issues we are aware of that we will resolve:

Currently we can only support ECC keys with length of 384 bits. We will support more sizes soon.

Setting expiration date of subkeys to ‘Never’ results in an expiration date of 8 years.

To generate multiple key pairs you’ll have to refresh the page after each run; there is no way to reset the form.

Источник

GnuPG

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).

Contents

Installation

This will also install pinentry , a collection of simple PIN or passphrase entry dialogs which GnuPG uses for passphrase entry. The shell script /usr/bin/pinentry determines which pinentry dialog is used, in the order described at #pinentry.

If you want to use a graphical frontend or program that integrates with GnuPG, see List of applications/Security#Encryption, signing, steganography.

Configuration

Directory location

$GNUPGHOME is used by GnuPG to point to the directory where its configuration files are stored. By default $GNUPGHOME is not set and your $HOME is used instead; thus, you will find a

/.gnupg directory right after installation.

To change the default location, either run gpg this way $ gpg —homedir path/to/file or set the GNUPGHOME environment variable.

Configuration files

This article or section is out of date.

/.gnupg/dirmngr.conf is no longer created; perhaps because no skeleton file can be found in usr/share/doc/gnupg/ (Discuss in Talk:GnuPG)

The default configuration files are

By default, the gnupg directory has its permissions set to 700 and the files it contains have their permissions set to 600 . Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.

Append to these files any long options you want. Do not write the two dashes, but simply the name of the option and required arguments. You will find skeleton files in /usr/share/doc/gnupg/ . These files are copied to

/.gnupg the first time gpg is run if they do not exist there. Other examples are found in #See also.

Additionally, pacman uses a different set of configuration files for package signature verification. See Pacman/Package signing for details.

Default options for new users

If you want to setup some default options for new users, put configuration files in /etc/skel/.gnupg/ . When the new user is added in system, files from here will be copied to its GnuPG home directory. There is also a simple script called addgnupghome which you can use to create new GnuPG home directories for existing users:

This will add the respective /home/user1/.gnupg/ and /home/user2/.gnupg/ and copy the files from the skeleton directory to it. Users with existing GnuPG home directory are simply skipped.

Usage

Create a key pair

Generate a key pair by typing in a terminal:

Also add the —expert option to the command line to access more ciphers and in particular the newer ECC cipher (Wikipedia:Elliptic-curve cryptography).

The command will prompt for answers to several questions. For general use most people will want:

• The default RSA and RSA for sign and encrypt keys.
• A keysize of the default 3072 value. A larger keysize of 4096 «gives us almost nothing, while costing us quite a lot» (see why doesn’t GnuPG default to using RSA-4096).
• An expiration date: a period of one year is good enough for the average user. This way even if access is lost to the keyring, it will allow others to know that it is no longer valid. At a later stage, if necessary, the expiration date can be extended without having to re-issue a new key.
• Your name and email address. You can add multiple identities to the same key later (e.g., if you have multiple email addresses you want to associate with this key).
• no optional comment. Since the semantics of the comment field are not well-defined, it has limited value for identification.
• A secure passphrase, find some guidelines in Security#Choosing secure passwords.

List keys

To list keys in your public key ring:

To list keys in your secret key ring:

Export your public key

GnuPG’s main usage is to ensure confidentiality of exchanged messages via public-key cryptography. With it each user distributes the public key of their keyring, which can be used by others to encrypt messages to the user. The private key must always be kept private, otherwise confidentiality is broken. See Wikipedia:Public-key cryptography for examples about the message exchange.

So, in order for others to send encrypted messages to you, they need your public key.

To generate an ASCII version of a user’s public key to file public.key (e.g. to distribute it by e-mail):

Alternatively, or in addition, you can #Use a keyserver to share your key.

Import a public key

In order to encrypt messages to others, as well as verify their signatures, you need their public key. To import a public key with file name public.key to your public key ring:

Alternatively, #Use a keyserver to find a public key.

If you wish to import a key ID to install a specific Arch Linux package, see pacman/Package signing#Managing the keyring and Makepkg#Signature checking.

Use a keyserver

Sending keys

You can register your key with a public PGP key server, so that others can retrieve it without having to contact you directly:

Searching and receiving keys

To find out details of a key on the keyserver, without importing it, do:

To import a key from a key server:

Key servers

The most common keyservers are:

• Ubuntu Keyserver: federated, no verification, keys cannot be deleted.
• SKS Keyserver Pool [dead link 2021-05-13 ⓘ] : federated, no verification, keys cannot be deleted.
• Mailvelope Keyserver: central, verification of email IDs, keys can be deleted.
• keys.openpgp.org: central, verification of email IDs, keys can be deleted, no third-party signatures (i.e. no Web of Trust support).

An alternative key server can be specified with the keyserver option in one of the #Configuration files, for instance:

A temporary use of another server is handy when the regular one does not work as it should. It can be achieved by, for example,

Web Key Directory

The Web Key Service (WKS) protocol is a new standard for key distribution, where the email domain provides its own key server called Web Key Directory (WKD). When encrypting to an email address (e.g. user@example.com ), GnuPG (>=2.1.16) will query the domain ( example.com ) via HTTPS for the public OpenPGP key if it is not already in the local keyring. The option auto-key-locate will locate a key using the WKD protocol if there is no key on the local keyring for this email address.

See the GnuPG Wiki for a list of email providers that support WKD. If you control the domain of your email address yourself, you can follow this guide to enable WKD for your domain. To check if your key can be found in the WKD you can use this webinterface.

Encrypt and decrypt

Asymmetric

You need to #Import a public key of a user before encrypting (option -e / —encrypt ) a file or message to that recipient (option -r / —recipient ). Additionally you need to #Create a key pair if you have not already done so.

To encrypt a file with the name doc, use:

To decrypt (option -d / —decrypt ) a file with the name doc.gpg encrypted with your public key, use:

gpg will prompt you for your passphrase and then decrypt and write the data from doc.gpg to doc. If you omit the -o / —output option, gpg will write the decrypted data to stdout.

Symmetric

Symmetric encryption does not require the generation of a key pair and can be used to simply encrypt data with a passphrase. Simply use -c / —symmetric to perform symmetric encryption:

The following example:

• Encrypts doc with a symmetric cipher using a passphrase
• Uses the AES-256 cipher algorithm to encrypt the passphrase
• Uses the SHA-512 digest algorithm to mangle the passphrase
• Mangles the passphrase for 65536 iterations

To decrypt a symmetrically encrypted doc.gpg using a passphrase and output decrypted contents into the same directory as doc do:

Directory

Encrypting/decrypting a directory can be done with gpgtar(1) .

Key maintenance

Backup your private key

To backup your private key do the following:

Note the above command will require that you enter the passphrase for the key. This is because otherwise anyone who gains access to the above exported file would be able to encrypt and sign documents as if they were you without needing to know your passphrase.

To import the backup of your private key:

Backup your revocation certificate

Revocation certificates are automatically generated for newly generated keys. These are by default located in

/.gnupg/openpgp-revocs.d/ . The filename of the certificate is the fingerprint of the key it will revoke. The revocation certificates can also be generated manually by the user later using:

This certificate can be used to #Revoke a key if it is ever lost or compromised. The backup will be useful if you have no longer access to the secret key and are therefore not able to generate a new revocation certificate with the above command. It is short enough to be printed out and typed in by hand if necessary.

Edit your key

Running the gpg —edit-key user-id command will present a menu which enables you to do most of your key management related tasks.

Type help in the edit key sub menu to show the complete list of commands. Some useful ones:

Exporting subkey

If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.

First, find out which subkey you want to export.

Select only that subkey to export.

At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder.

At this point, you can now use /tmp/subkey.altpass.gpg on your other devices.

Extending expiration date

It is good practice to set an expiration date on your subkeys, so that if you lose access to the key (e.g. you forget the passphrase) the key will not continue to be used indefinitely by others. When the key expires, it is relatively straight-forward to extend the expiration date:

You will be prompted for a new expiration date, as well as the passphrase for your secret key, which is used to sign the new expiration date.

Repeat this for any further subkeys that have expired:

Finally, save the changes and quit:

Update it to a keyserver.

Alternatively, if you use this key on multiple computers, you can export the public key (with new signed expiration dates) and import it on those machines:

There is no need to re-export your secret key or update your backups: the master secret key itself never expires, and the signature of the expiration date left on the public key and subkeys is all that is needed.

Rotating subkeys

Alternatively, if you prefer to stop using subkeys entirely once they have expired, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.

Create new subkey (repeat for both signing and encrypting key)

And answer the following questions it asks (see #Create a key pair for suggested settings).

Update it to a keyserver.

You will also need to export a fresh copy of your secret keys for backup purposes. See the section #Backup your private key for details on how to do this.

Revoke a key

Key revocation should be performed if the key is compromised, superseded, no longer used, or you forget your passphrase. This is done by merging the key with the revocation certificate of the key.

If you have no longer access to your keypair, first #Import a public key to import your own key. Then, to revoke the key, import the file saved in #Backup your revocation certificate:

Now the revocation needs to be made public. #Use a keyserver to send the revoked key to a public PGP server if you used one in the past, otherwise, export the revoked key to a file and distribute it to your communication partners.

Signatures

Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user’s private key. The recipient of a signed document then verifies the signature using the sender’s public key.

Create a signature

Sign a file

To sign a file use the -s / —sign flag:

doc.sig contains both the compressed content of the original file doc and the signature in a binary format, but the file is not encrypted. However, you can combine signing with encrypting.

Clearsign a file or message

To sign a file without compressing it into binary format use:

Here both the content of the original file doc and the signature are stored in human-readable form in doc.sig .

Make a detached signature

To create a separate signature file to be distributed separately from the document or file itself, use the —detach-sig flag:

Here the signature is stored in doc.sig , but the contents of doc are not stored in it. This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.

Verify a signature

To verify a signature use the —verify flag:

where doc.sig is the signed file containing the signature you wish to verify.

If you are verifying a detached signature, both the signed data file and the signature file must be present when verifying. For example, to verify Arch Linux’s latest iso you would do:

where archlinux-version.iso must be located in the same directory.

You can also specify the signed data file with a second argument:

If a file has been encrypted in addition to being signed, simply decrypt the file and its signature will also be verified.

gpg-agent

gpg-agent is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. gnupg comes with systemd user sockets which are enabled by default. These sockets are gpg-agent.socket , gpg-agent-extra.socket , gpg-agent-browser.socket , gpg-agent-ssh.socket , and dirmngr.socket .

• The main gpg-agent.socket is used by gpg to connect to the gpg-agent daemon.
• The intended use for the gpg-agent-extra.socket on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use gpg on the remote system without exposing the private keys to the remote system. See gpg-agent(1) for details.
• The gpg-agent-browser.socket allows web browsers to access the gpg-agent daemon.
• The gpg-agent-ssh.socket can be used by SSH to cache SSH keys added by the ssh-add program. See #SSH agent for the necessary configuration.
• The dirmngr.socket starts a GnuPG daemon handling connections to keyservers.

Configuration

gpg-agent can be configured via

/.gnupg/gpg-agent.conf file. The configuration options are listed in gpg-agent(1) . For example you can change cache ttl for unused keys:

Reload the agent

After changing the configuration, reload the agent using gpg-connect-agent:

The command should print OK .

However in some cases only the restart may not be sufficient, like when keep-screen has been added to the agent configuration. In this case you firstly need to kill the ongoing gpg-agent process and then you can restart it as was explained above.

pinentry

gpg-agent can be configured via the pinentry-program stanza to use a particular pinentry user interface when prompting the user for a passphrase. For example:

There are other pinentry programs that you can choose from — see pacman -Ql pinentry | grep /usr/bin/ .

Remember to reload the agent after making changes to the configuration.

Cache passwords

max-cache-ttl and default-cache-ttl defines how many seconds gpg-agent should cache the passwords. To enter a password once a session, set them to something very high, for instance:

For password caching in SSH emulation mode, set default-cache-ttl-ssh and max-cache-ttl-ssh instead, for example:

Unattended passphrase

Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the —passphrase-fd 0 commandline option. In order to have the same type of functionality as the older releases two things must be done:

First, edit the gpg-agent configuration to allow loopback pinentry mode:

Reload the agent if it is running to let the change take effect.

Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:

. or if this is not possible, add the option to the configuration:

SSH agent

gpg-agent has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your SSH keys. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.

Set SSH_AUTH_SOCK

You have to set SSH_AUTH_SOCK to communicate with gpg-agent and replace the default ssh-agent. User-based configuration of pam_env allows you to set environment variables by user, instead of shell.

Alternatively, depend on Bash. This works for non-standard socket locations as well:

Configure pinentry to use the correct TTY

Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in gpg-agent(1) . For example:

If you use multiple terminals simultaneously and want gpg-agent to ask for passphrase via pinentry-curses from the same terminal where the ssh command was run, add the following to the SSH configuration file. This will make the TTY to be refreshed every time an ssh command is run [4]:

Note that GPG_TTY environment variable has to be set for this to work.

Add SSH keys

Once gpg-agent is running you can use ssh-add to approve keys, following the same steps as for ssh-agent. The list of approved keys is stored in the

Once your key is approved, you will get a pinentry dialog every time your passphrase is needed. For password caching see #Cache passwords.

Using a PGP key for SSH authentication

You can also use your PGP key as an SSH key. This requires a key with the Authentication capability (see #Custom capabilities). There are various benefits gained by using a PGP key for SSH authentication, including:

• Reduced key maintenance, as you will no longer need to maintain an SSH key.
• The ability to store the authentication key on a smartcard. GnuPG will automatically detect the key when the card is available, and add it to the agent (check with ssh-add -l or ssh-add -L ). The comment for the key should be something like: openpgp:key-id or cardno:card-id .

To retrieve the public key part of your GPG/SSH key, run gpg —export-ssh-key gpg-key . If your key is authentication-capable but this command still fails with «Unusable public key», add a ! suffix ([5]).

Unless you have your GPG key on a keycard, you need to add your key to $GNUPGHOME/sshcontrol to be recognized as a SSH key. If your key is on a keycard, its keygrip is added to sshcontrol implicitly. If not, get the keygrip of your key this way:

Then edit sshcontrol like this. Adding the keygrip is a one-time action; you will not need to edit the file again, unless you are adding additional keys.

Smartcards

GnuPG uses scdaemon as an interface to your smartcard reader, please refer to the man page scdaemon(1) for details.

GnuPG only setups

If you do not plan to use other cards but those based on GnuPG, you should check the reader-port parameter in

/.gnupg/scdaemon.conf . The value ‘0’ refers to the first available serial port reader and a value of ‘32768’ (default) refers to the first USB reader.

GnuPG with pcscd (PCSC Lite)

pcscd(8) is a daemon which handles access to smartcard (SCard API). If GnuPG’s scdaemon fails to connect the smartcard directly (e.g. by using its integrated CCID support), it will fallback and try to find a smartcard using the PCSC Lite driver.

To use pscsd install pcsclite and ccid . Then start and/or enable pcscd.service . Alternatively start and/or enable pcscd.socket to activate the daemon when needed.

Always use pcscd

If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using gpg —card-status

By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together. In order to point scdaemon to use pcscd you should remove reader-port from

/.gnupg/scdaemon.conf , specify the location to libpcsclite.so library and disable ccid so we make sure that we use pcscd:

Please check scdaemon(1) if you do not use OpenSC.

Shared access with pcscd

GnuPG scdaemon is the only popular pcscd client that uses PCSC_SHARE_EXCLUSIVE flag when connecting to pcscd . Other clients like OpenSC PKCS#11 that are used by browsers and programs listed in Electronic identification are using PCSC_SHARE_SHARED that allows simultaneous access to single smartcard. pcscd will not give exclusive access to smartcard while there are other clients connected. This means that to use GnuPG smartcard features you must before have to close all your open browser windows or do some other inconvenient operations. Starting from version 2.2.28 LTS and 2.3.0 you can enable shared access by modifying your scdaemon.conf file and adding pcsc-shared line end of it.

Multi applet smart cards

When using YubiKeys or other multi applet USB dongles with OpenSC PKCS#11 may run into problems where OpenSC switches your Yubikey from OpenPGP to PIV applet, breaking the scdaemon .

You can hack around the problem by forcing OpenSC to also use the OpenPGP applet. Open /etc/opensc.conf file, search for Yubikey and change the driver = «PIV-II»; line to driver = «openpgp»; . If there is no such entry, use pcsc_scan . Search for the Answer to Reset ATR: 12 34 56 78 90 AB CD . . Then create a new entry.

After that you can test with pkcs11-tool -O —login that the OpenPGP applet is selected by default. Other PKCS#11 clients like browsers may need to be restarted for that change to be applied.

Tips and tricks

Different algorithm

You may want to use stronger algorithms:

In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.

Encrypt a password

It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.

First create a file with your password. You need to leave one empty line after the password, otherwise gpg will return an error message when evaluating the file.

-e is for encrypt, -a for armor (ASCII output), -r for recipient user ID.

You will be left with a new your_password_file.asc file.

Change trust model

By default GnuPG uses the Web of Trust as the trust model. You can change this to Trust on first use by adding —trust-model=tofu when adding a key or adding this option to your GnuPG configuration file. More details are in this email to the GnuPG list.

Hide all recipient id’s

By default the recipient’s key ID is in the encrypted message. This can be removed at encryption time for a recipient by using hidden-recipient user-id . To remove it for all recipients add throw-keyids to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (e.g. with —try-secret-key user-id ).

Using caff for keysigning parties

To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the Web of Trust. Keysigning parties allow users to get together at a physical location to validate keys. The Zimmermann-Sassaman key-signing protocol is a way of making these very effective. Here you will find a how-to article.

For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool caff. It can be installed from the AUR with the package caff-git AUR .

To send the signatures to their owners you need a working MTA. If you do not have already one, install msmtp.

Always show long ID’s and fingerprints

To always show long key ID’s add keyid-format 0xlong to your configuration file. To always show full fingerprints of keys, add with-fingerprint to your configuration file.

Custom capabilities

For further customization also possible to set custom capabilities to your keys. The following capabilities are available:

• Certify (only for master keys) — allows the key to create subkeys, mandatory for master keys.
• Sign — allows the key to create cryptographic signatures that others can verify with the public key.
• Encrypt — allows anyone to encrypt data with the public key, that only the private key can decrypt.
• Authenticate — allows the key to authenticate with various non-GnuPG programs. The key can be used as e.g. an SSH key.

It’s possible to specify the capabilities of the master key, by running:

And select an option that allows you to set your own capabilities.

Comparably, to specify custom capabilities for subkeys, add the —expert flag to gpg —edit-key , see #Edit your key for more information.

Troubleshooting

Not enough random bytes available

When generating a key, gpg can run into this error:

To check the available entropy, check the kernel parameters:

A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy.

To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki — all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see Random number generation#Alternatives.

When using pinentry , you must have the proper permissions of the terminal device (e.g. /dev/tty1 ) in use. However, with su (or sudo), the ownership stays with the original user, not the new one. This means that pinentry will fail with a Permission denied error, even as root. If this happens when attempting to use ssh, an error like sign_and_send_pubkey: signing failed: agent refused operation will be returned. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If doing gpg as root, simply change the ownership to root right before using gpg:

and then change it back after using gpg the first time. The equivalent is true with /dev/pts/ .

Agent complains end of file

If the pinentry program is /usr/bin/pinentry-gnome3 , it needs a DBus session bus to run properly. See General troubleshooting#Session permissions for details.

Alternatively, you can use a variety of different options described in #pinentry.

KGpg configuration permissions

There have been issues with kgpg being able to access the

/.gnupg/ options. One issue might be a result of a deprecated options file, see the bug report.

GNOME on Wayland overrides SSH agent socket

For Wayland sessions, gnome-session sets SSH_AUTH_SOCK to the standard gnome-keyring socket, $XDG_RUNTIME_DIR/keyring/ssh . This overrides any value set in

/.pam_environmment or systemd unit files.

Mutt might not use gpg-agent correctly, you need to set an environment variable GPG_AGENT_INFO (the content does not matter) when running mutt. Be also sure to enable password caching correctly, see #Cache passwords.

«Lost» keys, upgrading to gnupg version 2.1

When gpg —list-keys fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.

Please read GnuPG invalid packet workaround. Basically, it says that there is a bug with keys in the old pubring.gpg and secring.gpg files, which have now been superseded by the new pubring.kbx file and the private-keys-v1.d/ subdirectory and files. Your missing keys can be recovered with the following commands:

gpg hanged for all keyservers (when trying to receive keys)

If gpg hanged with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working, otherwise it might keeping hanging for all of them.

Smartcard not detected

Your user might not have the permission to access the smartcard which results in a card error to be thrown, even though the card is correctly set up and inserted.

One possible solution is to add a new group scard including the users who need access to the smartcard.

Then use udev rules, similar to the following:

One needs to adapt VENDOR and MODEL according to the lsusb output, the above example is for a YubikeyNEO.

server ‘gpg-agent’ is older than us (x

This warning appears if gnupg is upgraded and the old gpg-agent is still running. Restart the user’s gpg-agent.socket (i.e., use the —user flag when restarting).

IPC connect call failed

The factual accuracy of this article or section is disputed.

Make sure gpg-agent and dirmngr are not running with killall gpg-agent dirmngr and the $GNUPGHOME/crls.d/ folder has permission set to 700 .

If your keyring is stored on a vFat filesystem (e.g. a USB drive), gpg-agent will fail to create the required sockets (vFat does not support sockets), you can create redirects to a location that handles sockets, e.g. /dev/shm :

Test that gpg-agent starts successfully with gpg-agent —daemon .

Mitigating Poisoned PGP Certificates

In June 2019, an unknown attacker spammed several high-profile PGP certificates with tens of thousands (or hundreds of thousands) of signatures (CVE-2019-13050) and uploaded these signatures to the SKS keyservers. The existence of these poisoned certificates in a keyring causes gpg to hang with the following message:

Possible mitigation involves removing the poisoned certificate as per this blog post.

Invalid IPC response and Inappropriate ioctl for device

The default pinentry program is /usr/bin/pinentry-gtk-2 . If gtk2 is unavailable, pinentry falls back to /usr/bin/pinentry-curses and causes signing to fail:

You need to set the GPG_TTY environment variable for the pinentry programs /usr/bin/pinentry-tty and /usr/bin/pinentry-curses .

Источник