====== Pretty Good Privacy ======

===== Disambiguation =====
^ OpenPGP | |
^ PGP | |
^ GPG (GnuPG) | |

===== Common operations =====
^ List private (own) keys | ''gpg -K'' |
^ Quickly extend keys[(note: you may need to [[https://unix.stackexchange.com/questions/552707/how-to-renew-an-expired-encryption-subkey-with-gpg|extend your subkeys]] if they had a different expiry date)] | ''%%gpg --quick-set-expire ABCDDEADBEEFABCDC0CCABCD42069ABCD7AFFF2 1y%%''\\ (replace with own key and ''1y'' with expiration date or period.) |
^ Create a new public/secret key pair | ''%%gpg --gen-key%%'' |
^ Export a public key | ''%%gpg --armor --output <pubkey.gpg> --export <key-id>%%'' |
^ Export a secret key | ''%%gpg --armor --output <privkey.gpg> --export-secret-key <key-id>%%'' |

===== extend subkeys =====
<code>
gpg --edit-key ABCDDEADBEEFABCDC0CCABCD42069ABCD7AFFF2
key 0
expire
1y
key 1
expire
1y
save
</code>

===== replace old key with new key =====
When replacing one uncompromised key with a newer (typically longer) one, using a transition period when both keys are trustworthy and participate in the web of trust uses trust transitivity to use links to the old key to trust signatures and links created by the new key. During a transition, both keys are trustworthy but you only use the newer one to sign documents and certify links in the web of trust.

<code bash>
gpg --expert --full-gen-key
  (9) ECC and ECC
  (1) Curve 25519

$PGP_NEWKEY_ID=<ID of new key>
$PGP_OLDKEY_ID=<ID of old key>

# sign new key with old key
gpg --default-key $OLDKEY --sign-key $NEWKEY
# sign old key with new key
gpg --default-key $NEWKEY --sign-key $OLDKEY 

# export in ASCII armored format
gpg --armor --output $NEWKEY.key --export-secret-key $NEWKEY
gpg --armor --output $NEWKEY.pub --export $NEWKEY
</code>

===== QR Codes =====
see also:
  * [[https://github.com/open-keychain/open-keychain/wiki/QR-Codes]]

===== How do I distribute my pubkey? =====
see also:
  * [[https://security.stackexchange.com/questions/406/how-should-i-distribute-my-public-key]]
  * [[http://www.bauser.com/websnob/keydist]]
  * [[https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302/|Securing Email Communications from Facebook]]

==== Keyservers ====
| [[http://hkps.pool.sks-keyservers.net/|SKS Keyservers]] | these have [[https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it|some issues]] |
| [[https://keyserver.ubuntu.com/|keyserver.ubuntu.com]] | [[https://hockeypuck.io/|Hockeypuck]] run by the Ubuntu people. |
| [[https://keys.openpgp.org|keys.openpgp.org]] | |
| [[https://keys.mailvelope.com/|Mailvelope Key Server]] | run by people behind the browser Add-On [[https://mailvelope.com/|Mailvelope]] |

Set in **Enigmail**: Settings → Keyservers, enter comma separated list, e.g.:\\ ''%%vks://keys.openpgp.org, hkps://keys.mailvelope.com, hkp://keyserver.ubuntu.com%%''

=== upload with GPG ===
<code bash>
# don't use "vks://" or "hkp://" infront of the domain name!
gpg --keyserver keys.example.com --send-keys $KEY_1 $KEY_2
</code>

=== get key manually ===
<code bash>
gpg2 --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys $PUT_KEY_HERE
</code>
===== further reading =====
  * [[https://help.ubuntu.com/community/GnuPrivacyGuardHowto|GPG Howto]] (Ubuntu Community)
  * [[https://thoughtbot.com/blog/pgp-and-you|PGP and you]] (thoughtbot blog)
  * [[https://zacharyvoase.com/2009/08/20/openpgp/|OpenPGP for complete beginners]]
  * [[https://secushare.org/PGP|15 reasons not to start using PGP]] (secushare)