GnuPG Password Management

[last updated: 2023-07-15]
GnuPG encryption home page
-----

This page is still in development ...

  • Delete a key:
    • If a key has been revoked or has expired, or for whatever other reason, you may want to delete it from your keyring.
      Note that once it is gone you can no longer verify old signatures made with it or decrypt old
      messages sent to it, so keep the secret part of your own revoked keys as long as you have data encrypted to them.
    • You must delete the secret (private) key before gpg will let you delete the public key
      (or delete both in one go with --delete-secret-and-public-key).

    • $ gpg --delete-secret-key [ keyid or uid search parameter ]
      The search parameter can be the email associated with the key, a keyword from the comment field,
      the short (8-hex-char) or long (16-hex-char) key id, the full fingerprint, or the "real name" associated with the key.
      Prefer the full fingerprint: short key ids are trivially collidable and a name or email may match several keys.
      In --batch mode gpg only deletes a secret key that is specified by fingerprint.
      (The documented option names are the plural --delete-secret-keys / --delete-keys; gpg accepts the
      singular forms because they are unambiguous abbreviations.)
    • Once the secret key is deleted, you can delete the public key:
      $ gpg --delete-key [ keyid or uid search parameter ]
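      The deletion sequence above, run end to end against a throwaway key as an added example; this is not code from the original page or from the GnuPG project. It assumes only gpg and awk on the PATH. DEMO_UID and the function names are hypothetical, chosen for the demo, and the key is generated without a passphrase purely so that no pinentry is needed.

```shell
#!/bin/sh
# Added example, not from the original page or the GnuPG project: the delete
# sequence run against a throwaway key in a private GNUPGHOME, so the real
# keyring is never touched. Requires only gpg and awk.
set -eu

# Hypothetical identity for the demo key
DEMO_UID="Demo User <demo@example.invalid>"

gpg_setup() {  # fresh GNUPGHOME holding one demo key
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  # Unprotected key so the demo needs no pinentry; never do this for a real key
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$DEMO_UID" default default never
}

fingerprint_of() {  # primary fingerprint of the first key matching $1 ('fpr' record, field 10)
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

delete_key_pair() {  # secret part first, then the public part, both by fingerprint
  fpr=$(fingerprint_of "$1")
  # In --batch mode gpg insists on the full fingerprint for a secret key; --yes stands in
  # for the "really delete?" questions and the pinentry confirmation of the secret key
  gpg --batch --yes --delete-secret-keys "$fpr"
  gpg --batch --yes --delete-keys "$fpr"
}

has_secret_key() { gpg --batch --list-secret-keys "$1" >/dev/null 2>&1; }
has_public_key() { gpg --batch --list-keys "$1" >/dev/null 2>&1; }

gpg_teardown() {  # stop the agent started for this GNUPGHOME and remove the directory
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
}
```

      Without --batch, gpg --delete-secret-key asks for confirmation in the terminal and, for the secret key, once more through pinentry; the script uses --batch --yes only because the key is a disposable one it created itself.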

    -----------------------------------------------------------------

  • Exporting your private key:
    • If you want to use your private key on a different computer than the one used to generate it,
      you will need to export it to a file.
    • You should of course separately encrypt this exported file to protect it while you transport it.
      The export is already wrapped in the key's own passphrase, but treat that as the second line of
      defence, not the only one, and delete the transport copy once it has been imported.
    • $ gpg --export-secret-keys -a -o [ outputFileName ] [ search param if needed]
      (--export-secret-keys is the documented name; gpg also accepts the abbreviation --export-secret-key.
      Without a search parameter every secret key in the keyring is exported. -a / --armor gives an ASCII
      text file instead of binary.)
    • You will be asked for the passphrase that you specified when you generated the key;
      gpg needs it to unlock the key and re-wrap it in the OpenPGP export format.
    • The exported file is written to the path given with -o; a bare filename lands in your current directory.
      On the other computer, import it with $ gpg --import [ outputFileName ]

    -----------------------------------------------------------------

  • Editing your passphrase (and other key edits):
    • Caution, corrected: editing a key does NOT change its fingerprint or key ids.
      The fingerprint is a hash of the public key material and creation time, so changing the passphrase
      (which only re-encrypts the local copy of the secret key) or adding and removing user ids leaves it as it is.
      What does change: the passphrase needed to use the key (a secret-key file exported earlier is still
      protected by the OLD passphrase, so destroy or re-export old copies), and the public key's packets when
      user ids are added or removed (re-export or re-publish the public key so others see the new user ids).

    • $ gpg --edit-key [ keyIdentifier ]
        The "keyIdentifier" can be any of the parameters that uniquely identify your key:
            the key id or fingerprint, your email, your name, a unique comment, etc.
        Take care however if there is any ambiguity among the parameters,
        and be sure the key that is found is the one you want; the fingerprint is the only unambiguous choice.
    • Once the key is open for editing, the prompt changes to "gpg>"
    • At this point there are many commands you can execute to do a variety of edit tasks.
      See full documentation at: https://www.gnupg.org/gph/en/manual/r899.html
    • Ones I've found useful:
      • passwd   (change the passphrase of the secret key)
      • uid N    (select or deselect user id number N; deluid and primary act on the selected ones)
      • adduid   (add a user id: name, email, comment)
      • deluid   (delete the selected user ids)
    • you may need to enter "y" or "o" to confirm, and you may need to enter your passphrase.
    • When you're done, type: save (writes the changes and exits)
    • Exit without saving with <ctrl-c>, or type quit (quit asks whether to save first)
    • A passphrase change alone does not need the menu: $ gpg --passwd [ keyIdentifier ]
      (also spelled --change-passphrase) does what the passwd command does.
      In --batch mode --edit-key only runs with its commands given on the command line;
      for scripts the --quick-* commands such as --quick-add-uid are the simpler route.
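      The two edits used most often above, passwd and adduid, in their batch forms, as an added example that is not code from the original page or from the GnuPG project. It runs against a throwaway key and checks what the corrected caution says: the fingerprint is identical before and after both edits, while the new passphrase is what now unlocks the key. DEMO_UID, EXTRA_UID, NEW_PW and the function names are hypothetical; the key starts out unprotected so that generation needs no pinentry.

```shell
#!/bin/sh
# Added example, not from the original page or the GnuPG project: batch
# equivalents of the 'passwd' and 'adduid' edit-key commands on a throwaway
# key, showing that neither touches the fingerprint.
set -eu

# Hypothetical identities and passphrase, constructed for this demo only
DEMO_UID="Demo User <demo@example.invalid>"
EXTRA_UID="Demo User (work) <demo@work.example.invalid>"
NEW_PW='demo passphrase, change me 2023'

setup_home() {  # private GNUPGHOME with one unprotected demo key (never do this for a real key)
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$DEMO_UID" default default never
}

fpr_of() {  # primary fingerprint of the first key matching $1
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

uid_count() {  # number of user ids on the key matching $1
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="uid"{n++} END{print n+0}'
}

set_passphrase() {  # $1 = key, $2 = new passphrase: the batch form of 'passwd'
  gpg --batch --pinentry-mode loopback --passphrase "$2" --passwd "$1"
  # gpg-agent now caches the new passphrase; restart it so later checks test the passphrase itself
  gpgconf --kill gpg-agent || true
}

add_uid() {  # $1 = key fingerprint, $2 = passphrase, $3 = new user id: the batch form of 'adduid'
  gpg --batch --pinentry-mode loopback --passphrase "$2" --quick-add-uid "$1" "$3"
  gpgconf --kill gpg-agent || true
}

can_sign_with() {  # $1 = key, $2 = passphrase; succeeds only if $2 unlocks the secret key
  printf 'demo message\n' | gpg --batch --yes --pinentry-mode loopback --passphrase "$2" \
      --local-user "$1" --sign --output "$GNUPGHOME/demo.sig" >/dev/null 2>&1
}
```

      The demo starts from an unprotected key on purpose: --passphrase answers every passphrase inquiry with the same string, so it cannot supply an old and a new passphrase for a key that already has one; change those interactively with passwd or --passwd.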

    -----------------------------------------------------------------

  • GnuPG "password manager" (saved passphrases):
    • Not sure how this works.
    • passwords are stored in "your key chain."
    • Experimenting, I see that, on the same computer, files are decrypted without a password prompt
      whether or not you've selected to save your password in 'password manager,'
      and whether or not you've deleted (as a test) the whole of the ~/.gnupg directory
    • So in net not sure where the passwords are stored, perhaps in /usr/share/gnupg ...
    • What is actually going on: gpg-agent keeps every passphrase you type in its own memory for a while
      (default-cache-ttl, 600 seconds by default and refreshed on each use, capped by max-cache-ttl, 7200 seconds),
      so repeated decryptions on the same machine go through without a prompt. The "Save in password manager"
      checkbox is a pinentry feature that additionally hands the passphrase to the desktop keyring
      (via libsecret, e.g. GNOME Keyring). Neither place is under ~/.gnupg, and /usr/share/gnupg holds only
      gpg's program data, never passphrases. To take the checkbox away, put no-allow-external-cache in
      ~/.gnupg/gpg-agent.conf; to empty the agent's cache right now, $ gpg-connect-agent reloadagent /bye

    -----------------------------------------------------------------

  • In the end, however, it remains true that some system of saving/storing/retrieving your passwords is needed.
    • the Pass program/command ... ... ...
      https://www.passwordstore.org/
        With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.
        pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It's capable of temporarily putting passwords on your clipboard and tracking password changes using git.
        You can edit the password store using ordinary unix shell commands alongside the pass command. There are no funky file formats or new paradigms to learn. There is bash completion so that you can simply hit tab to fill in names and commands, as well as completion for zsh and fish available in the completion folder. The community has even produced a GUI client, an Android app, an iOS app, a Firefox plugin, a dmenu script, and even an emacs package.

    • Another method from some forum:
      To read my passwords I use an encrypted file in my home directory. To decrypt it, I simply use the decrypt command of GnuPG, wrapped in a nice shell script rpw (for read passwords). It then asks me for a passphrase and displays all my passwords in the terminal. Optionally, I can give a search term, e.g. rpw ebay; then only the lines where 'ebay' appears are shown. Here is my script, /usr/local/bin/rpw:
      #!/bin/sh
      # rpw: decrypt the password file to stdout and show the lines matching $1 (all lines if no argument)
      gpg -d -o - /home/USER/pw.gpg | grep -- "${1:-}"
      To write/edit the password file, I decrypt it, edit it, and then encrypt it again, wiping the decrypted file. Here is that script, called wpw (for write passwords), /usr/local/bin/wpw:
      #!/bin/sh
      set -e      # stop here if decryption fails, rather than editing and re-encrypting an empty file
      umask 077   # the decrypted copy must be readable by the owner only
      gpg -d -o /home/USER/pw_unenc /home/USER/pw.gpg
      vi /home/USER/pw_unenc
      gpg --yes -o /home/USER/pw.gpg -e /home/USER/pw_unenc   # --yes: replace the old encrypted file without asking
      wipe -f -s /home/USER/pw_unenc

      This is all very easy and relies on GnuPG's security.
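      A safer variant of the rpw/wpw idea, as an added example; these are not the forum poster's scripts and not code from the original page. The weak points of the posted version are that the plaintext is written to the normal filesystem (wipe -f -s cannot reliably overwrite it on a journaling filesystem or an SSD) and that a failed re-encryption can clobber the only encrypted copy. Here the store is one symmetrically encrypted file, the plaintext only ever exists in a private RAM-backed temporary directory, and the encrypted file is replaced atomically after re-encryption succeeded. STORE, PW_PASS, PW_TMPBASE and the function names are hypothetical; PW_PASS exists only for non-interactive use, and when it is empty pinentry prompts as usual.

```shell
#!/bin/sh
# Added example, not the forum poster's scripts and not from the original page:
# a hardened read/edit pair for a symmetrically encrypted password file.
set -eu

# Hypothetical settings, overridable from the environment
STORE="${PW_STORE:-${HOME:-.}/pw.gpg}"   # the encrypted password file
PW_PASS="${PW_PASS:-}"                    # non-interactive use only; empty means pinentry prompts
PW_TMPBASE="${PW_TMPBASE:-/dev/shm}"      # where the plaintext lives while editing (tmpfs, not disk)

gpg_pw() {  # gpg with a loopback passphrase when PW_PASS is set, pinentry otherwise
  if [ -n "$PW_PASS" ]; then
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$PW_PASS" "$@"
  else
    gpg --batch --quiet "$@"
  fi
}

pw_read() {  # pw_read [pattern]: print the lines matching pattern (all lines when omitted)
  gpg_pw --decrypt "$STORE" | grep -- "${1:-}"
}

pw_write_from_stdin() {  # encrypt stdin into $STORE; the old store survives if encryption fails
  umask 077
  tmp="$STORE.tmp.$$"
  if gpg_pw --yes --symmetric --output "$tmp"; then
    mv -f "$tmp" "$STORE"
  else
    rm -f "$tmp"
    return 1
  fi
}

pw_edit() {  # decrypt into RAM, run the editor, re-encrypt; the plaintext goes away even on interruption
  umask 077
  dir=$(mktemp -d "$PW_TMPBASE/pw.XXXXXX" 2>/dev/null || mktemp -d)
  trap 'rm -rf "$dir"' EXIT INT TERM
  if [ -f "$STORE" ]; then
    gpg_pw --decrypt --output "$dir/pw.txt" "$STORE"
  else
    : > "$dir/pw.txt"
  fi
  "${EDITOR:-vi}" "$dir/pw.txt"
  pw_write_from_stdin < "$dir/pw.txt"
  rm -rf "$dir"
  trap - EXIT INT TERM
}
```

      pw_read still prints secrets to the terminal, so the scrollback and any terminal logging apply; the pattern argument keeps that to one line. On GnuPG 2.2.7 and later, --no-symkey-cache stops gpg-agent from caching the symmetric passphrase between calls.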

    -----------------------------------------------------------------

  • force passwords to be required:
    • From: https://security.stackexchange.com/questions/103034/gnupg-decryption-not...
      • As stated, if you decrypt a file on the same computer where you did the encryption (more precisely,
        through the same running gpg-agent, within its cache time), you will not (by default) be prompted
        for a password: the agent caches the passphrase for default-cache-ttl seconds (600), refreshed on each use,
        up to max-cache-ttl (7200).
      • On GnuPG 2.1 and later, where gpg always goes through gpg-agent, you can make the cache expire almost
        immediately, so a password is needed for every decryption:
        Create the file: ~/.gnupg/gpg-agent.conf
        Put two lines into it:
          default-cache-ttl 1
          max-cache-ttl 1

        Reload the agent (this also flushes whatever is already cached) with:

          $ echo RELOADAGENT | gpg-connect-agent

        or, equivalently, $ gpg-connect-agent reloadagent /bye  or  $ gpgconf --reload gpg-agent
      • This does not touch a passphrase saved through the pinentry "Save in password manager" checkbox;
        add no-allow-external-cache to the same file to remove that option.
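        The shipped defaults next to the hardened settings, as an added example of a complete ~/.gnupg/gpg-agent.conf (not from the original page or the GnuPG project). The -ssh variants only matter when the agent also serves SSH keys (enable-ssh-support); every option here is one gpg-agent documents.

```conf
# ~/.gnupg/gpg-agent.conf   (added example, not from the original page)

# Shipped defaults: a passphrase stays usable for 10 minutes after each use,
# 2 hours at most, and pinentry may offer "Save in password manager".
#default-cache-ttl 600
#max-cache-ttl 7200
#allow-external-cache

# Hardened: the passphrase is needed for (almost) every operation ...
default-cache-ttl 1
max-cache-ttl 1
# ... for SSH keys served by the agent as well ...
default-cache-ttl-ssh 1
max-cache-ttl-ssh 1
# ... and the desktop keyring never gets to keep a copy
no-allow-external-cache
```

        Apply it with $ gpg-connect-agent reloadagent /bye; the reload also discards anything already cached.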

    -----------------------------------------------------------------