Questions tagged [gnupg]

GNU Privacy Guard (GnuPG or GPG) is an open source implementation of PGP, a file encryption and signature tool widely used for emails.

GNU Privacy Guard (GnuPG or GPG) is an implementation of OpenPGP, a file encryption and signature format widely used for emails. It is an open source alternative to PGP.

Use this tag for questions about security properties of GPG and how to effectively use GPG to achieve security policies. For questions on how to use GPG, ask on Unix & Linux, Super User (if you use Windows) or other sites as applicable.

747 questions
234
votes
15 answers

Where do you store your personal private GPG key?

So, I want to start using pass, but I need a GPG key for this. This application will store all of my passwords, which means it's very important that I don't lose my private key, once generated. Hard disks break, cloud providers are generally not…
Florian Margaine
93
votes
2 answers

How many OpenPGP keys should I make?

I am learning how to use OpenPGP keys in GnuPG, and I am wondering what is the threshold people generally use to maintain separate OpenPGP keys. Maintaining an incredibly large number of keys is not good since it makes it difficult to be trusted by…
user9117
54
votes
9 answers

How to securely send private keys

What is the recommended way and best-practice to send private keys and SSL private keys? I was thinking of zipping up the files, then using gpg: gpg -c thefile.zip The problem then becomes how do you send the passphrase used to encrypt to the other…
Justin
52
votes
5 answers

gpg --encrypt fails

When trying to encrypt files, I get the following error in KGpg editor window: The encryption failed with error code 2 On the command line I get: $ gpg --list-keys /home/user/.gnupg/pubring.gpg --------------------------------- pub …
marekful
49
votes
1 answer

Short OpenPGP key IDs are insecure, how to configure GnuPG to use long key IDs instead?

Short OpenPGP key IDs (with 32 bits / 8 hex characters) are subject to collision attacks. It is strongly recommended to stop using 32 bit IDs: Stop using 32bit key ids It takes 4 seconds to generate a colliding 32bit key id on a GPU (using…
Jens Erat
47
votes
5 answers

Migrating GPG master keys as subkeys to new master key

Currently I have 3 private GPG pairs which are all master keys. I want to convert these keys into subkeys for a new key pair (and keep that in the vault). I have read the following thread http://atom.smasher.org/gpg/gpg-migrate.txt which involves…
lz.
45
votes
3 answers

How safe are signed git tags? Only as safe as SHA-1 or somehow safer?

How safe are signed git tags? Especially because git uses SHA-1. There is contradictory information around. So if one verifies a git tag (git tag -v tagname), then checks out the tag, and checks that git status reports no untracked/modified files,…
adrelanos
45
votes
2 answers

Who owns the gpg key 4AEE18F83AFDEB23 and how did it sign a commit in my GitHub repo?

This commit in my GitHub repo is signed by a key I don't recognize: https://github.com/jonathancross/jc-docs/pull/2/commits/124672699991af75dd2454831670758f08bc74ab What is going on here?
Jonathan Cross
45
votes
3 answers

Is it a coincidence that the first 4 bytes of a PGP/GPG file are ellipsis, smile, female sign and a heart?

As the title says, do those 4 bytes carry a meaning (I assume they do as apparently the smile changes depending on the key bitness)? The two files below have been encrypted with the different keys, but within the same key those 4 bytes are always…
ajeh
45
votes
4 answers

GnuPG decryption not asking for passphrase

I've some stuff encrypted with GnuPG using gpg -e. When I decrypt them, the system does not ask for the passphrase, it decrypts it straight away. Does it store the secret key somewhere and use it (I also stored my secret key in the GnuPG key chain,…
EsseTi
44
votes
2 answers

Will encrypting the same file with GnuPG and the same key produce the same ciphertext?

If I encrypt the same file twice with GnuPG, using the same key, will I get the same result? Or is it using some random/pseudo-random segment to improve security like rsyncrypto?
Didi Kohen
43
votes
7 answers

Is layered encryption more secure than long passwords?

The comments in this question debate about the added security of multi-layered encryption. There seems to be some disagreement, and I thought a proper question would be helpful here. So, to provide some common background, consider the following…
luchonacho
42
votes
3 answers

Is it possible to use a GPG or SSH key for web based authentication in a secure fashion?

Let's say hypothetically I am writing a web application targeting technically inclined, security-conscious users who have no problems generating and using GPG or SSH keys. Is it possible to use said keys to authenticate with a web application in a…
user10211
36
votes
4 answers

How can I encrypt a file using gpg without including the recipient's key ID?

An OpenPGP encrypted file will include the key ID of the intended recipient's public encryption key, as explained in this question. Is there any way to remove that information from the resulting encrypted file? Does gpg provide an option to not…
Flimm
34
votes
4 answers

Can I specify a public key file instead of recipient when encrypting with GPG

Can I do something like: gpg --public-key my.pub -e file.txt If I can, any reason that I should not do that? P/s: I think I don't need to know about the recipient because my machine only has one public key at a time. But that key will change…
nvcnvn