gpg setup
1. Introduction
Setting up GPG so that configuration files which need a secret (for example a mail server password) can hold a decrypt command instead of the plaintext password.
I originally set this up when configuring mbsync for email.
2. Links
GPG + NixOS setup with a YubiKey: https://rzetterberg.github.io/yubikey-gpg-nixos.html
3. Install GPG via Nix
$ nix-env -i gnupg
4. Generate Keypair
Here (as far as I can tell) the email address in the user ID is the name the key is later referred to by, e.g. as the --recipient when encrypting.
$ gpg --gen-key
Real name: Alice Exampleton
Email address: replacewithsomething@somewhere.com
This will populate files under ~/.gnupg
View public keys:
$ gpg -k
/home/roland/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2024-01-11 [SC] [expires: 2026-01-10]
      158495DF3E604E65D12B85D4F1C0105549B5F0D1
uid           [ultimate] Alice Exampleton <replacewithsomething@somewhere.com>
sub   rsa3072 2024-01-11 [E] [expires: 2026-01-10]
5. Encrypt Secret
Using this to encrypt an email server password. Note that gpg --encrypt reads its plaintext from the named file, so replacewithpassword here is a file containing the password; delete that plaintext file once the encrypted .hushmail.gpg exists:
$ gpg --recipient replacewithsomething@somewhere.com -a -o .hushmail.gpg --encrypt replacewithpassword
Resulting in encrypted file like:
$ cat .hushmail.gpg
-----BEGIN PGP MESSAGE-----

hQGMA47kE/R9+tnNAQwA0EHQ11186CQ6tPPhQTidm4i1XBa2hdYi1xsh13jcJsod
...
OlLUNkVxGMF3y2hM8sHNOtFKOW9I3qoViqCEufGJD8m/x9Ev9whgx59c20xSkGg=
=9dw5
-----END PGP MESSAGE-----
6. Decrypt Secret
Recover the secret like this; this decrypt command is what goes into the configuration file in place of the plaintext password, and the command prints the password on stdout:
$ gpg -q --for-your-eyes-only --no-tty -d .hushmail.gpg
replacewithpassword
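The three steps above (generate a key, encrypt the secret, decrypt it on demand) run end to end as one script below. This is an added example, not part of the original notes: it works inside a throwaway GNUPGHOME so your real ~/.gnupg is untouched, generates an unattended demo key, and feeds the password to gpg on stdin instead of from a plaintext file so no cleartext copy ever has to exist on disk (a deliberate change from the file-based command above). It assumes gpg 2.1 or later with gpgconf on PATH; the user ID, the file name and the sample password are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original page: generate -> encrypt -> decrypt
# inside a throwaway keyring. Assumes gpg 2.1+ and gpgconf are on PATH.
# DEMO_UID, the .hushmail.gpg name and the sample password are constructed.

DEMO_UID="Alice Exampleton <replacewithsomething@somewhere.com>"

# Encrypt whatever arrives on stdin for recipient $1, armored, into file $2.
# Reading stdin means the plaintext never needs to be written to a file.
encrypt_secret() {
    gpg --batch --quiet --recipient "$1" --armor --output "$2" --encrypt
}

# Print the decrypted secret on stdout: the shape of command a mail client's
# password hook (e.g. mbsync's PassCmd) runs instead of storing the password.
decrypt_secret() {
    gpg --batch --quiet --no-tty --decrypt "$1"
}

# Stop the agent that was started for the temporary home, then remove it.
demo_cleanup() {
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
}

# Runs the whole flow and prints one word: ok, skipped (no gpg), or a failure tag.
gpg_roundtrip_demo() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v gpgconf >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    GNUPGHOME=$(mktemp -d) || { echo tmpdir-failed; return 0; }
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"    # gpg warns when its home dir is readable by others

    # Unattended key generation for the demo only; a real key should get a passphrase.
    if ! gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$DEMO_UID" default default 1y >/dev/null 2>&1; then
        echo keygen-failed; demo_cleanup; return 0
    fi

    secret='constructed-demo-password'
    enc="$GNUPGHOME/.hushmail.gpg"
    if ! printf '%s' "$secret" | encrypt_secret "$DEMO_UID" "$enc"; then
        echo encrypt-failed; demo_cleanup; return 0
    fi
    # Sanity checks on the ciphertext: armored header present, secret not visible.
    if ! head -n 1 "$enc" | grep -q '^-----BEGIN PGP MESSAGE-----$' || grep -q "$secret" "$enc"; then
        echo ciphertext-unexpected; demo_cleanup; return 0
    fi
    recovered=$(decrypt_secret "$enc") || recovered=''
    demo_cleanup
    if [ "$recovered" = "$secret" ]; then echo ok; else echo mismatch; fi
}

gpg_roundtrip_demo
```

Run it directly and it prints ok when the round trip succeeds. To use the same idea for real, keep your normal ~/.gnupg, pipe the password into encrypt_secret with your own key's email as the recipient, and put the decrypt command (the section 6 command, or decrypt_secret's body) into the client configuration, e.g. as mbsync's PassCmd, so the configuration file holds a command rather than a secret.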