1. egpg(1)
  2. Easy GnuPG
  3. egpg(1)

NAME

egpg - Easy GnuPG

SYNOPSIS

egpg COMMAND [ARGS...] [OPTIONS...]

DESCRIPTION

There are scads of options presented by GnuPG, which are all part of making it the flexible and powerful an encryption framework that it is. But it's extremely complicated to get started with, and that quite reasonably puts people off.

egpg is a wrapper script that tries to simplify the process of using GnuPG. In order to simplify things, it is opinionated about the "right" way to use GnuPG.

COMMANDS

KEY COMMANDS

CONTACT COMMANDS

EXTERNAL COMMANDS

FILES

~/.egpg/ The default egpg directory.

~/.egpg/.gnupg The GnuPG directory.

~/.egpg/config.sh The configuration file.

~/.egpg/customize.sh Optional customization file.

ENVIRONMENT VARIABLES

EGPG_DIR Overrides the default egpg directory.

GNUPGHOME The directory used by GnuPG.

CUSTOMIZATION

The file $EGPG_DIR/customize.sh can be used to redefine and customize some functions, without having to touch the code of the main script. Also, external commands can be customized (or new commands can be defined) by adding the file $EGPG_DIR/cmd_command.sh, which contains the function cmd_command() { . . . }.

In general, for an external command the script will first look for $EGPG_DIR/cmd_command.sh, then for $LIB/ext/$PLATFORM/cmd_command.sh, and finally for $LIB/ext/cmd_command.sh. The first that is found is loaded and used. For key commands the name of the file must be cmd_key_command.sh and for contact commands it must be cmd_contact_command.sh.

SIMPLE EXAMPLE

Some basic usage is demonstrated on the examples below.

testuser@laptop:~$ rm -rf ~/.egpg/

testuser@laptop:~$ killall -u $USER gpg-agent

testuser@laptop:~$ egpg

No directory '/home/testuser/.egpg'
Try first: egpg init

testuser@laptop:~$ egpg init

mkdir: created directory '/home/testuser/.egpg'

Appended the following lines to '/home/testuser/.bashrc':
---------------8<---------------
### start egpg config
export GPG_TTY=$(tty)
export EGPG_DIR="/home/testuser/.egpg"
#export GNUPGHOME="/home/testuser/.egpg/.gnupg"
### end egpg config
--------------->8---------------
Please reload it to enable the new config:
    source "/home/testuser/.bashrc"

testuser@laptop:~$ source "/home/testuser/.bashrc"

testuser@laptop:~$ egpg

EasyGnuPG 2.1-1.0    ( https://github.com/easygnupg/egpg )

EGPG_DIR="/home/testuser/.egpg"
GNUPGHOME="/home/testuser/.egpg/.gnupg"
DONGLE=""
KEYSERVER="hkp://keys.gnupg.net"
GPG_TTY="/dev/pts/18"
SHARE=no
DEBUG=no

No valid key found.

Try first:  egpg key gen
       or:  egpg key fetch
       or:  egpg key restore
       or:  egpg key recover

testuser@laptop:~$ egpg key gen test@example.org "Test User"

Creating a new key.

Enter passphrase for the new key: 
Retype the passphrase of the key: 
Please enter the passphrase to unlock the OpenPGP secret key:
"Test User <test@example.org>"
4096-bit RSA key, ID 01D532A283DC1CBF,
created 2016-06-06.

Passphrase: 

id: 01D532A283DC1CBF
uid: Test User <test@example.org>
fpr: 4E91 DD0E EDD7 49F2 B6DE D9CE 01D5 32A2 83DC 1CBF 
trust: ultimate
sign: 01D532A283DC1CBF 2016-06-06 2016-07-06 
decr: 7BD4B1BE5D76CC0D 2016-06-06 2016-07-06 

Revocation certificate is at: 
    "/home/testuser/.egpg/.gnupg/openpgp-revocs.d/4E91DD0EEDD749F2B6DED9CE01D532A283DC1CBF.rev"
    "/home/testuser/.egpg/.gnupg/openpgp-revocs.d/4E91DD0EEDD749F2B6DED9CE01D532A283DC1CBF.rev.pdf"

testuser@laptop:~$ egpg info

EasyGnuPG 2.1-1.0    ( https://github.com/easygnupg/egpg )

EGPG_DIR="/home/testuser/.egpg"
GNUPGHOME="/home/testuser/.egpg/.gnupg"
DONGLE=""
KEYSERVER="hkp://keys.gnupg.net"
GPG_TTY="/dev/pts/18"
SHARE=no
DEBUG=no

id: 01D532A283DC1CBF
uid: Test User <test@example.org>
fpr: 4E91 DD0E EDD7 49F2 B6DE D9CE 01D5 32A2 83DC 1CBF 
trust: ultimate
sign: 01D532A283DC1CBF 2016-06-06 2016-07-06 
decr: 7BD4B1BE5D76CC0D 2016-06-06 2016-07-06 

testuser@laptop:~$ egpg key

id: 01D532A283DC1CBF
uid: Test User <test@example.org>
fpr: 4E91 DD0E EDD7 49F2 B6DE D9CE 01D5 32A2 83DC 1CBF 
trust: ultimate
sign: 01D532A283DC1CBF 2016-06-06 2016-07-06 
decr: 7BD4B1BE5D76CC0D 2016-06-06 2016-07-06 

testuser@laptop:~$ egpg key fpr

4E91 DD0E EDD7 49F2 B6DE D9CE 01D5 32A2 83DC 1CBF

testuser@laptop:~$ egpg key renew 1 year

Please enter the passphrase to unlock the OpenPGP secret key:
"Test User <test@example.org>"
4096-bit RSA key, ID 01D532A283DC1CBF,
created 2016-06-06.

Passphrase: 

id: 01D532A283DC1CBF
uid: Test User <test@example.org>
fpr: 4E91 DD0E EDD7 49F2 B6DE D9CE 01D5 32A2 83DC 1CBF 
trust: ultimate
sign: 01D532A283DC1CBF 2016-06-06 2017-06-06 
decr: 7BD4B1BE5D76CC0D 2016-06-06 2017-06-06 

testuser@laptop:~$ echo "This is a test message." > test.txt

testuser@laptop:~$ egpg seal test.txt

Please enter the passphrase to unlock the OpenPGP secret key:
"Test User <test@example.org>"
4096-bit RSA key, ID 01D532A283DC1CBF,
created 2016-06-06.

Passphrase: 

testuser@laptop:~$ egpg open test.txt.sealed

Please enter the passphrase to unlock the OpenPGP secret key:
"Test User <test@example.org>"
4096-bit RSA key, ID 7BD4B1BE5D76CC0D,
created 2016-06-06 (main key ID 01D532A283DC1CBF).

Passphrase: 
gpg: Signature made Mon 06 Jun 2016 06:28:52 PM CEST
gpg:                using RSA key 01D532A283DC1CBF
gpg: Good signature from "Test User <test@example.org>" [ultimate]

testuser@laptop:~$ egpg sign test.txt

Please enter the passphrase to unlock the OpenPGP secret key:
"Test User <test@example.org>"
4096-bit RSA key, ID 01D532A283DC1CBF,
created 2016-06-06.

Passphrase: 

testuser@laptop:~$ egpg verify test.txt.signature

gpg: Signature made Mon 06 Jun 2016 06:32:23 PM CEST
gpg:                using RSA key 01D532A283DC1CBF
gpg: Good signature from "Test User <test@example.org>" [ultimate]

testuser@laptop:~$ egpg contact search Dashamir

gpg: data source: http://svcs4.riverwillow.net.au:11371
(1) Dashamir Hoxha <dashohoxha@gmail.com>
      2048 bit RSA key 562AC309C01D2DBD, created: 2015-12-27, expires: 2020-12-31
(2) Dashamir Hoxha <dashohoxha@gmail.com>
    keybase.io/dashohoxha <dashohoxha@keybase.io>
      4096 bit RSA key 0967FD258D6414F9, created: 2015-05-27, expires: 2017-01-05
(3) Dashamir Hoxha <dashohoxha@gmail.com>
    Dashamir Hoxha <d_hoxha@dogana.gov.al>
      2048 bit RSA key FD06AA8E55D59B28, created: 2010-12-12, expires: 2015-12-13 (expired)
Keys 1-3 of 3 for "Dashamir".  Enter number(s), N)ext, or Q)uit > 1

testuser@laptop:~$ egpg contact ls

id: 01D532A283DC1CBF
uid: Test User <test@example.org>
fpr: 4E91 DD0E EDD7 49F2 B6DE D9CE 01D5 32A2 83DC 1CBF 
trust: ultimate
sign: 01D532A283DC1CBF 2016-06-06 2017-06-06 
decr: 7BD4B1BE5D76CC0D 2016-06-06 2017-06-06 


id: 562AC309C01D2DBD
uid: Dashamir Hoxha <dashohoxha@gmail.com>
fpr: 1EC0 8B86 1350 EE19 8053 7941 562A C309 C01D 2DBD 
sign: 562AC309C01D2DBD 2015-12-27 2020-12-31 
decr: 95B9FAD9DEF9A02A 2015-12-27 2020-12-31 

testuser@laptop:~$ egpg contact certify Dashamir

Please enter the passphrase to unlock the OpenPGP secret key:
"Test User <test@example.org>"
4096-bit RSA key, ID 01D532A283DC1CBF,
created 2016-06-06.

Passphrase: 

pub  rsa2048/562AC309C01D2DBD
     created: 2015-12-27  expires: 2020-12-31  usage: SC  
     trust: unknown       validity: unknown
 Primary key fingerprint: 1EC0 8B86 1350 EE19 8053  7941 562A C309 C01D 2DBD

     Dashamir Hoxha <dashohoxha@gmail.com>

This key is due to expire on 2020-12-31.

I have checked this key casually.

testuser@laptop:~$ egpg contact trust Dashamir

uid: Dashamir Hoxha <dashohoxha@gmail.com>
trust: marginal

testuser@laptop:~$ egpg contact ls Dashamir

id: 562AC309C01D2DBD
uid: Dashamir Hoxha <dashohoxha@gmail.com>
fpr: 1EC0 8B86 1350 EE19 8053 7941 562A C309 C01D 2DBD 
trust: marginal
sign: 562AC309C01D2DBD 2015-12-27 2020-12-31 
decr: 95B9FAD9DEF9A02A 2015-12-27 2020-12-31 
certified by: Test User <test@example.org> (01D532A283DC1CBF)

testuser@laptop:~$ egpg contact rm Dashamir

gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa2048/562AC309C01D2DBD 2015-12-27 Dashamir Hoxha <dashohoxha@gmail.com>

Delete this key from the keyring? (y/N) y

testuser@laptop:~$ egpg key revoke

Revocation will make your current key useless.
You'll need to generate a new one.
Are you sure about this? [y/N] y

testuser@laptop:~$ egpg key ls

No valid key found.

Try first:  egpg key gen
       or:  egpg key fetch
       or:  egpg key restore
       or:  egpg key recover

testuser@laptop:~$ rm -rf ~/.egpg/

ADVANCED EXAMPLE

Get the key and contacts from an existing $GNUPGHOME:

testuser@laptop:~$ rm -rf ~/.egpg/

testuser@laptop:~$ killall -u $USER gpg-agent

testuser@laptop:~$ egpg init

mkdir: created directory '/home/testuser/.egpg'

Appended the following lines to '/home/testuser/.bashrc':
---------------8<---------------
### start egpg config
export GPG_TTY=$(tty)
export EGPG_DIR="/home/testuser/.egpg"
#export GNUPGHOME="/home/testuser/.egpg/.gnupg"
### end egpg config
--------------->8---------------
Please reload it to enable the new config:
    source "/home/testuser/.bashrc"

testuser@laptop:~$ source "/home/testuser/.bashrc"

testuser@laptop:~$ egpg migrate

Importing key from: /home/testuser/.gnupg

Importing contacts from: /home/testuser/.gnupg

Change the passphrase of the key:

testuser@laptop:~$ egpg key pass

Please enter the passphrase to unlock the OpenPGP secret key:
"Test 1 <test1@exampel.org>"
4096-bit RSA key, ID DB7065FD432FF513,
created 2016-06-06.

Passphrase: 
Please enter the new passphrase
Passphrase: 
Repeat: 

Use the default GNUPGHOME:

testuser@laptop:~$ egpg default

'/home/testuser/.gnupg' -> '/home/testuser/.gnupg-old'
'/home/testuser/.egpg/.gnupg' -> '/home/testuser/.gnupg'
OK

Afterwards egpg will use the directory ~/.gnupg (or whatever is in the environment variable $GNUPGHOME) for the key and contacts.

Send key to the keyserver network:

testuser@laptop:~$ egpg key share

You must enable sharing first with:
  egpg set share yes

testuser@laptop:~$ egpg set share yes

testuser@laptop:~$ egpg key share

Keep the sign/cert private key on a dongle

testuser@laptop:~$ egpg key2dongle

Enter the dongle directory: /media/testuser/19BA-88F9/

'/home/testuser/.egpg/.gnupg/private-keys-v1.d/C44D9A5C673623B0674F456999EE2607941EC904.key' -> '/media/testuser/19BA-88F9/.gnupg/C44D9A5C673623B0674F456999EE2607941EC904.key'
removed '/home/testuser/.egpg/.gnupg/private-keys-v1.d/C44D9A5C673623B0674F456999EE2607941EC904.key'

Key moved to /media/testuser/19BA-88F9/.gnupg/C44D9A5C673623B0674F456999EE2607941EC904.key 

Afterwards, in order to sign or certify, you need to mount the dongle first, otherwise it will not be able to find the key. However you can decrypt without the dongle, because the decrypting secret key is still on your home directory.

You can move back the signing private key like this:

testuser@laptop:~$ egpg key2dongle --reverse

Enter the dongle directory [/media/testuser/19BA-88F9]: 

'/media/testuser/19BA-88F9/.gnupg/C44D9A5C673623B0674F456999EE2607941EC904.key' -> '/home/testuser/.egpg/.gnupg/private-keys-v1.d/C44D9A5C673623B0674F456999EE2607941EC904.key'
removed '/media/testuser/19BA-88F9/.gnupg/C44D9A5C673623B0674F456999EE2607941EC904.key'

Key moved to /home/testuser/.egpg/.gnupg/private-keys-v1.d/C44D9A5C673623B0674F456999EE2607941EC904.key 

Split the key and use a dongle

You can split a key into 3 partial keys, so that any 2 of them can be combined to recreate the original key (but a single one is not enough). EasyGnuPG takes advantage of this to save a partial key on the local machine and another partial on a dongle (usb, removable device). The third partial key is used as a backup, to recover the full key in case that the dongle or the computer is lost.

testuser@laptop:~$ egpg key split

Splitting the key: 155E526BA47364BC

Enter the dongle directory: /media/testuser/sdb1

 * Backup partial key saved to: /home/testuser/155E526BA47364BC.key.089
 * Dongle partial key saved to: /media/testuser/sdb1/.gnupg/155E526BA47364BC.key.113
 * Local  partial key saved to: /home/testuser/.egpg/.gnupg/155E526BA47364BC.key.129

The key was split successfully. Whenever you need to use the key
(to sign, seal, open, etc.) connect first the dongle to the PC.

Make sure to move the backup out of the PC (for example on the cloud).
You will need it to recover the key in case that you loose the dongle
or the PC (but it cannot help you if you loose both of them).

testuser@laptop:~$ egpg key recover 155E526BA47364BC.key.089

testuser@laptop:~$ egpg key join

Spliting the key into partial keys makes key management safer and more robust. In case that you loose the dongle the key is not deconspired, because a single partial key is not enough to reconstruct the full key. The same goes for the backup partial key; you can store it on cloud and if somebody manages to get it, they still cannot get your key. Similarly, if you loose the dongle or change the PC, you still can recover the key using the remaining partial key and the backup partial key.

Run any gpg command but with the configuration settings of egpg:

testuser@laptop:~$ egpg gpg --list-secret-keys

/home/testuser/.egpg/.gnupg/secring.gpg
------------------------------------
sec   2048R/C01D2DBD 2015-12-27 [expires: 2020-12-31]
uid                  Dashamir Hoxha <dashohoxha@gmail.com>
ssb   2048R/DEF9A02A 2015-12-27

Use more than one private keys:

EasyGnuPG does not allow more than one valid key (which is unexpired and unrevoked). What can you do if you need to use more than one private key? You can use different home directories for EGPG, one for each key, and they will not mess with each-other. Let's see an example of doing this.

testuser@laptop:~$ egpg init ~/.egpg1 <<< n

testuser@laptop:~$ egpg init ~/.egpg2 <<< n

testuser@laptop:~$ egpg init ~/.egpg <<< n

Now add these lines to ~/.bashrc:

alias egpg1='EGPG_DIR="/home/testuser/.egpg1" egpg'
alias egpg2='EGPG_DIR="/home/testuser/.egpg2" egpg'
export EGPG_DIR="/home/testuser/.egpg"

testuser@laptop:~$ source ~/.bashrc

testuser@laptop:~$ egpg

EasyGnuPG 2.1-1.0    ( https://github.com/easygnupg/egpg )

EGPG_DIR="/home/testuser/.egpg"
GNUPGHOME="/home/testuser/.egpg/.gnupg"
DONGLE=""
KEYSERVER="hkp://keys.gnupg.net"
GPG_TTY="/dev/pts/20"
SHARE=no
DEBUG=no

No valid key found.

Try first:  egpg key gen
       or:  egpg key fetch
       or:  egpg key restore
       or:  egpg key recover

testuser@laptop:~$ egpg1

EasyGnuPG 2.1-1.0    ( https://github.com/easygnupg/egpg )

EGPG_DIR="/home/testuser/.egpg1"
GNUPGHOME="/home/testuser/.egpg1/.gnupg"
DONGLE=""
KEYSERVER="hkp://keys.gnupg.net"
GPG_TTY="/dev/pts/20"
SHARE=no
DEBUG=no

No valid key found.

Try first:  egpg key gen
       or:  egpg key fetch
       or:  egpg key restore
       or:  egpg key recover

testuser@laptop:~$ egpg2

EasyGnuPG 2.1-1.0    ( https://github.com/easygnupg/egpg )

EGPG_DIR="/home/testuser/.egpg2"
GNUPGHOME="/home/testuser/.egpg2/.gnupg"
DONGLE=""
KEYSERVER="hkp://keys.gnupg.net"
GPG_TTY="/dev/pts/20"
SHARE=no
DEBUG=no

No valid key found.

Try first:  egpg key gen
       or:  egpg key fetch
       or:  egpg key restore
       or:  egpg key recover

Debug

testuser@laptop:~$ egpg set debug yes

testuser@laptop:~$ egpg sign test.txt

debug: /usr/bin/gpg2 --quiet --status-fd=2 --homedir=/dev/shm/egpg.YoWn6SQbmXGk0 --list-secret-keys --with-colons
debug: /usr/bin/gpg2 --quiet --status-fd=2 --homedir=/dev/shm/egpg.YoWn6SQbmXGk0 --list-keys --with-colons 01965828F3DA198A
debug: /usr/bin/gpg2 --quiet --status-fd=2 --list-keys --fingerprint --with-sig-check --with-colons 01965828F3DA198A
debug: /usr/bin/gpg2 --quiet --status-fd=2 --list-keys --with-colons 01965828F3DA198A
debug: /usr/bin/gpg2 --quiet --status-fd=2 --import /dev/shm/egpg.YoWn6SQbmXGk0/01965828F3DA198A/01965828F3DA198A.pub
[GNUPG:] IMPORT_OK 0 E8C5C6414838799DD062A2B401965828F3DA198A
[GNUPG:] IMPORT_RES 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0
debug: /usr/bin/gpg2 --quiet --no-tty --status-fd=2 --no-tty --batch --command-fd=0 --edit-key 01965828F3DA198A
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE edit_ownertrust.value
[GNUPG:] GOT_IT
[GNUPG:] GET_BOOL edit_ownertrust.set_ultimate.okay
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
debug: /usr/bin/gpg2 --quiet --status-fd=2 --local-user 01965828F3DA198A --detach-sign --armor --output test.txt.signature test.txt
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 20338
Please enter the passphrase to unlock the OpenPGP secret key:
"Test 1 <test1@example.org>"
4096-bit RSA key, ID 01965828F3DA198A,
created 2016-06-06.

Passphrase: 
[GNUPG:] SIG_CREATED D 1 8 00 1465233946 E8C5C6414838799DD062A2B401965828F3DA198A

testuser@laptop:~$ egpg set debug no

AUTHOR

Copyright (C) 2016 Dashamir Hoxha (dashohoxha@gmail.com). The code is on GitHub at https://github.com/easygnupg/egpg.

COPYLEFT

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

SEE ALSO

gpg2(1), haveged(8), parcimonie(1p), gfsplit(1), gfcombine(1).

  1. dashohoxha
  2. January 2018
  3. egpg(1)