# GPG Setup for Email Signing

## Quick Setup (Automated)

Run the setup script to create a GPG key with all email identities:

```bash
gpg-setup
```

This will:

1. Create a 4096-bit RSA key (expires in 2 years)
2. Add all name/email variations as UIDs
3. Print the key ID to use in the neomutt config

## Manual Setup

### Step 1: Create the primary key

```bash
gpg --full-generate-key
```

When prompted:

1. Select `(1) RSA and RSA`
2. Key size: `4096`
3. Expiration: `2y` (or your preference; an expiry limits the damage if you ever lose the key or its passphrase, and it can be extended later with `gpg --edit-key`)
4. Real name: `Ray Andrew Sinurat` (use your most formal name)
5. Email: `raydreww@gmail.com` (primary email)
6. Comment: (leave empty)
7. Enter a passphrase (this is what protects the private key at rest; gpg-agent caches it so you are not prompted for every message)

### Step 2: Add additional UIDs

Add more email addresses and name variations to the same key. One key with several UIDs means every address signs with the same key ID, which is what lets both neomutt accounts share one `pgp_sign_as` below:

```bash
gpg-add-uid "Ray Andrew Sinurat" "rayandrew@uchicago.edu"
gpg-add-uid "Ray Andrew" "raydreww@gmail.com"
gpg-add-uid "Ray Andrew" "rayandrew@uchicago.edu"
gpg-add-uid "Ray A. O. Sinurat" "raydreww@gmail.com"
gpg-add-uid "Ray A. O. Sinurat" "rayandrew@uchicago.edu"
```

### Example final key structure

```
sec   rsa4096/ABCD1234EFGH5678 2024-01-01 [SC] [expires: 2026-01-01]
uid           [ultimate] Ray Andrew Sinurat <raydreww@gmail.com>
uid           [ultimate] Ray Andrew Sinurat <rayandrew@uchicago.edu>
uid           [ultimate] Ray Andrew <raydreww@gmail.com>
uid           [ultimate] Ray Andrew <rayandrew@uchicago.edu>
uid           [ultimate] Ray A. O. Sinurat <raydreww@gmail.com>
uid           [ultimate] Ray A. O. Sinurat <rayandrew@uchicago.edu>
ssb   rsa4096/1234567890ABCDEF 2024-01-01 [E] [expires: 2026-01-01]
```

The `sec` line is the primary key, which here carries both the certification and signing capabilities (`[SC]`); the `ssb` line is the encryption subkey (`[E]`). Signing mail uses the primary key, so its ID is the one neomutt needs.

## Get Key ID

```bash
gpg --list-secret-keys --keyid-format LONG
```

The key ID is the part after `rsa4096/` on the `sec` line (`ABCD1234EFGH5678` in the placeholder listing above; a real long key ID is 16 hexadecimal digits). Always use the long ID or the full fingerprint in configs, never the 8-digit short ID: short IDs are cheap to collide, so a config that names one may pick up an attacker's key.
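The Manual Setup steps and the key ID lookup, as an added example that is not the dotfiles' own `gpg-setup` script: a non-interactive version that runs inside a throwaway `GNUPGHOME` so the real `~/.gnupg` is never touched, reads the key ID from gpg's machine-readable colon output instead of grepping the human listing, and ends with a sign-and-verify self-test. The `--demo` flag, the temporary directory and the empty passphrase are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the dotfiles' gpg-setup script): the Manual Setup
# steps run non-interactively inside a throwaway GNUPGHOME. The --demo
# flag, the temp directory and the empty passphrase are assumptions.
set -eu

# gpg with the batch flags every command below needs. The empty passphrase
# keeps the demo unattended; a real setup should let gpg prompt for one.
gpg_batch() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Long key ID of the first secret key that can sign, parsed from
# `gpg --with-colons` output on stdin. Field 1 is the record type, field 5
# the key ID, field 12 the capability letters (lower-case 's' = this key
# itself may sign). The colon format is stable across gpg versions and
# locales, unlike the `rsa4096/...` text of the human-readable listing.
keyid_from_colons() {
  awk -F: '$1 == "sec" && $12 ~ /s/ { print $5; exit }'
}

# Full fingerprint of that key: the `fpr` record following its `sec` record.
fpr_from_colons() {
  awk -F: '$1 == "sec" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# Steps 1 and 2: create the primary key (sign + certify, plus an encryption
# subkey, i.e. the [SC] / [E] layout above, expiring in two years) and add
# the other identities as UIDs.
# $1 = existing directory to use as GNUPGHOME, $2 = algorithm (rsa4096).
gpg_setup_key() {
  GNUPGHOME="$1"; export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg_batch --quick-generate-key "Ray Andrew Sinurat <raydreww@gmail.com>" "${2:-rsa4096}" default 2y
  for uid in \
    "Ray Andrew Sinurat <rayandrew@uchicago.edu>" \
    "Ray Andrew <raydreww@gmail.com>" \
    "Ray Andrew <rayandrew@uchicago.edu>" \
    "Ray A. O. Sinurat <raydreww@gmail.com>" \
    "Ray A. O. Sinurat <rayandrew@uchicago.edu>"; do
    # The first argument selects the key (by the primary UID's email).
    gpg_batch --quick-add-uid raydreww@gmail.com "$uid"
  done
}

# Prove the key actually signs: clearsign a message and verify it. This is
# what neomutt does per message, minus the MIME wrapping.
gpg_selftest() {
  printf 'gpg self-test\n' | gpg_batch --clearsign | gpg --batch --verify 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
  home=$(mktemp -d)
  gpg_setup_key "$home"
  listing=$(gpg --with-colons --list-secret-keys)
  keyid=$(printf '%s\n' "$listing" | keyid_from_colons)
  echo "key ID: $keyid  fingerprint: $(printf '%s\n' "$listing" | fpr_from_colons)"
  gpg_selftest && echo "self-test signature verified"
  # The line to put in both neomutt account files.
  printf 'set pgp_sign_as = 0x%s\n' "$keyid"
  gpgconf --kill gpg-agent
fi
```

Run it as `sh gpg-setup-demo.sh --demo`; the key lives only in the `mktemp` directory, so nothing in `~/.gnupg` changes. To use the same steps for real, point `gpg_setup_key` at `~/.gnupg` and drop the empty `--passphrase ''` so gpg prompts for one.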
## Update NeoMutt Config

Use the **same key ID** for both accounts (both addresses are UIDs on the one key), with the `0x` prefix and the long ID:

### Personal (`config/neomutt/accounts/personal`)

```
set pgp_sign_as = 0xYOUR_KEY_ID
```

### UChicago (`config/neomutt/accounts/uchicago`)

```
set pgp_sign_as = 0xYOUR_KEY_ID
```

## Export Public Key (for sharing)

```bash
# Print to stdout
gpg-public-key

# Copy to clipboard (works on macOS, Linux with xclip or wl-copy)
gpg-public-key -c

# Export specific key
gpg-public-key raydreww@gmail.com

# Export to file
gpg-public-key > ~/public-key.asc
```

## Import Existing Keys

If you have backed up keys:

```bash
# Restore from backup (imports and sets trust)
gpg-restore-key ~/private-key-backup.asc

# Or with public key too
gpg-restore-key ~/private-key.asc ~/public-key.asc
```

"Sets trust" means the key's ownertrust is set to ultimate. That is correct for your own key only; never restore someone else's key this way, or every signature it certifies becomes trusted.

## Backup Keys

```bash
# Backup both keys to home directory
gpg-backup-key

# Backup to specific directory
gpg-backup-key ~/secure-backup

# Backup specific key
gpg-backup-key ~/backup raydreww@gmail.com
```

This creates:

- `gpg-private-key-.asc` (chmod 600)
- `gpg-public-key-.asc`

The armored private key is protected only by its passphrase, so treat the file as the key itself: move it to encrypted offline storage rather than leaving it in your home directory, and delete the working copy once the backup is verified.

### Manual export

```bash
# Export private key (keep this safe!)
gpg-private-key > ~/private-key-backup.asc

# Copy private key to clipboard
gpg-private-key -c

# Export public key
gpg-public-key > ~/public-key-backup.asc
```

Avoid the clipboard route for the private key on a machine with a clipboard manager: clipboard history keeps a copy you did not intend to make.

## GPG Agent

Make sure gpg-agent is running. It's enabled in the home-manager config:

```nix
services.gpg-agent = {
  enable = true;
};
```

To manually start:

```bash
gpgconf --launch gpg-agent
```

## Troubleshooting

### "secret key not found"

- Check that the key ID matches: `gpg --list-secret-keys --keyid-format LONG`
- Check that `pgp_sign_as` uses the `0x` prefix and the long key ID, and that the key has not expired
- Check that you have the *secret* key, not just the public one: `gpg --list-keys` succeeding while `gpg --list-secret-keys` shows nothing for that ID means only the public key was imported
- Ensure gpg-agent is running: `gpgconf --launch gpg-agent`
- Reload agent: `gpg-connect-agent reloadagent /bye`

### Disable signing temporarily

In the neomutt account file, set:

```
set crypt_autosign = no
```

## Delete Keys

To delete a GPG key (e.g., when leaving an organization):

```bash
# Delete by key ID or email
gpg-delete-key 7C19EB1AF0BD68BF
gpg-delete-key raydreww@gmail.com

# Interactive mode (shows keys and prompts)
gpg-delete-key
```

Deletion is local and irreversible without a backup. If the public key was ever published, deleting it here tells nobody else; publish a revocation as well so correspondents stop encrypting to it.
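The backup, restore, "secret key not found" and delete sections above, as one added example that is not the dotfiles' `gpg-backup-key`, `gpg-restore-key` or `gpg-delete-key` scripts: a round trip between throwaway `GNUPGHOME`s that ends with the checks a restore should pass (private backup is mode 600 and non-empty, ownertrust came back, the key still signs) and shows the public-key-only import that produces "secret key not found". The `--demo` flag, the demo identity, the temp directories and the empty passphrase are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the dotfiles' gpg-backup-key / gpg-restore-key /
# gpg-delete-key scripts. Paths, identity and empty passphrase are assumptions.
set -eu

gpg_batch() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Backup: armored secret key, public key and ownertrust for key $1 (key ID,
# fingerprint or email) into directory $2. The export is done under umask
# 077 so the file is never world-readable, even for an instant; the size
# check catches the case where gpg found nothing to export.
gpg_backup() {
  priv="$2/gpg-private-key-$1.asc"
  if ! ( umask 077; gpg_batch --armor --export-secret-keys "$1" > "$priv" ) || [ ! -s "$priv" ]; then
    rm -f "$priv"; echo "no secret key for $1" >&2; return 1
  fi
  chmod 600 "$priv"
  gpg --armor --export "$1" > "$2/gpg-public-key-$1.asc"
  # Ownertrust lives in trustdb.gpg, not in the key: without this file the
  # restored key lists as [unknown] rather than [ultimate].
  gpg --export-ownertrust > "$2/ownertrust.txt"
}

# Restore everything gpg_backup wrote from $1 into the current GNUPGHOME.
gpg_restore() {
  gpg_batch --import "$1"/gpg-private-key-*.asc "$1"/gpg-public-key-*.asc
  gpg --import-ownertrust < "$1/ownertrust.txt"
}

# The check behind neomutt's "secret key not found": is there a *secret*
# key for $1 here? With only the public key imported this returns 1.
gpg_has_secret_key() {
  gpg --batch --list-secret-keys "$1" >/dev/null 2>&1
}

# Ownertrust letter of key $1 (field 9 of the pub record; "u" = ultimate).
gpg_ownertrust() {
  gpg --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $9; exit }'
}

# Delete secret and public key. In batch mode gpg insists on the full
# fingerprint for secret-key deletion, so pass that rather than an email.
gpg_delete() {
  gpg --batch --yes --delete-secret-keys "$1"
  gpg --batch --yes --delete-keys "$1"
}

if [ "${1:-}" = "--demo" ]; then
  src=$(mktemp -d); bak=$(mktemp -d); dst=$(mktemp -d)
  chmod 700 "$src" "$dst"
  GNUPGHOME="$src"; export GNUPGHOME
  gpg_batch --quick-generate-key "Demo User <demo@example.com>" rsa4096 default 2y
  gpg_backup demo@example.com "$bak"
  GNUPGHOME="$dst"; export GNUPGHOME
  gpg_restore "$bak"
  if gpg_has_secret_key demo@example.com; then
    echo "restored: secret key present, ownertrust=$(gpg_ownertrust demo@example.com)"
  fi
  for h in "$src" "$dst"; do GNUPGHOME="$h" gpgconf --kill gpg-agent; done
fi
```

`gpg_backup` refuses to leave an empty private-key file behind, which is the failure to watch for when the key selector (email or ID) matches nothing; a silent empty backup is worse than no backup.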