nix/docs/gpg-setup.md
2025-12-03 20:09:09 -06:00

# GPG Setup for Email Signing
## Quick Setup (Automated)
Run the setup script to create a GPG key with all email identities:
```bash
gpg-setup
```
This will:
1. Create a 4096-bit RSA key (expires in 2 years)
2. Add all name/email variations as UIDs
3. Print the key ID to use in neomutt config
## Manual Setup
### Step 1: Create the primary key
```bash
gpg --full-generate-key
```
When prompted:
1. Select `(1) RSA and RSA`
2. Key size: `4096`
3. Expiration: `2y` (or your preference)
4. Real name: `Ray Andrew Sinurat` (use your most formal name)
5. Email: `raydreww@gmail.com` (primary email)
6. Comment: (leave empty)
7. Enter a passphrase
### Step 2: Add additional UIDs
Add more email addresses and name variations to the same key:
```bash
gpg-add-uid "Ray Andrew Sinurat" "rayandrew@uchicago.edu"
gpg-add-uid "Ray Andrew" "raydreww@gmail.com"
gpg-add-uid "Ray Andrew" "rayandrew@uchicago.edu"
gpg-add-uid "Ray A. O. Sinurat" "raydreww@gmail.com"
gpg-add-uid "Ray A. O. Sinurat" "rayandrew@uchicago.edu"
```
### Example final key structure
```
sec rsa4096/ABCD1234EFGH5678 2024-01-01 [SC] [expires: 2026-01-01]
uid [ultimate] Ray Andrew Sinurat <raydreww@gmail.com>
uid [ultimate] Ray Andrew Sinurat <rayandrew@uchicago.edu>
uid [ultimate] Ray Andrew <raydreww@gmail.com>
uid [ultimate] Ray Andrew <rayandrew@uchicago.edu>
uid [ultimate] Ray A. O. Sinurat <raydreww@gmail.com>
uid [ultimate] Ray A. O. Sinurat <rayandrew@uchicago.edu>
ssb rsa4096/1234567890ABCDEF 2024-01-01 [E] [expires: 2026-01-01]
```
## Get Key ID
```bash
gpg --list-secret-keys --keyid-format LONG
```
The key ID is the 16-character part after `rsa4096/` on the `sec` line (e.g., `ABCD1234EFGH5678`), not the `ssb` line, which is the encryption subkey.
## Update NeoMutt Config
Use the **same key ID** for both accounts:
### Personal (`config/neomutt/accounts/personal`)
```
set pgp_sign_as = 0xYOUR_KEY_ID
```
### UChicago (`config/neomutt/accounts/uchicago`)
```
set pgp_sign_as = 0xYOUR_KEY_ID
```
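As an added example (not one of this repo's own scripts), a POSIX shell helper that parses the `gpg --list-secret-keys --keyid-format LONG` listing shown above, picks the signing-capable `sec` key ID, checks that the UIDs added in Step 2 are all present, and emits the `pgp_sign_as` line. The listing it runs on is a constructed sample built from this page's placeholder IDs, so it runs offline; replace it with real `gpg` output when using it.

```bash
#!/usr/bin/env sh
# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output,
# using the placeholder key IDs from this page (not a real key). One of the
# expected UIDs is deliberately left out so the check below has something to report.
SAMPLE_LISTING='sec   rsa4096/ABCD1234EFGH5678 2024-01-01 [SC] [expires: 2026-01-01]
uid                 [ultimate] Ray Andrew Sinurat <raydreww@gmail.com>
uid                 [ultimate] Ray Andrew <raydreww@gmail.com>
uid                 [ultimate] Ray Andrew <rayandrew@uchicago.edu>
ssb   rsa4096/1234567890ABCDEF 2024-01-01 [E] [expires: 2026-01-01]'

# Print the long key ID of the signing-capable primary key: the "sec" line
# flagged [SC]. The ID is the part after "rsa4096/" (or any other algorithm
# prefix); the "ssb ... [E]" subkey line is skipped on purpose.
signing_key_id() {
    printf '%s\n' "$1" | awk '/^sec / && /\[SC\]/ { split($2, p, "/"); print p[2]; exit }'
}

# Print each expected "Name <email>" UID that is absent from the listing.
# Usage: missing_uids "$listing" "Name <email>" ...
missing_uids() {
    listing=$1
    shift
    for want in "$@"; do
        printf '%s\n' "$listing" | grep -Fq "$want" || printf '%s\n' "$want"
    done
}

# Emit the line to paste into both neomutt account files, or fail (exit 1)
# when the listing has no signing key, so a missing key is caught early.
pgp_sign_as_line() {
    id=$(signing_key_id "$1")
    [ -n "$id" ] || return 1
    printf 'set pgp_sign_as = 0x%s\n' "$id"
}

# Stand-alone run against the constructed sample.
pgp_sign_as_line "$SAMPLE_LISTING"
missing_uids "$SAMPLE_LISTING" \
    "Ray Andrew Sinurat <raydreww@gmail.com>" \
    "Ray Andrew Sinurat <rayandrew@uchicago.edu>" \
    "Ray Andrew <raydreww@gmail.com>" \
    "Ray Andrew <rayandrew@uchicago.edu>"
```

To check a real keyring, pass `"$(gpg --list-secret-keys --keyid-format LONG)"` instead of `$SAMPLE_LISTING`.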
## Export Public Key (for sharing)
```bash
# Print to stdout
gpg-public-key
# Copy to clipboard (macOS, or Linux with xclip or wl-copy installed)
gpg-public-key -c
# Export specific key
gpg-public-key raydreww@gmail.com
# Export to file
gpg-public-key > ~/public-key.asc
```
## Import Existing Keys
If you have backed up keys:
```bash
# Restore from backup (imports and sets trust)
gpg-restore-key ~/private-key-backup.asc
# Or with public key too
gpg-restore-key ~/private-key.asc ~/public-key.asc
```
## Backup Keys
```bash
# Backup both keys to home directory
gpg-backup-key
# Backup to specific directory
gpg-backup-key ~/secure-backup
# Backup specific key
gpg-backup-key ~/backup raydreww@gmail.com
```
This creates:
- `gpg-private-key-<KEY_ID>.asc` (chmod 600)
- `gpg-public-key-<KEY_ID>.asc`
### Manual export
```bash
# Export private key (keep this safe!)
gpg-private-key > ~/private-key-backup.asc
# Copy private key to clipboard
gpg-private-key -c
# Export public key
gpg-public-key > ~/public-key-backup.asc
```
## GPG Agent
Make sure gpg-agent is running. It is enabled in the home-manager config:
```nix
services.gpg-agent = {
enable = true;
};
```
To manually start:
```bash
gpgconf --launch gpg-agent
```
## Troubleshooting
### "secret key not found"
- Check key ID matches: `gpg --list-secret-keys`
- Ensure gpg-agent is running: `gpgconf --launch gpg-agent`
- Reload agent: `gpg-connect-agent reloadagent /bye`
### Disable signing temporarily
In neomutt account file, set:
```
set crypt_autosign = no
```
## Delete Keys
To delete a GPG key (e.g., when leaving an organization):
```bash
# Delete by key ID or email
gpg-delete-key 7C19EB1AF0BD68BF
gpg-delete-key raydreww@gmail.com
# Interactive mode (shows keys and prompts)
gpg-delete-key
```