GPG Setup for Email Signing
Quick Setup (Automated)
Run the setup script to create a GPG key with all email identities:
gpg-setup
This will:
- Create a 4096-bit RSA key (expires in 2 years)
- Add all name/email variations as UIDs
- Print the key ID to use in neomutt config
Manual Setup
Step 1: Create the primary key
gpg --full-generate-key
When prompted:
- Select (1) RSA and RSA
- Key size: 4096
- Expiration: 2y (or your preference)
- Real name: Ray Andrew Sinurat (use your most formal name)
- Email: raydreww@gmail.com (primary email)
- Comment: (leave empty)
- Enter a passphrase
Step 2: Add additional UIDs
Add more email addresses and name variations to the same key:
gpg-add-uid "Ray Andrew Sinurat" "rayandrew@uchicago.edu"
gpg-add-uid "Ray Andrew" "raydreww@gmail.com"
gpg-add-uid "Ray Andrew" "rayandrew@uchicago.edu"
gpg-add-uid "Ray A. O. Sinurat" "raydreww@gmail.com"
gpg-add-uid "Ray A. O. Sinurat" "rayandrew@uchicago.edu"
Example final key structure
sec rsa4096/ABCD1234EFGH5678 2024-01-01 [SC] [expires: 2026-01-01]
uid [ultimate] Ray Andrew Sinurat <raydreww@gmail.com>
uid [ultimate] Ray Andrew Sinurat <rayandrew@uchicago.edu>
uid [ultimate] Ray Andrew <raydreww@gmail.com>
uid [ultimate] Ray Andrew <rayandrew@uchicago.edu>
uid [ultimate] Ray A. O. Sinurat <raydreww@gmail.com>
uid [ultimate] Ray A. O. Sinurat <rayandrew@uchicago.edu>
ssb rsa4096/1234567890ABCDEF 2024-01-01 [E] [expires: 2026-01-01]
Get Key ID
gpg --list-secret-keys --keyid-format LONG
The key ID is the part after rsa4096/ (e.g., ABCD1234EFGH5678).
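As an added example (not the repository's own gpg-setup or gpg-add-uid scripts), the following shell script does what Quick Setup and Steps 1-2 describe non-interactively, then reads the long key ID from gpg's machine-readable output instead of scraping the rsa4096/ line. It assumes GnuPG 2.1 or later and a throwaway GNUPGHOME; extract_key_id and count_uids are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not the repository's gpg-setup script: creates a key with the
# layout shown under "Example final key structure", attaches the extra UIDs
# non-interactively, and prints the long key ID that neomutt needs.
set -eu

# Names and addresses are the page's own. The throwaway GNUPGHOME is an
# assumption so the demo never touches your real keyring (drop it to run
# against ~/.gnupg). The empty passphrase is demo-only; a real key gets one.
PRIMARY="Ray Andrew Sinurat <raydreww@gmail.com>"
EXTRA_UIDS="Ray Andrew Sinurat <rayandrew@uchicago.edu>
Ray Andrew <raydreww@gmail.com>
Ray Andrew <rayandrew@uchicago.edu>
Ray A. O. Sinurat <raydreww@gmail.com>
Ray A. O. Sinurat <rayandrew@uchicago.edu>"

# Long key ID of the first secret primary key, taken from field 5 of the "sec"
# record in `gpg --with-colons` output (stable, unlike the human-readable line).
extract_key_id() {
  awk -F: '$1 == "sec" { print $5; exit }'
}

# Number of "uid" records, to confirm every identity was attached to the key.
count_uids() {
  awk -F: '$1 == "uid" { n++ } END { print n + 0 }'
}

gpg_setup_demo() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  trap 'rm -rf "$GNUPGHOME"' EXIT
  # 4096-bit RSA sign+certify primary plus an RSA encryption subkey, 2-year expiry.
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$PRIMARY" rsa4096 default 2y
  printf '%s\n' "$EXTRA_UIDS" | while IFS= read -r uid; do
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-uid "$PRIMARY" "$uid"
  done
  listing=$(gpg --list-secret-keys --with-colons)
  printf 'pgp_sign_as = 0x%s (%s uids)\n' \
    "$(printf '%s\n' "$listing" | extract_key_id)" \
    "$(printf '%s\n' "$listing" | count_uids)"
  gpg --list-secret-keys --keyid-format LONG
}

# Key generation runs only on request: GPG_SETUP_DEMO=1 sh gpg-setup-demo.sh
if [ "${GPG_SETUP_DEMO:-0}" = 1 ]; then
  gpg_setup_demo
fi
```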
Update NeoMutt Config
Use the same key ID for both accounts:
Personal (config/neomutt/accounts/personal)
set pgp_sign_as = 0xYOUR_KEY_ID
UChicago (config/neomutt/accounts/uchicago)
set pgp_sign_as = 0xYOUR_KEY_ID
Export Public Key (for sharing)
# Print to stdout
gpg-public-key
# Copy to clipboard (works on macOS, Linux with xclip or wl-copy)
gpg-public-key -c
# Export specific key
gpg-public-key raydreww@gmail.com
# Export to file
gpg-public-key > ~/public-key.asc
Import Existing Keys
If you have backed up keys:
# Restore from backup (imports and sets trust)
gpg-restore-key ~/private-key-backup.asc
# Or with public key too
gpg-restore-key ~/private-key.asc ~/public-key.asc
Backup Keys
# Backup both keys to home directory
gpg-backup-key
# Backup to specific directory
gpg-backup-key ~/secure-backup
# Backup specific key
gpg-backup-key ~/backup raydreww@gmail.com
This creates:
- gpg-private-key-<KEY_ID>.asc (chmod 600)
- gpg-public-key-<KEY_ID>.asc
Manual export
# Export private key (keep this safe!)
gpg-private-key > ~/private-key-backup.asc
# Copy private key to clipboard
gpg-private-key -c
# Export public key
gpg-public-key > ~/public-key-backup.asc
GPG Agent
Make sure gpg-agent is running. It is enabled in the home-manager config:
services.gpg-agent = {
enable = true;
};
To manually start:
gpgconf --launch gpg-agent
Troubleshooting
"secret key not found"
- Check that the key ID matches: gpg --list-secret-keys
- Ensure gpg-agent is running: gpgconf --launch gpg-agent
- Reload the agent: gpg-connect-agent reloadagent /bye
Disable signing temporarily
In neomutt account file, set:
set crypt_autosign = no
Delete Keys
To delete a GPG key (e.g., when leaving an organization):
# Delete by key ID or email
gpg-delete-key 7C19EB1AF0BD68BF
gpg-delete-key raydreww@gmail.com
# Interactive mode (shows keys and prompts)
gpg-delete-key