GPG

GPG operations for the domus secrets workflow.

Key Inventory

List public keys with long key IDs
gpg --list-keys --keyid-format long
List secret (private) keys
gpg --list-secret-keys --keyid-format long
Show full fingerprint — verify out-of-band before trusting
gpg --fingerprint evan@domusdigitalis.dev

Key Generation

Generate a new GPG key pair — ed25519 preferred for new keys
gpg --full-generate-key

Select ECC (sign and encrypt) > Curve 25519 > set expiry (2y recommended). Keys without expiry are a liability.

Non-interactive generation — scripted environments
gpg --batch --gen-key <<'EOF'
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Evan
Name-Email: evan@domusdigitalis.dev
Expire-Date: 2y
%no-protection
%commit
EOF

Export & Import

Export public key — safe to share
gpg --armor --export evan@domusdigitalis.dev > evan-public.asc
Export private key — encrypt immediately with age after export
gpg --armor --export-secret-keys evan@domusdigitalis.dev > evan-private.asc
age -e -R ~/.age/recipients/self.txt -o evan-private.asc.age evan-private.asc
shred -u evan-private.asc
Import a public key
gpg --import colleague-public.asc
Import a private key, restoring from the age-encrypted backup (the plaintext export above was shredded; IDENTITY_FILE is the age identity matching the recipients used at export time)
age -d -i IDENTITY_FILE evan-private.asc.age | gpg --import

Encrypt & Decrypt for gopass

gopass uses GPG under the hood. These commands are for direct GPG operations outside gopass.

Encrypt for a recipient — ASCII-armored
gpg --armor --encrypt --recipient evan@domusdigitalis.dev document.txt
Decrypt to stdout — pipe without touching disk
gpg --decrypt --quiet secrets.gpg | jq '.api_key'

Signing

Sign a file — detached signature
gpg --armor --detach-sign release.tar.gz
Verify a detached signature
gpg --verify release.tar.gz.asc release.tar.gz
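A zero exit status from gpg --verify, or a "Good signature" line, only means the signature was made by some key in the keyring, including one imported by mistake. The script below is an added example (not part of the original notes): it pins the expected signing fingerprint by reading gpg's --status-fd output and requiring a VALIDSIG line that names that fingerprint, either as the signing key or as the primary key a signing subkey belongs to. The status output embedded in it is constructed, and the fingerprints are placeholders.

```shell
#!/bin/sh
# Verify a detached signature against a pinned fingerprint using gpg's
# machine-readable status lines. Added example; not from the original notes.
set -eu

# Fingerprint expected to have signed release.tar.gz (placeholder, not a real key).
EXPECTED_FPR='3333333333333333333333333333333333333333'

# Constructed --status-fd output for a good signature made by that key.
# VALIDSIG fields: <signing key fpr> <date> <timestamp> <expire> <sig ver>
# <reserved> <pubkey algo> <hash algo> <sig class> <primary key fpr>
SAMPLE_STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz 2024-01-01 1704067200
[GNUPG:] GOODSIG 3333333333333333 Evan <evan@domusdigitalis.dev>
[GNUPG:] VALIDSIG 3333333333333333333333333333333333333333 2024-01-01 1704067200 0 4 0 22 8 00 3333333333333333333333333333333333333333
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Same shape, but signed by a different key that happens to be in the keyring.
# gpg --verify would exit 0 for this too.
SAMPLE_STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9999999999999999 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 9999999999999999999999999999999999999999 2024-01-01 1704067200 0 4 0 22 8 00 9999999999999999999999999999999999999999
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# status_has_validsig STATUS_TEXT FPR
# Succeeds only if a VALIDSIG line names FPR as the signing key ($3) or as
# the primary key it belongs to (last field, when a subkey made the signature).
status_has_validsig() {
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_pinned SIGNATURE FILE FPR
# Runs gpg and applies the pinned check; the exit status is the verdict.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    if status_has_validsig "$status" "$3"; then
        echo "OK: $2 signed by $3"
    else
        echo "FAIL: no valid signature from $3 on $2" >&2
        return 1
    fi
}

# Dry run on the constructed status output (no gpg needed).
if status_has_validsig "$SAMPLE_STATUS_OK" "$EXPECTED_FPR"; then
    echo "sample: pinned key matched"
fi
if ! status_has_validsig "$SAMPLE_STATUS_OTHER_KEY" "$EXPECTED_FPR"; then
    echo "sample: signature from another keyring key rejected"
fi
# Live use: verify_pinned release.tar.gz.asc release.tar.gz "$EXPECTED_FPR"
```

Keep EXPECTED_FPR in the checkout or CI configuration, not alongside the artifact being verified; the check is only as strong as the channel the fingerprint was obtained through (see the out-of-band note under Key Inventory).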

Git Integration

Configure git to sign commits
gpg --list-secret-keys --keyid-format long | awk '/^sec/{print $2}' | cut -d/ -f2
git config --global user.signingkey KEYID
git config --global commit.gpgsign true
Export key for GitHub — paste in Settings > SSH and GPG keys
gpg --armor --export evan@domusdigitalis.dev | wl-copy
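A scripted form of the key-ID lookup above, added here as an example and not part of the original notes: it reads gpg's machine-readable colon output rather than the human listing, skips secret keys that are expired or revoked (the awk pipeline above prints every sec line, including dead keys), and refuses to write an empty signingkey into git config. The sample listing is constructed; its key IDs and fingerprints are placeholders.

```shell
#!/bin/sh
# Pick a usable signing key ID from `gpg --with-colons --list-secret-keys`
# and configure git with it. Added example; not from the original notes.
#
# Colon-format fields used: $1 record type, $2 validity (e = expired,
# r = revoked), $5 long key ID, $12 key capabilities (lowercase 's' means
# this key itself can sign).
set -eu

# Constructed sample listing: an expired key followed by a current one.
# Key IDs and fingerprints are placeholders, not real keys.
SAMPLE_LISTING='sec:e:255:22:1111111111111111:1600000000:1663000000::u:::scESC:::+:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:e::::1600000000::0000000000000000000000000000000000000000::Evan (old) <evan@domusdigitalis.dev>::::::::::0:
ssb:e:255:18:2222222222222222:1600000000:1663000000:::::e:::+:::23:
sec:u:255:22:3333333333333333:1700000000:1763000000::u:::scESC:::+:::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1700000000::0000000000000000000000000000000000000000::Evan <evan@domusdigitalis.dev>::::::::::0:
ssb:u:255:18:4444444444444444:1700000000:1763000000:::::e:::+:::23:'

# Read a colon-format listing on stdin; print the first primary secret key
# that is neither expired nor revoked and can sign. Prints nothing if none.
pick_signing_keyid() {
    awk -F: '$1 == "sec" && $2 != "e" && $2 != "r" && index($12, "s") > 0 { print $5; exit }'
}

# Configure git to sign with the chosen key. Fails loudly instead of
# writing an empty user.signingkey, which would only surface at commit time.
configure_git_signing() {
    keyid=$(gpg --with-colons --list-secret-keys | pick_signing_keyid)
    if [ -z "$keyid" ]; then
        echo "no usable signing key found; generate or renew one first" >&2
        return 1
    fi
    git config --global user.signingkey "$keyid"
    git config --global commit.gpgsign true
    echo "git will sign commits with $keyid"
}

# Dry run against the constructed sample (no gpg needed); pass --live to
# configure git from the real keyring.
if [ "${1:-}" = "--live" ]; then
    configure_git_signing
else
    printf '%s\n' "$SAMPLE_LISTING" | pick_signing_keyid
fi
```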

Revocation

Generate revocation certificate — do this immediately after key creation
gpg --gen-revoke --armor --output revoke-evan.asc evan@domusdigitalis.dev

Store revoke-evan.asc offline. If the key is compromised:

Revoke a compromised key
gpg --import revoke-evan.asc
gpg --keyserver hkps://keys.openpgp.org --send-keys KEYID

Agent Management

Restart the agent — fixes "no secret key" errors
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
Set cache TTL in ~/.gnupg/gpg-agent.conf
default-cache-ttl 3600
max-cache-ttl 86400