Lines Matching full:your
66 Your distro should already have GnuPG installed by default, you just
92 You can put that in your ``.bashrc`` to make sure it's always the case.
111 edit your ``~/.gnupg/gpg-agent.conf`` file to set your own values::
120 beginning of your shell session. You may want to check your rc files
126 Protect your PGP key
134 You should also make a new key if your current one is weaker than 2048
161 private key on your chain.
168 3. A single subkey may have multiple capabilities (e.g. your **[C]** key
169 can also be your **[S]** key).
185 If you used the default parameters when generating your key, then that
194 The long line under the ``sec`` entry is your key fingerprint --
198 Ensure your passphrase is strong
201 GnuPG uses passphrases to encrypt your private keys before storing them on
202 disk. This way, even if your ``.gnupg`` directory is leaked or stolen in
203 its entirety, the attackers cannot use your private keys without first
206 It is absolutely essential that your private keys are protected by a
214 Our goal is to protect your Certify key by moving it to offline media,
228 recommend that you create an ECC signing subkey for your kernel
236 Back up your Certify key for disaster recovery
239 The more signatures you have on your PGP key from other developers, the
243 The best way to create a printable hardcopy of your private key is by
249 Run the following command to create a hardcopy backup of your private
255 pen and write your passphrase on the margin of the paper. **This is
261 and store in a secure and well-protected place, preferably away from your
262 home, such as your bank vault.
266 Your printer is probably no longer a simple dumb device connected to
267 your parallel port, but since the output is still encrypted with
268 your passphrase, printing out even to "cloud-integrated" modern
271 Back up your whole GnuPG directory
278 It is important to have a readily available backup of your PGP keys
281 on these external copies whenever you need to use your Certify key --
282 such as when making changes to your own key or signing other people's
287 -- refer to your distro's documentation on how to accomplish this.
289 For the encryption passphrase, you can use the same one as on your
293 sure it gets properly mounted. Copy your entire ``.gnupg`` directory
309 Remove the Certify key from your homedir
321 Protecting your key with a good passphrase greatly helps reduce the risk
324 recommended setup is to remove your Certify key from your home directory
330 your GnuPG directory in its entirety. What we are about to do will
331 render your key useless if you do not have a usable backup!
333 First, identify the keygrip of your Certify key::
349 Certify key fingerprint). This will correspond directly to a file in your
380 If you do not have a ``~/.gnupg/private-keys-v1.d`` directory, then your
382 GnuPG v1. Making any changes to your key, such as changing the
387 file, which still contains your private keys.
395 subkeys are still in your home directory. Anyone who manages to get
396 their hands on those will be able to decrypt your communication or fake
397 your signatures (if they know the passphrase). Furthermore, each time a
402 The best way to completely protect your keys is to move them to a
423 Unless all your laptops and workstations have smartcard readers, the
441 others. Your choice will depend on cost, shipping availability in your
457 Configure your smartcard device
460 Your smartcard device should Just Work (TM) the moment you plug it into
471 To configure your smartcard, you will need to use the GnuPG menu system, as
488 additionally leak information about your smartcard should you lose it.
501 Move the subkeys to your smartcard
505 your subkeys onto the smartcard. You will need both your PGP key
543 Your selection? 2
546 slot. When you submit your selection, you will be prompted first for
547 your PGP key passphrase, and then for the admin PIN. If the command
548 returns without an error, your key has been moved.
559 Your selection? 1
563 again, if your command returns without an error, then the operation was
569 Saving the changes will delete the keys you moved to the card from your
587 available on the smartcard. If you go back into your secret keys
606 This should ask for your smartcard PIN on your first command, and then
610 steal your digital developer identity!
616 with your PGP key.
618 Mounting your safe offline storage
621 You will need your Certify key for any of the operations below, so you
622 will first need to mount your backup offline storage and tell GnuPG to
630 your regular home directory location).
639 To extend the expiration on your key by a year from current date, just
645 your birthday, January 1st, or Canada Day)::
653 Updating your work directory after any changes
656 After you make any changes to your key using the offline storage, you will
657 want to import these changes back into your regular working directory::
665 You can forward your gpg-agent over ssh if you need to sign tags or
682 repository is cloned to your system, you have full history of the
696 impersonate you without having access to your PGP keys.
700 Configure git to use your PGP key
703 If you only have one secret key in your keyring, then you don't really
704 need to do anything extra, as it becomes your default key. However, if
706 should be used (``[fpr]`` is the fingerprint of your key)::
776 signatures. Furthermore, when rebasing your repository to match
777 upstream, even your own PGP commit signatures will end up discarded. For
782 However, if you have your working git tree publicly available at some
784 then the recommendation is that you sign all your git commits even if
792 2. If you ever need to re-clone your local repository (for example,
794 integrity before resuming your work.
795 3. If someone needs to cherry-pick your commits, this allows them to
824 It is possible to use your PGP key to sign patches sent to kernel
841 If you already have your PGP key configured with git (via the
843 further configuration. You can start signing your patches by installing
849 signed with your cryptographic signature.
888 developers' public keys, then you can jumpstart your keyring by relying
891 the prospect of starting your own Web of Trust from scratch is too
894 Add the following to your ``~/.gnupg/gpg.conf``::
904 respectively, before adding auto-retrieved public keys to your local
908 accounts. Once you have the above changes in your ``gpg.conf``, you can
915 UID to your key`_ to make WKD more useful to other kernel developers.
917 .. _`add the kernel.org UID to your key`: https://korg.wiki.kernel.org/userdoc/mail#adding_a_kernel…
925 various software makers dictating who should be your trusted certifying
954 that repository as your source of public keys can be found here:
958 If you are a kernel developer, please consider submitting your key for