GPG
GNU Privacy Guard (GPG, also GnuPG) is free encryption software that is compliant with the OpenPGP standard (RFC 4880). Using GPG, it is possible to encrypt and decrypt files that contain sensitive data, and to sign and verify documents.
Why use GPG with Trezor
GPG Trezor integration lets users sign emails, git commits, and software packages, manage passwords (with pass and gopass, among others), authenticate web tunnels or file transfers, and more. Instead of keeping your GPG keys on your computer and decrypting them with a passphrase when you want to use them, the key is generated and stored on the Trezor device and never reaches your computer. If the device is stolen or damaged, the user can easily restore the keys on a new device using the backup (the recovery seed). To read more about common use cases of GPG, please visit this GitHub page.
Install and use Trezor GPG signing/encrypting on Linux
1. Update repositories, install dependencies and GPG
sudo apt update && sudo apt install -y python3-pip python3-dev libusb-1.0-0-dev libudev-dev gnupg2
2. Install setuptools and wheel
pip3 install setuptools wheel
3. Install trezor agent
pip3 install trezor_agent
4. Update your $PATH by running
source ~/.profile
5. Udev rules need to be set up on your system; this can be done in two ways:
a) by installing Trezor Bridge via https://wallet.trezor.io
or
b) by setting up Udev rules
6. Initialize the agent GPG directory
trezor-gpg init "Username <[email protected]>" -v
7. Add the following line at the end of your .bashrc file, which is located in your home directory
export GNUPGHOME=~/.gnupg/trezor
This GNUPGHOME contains your hardware keyring and agent settings. The agent software assumes all keys are backed by hardware devices, so you cannot use standard GPG keys in GNUPGHOME (if you do mix keys, you will receive an error when you attempt to use them).
8. Close and reopen the terminal.
9. Sign or encrypt document with Trezor
gpg2 --sign <your document>
gpg2 --encrypt -r Username <your document>
10. Verify or decrypt the document
gpg2 --verify <your document>
gpg2 --decrypt -r Username <your document>
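A preflight check for the setup above, as an added example that is not part of the original page or of trezor-agent: it confirms that GNUPGHOME points at the agent directory from step 7, that the directory is accessible only to its owner, and that no software secret keys have been mixed into the hardware keyring. It assumes GNU stat and GnuPG 2.1 or later, which stores software secret keys as *.key files under private-keys-v1.d; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for the Trezor-backed GPG home.
# Assumption: GnuPG 2.1+ stores software secret keys as *.key files
# under $GNUPGHOME/private-keys-v1.d. Function names are hypothetical.

EXPECTED_HOME="${HOME}/.gnupg/trezor"   # value exported in step 7

# 0 if GNUPGHOME is set and resolves to the expected agent directory.
check_gnupghome() {
    local want="${1:-$EXPECTED_HOME}"
    [ -n "${GNUPGHOME:-}" ] || { echo "GNUPGHOME is not set" >&2; return 1; }
    [ -d "$GNUPGHOME" ] || { echo "$GNUPGHOME is not a directory" >&2; return 1; }
    [ "$(cd "$GNUPGHOME" && pwd -P)" = "$(cd "$want" 2>/dev/null && pwd -P)" ] \
        || { echo "GNUPGHOME=$GNUPGHOME, expected $want" >&2; return 1; }
}

# 0 if group and others have no access to the directory (e.g. mode 700).
check_permissions() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat, as on Debian/Ubuntu
    case "$mode" in
        *00) return 0 ;;
        *) echo "$1 has mode $mode; fix with: chmod 700 $1" >&2; return 1 ;;
    esac
}

# 0 if no software secret key files are mixed into the hardware keyring.
check_no_software_keys() {
    local dir="$1/private-keys-v1.d" found
    [ -d "$dir" ] || return 0
    found=$(find "$dir" -type f -name '*.key' | head -n 1)
    [ -z "$found" ] || { echo "software secret key present: $found" >&2; return 1; }
}

# Stops if GNUPGHOME is wrong; otherwise reports every remaining failure.
preflight() {
    local rc=0
    check_gnupghome "$@" || return 1
    check_permissions "$GNUPGHOME" || rc=1
    check_no_software_keys "$GNUPGHOME" || rc=1
    command -v trezor-gpg >/dev/null || { echo "trezor-gpg is not on PATH" >&2; rc=1; }
    return "$rc"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then shift; preflight "$@"; fi
```

Run the script with `--run` after step 8; a non-zero exit status means at least one check failed, with the reason printed to standard error.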