GPG

From Trezor Wiki

GNU Privacy Guard (GPG, also GnuPG) is free encryption software compliant with the OpenPGP standard (RFC 4880). With GPG you can encrypt and decrypt files that contain sensitive data, and sign and verify documents.

See also NIST256P1, Ed25519

Why use GPG with Trezor

The GPG integration for Trezor lets users sign emails, git commits and software packages, manage passwords (with pass and gopass, among others), authenticate web tunnels or file transfers, and more. Instead of keeping your GPG keys on your computer and decrypting them with a passphrase each time you use them, the key is generated and stored on the Trezor device and never reaches your computer. If the device is stolen or damaged, you can restore the keys from your backup (the recovery seed) on a new device. To read more about common use cases of GPG, please visit this GitHub page.

Install and use Trezor GPG signing/encrypting on Linux

Note: This guide was tested on the following clean systems: Linux Mint 19 and Ubuntu 18.04.1 LTS (Bionic Beaver). It works with Trezor One running bootloader 1.6.0 and firmware 1.7.0 or higher, and with Trezor Model T.


1. Update repositories, install dependencies and GPG

sudo apt update && sudo apt install -y python3-pip python3-dev libusb-1.0-0-dev libudev-dev gnupg2

2. Install setuptools and wheel

pip3 install setuptools wheel

3. Install trezor agent

pip3 install trezor_agent

4. Update your $PATH by running

source ~/.profile

5. Udev rules need to be set up on your system; this can be done in two ways:

a) by installing Trezor Bridge via https://wallet.trezor.io

or

b) by setting up Udev rules

Note: Reconnect your Trezor device after this step.

6. Initialize the agent GPG directory

trezor-gpg init "Username <[email protected]>" -v

7. Add the following line at the end of your .bashrc file, which is located in your home directory

export GNUPGHOME=~/.gnupg/trezor

This GNUPGHOME contains your hardware keyring and agent settings. The agent software assumes all keys are backed by hardware devices, so you cannot use standard software GPG keys in this GNUPGHOME; if you mix keys, you will receive an error when you attempt to use them.

8. Close and reopen the terminal.

9. Sign or encrypt a document with Trezor

gpg2 --sign <your document>
gpg2 --encrypt -r Username <your document>

10. Verify or decrypt the document

Both commands in step 9 write their output to <your document>.gpg, which is the file you verify or decrypt here. The -r (recipient) option applies only to encryption, so it is not used in this step.

gpg2 --verify <your document>.gpg
gpg2 --decrypt <your document>.gpg
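The following shell helper is added here as an example; it is not part of this wiki page or of the trezor-agent project. It checks that the keyring created in step 6 is the one gpg2 will use before you start signing, and then runs the sign and verify step with a detached signature so the original file stays readable. It assumes that trezor-gpg init wrote an agent-program line into gpg-agent.conf inside GNUPGHOME; if your version lays out the directory differently, adjust the grep.

```shell
#!/bin/sh
# Added example, not code from the Trezor wiki or from trezor-agent.
# Assumption: "trezor-gpg init" places a gpg-agent.conf with an
# "agent-program" line (pointing at trezor-gpg-agent) inside GNUPGHOME.

# Return 0 if DIR looks like a usable trezor-gpg keyring, non-zero otherwise.
# DIR defaults to $GNUPGHOME, then to ~/.gnupg/trezor (the path from step 7).
check_trezor_gnupghome() {
    dir="${1:-${GNUPGHOME:-$HOME/.gnupg/trezor}}"
    if [ ! -d "$dir" ]; then
        echo "no keyring at $dir; run: trezor-gpg init \"Name <mail>\"" >&2
        return 1
    fi
    # gpg2 picks the hardware agent only through this line; without it the
    # stock gpg-agent starts and the Trezor-backed key cannot be used.
    if ! grep -q '^agent-program' "$dir/gpg-agent.conf" 2>/dev/null; then
        echo "$dir/gpg-agent.conf does not name the trezor agent" >&2
        return 2
    fi
    # gpg warns about unsafe permissions on its home directory; 700 is expected.
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir" 2>/dev/null)
    if [ "$mode" != "700" ]; then
        echo "warning: $dir mode is $mode, expected 700 (chmod 700 \"$dir\")" >&2
    fi
    return 0
}

# Sign FILE with the key held on the device and verify the result.
# Needs the Trezor connected; the device asks for confirmation on its screen.
sign_and_verify() {
    file="$1"
    check_trezor_gnupghome || return $?
    gpg2 --detach-sign --output "$file.sig" "$file" || return 3
    gpg2 --verify "$file.sig" "$file"
}
```

Run `sign_and_verify path/to/file` with the device connected; a non-zero return from the check means the keyring, not the device, is the problem.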


Note: We would like to thank Roman Zeyde for his contribution to the Trezor GPG implementation.
