What are the files in ~/.gnupg ?
dgouttegattat at incenp.org
Sat Oct 30 01:20:40 CEST 2021
On Fri, Oct 29, 2021 at 04:04:11PM +0200, Romain LT via Gnupg-users wrote:
> configuration for dirmngr (keyserver access)
Dirmngr is also used for fetching the Certificate Revocation Lists
(CRLs), if you’re using GpgSM (the X.509/SMIME part of GnuPG).
This is where dirmngr stores the aforementioned CRLs. The DIR.txt file
acts as a kind of index for the CRLs that are cached in that folder. It
is normal for that folder to be empty (save for the DIR.txt file) if you
don’t use GpgSM.
> folder to store revocs certificates (for my own keys ?)
Yes. This is where Gpg writes out the revocation certificate it
automatically generates upon creating a new key.
> should I store certificates in this waiting for the moment my keys are
> compromised ?)
That is ultimately dependent on your threat model. Keep in mind that,
contrary to your private key, the revocation certificate is *not*
passphrase-protected (whoever manages to grab it can use it to revoke
your key without needing anything else). That may be reason enough to
want to move it offline, elsewhere than on your computer, instead of
leaving it in the openpgp-revocs.d folder.
> folder with private keys files, named after key or subkey keygrip
> Is there only the private key part of my own keys in this ? or
> is there a way to obtain public+private key from one of those
> files ?
Private key only. I believe the purely “mathematical” components of the
public key can be derived from it (though I may be wrong here), but that
does not include the User IDs and associated signatures, which are
necessary to make a “full” public key – those components are in
> is an sqlite database and mean Trust On First Use. But what does
> it mean and what does it contain ?
TOFU is a new (or not so new anymore, it was introduced in 2015 or
so) trust model that can either replace the web of trust or be used in
combination with the web of trust.
The TOFU database is what allows GnuPG to keep track of which email
address a given key is associated with, so that it can detect any future
mismatch (which could be a sign that a MITM attack is under way).
> the "trust database" which seems to be useful for web of trust.
> The doc says to not backup this file. Why, and what does it
> contain, and what is it for ?
This is indeed the database for the web of trust. It contains the
ownertrust value you assigned to the public keys of your keyring. (The
“ownertrust value” is when you state how much you trust the owner of a
key to sign other people’s keys.) In the web-of-trust model, GnuPG uses
the ownertrust values combined with key signatures to decide whether a
public key in your keyring is valid.
Those values should be backed up (unless you don’t mind manually
re-assigning ownertrust values for all the keys you trust if you come to
lose the trustdb.gpg file). The current manual page says:
There is no need to backup this file; it is better to backup the
ownertrust values (see option --export-ownertrust).
This is not intended to mean the trustdb.gpg file is worthless, merely
that its contents should be backed up using the --export-ownertrust
command instead of simply doing a file-level backup:
gpg --export-ownertrust > ownertrust.backup
# to restore
gpg --import-ownertrust < ownertrust.backup
Hope that helps,
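An added example, not part of the original mail or of GnuPG itself: a small parser for the text that `gpg --export-ownertrust` writes, so you can audit what an ownertrust backup would restore before feeding it to `--import-ownertrust`. The record layout (`FINGERPRINT:VALUE:` lines after `#` comments) is the real export format; the numeric level mapping and the disabled flag in the high bit follow GnuPG's trustdb definitions as I understand them, and the sample input is constructed.

```python
"""Audit a `gpg --export-ownertrust` backup: who did I assign which ownertrust to?"""
import re

# Ownertrust levels as defined in GnuPG's trustdb (numeric value -> name).
TRUST_LEVELS = {2: "undefined", 3: "never", 4: "marginal", 5: "full", 6: "ultimate"}
TRUST_FLAG_DISABLED = 0x80   # assumption: GnuPG keeps the "key disabled" bit in the same byte
TRUST_MASK = 0x0F            # low bits carry the trust level itself

# v4 fingerprints are 40 hex digits, v5 fingerprints are 64.
FPR_RE = re.compile(r"^(?:[0-9A-F]{40}|[0-9A-F]{64})$")


def parse_ownertrust(text):
    """Return a list of (fingerprint, level_name, disabled) from export output.

    Comment lines (starting with '#') and blank lines are skipped; anything
    else that is not a well-formed record raises ValueError, so a corrupted
    backup is noticed before it is imported.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not FPR_RE.match(fields[0]) or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: not an ownertrust record: {raw!r}")
        value = int(fields[1])
        level = TRUST_LEVELS.get(value & TRUST_MASK, f"unknown({value & TRUST_MASK})")
        entries.append((fields[0], level, bool(value & TRUST_FLAG_DISABLED)))
    return entries


def ultimate_fingerprints(entries):
    """Fingerprints the backup would mark as ultimately trusted (and not disabled)."""
    return [fpr for fpr, level, disabled in entries if level == "ultimate" and not disabled]


# Constructed sample in the format written by `gpg --export-ownertrust`.
SAMPLE = """\
# List of assigned trustvalues, created Sat 30 Oct 2021 01:20:40 CEST
# (Use "gpg --import-ownertrust" to restore them)
0123456789ABCDEF0123456789ABCDEF01234567:6:
89ABCDEF0123456789ABCDEF0123456789ABCDEF:5:
FEDCBA9876543210FEDCBA9876543210FEDCBA98:134:
"""

if __name__ == "__main__":
    for fpr, level, disabled in parse_ownertrust(SAMPLE):
        print(f"{fpr}  {level:9s}{'  (disabled)' if disabled else ''}")
    print("ultimately trusted:", ultimate_fingerprints(parse_ownertrust(SAMPLE)))
```

Run it against your own backup with `python3 audit.py < ownertrust.backup` after replacing SAMPLE with `sys.stdin.read()`; a surprising ultimate-trust entry is worth investigating before restoring.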