What are the files in ~/.gnupg ?

Damien Goutte-Gattat dgouttegattat at incenp.org
Sat Oct 30 01:20:40 CEST 2021


Hi,

On Fri, Oct 29, 2021 at 04:04:11PM +0200, Romain LT via Gnupg-users wrote:
>dirmngr.conf :
>	configuration for dirmngr (keyserver access)

Dirmngr is also used for fetching the Certificate Revocation Lists 
(CRLs), if you’re using GpgSM (the X.509/SMIME part of GnuPG).


>crls.d/DIR.txt
>	????

This is where dirmngr stores the aforementioned CRLs. The DIR.txt file 
acts as a kind of index for the CRLs that are cached in that folder. It 
is normal for that folder to be empty (save for the DIR.txt file) if you 
don’t use GpgSM.


>openpgp-revocs.d/
>	folder to store revocs certificates (for my own keys ?)

Yes. This is where Gpg writes out the revocation certificate it 
automatically generates upon creating a new key.


> should I store certificates in this waiting for the moment my keys are 
> compromised ?)

That is ultimately dependent on your threat model. Keep in mind that, 
contrary to your private key, the revocation certificate is *not* 
passphrase-protected (whoever manages to grab it can use it to revoke 
your key without needing anything else). That may be reason enough to 
want to move it offline, elsewhere than on your computer, instead of 
leaving it in the openpgp-revocs.d folder.


>private-keys-v1.d/
>	folder with private keys files, named after key or subkey keygrip
>	Is there only the private key part of my own keys in this ? or
>	is there a way to obtain public+private key from one of those
>	files ?

Private key only. I believe the purely “mathematical” components of the 
public key can be derived from it (though I may be wrong here), but that 
does not include the User IDs and associated signatures, that are 
necessary to make a “full” public key – those components are in 
pubring.kbx.


>tofu.db
>	is an sqlite database and means Trust On First Use. But what does
>	it mean and what does it contain ?

TOFU is a new (or not so new anymore, it was introduced in 2015 or 
so) trust model, that can either replace the web of trust or be used in 
combination with the web of trust.

The TOFU database is what allows GnuPG to keep track of which email 
address a given key is associated with, so that it can detect any future 
mismatch (which could be a sign that a MITM attack is under way).

>
>trustdb.gpg
>	the "trust database" which seems to be useful for web of trust.
>	The doc says to not backup this file. Why, and what does it
>	contain, and what is it for ?

This is indeed the database for the web of trust. It contains the 
ownertrust value you assigned to the public keys of your keyring. (The 
“ownertrust value” is when you state how much you trust the owner of a 
key to sign other people’s keys.) In the web-of-trust model, GnuPG uses 
the ownertrust values combined with key signatures to decide whether a 
public key in your keyring is valid.

Those values should be backed up (unless you don’t mind manually 
re-assigning ownertrust values for all the keys you trust if you come to 
lose the trustdb.gpg file). The current manual page says:

   There is no need to backup this file; it is better to backup the 
   ownertrust values (see option --export-ownertrust).

This is not intended to mean the trustdb.gpg file is worthless, merely 
that its contents should be backed up using the --export-ownertrust 
command instead of simply doing a file-level backup:

   gpg --export-ownertrust > ownertrust.backup
   # to restore
   gpg --import-ownertrust < ownertrust.backup


Hope that helps,

- Damien
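
The following is an added example, not part of the original message: a small shell inventory of a GnuPG home directory that reports the items discussed above (revocation certificates left on disk, private key files, cached CRLs, trustdb.gpg, tofu.db). The function names are hypothetical, and the `.rev` and `.key` file suffixes are GnuPG's usual naming rather than something stated in the message.

```shell
# Added example, not from the original post. Reads file names only:
# it never runs gpg and never opens key material.

# count_files DIR PATTERN [EXCLUDED_NAME]: number of regular files directly in DIR.
count_files() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 -type f -name "$2" ! -name "${3:-}" | wc -l | tr -d ' '
}

# audit_gnupg_home [DIR]: prints one finding per line.
# Returns 0 if nothing needs attention, 1 if revocation certificates are
# still on disk, 2 if DIR does not exist.
audit_gnupg_home() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    [ -d "$home" ] || { echo "ERROR no such directory: $home"; return 2; }
    rc=0

    # Revocation certificates are not passphrase-protected.
    revs=$(count_files "$home/openpgp-revocs.d" '*.rev')
    if [ "$revs" -gt 0 ]; then
        echo "WARN $revs revocation certificate(s) in openpgp-revocs.d: usable without a passphrase, consider moving offline"
        rc=1
    fi

    # Private key material only; User IDs and signatures are in pubring.kbx.
    keys=$(count_files "$home/private-keys-v1.d" '*.key')
    echo "INFO $keys private key file(s) in private-keys-v1.d"

    # DIR.txt is the index; anything else in crls.d is a cached CRL (GpgSM use).
    crls=$(count_files "$home/crls.d" '*' 'DIR.txt')
    echo "INFO $crls cached CRL file(s) in crls.d besides DIR.txt"

    if [ -f "$home/trustdb.gpg" ]; then
        echo "INFO trustdb.gpg present: back up with gpg --export-ownertrust, not a file copy"
    fi
    if [ -f "$home/tofu.db" ]; then
        echo "INFO tofu.db present: TOFU bindings between keys and email addresses"
    fi
    return $rc
}
```

Source the file and call `audit_gnupg_home` with no argument to inspect `$GNUPGHOME` or `~/.gnupg`.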