GNU Privacy Guard (GPG, also GnuPG) is free encryption software that is compliant with the OpenPGP (RFC 4880) standard. With GPG, you can encrypt and decrypt files that contain sensitive data, and sign and verify documents.
GPG Trezor integration lets users sign emails, git commits, and software packages, manage passwords (with pass and gopass, among others), authenticate web tunnels or file transfers, encrypt files, and more.
Instead of keeping your GPG keys on a computer and decrypting them with a passphrase whenever you want to use them, the key is generated and stored on the Trezor device and never reaches your computer. If the device is stolen or damaged, the user can easily restore the keys on a new device using the backup (the recovery seed).
1. Update repositories, install dependencies and GPG
2. Install setuptools and wheel
3. Install trezor agent
4. Update your $PATH by running
5. Install udev rules
6. Initialize the agent GPG directory
If you use Trezor Agent v.0.14.1 or newer, your key will be generated with a default timestamp of 0 (unless you set it manually). With timestamp 0, you do not have to pay much attention to it: your keys will be derived from your seed deterministically.
If you generate your key pair with an older version of Trezor Agent, pay close attention to the warning about the produced timestamp and record the timestamp somewhere safe. You will need that specific timestamp, in combination with your seed, to produce the same set of keys if you ever lose your Trezor device.
7. Add the following line at the end of your .bashrc file, which is located in your home directory. If there is no such file yet, create it.
This GNUPGHOME contains your hardware keyring and agent settings. The agent software assumes all keys are backed by hardware devices, so you cannot use standard GPG keys in GNUPGHOME (if you do mix keys, you will receive an error when you attempt to use them).
8. Close and reopen the terminal.
Sign or encrypt a document with Trezor
For example:
Verify or decrypt the document
If you ever lose your Trezor device or decide to use the key pair with another device, you will need to run the trezor-gpg init command together with the UNIX timestamp that was used when you first generated the key pair. If you generated your key pair with timestamp=0 (the default in version 0.14.1 and newer), you do not have to specify the timestamp in this process.
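Why the timestamp has to match, as an added example (not code from the original page or from Trezor Agent): under RFC 4880 section 12.2 a v4 key fingerprint is a SHA-1 hash over the public-key packet, which includes the creation time, so the same key material with a different timestamp is a different OpenPGP key. The key bytes below are constructed, and the EdDSA field layout and the helper names are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed sample: 32 bytes standing in for an Ed25519 public point (not a real key).
SAMPLE_POINT = bytes(range(32))
ED25519_OID = bytes.fromhex("2b06010401da470f01")  # 1.3.6.1.4.1.11591.15.1
ALGO_EDDSA = 22  # assumed algorithm for this illustration


def eddsa_key_material(point: bytes) -> bytes:
    """Algorithm-specific fields: curve OID, then the point as an MPI with 0x40 prefix."""
    mpi_body = b"\x40" + point
    bit_len = (len(mpi_body) - 1) * 8 + mpi_body[0].bit_length()
    return bytes([len(ED25519_OID)]) + ED25519_OID + struct.pack(">H", bit_len) + mpi_body


def v4_fingerprint(created: int, algo: int, key_material: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, 2-byte body length, then the packet body."""
    # Body = version (4), 4-byte creation time, algorithm id, key material.
    body = struct.pack(">BIB", 4, created, algo) + key_material
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def same_identity(recorded_fpr: str, created: int, point: bytes) -> bool:
    """Compare a regenerated key against the fingerprint recorded at first init."""
    return v4_fingerprint(created, ALGO_EDDSA, eddsa_key_material(point)) == recorded_fpr


if __name__ == "__main__":
    material = eddsa_key_material(SAMPLE_POINT)
    # Constructed timestamp standing in for "time of first init" on an older agent.
    recorded = v4_fingerprint(1500000000, ALGO_EDDSA, material)
    print("recorded fingerprint :", recorded)
    print("re-init with time=0  :", v4_fingerprint(0, ALGO_EDDSA, material))
    print("re-init, same time ok:", same_identity(recorded, 1500000000, SAMPLE_POINT))
```

Recording the key fingerprint next to the timestamp gives you a value to compare against after re-initialising on a replacement device.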
Example:
Sources:
https://kb.iu.edu/d/awio