Marc Beninca 2019-08-25 11:04:01 +02:00
parent e4777ff1e2
commit ea42e8cc57
8 changed files with 2 additions and 2 deletions

@ -1,88 +0,0 @@
Configure
=========
If up:
.. code:: shell
killall -9 gpg-agent
killall -9 dirmngr
wipe if needed
--------------
.. code:: shell
rm --force --recursive ~/.gnupg
mkdir -m 700 ~/.gnupg
check available algorithms
--------------------------
.. code:: shell
gpg --version
avoid default use of SHA256
---------------------------
* gpg.conf
::
keyid-format long
keyserver-options include-revoked
list-options show-uid-validity
no-verbose
verify-options show-uid-validity
with-fingerprint
with-keygrip
with-subkey-fingerprint
no-comments
no-emit-version
default-preference-list SHA512 AES256 BZIP2
cert-digest-algo SHA512
cipher-algo AES256
compress-algo BZIP2
digest-algo SHA512
personal-cipher-preferences AES256
personal-digest-preferences SHA512
personal-compress-preferences BZIP2
s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712
avoid DL/UL issues, depending on DNS
------------------------------------
* dirmngr.conf
::
keyserver hkps://keys.openpgp.org
standard-resolver
authenticate
------------
* gpg-agent.conf
::
enable-ssh-support
* sshcontrol
KeyGrip to use if there are several
::
KKEEYYGGRRIIPP
* export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
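Review bot: `killall -9 gpg-agent` and `killall -9 dirmngr` in the "If up" block match by process name (as root that also hits other users' agents) and SIGKILL skips the daemons' orderly shutdown; `gpgconf --kill gpg-agent` and `gpgconf --kill dirmngr` stop exactly the instances belonging to the current GNUPGHOME. A sentence at the `s2k-*` lines would also help: they govern only the passphrase protection of the local private-key files, not anything sent to recipients, and `s2k-count 65011712` is the largest value gpg accepts, so readers should not expect a higher number to work.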

@ -1,50 +0,0 @@
“Choose” fingerprint
====================
.. code:: bash
#! /bin/bash
mkdir --parents _
while true; do
gpg \
--batch \
--passphrase '' \
--quick-generate-key \
'First Last <first-last@domain.tld>' \
ed25519 \
cert \
1y \
&> /dev/null
gpg \
--armor \
--export-secret-keys \
'First Last' > "tmp.gpg"
name=$(\
cat tmp.gpg \
| gpg --list-packets \
| grep v4 \
| awk -F ' ' '{print $9}' \
| awk -F ')' '{print $1}' \
)
name="${name:24:4}_${name:28:4}__${name:32:4}_${name:36}"
echo "${name}"
mv tmp.gpg "_/${name}"
rm openpgp-revocs.d/*
rm private-keys-v1.d/*
gpg \
--batch \
--yes \
--delete-keys 'First Last'
rm pubring.kbx*
rm trustdb.gpg
done
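Review bot: The `while true` loop has no exit condition, and the cleanup uses relative paths (`rm openpgp-revocs.d/*`, `rm private-keys-v1.d/*`, `rm pubring.kbx*`, `rm trustdb.gpg`), so the script only behaves as intended when started from inside the GnuPG home directory; run anywhere else, those `rm` calls fail while every generated key stays in the real keyring. Set `export GNUPGHOME=$(mktemp -d)` at the top and prefix the `rm` targets with `$GNUPGHOME/`, add `set -eu`, and say in the page that each file written to `_/` is an unprotected secret key (`--passphrase ''`), so the directory must be discarded once the chosen key has been imported.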

@ -1,54 +0,0 @@
Generate
========
master key
----------
.. code:: shell
gpg --expert --full-generate-key
::
8 → RSA (set your own capabilities)
s → toggle the sign capability
e → toggle the encrypt capability
q → finished
4096
1y → key expires in 1 year
y → this is correct
First Last
user@domain.tld
comment
o → ok
.. code:: shell
gpg --quick-generate-key 'First Last <user@domain.tld>' rsa4096 cert 1y
revocation certificate
----------------------
.. code:: shell
gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev"
::
y
::
0 → no reason specified
1 → key has been compromised
2 → key is superseded
3 → key is no longer used
::
description
y
.. warning::
Hide this file in an encrypted container!
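Review bot: The `gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev"` step duplicates what `--full-generate-key` already did: GnuPG 2.1 and later writes `openpgp-revocs.d/<FINGERPRINT>.rev` under the GnuPG home at generation time (the directory the fingerprint script wipes with `rm openpgp-revocs.d/*`). Either point readers at that file or state why a second certificate with a chosen reason code is wanted. The placeholder should also match the other pages: pass the full fingerprint rather than `"KeyID"`, since `--generate-revocation` accepts it and it is unambiguous where a short key ID is not.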

@ -1,11 +0,0 @@
GnuPG
=====
.. toctree::
:maxdepth: 2
overview
configure
generate
servers
fun

@ -1,186 +0,0 @@
********
OverView
********
.. todo::
* setpref, or elsehow at key generation
* ! suffix to exclude subkeys
* trust key
* sign file
* sign key
* encrypt for [hidden-]recipient
* delete secret key
* import secret key
* refresh keys
List
====
.. code:: shell
gpg --list-keys
.. code:: shell
gpg --list-signatures
Modify
======
.. code:: shell
gpg --expert --edit-key "KEY ID"
[…]
::
save
add a subkey to a master key
----------------------------
::
addkey
8 → RSA (set your own capabilities)
[…]
::
q → finished
4096
1y → key expires in 1 year
y → this is correct
y → really create
sign
^^^^
::
e → toggle the encrypt capability
.. code:: shell
gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 auth 1y
gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 encr 1y
gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 sign 1y
encrypt
^^^^^^^
::
s → toggle the sign capability
authenticate
^^^^^^^^^^^^
::
s → toggle the sign capability
e → toggle the encrypt capability
a → toggle the authenticate capability
set expiration date
-------------------
::
expire
1y
y
add another UserID
------------------
::
adduid
First Last
user@domain.tld
comment
o
set primary UserID
------------------
::
uid 1
primary
Export
======
private key
-----------
.. code:: shell
gpg --armor --export-secret-keys FFIINNGGEERRPPRRIINNTT > key.gpg
private subkeys
---------------
.. code:: shell
gpg --armor --export-secret-subkeys FFIINNGGEERRPPRRIINNTT > subkeys.gpg
public key
----------
.. code:: shell
gpg --armor --export "Key ID" > id.asc
public SSH key
--------------
.. code:: shell
gpg --armor --export-ssh-key "Key ID" > id.pub
Dump
====
.. code:: shell
gpg --list-packets
.. code:: shell
pgpdump pub.asc
Secure
======
hide the master key in an encrypted container
---------------------------------------------
* ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key
Sign
====
.. code:: shell
gpg --armor --detach-sign file
Revoke
======
.. code:: shell
gpg --import "FFIINNGGEERRPPRRIINNTT.rev"
gpg --send-keys "KEY ID"
Verify
======
.. code:: shell
gpg --verify file.asc file
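Review bot: The "Secure" section tells readers to move `~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key` into an encrypted container but gives no way to pick the primary key's file over a subkey's, nor to confirm the result. State that the keygrip to take is the one printed under the `sec` line of `gpg -K` (the `with-keygrip` option from gpg.conf makes it appear), and that after the move `gpg -K` must show `sec#` for the primary while the `ssb` lines remain usable; that check is what proves the master key is offline. Separately, `gpg --list-packets` under "Dump" reads standard input when given no file and blocks when typed interactively; give it the exported file, as the `pgpdump pub.asc` line does.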

@ -1,66 +0,0 @@
Servers
=======
Search
------
.. code:: shell
gpg \
--keyserver hkps://sub.domain.tld \
--search-keys "Key ID"
Download
--------
.. code:: shell
gpg \
--keyserver hkps://sub.domain.tld \
--receive-keys "Key ID"
Upload
------
.. code:: shell
gpg \
--keyserver hkps://sub.domain.tld \
--send-keys "Key ID"
Available
---------
Mitigated
^^^^^^^^^
* hkps://
::
keys.openpgp.org
Vulnerable
^^^^^^^^^^
* hkps://
::
keyring.debian.org
pgp.key-server.io
pgp.mit.edu
peegeepee.com
pgp.rediris.es
sks-keyservers.net
pgp.surfnet.nl
keyserver.ubuntu.com
# round-robin
keys.gnupg.net
* hkp://
::
pgp.uni-mainz.de
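Review bot: The "Mitigated" and "Vulnerable" headings state no criterion, so the list cannot be re-checked as servers change; add one line on what sets keys.openpgp.org apart (it strips third-party certifications and only serves user IDs whose e-mail address was verified, which is what keeps an imported key from being padded with arbitrary signatures). Also note that `pgp.uni-mainz.de` is listed under plain `hkp://`, which is cleartext, so lookups and uploads to it are visible and modifiable in transit; the `hkps://` form used in the Search, Download and Upload examples should remain the default.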

@ -4,6 +4,5 @@ Security
.. toctree::
:maxdepth: 2
gpg/index
openssh-client/index
openssh-server/index
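Review bot: `gpg/index` is dropped from the Security toctree without a replacement entry in this hunk. With 8 files changed but only 2 additions and 2 deletions counted, the GnuPG pages look renamed rather than deleted, so the toctree should gain the new path in the same commit; otherwise the moved pages become orphans (Sphinx warns about documents not in any toctree) and disappear from navigation.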