rtfd/in/public/security/gpg/index.rst

###
GPG
###

TODO
====

* setpref, or elsehow at key generation
* ! suffix to exclude subkeys
* trust
* sign
* delete
* ssh authentication ???

Configure
=========

If up:

.. code:: shell

  killall gpg-agent
  killall dirmngr

wipe if needed
--------------

.. code:: shell

  rm --force --recursive ~/.gnupg
  mkdir -m 700 ~/.gnupg

check available algorithms
--------------------------

.. code:: shell

  gpg --version

avoid default use of SHA256
---------------------------

* gpg.conf

::

  cert-digest-algo SHA512
  personal-digest-preferences SHA512
  personal-cipher-preferences CAMELLIA256 TWOFISH AES256
  personal-compress-preferences BZIP2 ZLIB ZIP
  default-preference-list SHA512 CAMELLIA256 TWOFISH AES256 BZIP2 ZLIB ZIP

  keyserver-options include-revoked

  with-subkey-fingerprint

avoid DL/UL issues, depending on DNS
------------------------------------

* dirmngr.conf

::

  standard-resolver

Generate
========

master key
----------

.. code:: shell

  gpg --expert --full-generate-key

::

  8 → RSA (set your own capabilities)
  4096
  s → toggle the sign capability
  e → toggle the encrypt capability
  q → finished
  2y → key expires in 2 years
  y → this is correct
  First Last
  user@domain.tld
  comment
  o → ok
  PassPhrase

revocation certificate
----------------------

.. code:: shell

  gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev"

.. warning::

  Hide this file in an encrypted container!

Search
======

.. code:: shell

  gpg --search-keys "Key ID"

Download
========

.. code:: shell

  gpg --receive-keys "KEY ID"

List
====

.. code:: shell

  gpg --list-keys

Modify
======

.. code:: shell

  gpg --edit-key "KEY ID"

[…]

::

  PassPhrase
  save

add a subkey to a master key
----------------------------

::

  addkey

set expiration date
-------------------

::

  expire

add another UserID
------------------

::

  adduid
  First Last
  user@domain.tld
  Comment

set primary UserID
------------------

::

  uid 1
  primary

Export
======

.. code:: shell

  gpg --armor --export "Key ID" > pub.asc

Dump
====

.. code:: shell

  pgpdump pub.asc

Secure
======

find out master keygrip
-----------------------

.. code:: shell

  gpg --list-keys --with-keygrip

hide the master key in an encrypted container
---------------------------------------------

* ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key

Upload
======

.. code:: shell

  gpg --send-keys "KEY ID"

Revoke
======

.. code:: shell

  gpg --import "FFIINNGGEERRPPRRIINNTT.rev"
  gpg --send-keys "KEY ID"
content 2017-12-02 22:02:37 +00:00			`###`
			`GPG`
			`###`
gpg 2017-12-05 21:32:10 +00:00
			`TODO`
			`====`

			`* setpref, or elsehow at key generation`
			`* ! suffix to exclude subkeys`
			`* trust`
			`* sign`
			`* delete`
			`* ssh authentication ???`

			`Configure`
			`=========`

gpg killall 2019-05-03 12:03:26 +00:00			`If up:`

			`.. code:: shell`

			`killall gpg-agent`
			`killall dirmngr`

gpg 2017-12-05 21:32:10 +00:00			`wipe if needed`
			`--------------`

			`.. code:: shell`

			`rm --force --recursive ~/.gnupg`
			`mkdir -m 700 ~/.gnupg`

			`check available algorithms`
			`--------------------------`

			`.. code:: shell`

			`gpg --version`

			`avoid default use of SHA256`
			`---------------------------`

			`* gpg.conf`

			`::`

			`cert-digest-algo SHA512`
			`personal-digest-preferences SHA512`
			`personal-cipher-preferences CAMELLIA256 TWOFISH AES256`
			`personal-compress-preferences BZIP2 ZLIB ZIP`
			`default-preference-list SHA512 CAMELLIA256 TWOFISH AES256 BZIP2 ZLIB ZIP`

			`keyserver-options include-revoked`

			`with-subkey-fingerprint`

			`avoid DL/UL issues, depending on DNS`
			`------------------------------------`

			`* dirmngr.conf`

			`::`

			`standard-resolver`

			`Generate`
			`========`

			`master key`
			`----------`

			`.. code:: shell`

gpg generate master key 2019-05-03 12:04:29 +00:00			`gpg --expert --full-generate-key`
gpg 2017-12-05 21:32:10 +00:00
			`::`

gpg generate master key 2019-05-03 12:04:29 +00:00			`8 → RSA (set your own capabilities)`
gpg 2017-12-05 21:32:10 +00:00			`4096`
gpg generate master key 2019-05-03 12:04:29 +00:00			`s → toggle the sign capability`
			`e → toggle the encrypt capability`
			`q → finished`
			`2y → key expires in 2 years`
gpg 2017-12-05 21:32:10 +00:00			`y → this is correct`
			`First Last`
			`user@domain.tld`
gpg generate master key 2019-05-03 12:04:29 +00:00			`comment`
gpg 2017-12-05 21:32:10 +00:00			`o → ok`
			`PassPhrase`

			`revocation certificate`
			`----------------------`

			`.. code:: shell`

			`gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev"`

			`.. warning::`

			`Hide this file in an encrypted container!`

			`Search`
			`======`

			`.. code:: shell`

			`gpg --search-keys "Key ID"`

			`Download`
			`========`

			`.. code:: shell`

			`gpg --receive-keys "KEY ID"`

			`List`
			`====`

			`.. code:: shell`

			`gpg --list-keys`

			`Modify`
			`======`

			`.. code:: shell`

			`gpg --edit-key "KEY ID"`

			`[…]`

			`::`

			`PassPhrase`
			`save`

			`add a subkey to a master key`
			`----------------------------`

			`::`

			`addkey`

			`set expiration date`
			`-------------------`

			`::`

			`expire`

			`add another UserID`
			`------------------`

			`::`

			`adduid`
			`First Last`
			`user@domain.tld`
			`Comment`

			`set primary UserID`
			`------------------`

			`::`

			`uid 1`
			`primary`

			`Export`
			`======`

			`.. code:: shell`

			`gpg --armor --export "Key ID" > pub.asc`

			`Dump`
			`====`

			`.. code:: shell`

			`pgpdump pub.asc`

			`Secure`
			`======`

			`find out master keygrip`
			`-----------------------`

			`.. code:: shell`

			`gpg --list-keys --with-keygrip`

			`hide the master key in an encrypted container`
			`---------------------------------------------`

			`* ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key`

			`Upload`
			`======`

			`.. code:: shell`

			`gpg --send-keys "KEY ID"`

			`Revoke`
			`======`

			`.. code:: shell`

			`gpg --import "FFIINNGGEERRPPRRIINNTT.rev"`
			`gpg --send-keys "KEY ID"`