rtfd/in/public/security/gpg/index.rst

###
GPG
###

TODO
====

* setpref, or elsehow at key generation
* ! suffix to exclude subkeys
* trust
* sign
* delete

Configure
=========

If up:

.. code:: shell

  killall -9 gpg-agent
  killall -9 dirmngr

wipe if needed
--------------

.. code:: shell

  rm --force --recursive ~/.gnupg
  mkdir -m 700 ~/.gnupg

check available algorithms
--------------------------

.. code:: shell

  gpg --version

avoid default use of SHA256
---------------------------

* gpg.conf

::

  keyid-format long
  keyserver-options include-revoked
  list-options show-uid-validity
  verify-options show-uid-validity
  with-fingerprint
  with-keygrip
  with-subkey-fingerprint

  export-options export-minimal
  no-comments
  no-emit-version

  default-preference-list SHA512 AES256 BZIP2

  cert-digest-algo SHA512
  cipher-algo AES256
  compress-algo BZIP2
  digest-algo SHA512

  personal-cipher-preferences AES256
  personal-digest-preferences SHA512
  personal-compress-preferences BZIP2

  s2k-cipher-algo AES256
  s2k-digest-algo SHA512
  s2k-mode 3
  s2k-count 65011712

avoid DL/UL issues, depending on DNS
------------------------------------

* dirmngr.conf

::

  standard-resolver

authenticate
------------

* gpg-agent.conf

::

  enable-ssh-support

* sshcontrol

KeyGrip to use if there are several

::

  KKEEYYGGRRIIPP

* export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

Generate
========

master key
----------

.. code:: shell

  gpg --expert --full-generate-key

::

  8 → RSA (set your own capabilities)
  s → toggle the sign capability
  e → toggle the encrypt capability
  q → finished
  4096
  1y → key expires in 1 year
  y → this is correct
  First Last
  user@domain.tld
  comment
  o → ok

.. code:: shell

  gpg --quick-generate-key 'First Last <user@domain.tld>' rsa4096 cert 1y

revocation certificate
----------------------

.. code:: shell

  gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev"

::

  y

::

  0 → no reason specified
  1 → key has been compromised
  2 → key is superseded
  3 → key is no longer used

::

  description
  y

.. warning::

  Hide this file in an encrypted container!

Search
======

.. code:: shell

  gpg --search-keys "Key ID"

Download
========

.. code:: shell

  gpg --receive-keys "KEY ID"

List
====

.. code:: shell

  gpg --list-keys

Modify
======

.. code:: shell

  gpg --expert --edit-key "KEY ID"

[…]

::

  save

add a subkey to a master key
----------------------------

::

  addkey
  8 → RSA (set your own capabilities)

[…]

::

  q → finished
  4096
  1y → key expires in 1 year
  y → this is correct
  y → really create

sign
^^^^

::

  e → toggle the encrypt capability

.. code:: shell

  gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 auth 1y
  gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 encr 1y
  gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 sign 1y

encrypt
^^^^^^^

::

  s → toggle the sign capability

authenticate
^^^^^^^^^^^^

::

  s → toggle the sign capability
  e → toggle the encrypt capability
  a → toggle the authenticate capability

set expiration date
-------------------

::

  expire
  1y
  y

add another UserID
------------------

::

  adduid
  First Last
  user@domain.tld
  comment
  o

set primary UserID
------------------

::

  uid 1
  primary

Export
======

private key
-----------

.. code:: shell

  gpg --armor --export-secret-keys FFIINNGGEERRPPRRIINNTT > key.gpg

private subkeys
---------------

.. code:: shell

  gpg --armor --export-secret-subkeys FFIINNGGEERRPPRRIINNTT > subkeys.gpg

public key
----------

.. code:: shell

  gpg --armor --export "Key ID" > id.asc

public SSH key
--------------

.. code:: shell

  gpg --armor --export-ssh-key "Key ID" > id.pub

Dump
====

.. code:: shell

  pgpdump pub.asc

Secure
======

hide the master key in an encrypted container
---------------------------------------------

* ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key

Upload
======

.. code:: shell

  gpg --send-keys "KEY ID"

Revoke
======

.. code:: shell

  gpg --import "FFIINNGGEERRPPRRIINNTT.rev"
  gpg --send-keys "KEY ID"
content 2017-12-02 22:02:37 +00:00			`###`
			`GPG`
			`###`
gpg 2017-12-05 21:32:10 +00:00
			`TODO`
			`====`

			`* setpref, or elsehow at key generation`
			`* ! suffix to exclude subkeys`
			`* trust`
			`* sign`
			`* delete`

			`Configure`
			`=========`

gpg killall 2019-05-03 12:03:26 +00:00			`If up:`

			`.. code:: shell`

gpg killall -9 2019-05-04 07:34:43 +00:00			`killall -9 gpg-agent`
			`killall -9 dirmngr`
gpg killall 2019-05-03 12:03:26 +00:00
gpg 2017-12-05 21:32:10 +00:00			`wipe if needed`
			`--------------`

			`.. code:: shell`

			`rm --force --recursive ~/.gnupg`
			`mkdir -m 700 ~/.gnupg`

			`check available algorithms`
			`--------------------------`

			`.. code:: shell`

			`gpg --version`

			`avoid default use of SHA256`
			`---------------------------`

			`* gpg.conf`

			`::`

gpg keyid-format 2019-05-03 18:09:46 +00:00			`keyid-format long`
gpg configuration 2019-05-03 17:33:32 +00:00			`keyserver-options include-revoked`
gpg show-uid-validity 2019-05-03 18:06:12 +00:00			`list-options show-uid-validity`
			`verify-options show-uid-validity`
gpg with-fingerprint 2019-05-03 18:41:19 +00:00			`with-fingerprint`
gpg configuration 2019-05-03 17:33:32 +00:00			`with-keygrip`
			`with-subkey-fingerprint`

gpg export-minimal 2019-05-03 18:38:05 +00:00			`export-options export-minimal`
gpg configuration 2019-05-03 17:33:32 +00:00			`no-comments`
			`no-emit-version`

gpg configuration 2019-05-03 15:44:02 +00:00			`default-preference-list SHA512 AES256 BZIP2`
gpg 2017-12-05 21:32:10 +00:00
gpg configuration 2019-05-03 15:44:02 +00:00			`cert-digest-algo SHA512`
			`cipher-algo AES256`
			`compress-algo BZIP2`
			`digest-algo SHA512`
gpg 2017-12-05 21:32:10 +00:00
gpg configuration 2019-05-03 15:44:02 +00:00			`personal-cipher-preferences AES256`
			`personal-digest-preferences SHA512`
			`personal-compress-preferences BZIP2`
gpg with-keygrip 2019-05-03 13:24:36 +00:00
gpg configuration 2019-05-03 17:33:32 +00:00			`s2k-cipher-algo AES256`
			`s2k-digest-algo SHA512`
			`s2k-mode 3`
			`s2k-count 65011712`
gpg configuration 2019-05-03 15:44:02 +00:00
gpg 2017-12-05 21:32:10 +00:00			`avoid DL/UL issues, depending on DNS`
			`------------------------------------`

			`* dirmngr.conf`

			`::`

			`standard-resolver`

gpg gpg-agent.conf enable-ssh-support 2019-05-04 11:47:15 +00:00			`authenticate`
			`------------`

			`* gpg-agent.conf`

			`::`

			`enable-ssh-support`

gpg ssh keygrip 2019-05-04 11:52:28 +00:00			`* sshcontrol`

			`KeyGrip to use if there are several`

			`::`

			`KKEEYYGGRRIIPP`

gpg ssh environment variable 2019-05-04 16:38:02 +00:00			`* export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)`

gpg 2017-12-05 21:32:10 +00:00			`Generate`
			`========`

			`master key`
			`----------`

			`.. code:: shell`

gpg generate master key 2019-05-03 12:04:29 +00:00			`gpg --expert --full-generate-key`
gpg 2017-12-05 21:32:10 +00:00
			`::`

gpg generate master key 2019-05-03 12:04:29 +00:00			`8 → RSA (set your own capabilities)`
			`s → toggle the sign capability`
			`e → toggle the encrypt capability`
			`q → finished`
gpg fix master key bits 2019-05-03 12:22:25 +00:00			`4096`
gpg 1y 2019-05-03 18:50:43 +00:00			`1y → key expires in 1 year`
gpg 2017-12-05 21:32:10 +00:00			`y → this is correct`
			`First Last`
			`user@domain.tld`
gpg generate master key 2019-05-03 12:04:29 +00:00			`comment`
gpg 2017-12-05 21:32:10 +00:00			`o → ok`
gpg quick syntax 2019-05-03 15:35:46 +00:00
			`.. code:: shell`

gpg 1y 2019-05-03 18:50:43 +00:00			`gpg --quick-generate-key 'First Last <user@domain.tld>' rsa4096 cert 1y`
gpg 2017-12-05 21:32:10 +00:00
			`revocation certificate`
			`----------------------`

			`.. code:: shell`

			`gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev"`

gpg fixes 2019-05-03 15:40:13 +00:00			`::`

			`y`

			`::`

			`0 → no reason specified`
			`1 → key has been compromised`
			`2 → key is superseded`
			`3 → key is no longer used`

			`::`

			`description`
			`y`

gpg 2017-12-05 21:32:10 +00:00			`.. warning::`

			`Hide this file in an encrypted container!`

			`Search`
			`======`

			`.. code:: shell`

			`gpg --search-keys "Key ID"`

			`Download`
			`========`

			`.. code:: shell`

			`gpg --receive-keys "KEY ID"`

			`List`
			`====`

			`.. code:: shell`

			`gpg --list-keys`

			`Modify`
			`======`

			`.. code:: shell`

gpg expert edit, add subkeys 2019-05-03 12:24:03 +00:00			`gpg --expert --edit-key "KEY ID"`
gpg 2017-12-05 21:32:10 +00:00
			`[…]`

			`::`

			`save`

			`add a subkey to a master key`
			`----------------------------`

			`::`

			`addkey`
gpg expert edit, add subkeys 2019-05-03 12:24:03 +00:00			`8 → RSA (set your own capabilities)`

			`[…]`

			`::`

			`q → finished`
			`4096`
			`1y → key expires in 1 year`
			`y → this is correct`
			`y → really create`

			`sign`
			`^^^^`

			`::`

			`e → toggle the encrypt capability`

gpg quick syntax 2019-05-03 15:35:46 +00:00			`.. code:: shell`

			`gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 auth 1y`
			`gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 encr 1y`
			`gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 sign 1y`

gpg expert edit, add subkeys 2019-05-03 12:24:03 +00:00			`encrypt`
			`^^^^^^^`

			`::`

			`s → toggle the sign capability`

			`authenticate`
			`^^^^^^^^^^^^`

			`::`

			`s → toggle the sign capability`
			`e → toggle the encrypt capability`
			`a → toggle the authenticate capability`
gpg 2017-12-05 21:32:10 +00:00
			`set expiration date`
			`-------------------`

			`::`

			`expire`
gpg fixes 2019-05-03 15:40:13 +00:00			`1y`
			`y`
gpg 2017-12-05 21:32:10 +00:00
			`add another UserID`
			`------------------`

			`::`

			`adduid`
			`First Last`
			`user@domain.tld`
gpg fixes 2019-05-03 15:40:13 +00:00			`comment`
			`o`
gpg 2017-12-05 21:32:10 +00:00
			`set primary UserID`
			`------------------`

			`::`

			`uid 1`
			`primary`

			`Export`
			`======`

gpg export private key and subkeys 2019-05-03 17:07:54 +00:00			`private key`
			`-----------`

			`.. code:: shell`

			`gpg --armor --export-secret-keys FFIINNGGEERRPPRRIINNTT > key.gpg`

			`private subkeys`
			`---------------`

			`.. code:: shell`

			`gpg --armor --export-secret-subkeys FFIINNGGEERRPPRRIINNTT > subkeys.gpg`

gpg export public SSH key 2019-05-04 12:23:48 +00:00			`public key`
			`----------`

			`.. code:: shell`

			`gpg --armor --export "Key ID" > id.asc`

			`public SSH key`
			`--------------`

			`.. code:: shell`

			`gpg --armor --export-ssh-key "Key ID" > id.pub`

gpg 2017-12-05 21:32:10 +00:00			`Dump`
			`====`

			`.. code:: shell`

			`pgpdump pub.asc`

			`Secure`
			`======`

			`hide the master key in an encrypted container`
			`---------------------------------------------`

			`* ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key`

			`Upload`
			`======`

			`.. code:: shell`

			`gpg --send-keys "KEY ID"`

			`Revoke`
			`======`

			`.. code:: shell`

			`gpg --import "FFIINNGGEERRPPRRIINNTT.rev"`
			`gpg --send-keys "KEY ID"`