From 22c6dba78d65ade540a82876ca1821e4d1af2ad0 Mon Sep 17 00:00:00 2001
From: Marc Beninca
Date: Tue, 14 May 2019 10:39:00 +0200
Subject: [PATCH] gpg overview,servers

---
 in/public/security/gpg/index.rst | 330 +--------------------------
 in/public/security/gpg/overview.rst | 325 +++++++++++++++++++++++++++
 in/public/security/gpg/servers.rst | 30 +++
 3 files changed, 361 insertions(+), 324 deletions(-)
 create mode 100644 in/public/security/gpg/overview.rst
 create mode 100644 in/public/security/gpg/servers.rst

diff --git a/in/public/security/gpg/index.rst b/in/public/security/gpg/index.rst
index 7f7f3d9..5887994 100644
--- a/in/public/security/gpg/index.rst
+++ b/in/public/security/gpg/index.rst
@@ -1,326 +1,8 @@ -### -GPG -### +GnuPG +===== -TODO -==== +.. toctree:: + :maxdepth: 2 -* setpref, or elsehow at key generation -* ! suffix to exclude subkeys -* trust -* sign -* delete - -Configure -========= - -If up: - -.. code:: shell - - killall -9 gpg-agent - killall -9 dirmngr - -wipe if needed --------------- - -.. code:: shell - - rm --force --recursive ~/.gnupg - mkdir -m 700 ~/.gnupg - -check available algorithms --------------------------- - -.. code:: shell - - gpg --version - -avoid default use of SHA256 ---------------------------- - -* gpg.conf - -:: - - keyid-format long - keyserver-options include-revoked - list-options show-uid-validity - no-verbose - verify-options show-uid-validity - with-fingerprint - with-keygrip - with-subkey-fingerprint - - export-options export-minimal - no-comments - no-emit-version - - default-preference-list SHA512 AES256 BZIP2 - - cert-digest-algo SHA512 - cipher-algo AES256 - compress-algo BZIP2 - digest-algo SHA512 - - personal-cipher-preferences AES256 - personal-digest-preferences SHA512 - personal-compress-preferences BZIP2 - - s2k-cipher-algo AES256 - s2k-digest-algo SHA512 - s2k-mode 3 - s2k-count 65011712 - -avoid DL/UL issues, depending on DNS ------------------------------------- - -* dirmngr.conf - -:: - - standard-resolver - -authenticate ------------- - -* gpg-agent.conf - -:: - - enable-ssh-support - -* sshcontrol - -KeyGrip to use if there are several - -:: - - KKEEYYGGRRIIPP - -* export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) - -Generate -======== - -master key ----------- - -.. code:: shell - - gpg --expert --full-generate-key - -:: - - 8 → RSA (set your own capabilities) - s → toggle the sign capability - e → toggle the encrypt capability - q → finished - 4096 - 1y → key expires in 1 year - y → this is correct - First Last - user@domain.tld - comment - o → ok - -.. 
code:: shell - - gpg --quick-generate-key 'First Last ' rsa4096 cert 1y - -revocation certificate ----------------------- - -.. code:: shell - - gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev" - -:: - - y - -:: - - 0 → no reason specified - 1 → key has been compromised - 2 → key is superseded - 3 → key is no longer used - -:: - - description - y - -.. warning:: - - Hide this file in an encrypted container! - -Search -====== - -.. code:: shell - - gpg --search-keys "Key ID" - -Download -======== - -.. code:: shell - - gpg --receive-keys "KEY ID" - -List -==== - -.. code:: shell - - gpg --list-keys - -Modify -====== - -.. code:: shell - - gpg --expert --edit-key "KEY ID" - -[…] - -:: - - save - -add a subkey to a master key ----------------------------- - -:: - - addkey - 8 → RSA (set your own capabilities) - -[…] - -:: - - q → finished - 4096 - 1y → key expires in 1 year - y → this is correct - y → really create - -sign -^^^^ - -:: - - e → toggle the encrypt capability - -.. code:: shell - - gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 auth 1y - gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 encr 1y - gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 sign 1y - -encrypt -^^^^^^^ - -:: - - s → toggle the sign capability - -authenticate -^^^^^^^^^^^^ - -:: - - s → toggle the sign capability - e → toggle the encrypt capability - a → toggle the authenticate capability - -set expiration date -------------------- - -:: - - expire - 1y - y - -add another UserID ------------------- - -:: - - adduid - First Last - user@domain.tld - comment - o - -set primary UserID ------------------- - -:: - - uid 1 - primary - -Export -====== - -private key ------------ - -.. code:: shell - - gpg --armor --export-secret-keys FFIINNGGEERRPPRRIINNTT > key.gpg - -private subkeys ---------------- - -.. code:: shell - - gpg --armor --export-secret-subkeys FFIINNGGEERRPPRRIINNTT > subkeys.gpg - -public key ----------- - -.. 
code:: shell - - gpg --armor --export "Key ID" > id.asc - -public SSH key --------------- - -.. code:: shell - - gpg --armor --export-ssh-key "Key ID" > id.pub - -Dump -==== - -.. code:: shell - - pgpdump pub.asc - -Secure -====== - -hide the master key in an encrypted container ---------------------------------------------- - -* ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key - -Upload -====== - -.. code:: shell - - gpg --send-keys "KEY ID" - -Revoke -====== - -.. code:: shell - - gpg --import "FFIINNGGEERRPPRRIINNTT.rev" - gpg --send-keys "KEY ID" + overview + servers diff --git a/in/public/security/gpg/overview.rst b/in/public/security/gpg/overview.rst new file mode 100644 index 0000000..32bdefe --- /dev/null +++ b/in/public/security/gpg/overview.rst 
@@ -0,0 +1,325 @@
+********
+OverView
+********
+
+.. todo::
+
+ * setpref, or elsehow at key generation
+ * ! suffix to exclude subkeys
+ * trust
+ * sign
+ * delete
+
+Configure
+=========
+
+If up:
+
+.. code:: shell
+
+ killall -9 gpg-agent
+ killall -9 dirmngr
+
+wipe if needed
+--------------
+
+.. code:: shell
+
+ rm --force --recursive ~/.gnupg
+ mkdir -m 700 ~/.gnupg
+
+check available algorithms
+--------------------------
+
+.. code:: shell
+
+ gpg --version
+
+avoid default use of SHA256
+---------------------------
+
+* gpg.conf
+
+::
+
+ keyid-format long
+ keyserver-options include-revoked
+ list-options show-uid-validity
+ no-verbose
+ verify-options show-uid-validity
+ with-fingerprint
+ with-keygrip
+ with-subkey-fingerprint
+
+ export-options export-minimal
+ no-comments
+ no-emit-version
+
+ default-preference-list SHA512 AES256 BZIP2
+
+ cert-digest-algo SHA512
+ cipher-algo AES256
+ compress-algo BZIP2
+ digest-algo SHA512
+
+ personal-cipher-preferences AES256
+ personal-digest-preferences SHA512
+ personal-compress-preferences BZIP2
+
+ s2k-cipher-algo AES256
+ s2k-digest-algo SHA512
+ s2k-mode 3
+ s2k-count 65011712
+
+avoid DL/UL issues, depending on DNS
+------------------------------------
+
+* dirmngr.conf
+
+::
+
+ standard-resolver
+
+authenticate
+------------
+
+* gpg-agent.conf
+
+::
+
+ enable-ssh-support
+
+* sshcontrol
+
+KeyGrip to use if there are several
+
+::
+
+ KKEEYYGGRRIIPP
+
+* export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+
+Generate
+========
+
+master key
+----------
+
+.. code:: shell
+
+ gpg --expert --full-generate-key
+
+::
+
+ 8 → RSA (set your own capabilities)
+ s → toggle the sign capability
+ e → toggle the encrypt capability
+ q → finished
+ 4096
+ 1y → key expires in 1 year
+ y → this is correct
+ First Last
+ user@domain.tld
+ comment
+ o → ok
+
+.. code:: shell
+
+ gpg --quick-generate-key 'First Last ' rsa4096 cert 1y
+
+revocation certificate
+----------------------
+
+.. code:: shell
+
+ gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev"
+
+::
+
+ y
+
+::
+
+ 0 → no reason specified
+ 1 → key has been compromised
+ 2 → key is superseded
+ 3 → key is no longer used
+
+::
+
+ description
+ y
+
+.. warning::
+
+ Hide this file in an encrypted container!
+
+Search
+======
+
+.. code:: shell
+
+ gpg --search-keys "Key ID"
+
+Download
+========
+
+.. code:: shell
+
+ gpg --receive-keys "KEY ID"
+
+List
+====
+
+.. code:: shell
+
+ gpg --list-keys
+
+Modify
+======
+
+.. code:: shell
+
+ gpg --expert --edit-key "KEY ID"
+
+[…]
+
+::
+
+ save
+
+add a subkey to a master key
+----------------------------
+
+::
+
+ addkey
+ 8 → RSA (set your own capabilities)
+
+[…]
+
+::
+
+ q → finished
+ 4096
+ 1y → key expires in 1 year
+ y → this is correct
+ y → really create
+
+sign
+^^^^
+
+::
+
+ e → toggle the encrypt capability
+
+.. code:: shell
+
+ gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 auth 1y
+ gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 encr 1y
+ gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 sign 1y
+
+encrypt
+^^^^^^^
+
+::
+
+ s → toggle the sign capability
+
+authenticate
+^^^^^^^^^^^^
+
+::
+
+ s → toggle the sign capability
+ e → toggle the encrypt capability
+ a → toggle the authenticate capability
+
+set expiration date
+-------------------
+
+::
+
+ expire
+ 1y
+ y
+
+add another UserID
+------------------
+
+::
+
+ adduid
+ First Last
+ user@domain.tld
+ comment
+ o
+
+set primary UserID
+------------------
+
+::
+
+ uid 1
+ primary
+
+Export
+======
+
+private key
+-----------
+
+.. code:: shell
+
+ gpg --armor --export-secret-keys FFIINNGGEERRPPRRIINNTT > key.gpg
+
+private subkeys
+---------------
+
+.. code:: shell
+
+ gpg --armor --export-secret-subkeys FFIINNGGEERRPPRRIINNTT > subkeys.gpg
+
+public key
+----------
+
+.. code:: shell
+
+ gpg --armor --export "Key ID" > id.asc
+
+public SSH key
+--------------
+
+.. code:: shell
+
+ gpg --armor --export-ssh-key "Key ID" > id.pub
+
+Dump
+====
+
+.. code:: shell
+
+ pgpdump pub.asc
+
+Secure
+======
+
+hide the master key in an encrypted container
+---------------------------------------------
+
+* ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key
+
+Upload
+======
+
+.. code:: shell
+
+ gpg --send-keys "KEY ID"
+
+Revoke
+======
+
+.. code:: shell
+
+ gpg --import "FFIINNGGEERRPPRRIINNTT.rev"
+ gpg --send-keys "KEY ID"
diff --git a/in/public/security/gpg/servers.rst b/in/public/security/gpg/servers.rst
new file mode 100644
index 0000000..277a77c
--- /dev/null
+++ b/in/public/security/gpg/servers.rst
@@ -0,0 +1,30 @@
+Servers
+=======
+
+* hkps://
+
+::
+
+ keyring.debian.org
+ pgp.key-server.io
+ pgp.mit.edu
+ peegeepee.com
+ pgp.rediris.es
+ sks-keyservers.net
+ pgp.surfnet.nl
+ keyserver.ubuntu.com
+
+ # round-robin
+ keys.gnupg.net
+
+* hkp://
+
+::
+
+ pgp.uni-mainz.de
+
+* not sure
+
+::
+
+ keyserver.oeg.com.au