gpg overview,servers

in/public/security/gpg/index.rst

@@ -1,326 +1,8 @@
-###
+GnuPG
-GPG
+=====
-###
 
-TODO
+.. toctree::
-====
+   :maxdepth: 2
 
-* setpref, or elsehow at key generation
+   overview
-* ! suffix to exclude subkeys
+   servers
-* trust
-* sign
-* delete
-
-Configure
-=========
-
-If up:
-
-.. code:: shell
-
-  killall -9 gpg-agent
-  killall -9 dirmngr
-
-wipe if needed
---------------
-
-.. code:: shell
-
-  rm --force --recursive ~/.gnupg
-  mkdir -m 700 ~/.gnupg
-
-check available algorithms
---------------------------
-
-.. code:: shell
-
-  gpg --version
-
-avoid default use of SHA256
----------------------------
-
-* gpg.conf
-
-::
-
-  keyid-format long
-  keyserver-options include-revoked
-  list-options show-uid-validity
-  no-verbose
-  verify-options show-uid-validity
-  with-fingerprint
-  with-keygrip
-  with-subkey-fingerprint
-
-  export-options export-minimal
-  no-comments
-  no-emit-version
-
-  default-preference-list SHA512 AES256 BZIP2
-
-  cert-digest-algo SHA512
-  cipher-algo AES256
-  compress-algo BZIP2
-  digest-algo SHA512
-
-  personal-cipher-preferences AES256
-  personal-digest-preferences SHA512
-  personal-compress-preferences BZIP2
-
-  s2k-cipher-algo AES256
-  s2k-digest-algo SHA512
-  s2k-mode 3
-  s2k-count 65011712
-
-avoid DL/UL issues, depending on DNS
-------------------------------------
-
-* dirmngr.conf
-
-::
-
-  standard-resolver
-
-authenticate
-------------
-
-* gpg-agent.conf
-
-::
-
-  enable-ssh-support
-
-* sshcontrol
-
-KeyGrip to use if there are several
-
-::
-
-  KKEEYYGGRRIIPP
-
-* export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
-
-Generate
-========
-
-master key
-----------
-
-.. code:: shell
-
-  gpg --expert --full-generate-key
-
-::
-
-  8 → RSA (set your own capabilities)
-  s → toggle the sign capability
-  e → toggle the encrypt capability
-  q → finished
-  4096
-  1y → key expires in 1 year
-  y → this is correct
-  First Last
-  user@domain.tld
-  comment
-  o → ok
-
-.. code:: shell
-
-  gpg --quick-generate-key 'First Last <user@domain.tld>' rsa4096 cert 1y
-
-revocation certificate
-----------------------
-
-.. code:: shell
-
-  gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev"
-
-::
-
-  y
-
-::
-
-  0 → no reason specified
-  1 → key has been compromised
-  2 → key is superseded
-  3 → key is no longer used
-
-::
-
-  description
-  y
-
-.. warning::
-
-  Hide this file in an encrypted container!
-
-Search
-======
-
-.. code:: shell
-
-  gpg --search-keys "Key ID"
-
-Download
-========
-
-.. code:: shell
-
-  gpg --receive-keys "KEY ID"
-
-List
-====
-
-.. code:: shell
-
-  gpg --list-keys
-
-Modify
-======
-
-.. code:: shell
-
-  gpg --expert --edit-key "KEY ID"
-
-[…]
-
-::
-
-  save
-
-add a subkey to a master key
-----------------------------
-
-::
-
-  addkey
-  8 → RSA (set your own capabilities)
-
-[…]
-
-::
-
-  q → finished
-  4096
-  1y → key expires in 1 year
-  y → this is correct
-  y → really create
-
-sign
-^^^^
-
-::
-
-  e → toggle the encrypt capability
-
-.. code:: shell
-
-  gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 auth 1y
-  gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 encr 1y
-  gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 sign 1y
-
-encrypt
-^^^^^^^
-
-::
-
-  s → toggle the sign capability
-
-authenticate
-^^^^^^^^^^^^
-
-::
-
-  s → toggle the sign capability
-  e → toggle the encrypt capability
-  a → toggle the authenticate capability
-
-set expiration date
--------------------
-
-::
-
-  expire
-  1y
-  y
-
-add another UserID
-------------------
-
-::
-
-  adduid
-  First Last
-  user@domain.tld
-  comment
-  o
-
-set primary UserID
-------------------
-
-::
-
-  uid 1
-  primary
-
-Export
-======
-
-private key
------------
-
-.. code:: shell
-
-  gpg --armor --export-secret-keys FFIINNGGEERRPPRRIINNTT > key.gpg
-
-private subkeys
----------------
-
-.. code:: shell
-
-  gpg --armor --export-secret-subkeys FFIINNGGEERRPPRRIINNTT > subkeys.gpg
-
-public key
-----------
-
-.. code:: shell
-
-  gpg --armor --export "Key ID" > id.asc
-
-public SSH key
---------------
-
-.. code:: shell
-
-  gpg --armor --export-ssh-key "Key ID" > id.pub
-
-Dump
-====
-
-.. code:: shell
-
-  pgpdump pub.asc
-
-Secure
-======
-
-hide the master key in an encrypted container
----------------------------------------------
-
-* ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key
-
-Upload
-======
-
-.. code:: shell
-
-  gpg --send-keys "KEY ID"
-
-Revoke
-======
-
-.. code:: shell
-
-  gpg --import "FFIINNGGEERRPPRRIINNTT.rev"
-  gpg --send-keys "KEY ID"

in/public/security/gpg/overview.rst

@@ -0,0 +1,325 @@
+********
+OverView
+********
+
+.. todo::
+
+ * setpref, or elsehow at key generation
+ * ! suffix to exclude subkeys
+ * trust
+ * sign
+ * delete
+
+Configure
+=========
+
+If up:
+
+.. code:: shell
+
+  killall -9 gpg-agent
+  killall -9 dirmngr
+
+wipe if needed
+--------------
+
+.. code:: shell
+
+  rm --force --recursive ~/.gnupg
+  mkdir -m 700 ~/.gnupg
+
+check available algorithms
+--------------------------
+
+.. code:: shell
+
+  gpg --version
+
+avoid default use of SHA256
+---------------------------
+
+* gpg.conf
+
+::
+
+  keyid-format long
+  keyserver-options include-revoked
+  list-options show-uid-validity
+  no-verbose
+  verify-options show-uid-validity
+  with-fingerprint
+  with-keygrip
+  with-subkey-fingerprint
+
+  export-options export-minimal
+  no-comments
+  no-emit-version
+
+  default-preference-list SHA512 AES256 BZIP2
+
+  cert-digest-algo SHA512
+  cipher-algo AES256
+  compress-algo BZIP2
+  digest-algo SHA512
+
+  personal-cipher-preferences AES256
+  personal-digest-preferences SHA512
+  personal-compress-preferences BZIP2
+
+  s2k-cipher-algo AES256
+  s2k-digest-algo SHA512
+  s2k-mode 3
+  s2k-count 65011712
+
+avoid DL/UL issues, depending on DNS
+------------------------------------
+
+* dirmngr.conf
+
+::
+
+  standard-resolver
+
+authenticate
+------------
+
+* gpg-agent.conf
+
+::
+
+  enable-ssh-support
+
+* sshcontrol
+
+KeyGrip to use if there are several
+
+::
+
+  KKEEYYGGRRIIPP
+
+* export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+
+Generate
+========
+
+master key
+----------
+
+.. code:: shell
+
+  gpg --expert --full-generate-key
+
+::
+
+  8 → RSA (set your own capabilities)
+  s → toggle the sign capability
+  e → toggle the encrypt capability
+  q → finished
+  4096
+  1y → key expires in 1 year
+  y → this is correct
+  First Last
+  user@domain.tld
+  comment
+  o → ok
+
+.. code:: shell
+
+  gpg --quick-generate-key 'First Last <user@domain.tld>' rsa4096 cert 1y
+
+revocation certificate
+----------------------
+
+.. code:: shell
+
+  gpg --generate-revocation "KeyID" > "FFIINNGGEERRPPRRIINNTT.rev"
+
+::
+
+  y
+
+::
+
+  0 → no reason specified
+  1 → key has been compromised
+  2 → key is superseded
+  3 → key is no longer used
+
+::
+
+  description
+  y
+
+.. warning::
+
+  Hide this file in an encrypted container!
+
+Search
+======
+
+.. code:: shell
+
+  gpg --search-keys "Key ID"
+
+Download
+========
+
+.. code:: shell
+
+  gpg --receive-keys "KEY ID"
+
+List
+====
+
+.. code:: shell
+
+  gpg --list-keys
+
+Modify
+======
+
+.. code:: shell
+
+  gpg --expert --edit-key "KEY ID"
+
+[…]
+
+::
+
+  save
+
+add a subkey to a master key
+----------------------------
+
+::
+
+  addkey
+  8 → RSA (set your own capabilities)
+
+[…]
+
+::
+
+  q → finished
+  4096
+  1y → key expires in 1 year
+  y → this is correct
+  y → really create
+
+sign
+^^^^
+
+::
+
+  e → toggle the encrypt capability
+
+.. code:: shell
+
+  gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 auth 1y
+  gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 encr 1y
+  gpg --quick-add-key FFIINNGGEERRPPRRIINNTT rsa4096 sign 1y
+
+encrypt
+^^^^^^^
+
+::
+
+  s → toggle the sign capability
+
+authenticate
+^^^^^^^^^^^^
+
+::
+
+  s → toggle the sign capability
+  e → toggle the encrypt capability
+  a → toggle the authenticate capability
+
+set expiration date
+-------------------
+
+::
+
+  expire
+  1y
+  y
+
+add another UserID
+------------------
+
+::
+
+  adduid
+  First Last
+  user@domain.tld
+  comment
+  o
+
+set primary UserID
+------------------
+
+::
+
+  uid 1
+  primary
+
+Export
+======
+
+private key
+-----------
+
+.. code:: shell
+
+  gpg --armor --export-secret-keys FFIINNGGEERRPPRRIINNTT > key.gpg
+
+private subkeys
+---------------
+
+.. code:: shell
+
+  gpg --armor --export-secret-subkeys FFIINNGGEERRPPRRIINNTT > subkeys.gpg
+
+public key
+----------
+
+.. code:: shell
+
+  gpg --armor --export "Key ID" > id.asc
+
+public SSH key
+--------------
+
+.. code:: shell
+
+  gpg --armor --export-ssh-key "Key ID" > id.pub
+
+Dump
+====
+
+.. code:: shell
+
+  pgpdump pub.asc
+
+Secure
+======
+
+hide the master key in an encrypted container
+---------------------------------------------
+
+* ~/.gnupg/private-keys-v1.d/KKEEYYGGRRIIPP.key
+
+Upload
+======
+
+.. code:: shell
+
+  gpg --send-keys "KEY ID"
+
+Revoke
+======
+
+.. code:: shell
+
+  gpg --import "FFIINNGGEERRPPRRIINNTT.rev"
+  gpg --send-keys "KEY ID"

in/public/security/gpg/servers.rst

@@ -0,0 +1,30 @@
+Servers
+=======
+
+* hkps://
+
+::
+
+ keyring.debian.org
+ pgp.key-server.io
+ pgp.mit.edu
+ peegeepee.com
+ pgp.rediris.es
+ sks-keyservers.net
+ pgp.surfnet.nl
+ keyserver.ubuntu.com
+
+ # round-robin
+ keys.gnupg.net
+
+* hkp://
+
+::
+
+ pgp.uni-mainz.de
+
+* not sure
+
+::
+
+ keyserver.oeg.com.au