# GPG

## Commands

* Listing public keys - metadata only

```sh
gpg --list-public-keys
gpg -k
```

  * `pub`: your public key info
  * `sub`: your public subkey info

* Listing private keys - metadata only

```sh
gpg --list-secret-keys
gpg -K
```

  * `sec`: the master/primary secret key. The key size, key ID, creation date, expiration date and fingerprint are displayed.
  * `ssb`: secret subkeys. These can be your sub signing key, encryption key or authentication key. You can have multiple subkeys.
  * `uid`: the user information associated with the secret key. You can have multiple uids.
  * `sec#`: a `#` after `sec` means that your secret key is missing from the machine, but a reference (stub) to the secret key is present.
  * `ssb>`: a `>` after `ssb` means that your subkeys are not on the machine; they are on a smartcard instead.

* Encrypt a file in binary

```sh
# Creates a message.txt.gpg file that is encrypted
gpg --encrypt --recipient 'YOUREMAILGPGKEY' message.txt
```

* Encrypt a file in ASCII armor

```sh
# Creates a message.txt.asc that is encrypted
gpg --encrypt --armor --recipient '[email protected]' message.txt
```

* Decrypt a binary/ASCII armor file

```sh
gpg --decrypt message.txt.gpg
gpg --decrypt message.txt.asc
```

* Signing a file

```sh
# WARNING: THIS DOES NOT ENCRYPT THE FILE
gpg --sign <file>
```

* Verify a file

```sh
gpg --verify file
```
* How to export a gpg secret key from one device to another

```sh
# Generate a random password to encrypt the key (use it in the next step)
gpg --armor --gen-random 1 20

# Export the encrypted secret key
gpg --armor --export-secret-keys YOUREMAILADDRESS | gpg --armor --symmetric --output mykey.sec.asc

# Transfer it with any method you want and then remove the file
rm mykey.sec.asc
```

* Import a gpg key - do not forget to shred it!

```sh
gpg2 --import A85EA103-private-subkey.gpg
shred --remove A85EA103-private-subkey.gpg
```
* Create a new master key with GPG

```sh
gpg --full-generate-key
```

* Generate a revocation certificate in case the key gets lost or compromised

```sh
gpg --gen-revoke $KEYID > $KEYID-revoke.txt
```

* Save a copy of the private key

```sh
gpg --armor --export-secret-keys $KEYID > $KEYID-master.key
```

* Edit the key to add subkeys

```sh
gpg --expert --edit-key KEYID
```

* Delete a secret key: WARNING!! Make sure you have a backup

```sh
gpg --delete-secret-keys KEYID
```

* Encrypt a message to your own key (useful for storing passwords and credentials)

```sh
echo "test message string" | gpg --encrypt --armor --recipient $KEYID -o encrypted.txt
```

* Decrypt the message

```sh
gpg --decrypt --armor encrypted.txt
```

* Sign a message

```sh
echo "test message string" | gpg --armor --clearsign > signed.txt
```

* Verify the signature

```sh
gpg --verify signed.txt
```
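The `--armor` flag used in the commands above wraps binary OpenPGP output in ASCII armor: a `-----BEGIN PGP ...-----` line, optional headers, a radix-64 (base64) body and a `=XXXX` line carrying a CRC-24 checksum over the decoded bytes (RFC 4880 section 6). The Python below is an added example, not code from this page or from GnuPG, and goes one step beyond the commands: it builds and parses armor around constructed data and shows how the checksum catches a `.asc` file that was altered in transit (a mail client re-wrapping lines, a copy-paste that dropped a character). The names `armor`, `dearmor`, `verify_armor` and `is_armored` are this example's own.

```python
import base64

# CRC-24 parameters from RFC 4880 section 6.1 (same as the reference implementation there).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """CRC-24 over the decoded (binary) OpenPGP data, as carried in the '=XXXX' armor line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data, kind="MESSAGE", headers=None):
    """Wrap binary OpenPGP data the way `gpg --armor` does (64-character base64 lines)."""
    body = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN PGP {kind}-----"]
    for name, value in (headers or {}).items():   # armor headers such as Version: or Comment:
        lines.append(f"{name}: {value}")
    lines.append("")                               # a blank line ends the armor headers
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_bytes = crc24(data).to_bytes(3, "big")
    lines.append("=" + base64.b64encode(crc_bytes).decode("ascii"))
    lines.append(f"-----END PGP {kind}-----")
    return "\n".join(lines) + "\n"


def is_armored(blob):
    """True for .asc-style output; binary .gpg output starts with a packet tag byte (bit 7 set)."""
    return blob.startswith(b"-----BEGIN PGP ")


def dearmor(text):
    """Return (data, kind); raise ValueError if the armor is malformed or the CRC does not match."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("-----BEGIN PGP ")]
    if not starts:
        raise ValueError("no armor header")
    start = starts[0]
    kind = lines[start][len("-----BEGIN PGP "):-len("-----")]
    i = start + 1
    while i < len(lines) and lines[i].strip():    # skip armor headers
        i += 1
    i += 1                                        # skip the blank separator line
    body, checksum = [], None
    while i < len(lines) and not lines[i].startswith("-----END PGP "):
        if lines[i].startswith("="):
            checksum = lines[i][1:]
        else:
            body.append(lines[i].strip())
        i += 1
    if i >= len(lines):
        raise ValueError("missing armor tail")
    if checksum is None:
        raise ValueError("missing CRC line")
    data = base64.b64decode("".join(body), validate=True)
    expected = int.from_bytes(base64.b64decode(checksum), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored data was altered in transit")
    return data, kind


def verify_armor(text):
    """Boolean wrapper around dearmor(): does the armor parse and does its checksum hold?"""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = bytes(range(60))  # constructed stand-in for a binary OpenPGP message
    text = armor(sample, headers={"Comment": "constructed sample"})
    print(text)
    print("round-trip ok:", dearmor(text) == (sample, "MESSAGE"))
    damaged = text.replace("\n\nA", "\n\nB", 1)  # flip the first body character
    print("damaged copy verifies:", verify_armor(damaged))
```

Note that the CRC is an integrity check against accidental corruption only; authenticity of the content still comes from the OpenPGP signature inside the armor, which `gpg --verify` checks.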

## Renew sub-keys

1. Setup the environment with the loaded master key in an airgapped system: https://github.com/drduh/YubiKey-Guide#setup-environment
2. Edit the expiry date and export the public key: https://github.com/drduh/YubiKey-Guide#renewing-sub-keys

```sh
gpg --edit-key $KEYID
key 2  # Select the subkey that needs to be extended; repeat for each of them (2, 3, 4): Sign, Encrypt, Authenticate
expire
3y
save
gpg --armor --export $KEYID > "$KEYID-public.asc"
gpg --armor --export-secret-keys $KEYID > "$KEYID-private-subkeys.key"
```

3. Load the public key into the devices that use it (phone, laptop, etc.)

```sh
gpg --import "$KEYID-public.asc"
```
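The `sec#` and `ssb>` markers described under the secret-key listing, and the expiry dates that the renewal procedure above keeps current, are easy to read by eye for one key and tedious across several machines and cards. The Python below is an added example, not part of this page or of GnuPG: it parses a constructed `gpg -K --keyid-format long` listing, reports where each secret key lives (on disk, stub, smartcard) and lists the subkeys that expire within a chosen window, so you know when to run the renewal steps. The function names and the sample listing are this example's own; the regular expression follows the GnuPG 2.2 human-readable listing format.

```python
import re
from datetime import date, timedelta

# Constructed sample of `gpg -K --keyid-format long` output (not real keys):
# a primary key that is only a stub (#) and three subkeys that live on a card (>).
SAMPLE_LISTING = """\
sec#  rsa4096/0x1111111111111111 2021-01-01 [C] [expires: 2031-01-01]
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid                 [ultimate] Example User <user@example.com>
ssb>  rsa4096/0x2222222222222222 2021-01-01 [S] [expires: 2024-03-01]
ssb>  rsa4096/0x3333333333333333 2021-01-01 [E] [expires: 2024-03-01]
ssb>  rsa4096/0x4444444444444444 2021-01-01 [A] [expires: 2024-03-01]
"""

# sec/ssb record, optional location marker, algo[/keyid], creation date,
# capability flags, optional expiry ("expires" for future, "expired" for past).
KEY_LINE = re.compile(
    r"^(?P<rec>sec|ssb)(?P<flag>[#>])?\s+"
    r"(?P<algo>[^\s/]+)(?:/(?P<keyid>\S+))?\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2})\s+"
    r"\[(?P<usage>[CSEA]+)\]"
    r"(?:\s+\[(?P<exp_kind>expires|expired): (?P<expiry>\d{4}-\d{2}-\d{2})\])?"
)

LOCATION = {
    None: "on disk",
    "#": "stub (secret key not on this machine)",
    ">": "on smartcard",
}


def parse_listing(text):
    """Return one dict per sec/ssb line; uid and fingerprint lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        keys.append({
            "record": m["rec"],
            "keyid": m["keyid"],          # None unless --keyid-format was used
            "algo": m["algo"],
            "usage": m["usage"],          # C=certify, S=sign, E=encrypt, A=authenticate
            "location": LOCATION[m["flag"]],
            "created": date.fromisoformat(m["created"]),
            "expiry": date.fromisoformat(m["expiry"]) if m["expiry"] else None,
            "expired": m["exp_kind"] == "expired",
        })
    return keys


def expiring_subkeys(keys, today_iso, within_days=90):
    """Key IDs of subkeys already expired or expiring within `within_days` of `today_iso`."""
    cutoff = date.fromisoformat(today_iso) + timedelta(days=within_days)
    return [
        k["keyid"] for k in keys
        if k["record"] == "ssb" and k["expiry"] is not None and k["expiry"] <= cutoff
    ]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for k in parsed:
        print(f'{k["record"]} {k["keyid"]} [{k["usage"]}] {k["location"]}, expires {k["expiry"]}')
    print("renew soon:", expiring_subkeys(parsed, "2024-01-15"))
```

To run it against a real machine, feed it the output of `gpg -K --keyid-format long` instead of `SAMPLE_LISTING`; for scripting at scale, `gpg --with-colons` is the stable machine-readable format, and the same location information then sits in the record's serial-number field.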

## Yubikey

I routinely swap between two YubiKeys, the Nano in my docking station and the Neo on my keychain. I have the same encryption and authentication keys on both YubiKeys and distinct signing keys on each. In order to swap between which YubiKey I want to use, I do the following:

```sh
killall gpg-agent
rm -r ~/.gnupg/private-keys-v1.d/
# Plug in the new YubiKey to load the keys
gpg --card-status
# gpg --card-edit
```

Note: make sure the card is visible; `gpg --card-status` also notifies gpg which keys are available on the current card. Now the alternate card should be usable. If it's not, unplug the YubiKey and repeat steps 1-4 again; it should work the second time. I've found the command `gpg-connect-agent updatestartuptty /bye` can also be helpful.

This process should help you when you are creating the YubiKeys as well. gpg-agent keeps track of the YubiKey card ID; to tell gpg-agent to relearn the serial number of the smartcard:

```sh
gpg-connect-agent "scd serialno" "learn --force" /bye
```

### Yubikey with OpenKeyChain and Password Store

1. Export the public key as a file

```sh
gpg --armor --export [email protected] > mykey.asc
```

   * Or: share it with the QR code scanning option from the OpenKeyChain Android app
2. Transfer the file to your Android phone
3. Import the key via the UI. The key is now loaded into the app, but it cannot be used yet: we still need to let OpenKeyChain know that it is on the YubiKey
4. Import the key from the YubiKey. This makes the imported key available for other apps like Password Store

### Change Admin PIN

One can change the PIN and Admin PIN using this command:

```sh
gpg --change-pin
```

### Require Touch

* Signing

```sh
ykman openpgp set-touch sig on
```

* Encryption

```sh
ykman openpgp set-touch enc on
```

* Authentication

```sh
ykman openpgp set-touch aut on
```

* Turn it off: on -> off

```sh
ykman openpgp set-touch sig off
ykman openpgp set-touch enc off
ykman openpgp set-touch aut off
```

## SSH setup

* To use a GPG key instead of an SSH one, follow the instructions there
* If the agent complains that it can't `sign_and_send_pubkey: signing failed...`, run this and try again:

```sh
gpg-connect-agent updatestartuptty /bye
```

* Generate a resident key on the security key:

```sh
ssh-keygen -t ecdsa-sk -O resident
```

The resident key can be loaded directly from the security key.

* To use the SSH key on a new computer until it is rebooted:

```sh
ssh-add -K
```

* To permanently import the key:

```sh
ssh-keygen -K
```

And then move the two generated files `id_ecdsa_sk_rk` and `id_ecdsa_sk_rk.pub` to your ssh directory.

* Display the ssh public key

```sh
ssh-add -L
```

### Github setup

* Go to the config file in the `.git` folder of the project and change the https:// to:

```sh
[remote "origin"]
  url = [email protected]:<repo-path>
```

## Setup

## Resources