Gpg keys: Difference between revisions
Revision as of 02:57, 29 May 2022
Basics
GPG keys are what you use to encrypt/decrypt text.
A user account will frequently have several public keys installed by other programs (ex: tor).
It is strongly encouraged to work with keys in a hierarchy.
- Day-to-day you interact with a master key
- Underneath it are several subkeys, limited in scope.
GPG keys can be assigned multiple identities.
Manage
gpg --list-keys          # list all keys
gpg --list-public-keys   # list pub keys
gpg --list-secret-keys   # list prv keys
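Listing keys is also the starting point for checking whether a machine actually follows the hierarchy described in Basics (master key kept offline, only limited subkeys on day-to-day devices). The script below is an added example, not from the wiki page: it reads the machine-readable form of the listing (`gpg --with-colons --list-secret-keys`) and reports primary secret keys that are fully present on this machine, plus keys and subkeys with no expiry or with a past expiry. The field positions follow GnuPG's colon format (field 1 record type, 5 key id, 7 expiry as epoch seconds, 12 capabilities, 15 `+` for a present secret key or `#` for a stub); the sample listing is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a secret-key listing for the
# master/subkey hierarchy. Assumptions: POSIX sh + awk; input is GnuPG's
# --with-colons format as described in the lead-in.

# Constructed sample listing: the first key has its master secret present
# on this machine (field 15 '+', no expiry); the second is a cert-only
# master stub ('#') whose encryption subkey expires at epoch 1700000000.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1653788000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444:
uid:u::::1653788000::HASH::Foo <foo@domain.com>::::::::::0:
ssb:u:4096:1:1122334455667788:1653788000::::::s:::+:::23:
sec:u:4096:1:FEDCBA9876543210:1653788000:1700000000::u:::c:::#:::23::0:
fpr:::::::::FFFF0000BBBB1111CCCC2222DDDD3333EEEE5555:
uid:u::::1653788000::HASH::Bar <bar@domain.com>::::::::::0:
ssb:u:4096:1:8877665544332211:1653788000:1700000000:::::e:::+:::23:'

# audit_keyring NOW < listing
# NOW is the current time as epoch seconds (e.g. `date +%s`).
# Prints one finding per line:
#   MASTER-ONLINE <keyid> (<caps>)  primary secret key present, not a stub
#   NO-EXPIRY sec|ssb <keyid>       key/subkey never expires
#   EXPIRED   sec|ssb <keyid>       expiry is in the past
audit_keyring() {
    now=$1
    awk -F: -v now="$now" '
        $1 == "sec" || $1 == "ssb" {
            if ($1 == "sec" && $15 == "+")
                printf "MASTER-ONLINE %s (%s)\n", $5, $12
            if ($7 == "")
                printf "NO-EXPIRY %s %s\n", $1, $5
            else if ($7 + 0 < now)
                printf "EXPIRED %s %s\n", $1, $5
        }'
}

# Run the audit over the constructed sample (NOW given as argument).
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_keyring "$1"
}

# Run the audit over the real keyring of the current user.
audit_live() {
    gpg --with-colons --list-secret-keys | audit_keyring "$(date +%s)"
}
```

On a device that only received subkeys from the USB procedure below, every `sec` record should be a `#` stub, so any `MASTER-ONLINE` line means a master secret key has been copied onto the machine. The `NO-EXPIRY` findings are informational: the page deliberately creates non-expiring keys, but they are worth knowing about when keys are published to a keyserver.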
Export
# export public-key
gpg \
  --homedir ~/foo-gpg `# (opt) alt homedir` \
  --armor `# (opt) only ascii chars` \
  --export foo@domain.com \
  > foo@domain.com.pub

# export private-key
gpg \
  --homedir ~/foo-gpg `# (opt) alt homedir` \
  --armor `# (opt) only ascii chars` \
  --export-secret-keys foo@domain.com \
  > foo@domain.com.prv
Import
# import key (pub/prv)
gpg --import keyname.pub

# trust imported key
gpg --edit-key keyname
gpg> trust
gpg> 5
gpg> quit

# scripted trust imported key
echo -e "5\ny\n" | gpg --command-fd 0 --edit-key keyname trust
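Trusting a key ultimately right after import only makes sense if the file really is the key you expected, so the check worth scripting is the fingerprint comparison. The script below is an added example, not from the wiki page: it shows a key file's primary fingerprint without importing it, imports only on a match with the fingerprint obtained out-of-band, and then sets ownertrust through `--import-ownertrust` instead of piping answers into the `trust` menu. It assumes POSIX sh with awk and GnuPG 2.1 or later on PATH; the key file name, fingerprints and the colon-format sample are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify-then-import with scripted
# ownertrust. Assumptions: POSIX sh + awk, GnuPG >= 2.1 for the live
# functions; all fingerprints and file names are placeholders.
set -eu

# Constructed sample of what `gpg --with-colons --import-options show-only
# --import file` prints for a public key with one encryption subkey:
# field 1 is the record type, field 10 of an 'fpr' record the fingerprint.
SAMPLE_SHOW='pub:-:4096:1:0123456789ABCDEF:1653788000:::-:::scESC::::::23::0:
fpr:::::::::AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444:
uid:-::::1653788000::HASH::Foo <foo@domain.com>::::::::::0:
sub:-:4096:1:1122334455667788:1653788000::::::e::::::23:
fpr:::::::::FFFF0000BBBB1111CCCC2222DDDD3333EEEE5555:'

# Primary-key fingerprint = the first 'fpr' record (subkey fprs follow it).
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Same, applied to the constructed sample.
sample_primary_fpr() {
    printf '%s\n' "$SAMPLE_SHOW" | primary_fpr_from_colons
}

# The number typed at --edit-key's "trust" prompt (1..5) corresponds to the
# value --import-ownertrust expects (2..6): 1 undefined=2 ... 5 ultimate=6.
# Prints one line in the `FINGERPRINT:VALUE:` format of --export-ownertrust.
ownertrust_line() {
    fpr=$1
    case $2 in
        [1-5]) printf '%s:%d:\n' "$fpr" $(( $2 + 1 )) ;;
        *) echo "trust menu choice must be 1..5" >&2; return 1 ;;
    esac
}

# Fingerprint of the primary key inside a key file, without importing it.
file_primary_fpr() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | primary_fpr_from_colons
}

# Import the file only if it carries the expected primary fingerprint,
# then mark it ultimately trusted (menu choice 5, as on the page).
import_if_fingerprint_matches() {
    keyfile=$1
    expected=$2
    actual=$(file_primary_fpr "$keyfile")
    if [ "$actual" != "$expected" ]; then
        echo "refusing import: $keyfile has $actual, expected $expected" >&2
        return 1
    fi
    gpg --batch --import "$keyfile"
    ownertrust_line "$expected" 5 | gpg --import-ownertrust
}

# Usage (placeholder file and fingerprint):
#   import_if_fingerprint_matches foo@domain.com.pub AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444
```

Two practical notes: `--import-ownertrust` keys on the full fingerprint, so it cannot be fooled by a short key id collision the way a `keyname` argument can, and it needs no menu scripting at all. Also, the page's `echo -e "5\ny\n"` form only works in shells whose `echo` understands `-e` (bash); under dash, the default `/bin/sh` on Debian and Ubuntu, `-e` is printed literally and the first answer fed to the menu is wrong.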
Create Keys
Create Master Keys
Create a Key
gpg --full-generate-key   # gen key with all options
gpg --gen-key             # gen key with basic options
# choices:
#   user:  name of gpgkey
#   email: user@server.com (it doesn't really matter)
Create a Revocation Certificate
# If you will be sharing this key with a keyserver,
# Revocation-Certs are a lever you can pull to stop your key
# from being abused if it is ever stolen.
#
# Keep a designated backup USB (offline) to
# store your revocation certificate
#
# Choose Reason '0' since you do not yet know why you
# are revoking the cert.
gpg \
  --output revoke.asc \
  --gen-revoke user@domain.com
Master/Sub Keys
Create multiple purpose-built master gpg-keys on a usb stick.
Export and add subkeys on devices.
Subkeys can be revoked or replaced, but the parent signature remains valid.
Keep a history of subkeys, or you cannot decrypt old messages.
NOTE: primarily useful for publicly exposed keys, for the ability to revoke.
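The hierarchy just described (certify-only master key kept on offline media, working subkeys handed out to devices) can also be built without the interactive `gpg>` menus used in the Creation section, which makes the result reproducible on a fresh stick. The script below is an added example, not from the wiki page: it generates a 4096-bit RSA master key with only the certify capability via a `--batch --gen-key` parameter file (carrying the same `setpref` preference list the page sets), adds a signing and an encryption subkey with `--quick-add-key`, and exports the subkeys with `--export-secret-subkeys` so the master secret key is replaced by a stub. It assumes GnuPG 2.1 or later and POSIX sh; the homedir, name, e-mail address and passphrase are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example (not from the wiki page): non-interactive version of the
# master-key-on-usb / subkeys-on-devices procedure. Assumptions: GnuPG >= 2.1
# on PATH, POSIX sh; all arguments are placeholders chosen by the caller.
set -eu

# Parameter block for `gpg --batch --gen-key`: certify-only master key
# (no sign/encrypt capability, so daily use must go through subkeys),
# never expires, protected by the given passphrase, with the page's
# cipher/hash/compression preferences applied at creation time.
gen_key_params() {
    name=$1; email=$2; passphrase=$3
    cat <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $name
Name-Email: $email
Expire-Date: 0
Passphrase: $passphrase
Preferences: SHA512 SHA384 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP
%commit
EOF
}

# Fingerprint of the primary key for EMAIL in HOMEDIR (first 'fpr' record).
primary_fingerprint() {
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# create_master_and_subkeys HOMEDIR NAME EMAIL PASSPHRASE
# HOMEDIR is meant to be on the usb stick, e.g. /mnt/usb/gpg/<keyname>.
create_master_and_subkeys() {
    homedir=$1; name=$2; email=$3; passphrase=$4
    mkdir -p "$homedir"
    chmod 700 "$homedir" || true   # not possible on FAT; gpg only warns

    gen_key_params "$name" "$email" "$passphrase" \
        | gpg --homedir "$homedir" --batch --pinentry-mode loopback --gen-key
    fpr=$(primary_fingerprint "$homedir" "$email")

    # One signing and one encryption subkey, RSA 4096, no expiry
    # (the same answers as the page's addkey dialogue: 4 / 4096 / 0).
    for usage in sign encr; do
        gpg --homedir "$homedir" --batch --pinentry-mode loopback \
            --passphrase "$passphrase" \
            --quick-add-key "$fpr" rsa4096 "$usage" never
    done

    # GnuPG >= 2.1 writes a revocation certificate for every generated key
    # into openpgp-revocs.d/ of the homedir; keep it with the offline media.
    echo "revocation certificate: $homedir/openpgp-revocs.d/$fpr.rev"

    # Export only the subkeys; the master secret key becomes a stub in the
    # output, which is what gets copied to day-to-day devices.
    gpg --homedir "$homedir" --batch --pinentry-mode loopback \
        --passphrase "$passphrase" --armor \
        --export-secret-subkeys "$email" > "$homedir.subkeys.asc"
    echo "$homedir.subkeys.asc"
}

# Usage (placeholders): sh this.sh /mnt/usb/gpg/foo "Foo" foo@domain.com 'passphrase'
if [ $# -eq 4 ]; then
    create_master_and_subkeys "$@"
fi
```

Passing the passphrase as an argument keeps the example short but exposes it to the process list; in a real script feed it through `--passphrase-fd` instead. After importing the exported file on a device, `gpg --list-secret-keys` shows the primary as `sec#`, which is the quick way to confirm the master key did not travel with the subkeys.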
Creation
create usb media
# partition-table
sudo fdisk /dev/sdb
  g   # create gpt table
  n   # create partition
  t   # 11 (microsoft basic data)
  w   # write

# create filesystem
sudo mkfs.fat /dev/sdb1

# mount, owned by current user
sudo mkdir -p /mnt/usb
sudo mount -o uid=`id -u`,gid=`id -g` /dev/sdb1 /mnt/usb

# create gpg homedir
mkdir -p /mnt/usb/gpg/${keyname}
create master key
# create master key (WITH PASSPHRASE)
gpg --homedir /mnt/usb/gpg/${keyname} --gen-key

# prefer stronger hashes
gpg --homedir /mnt/usb/gpg/${keyname} --edit-key user@domain.com
gpg> setpref SHA512 SHA384 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP
gpg> save

# create revocation cert
gpg --homedir /mnt/usb/gpg/${keyname} \
  --output '/mnt/usb/user@domain.com.gpg-revocation-certificate' \
  --gen-revoke user@domain.com
gpg> 1   # key has been compromised
gpg>     # description
create subkey
# create signing key
gpg --homedir /mnt/usb/gpg/${keyname} \
  --edit-key user@domain.com
gpg> addkey
gpg> 4      # RSA (sign only)
gpg> 4096   # max size
gpg> 0      # does not expire
gpg> save

# export subkeys (the master secret key is replaced by a stub in the output)
gpg --homedir /mnt/usb/gpg/${keyname} \
  --armor \
  --export-secret-subkeys user@domain.com \
  > /mnt/usb/gpg/${keyname}.gpg.subkey
Usage
import subkey onto machine
# import onto your machine (encrypt/decrypt)
gpg --import /mnt/usb/gpg/${keyname}.gpg.subkey

# trust imported key
gpg --edit-key user@domain.com
gpg> trust
gpg> 5
gpg> quit
encrypt/decrypt using subkey
# encrypt
echo foo \
  | gpg --encrypt -r user@domain.com `# encrypt` \
  | gpg `# decrypt`
Subkey Revocation
revoke
I haven't used this yet.
gpg --import /mnt/usb/
gpg --edit-key user@domain.com
gpg> key1     # select first subkey
gpg> key2     # select second subkey
gpg> revkey   # revoke selected
gpg> save     # write the revocation to the keyring
# distribute revoked key to a keyserver
Delete Keys
gpg --delete-keys keyname
gpg --delete-secret-keys keyname
gpg --delete-secret-and-public-keys keyname