gnupg cheatsheet
Best practices with gpg: use a separate key for each identity, i.e. one key of its own per email account. The keys must not reference each other (no shared UIDs, no signing one key with the other), otherwise the identities become linkable.
general notes
- additional UIDs are part of the public key and are exported with it, so every recipient sees all of them (hence one key per identity)
best practice in general usage
# show public keys from the keyring
gpg -k
# show private keys
gpg -K
# export things with ASCII armor (text instead of binary, safe for mail/paste)
gpg --armor --export KEYID
best practice with PIN/passphrase (in this order)
- enable KDF first (card-edit → admin → kdf-setup); the PINs are set only after KDF is on
- change the admin PIN (default 12345678) ← PW3
- import the key material (keytocard)
- change the user PIN (default 123456) ← PW1
- generate a Reset Code if needed (the reset code only unblocks PW1)
- PW2 is legacy and synced to PW1 by the card
show the recognized card
# if no card is found, check that scdaemon (or pcscd) is running
gpg --card-status
Reader ...........: 20A0:4211:FSIJ-1.2.15-AABBCCDD:0
Application ID ...: D276000124010200FF0AABBCCDD0000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: AABBCCDD
Name of cardholder: pseudo
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: on
gpg --card-edit
<interactive command prompt; type help to list commands, admin to unlock the admin commands>
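The PIN/KDF items above can be checked mechanically against the `gpg --card-status` dump. The following is an added example (not part of the cheatsheet): it parses the status text and reports deviations from the best practice. The embedded sample is the status shown on this page with the locale strings translated; the serial numbers are the page's placeholders. The reading of the three "PIN retry counter" values as PW1 / Reset Code / PW3 follows the OpenPGP card's PW status bytes.

```python
"""Check a `gpg --card-status` dump against the PIN/KDF best practices above.

Added example, not from the original cheatsheet.
"""
from __future__ import annotations

import re

# Constructed sample: the `gpg --card-status` output shown above.
SAMPLE_CARD_STATUS = """\
Reader ...........: 20A0:4211:FSIJ-1.2.15-AABBCCDD:0
Application ID ...: D276000124010200FF0AABBCCDD0000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: AABBCCDD
Name of cardholder: pseudo
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: on
"""

# "Label ....: value" -- the label may itself contain a dot ("Max. PIN lengths").
FIELD_RE = re.compile(r"^(?P<label>.+?)[ .]*:\s?(?P<value>.*)$")


def parse_card_status(text: str) -> dict[str, str]:
    """Map each status label to its value; unparseable lines are skipped."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("label")] = m.group("value").strip()
    return fields


def check_card(fields: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the card matches the best practice."""
    findings: list[str] = []
    if fields.get("KDF setting") != "on":
        findings.append("KDF off: enable it first (card-edit > admin > kdf-setup), "
                        "then set the PINs; without KDF the card receives and compares raw PINs")
    if fields.get("Signature PIN") != "forced":
        findings.append("Signature PIN not forced: one PIN entry allows unlimited "
                        "signatures until the card is powered off")
    counters = fields.get("PIN retry counter", "").split()
    if len(counters) == 3:
        # Order follows the card's PW status bytes: PW1 (user), Reset Code, PW3 (admin).
        pw1, reset_code, pw3 = (int(c) for c in counters)
        if pw1 == 0:
            findings.append("user PIN (PW1) is blocked")
        if pw3 == 0:
            findings.append("admin PIN (PW3) is blocked; the card may need a factory reset")
        if reset_code == 0:
            findings.append("no reset code: a blocked PW1 can only be unblocked with PW3")
    # Slots are sign / encrypt / auth; flag short RSA keys (the page uses Curve 25519).
    for slot, attr in zip(("sign", "encrypt", "auth"), fields.get("Key attributes", "").split()):
        m = re.fullmatch(r"rsa(\d+)", attr)
        if m and int(m.group(1)) < 3072:
            findings.append(f"{slot} key is {attr}: below 3072 bits")
    return findings


if __name__ == "__main__":
    status = parse_card_status(SAMPLE_CARD_STATUS)
    for finding in check_card(status) or ["card matches the best practice"]:
        print(finding)
```

Feed it real output with `gpg --card-status | python3 check_card.py` style plumbing (read `sys.stdin` instead of the constant); the labels are gpg's English strings, so run gpg with `LANG=C` if your locale translates them.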
generate master key
gpg2 --expert --full-gen-key
(9) ECC and ECC
(1) Curve 25519
//because of this: http://safecurves.cr.yp.to/index.html
3y
//an expiry forces a periodic renewal; 3 years is long enough to be workable with humans
//or keep it unlimited: if the key is ever compromised, the revocation certificate is the answer anyway
//optional: add the name/synonym and the first email
gpg --edit-key name/synonym
adduid
list [the trust of the new uid is not yet 'ultimate'; it will be after save]
uid [n] //select the uid that should become the primary uid
primary //flag the selected uid as primary
save
after creating all needed master keys, export each public key and generate its revocation certificate; print the revocation certificate and store the hardcopy offline (gpg 2.1+ also writes one automatically to ~/.gnupg/openpgp-revocs.d/)
for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
do
    gpg --armor --export --output "$mail.pub" "$mail"
    # --gen-revoke needs the key to revoke as its argument
    gpg --armor --output "revoc_$mail.asc" --gen-revoke "$mail"
done
renew the expiry date (keys on a smartcard, here a Gnuk)
# first mount the encrypted folder holding the offline keyring with the full secret keys
gpg --list-keys
gpg --expert --edit-key #KEYID
# 'expire' applies to the selected subkey(s); with no subkey selected it changes the primary key
<key 0>
<key 1>
<expire>
1y
<key 1>
<key 2>
<expire>
...
<save>
gpg --expert --edit-key #KEYID
<key 0>
<key 1>
keytocard
quit
# answer "no" to "Save changes?" and "yes" to "Quit without saving?": saving would replace the
# secret keys in the offline keyring with card stubs (the expiry lives in the self-signature, not in the key material)
then export the refreshed public keys with the new date (the new expiry is a self-signature on the public key, so it has to be redistributed):
for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
do
    gpg --armor --export --output "$mail.pub" "$mail"
done
after importing those keys, at least GPA needs a restart; otherwise it does not reread them.