gnupg-root/gpg-howto.md
2022-06-05 11:49:31 +02:00


gnupg cheatsheet

Best practices with gpg: use a separate key for each identity. This means a key of its own for each email account, and the identities should not be cross-referenced.

general notes

  • additional uids are bundled with the public key, so everyone who has the key sees all identities on it

best practice in general usage

# show public keys from the keyring
gpg -k
# show private keys
gpg -K
# export things with ascii armor (text output instead of binary)
gpg --armor --export #KEYID

best practice with PIN/passphrase

  1. activate KDF (key derivation function for the PINs) on the card
  2. change the admin PIN (default 12345678) ← PW3
  3. import the key material
  4. change the user PIN (default 123456) ← PW1
  5. generate a Reset Code if needed (the reset code only applies to PW1)
  • PW2 is legacy and is kept in sync with PW1 by the card

show recognized card

#check for scdaemon or pcscd
gpg --card-status
Reader ...........: 20A0:4211:FSIJ-1.2.15-AABBCCDD:0
Application ID ...: D276000124010200FF0AABBCCDD0000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: AABBCCDD
Name of cardholder: pseudo  
Language prefs ...: [nicht gesetzt]
Salutation .......: 
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: on
gpg --card-edit
<internal cmd structure>
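The PIN steps above only help if they actually took effect on the card. As an added example (not part of the cheatsheet), this POSIX shell snippet parses `gpg --card-status` output and checks that KDF is on and that no PIN is blocked; the three values of "PIN retry counter" are PW1, reset code and PW3 in that order. The sample status text is a trimmed copy of the output shown above, with the same placeholder serial; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the cheatsheet: sanity check of "gpg --card-status"
# output after applying the PIN best practices (KDF on, no blocked PIN).

# card_field LABEL - read card-status text on stdin, print the value of LABEL
# (the dot padding between label and colon is ignored)
card_field() {
    sed -n "s/^$1[ .]*: *//p"
}

# card_hygiene_check - read card-status text on stdin; return 0 when the card
# reports KDF on and PW1/PW3 retry counters above 0, otherwise report and return 1
card_hygiene_check() {
    status=$(cat)
    ok=0
    if [ "$(printf '%s\n' "$status" | card_field 'Application type')" != "OpenPGP" ]; then
        echo "not an OpenPGP card application" >&2
        return 1
    fi
    kdf=$(printf '%s\n' "$status" | card_field 'KDF setting')
    if [ "$kdf" != "on" ]; then
        echo "KDF is '$kdf': enable it before importing key material" >&2
        ok=1
    fi
    # "PIN retry counter : 3 3 3" = PW1, reset code, PW3
    retries=$(printf '%s\n' "$status" | card_field 'PIN retry counter')
    set -- $retries
    if [ $# -ne 3 ]; then
        echo "unexpected retry counter line: '$retries'" >&2
        return 1
    fi
    if [ "$1" -eq 0 ]; then echo "user PIN (PW1) is blocked" >&2; ok=1; fi
    if [ "$2" -eq 0 ]; then echo "note: reset code is unset or blocked" >&2; fi
    if [ "$3" -eq 0 ]; then echo "admin PIN (PW3) is blocked" >&2; ok=1; fi
    return $ok
}

# Constructed sample: trimmed copy of the card-status output on the page
SAMPLE_STATUS='Reader ...........: 20A0:4211:FSIJ-1.2.15-AABBCCDD:0
Application ID ...: D276000124010200FF0AABBCCDD0000
Application type .: OpenPGP
Version ..........: 2.0
Key attributes ...: ed25519 cv25519 ed25519
PIN retry counter : 3 3 3
KDF setting ......: on'

# Usage: gpg --card-status | sh card_check.sh check
#        sh card_check.sh sample   (runs the check on the embedded sample)
case "${1:-}" in
    check)  card_hygiene_check && echo "card: OK" ;;
    sample) printf '%s\n' "$SAMPLE_STATUS" | card_hygiene_check && echo "sample card: OK" ;;
esac
```

A reset-code counter of 0 is only reported, not treated as a failure, because a card without a reset code is a valid (if less convenient) configuration; a PW1 or PW3 counter of 0 means that PIN is already blocked.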

generate master key

gpg2 --expert --full-gen-key
(9) ECC and ECC
(1) Curve 25519
//because of this: http://safecurves.cr.yp.to/index.html
3y
//expiry: three years, because managing renewals is already hard enough in real life with humans
//or keep it unlimited: either the key is safe or you have a real-world problem anyway

//optional: add the name/synonym and the first email

gpg --edit-key name/synonym
adduid
list [the trust is not yet 'ultimate', but after a save it will be]
uid [n] //adjust primary uid
primary
save

After creating all needed master keys, generate the revocation certificates and store them as hardcopy, offline.

# loop over every uid mail address: export the public key and create its revocation certificate
for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
do
  gpg --armor --export --output "$mail".pub "$mail"
  gpg --armor --output revoc_"$mail".asc --gen-revoke "$mail"
done
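The loop above scrapes mail addresses out of the human-readable listing and selects keys by that address, which breaks when two keys share one mail. As an added example (not part of the cheatsheet, and also usable for the export loop at the end of the page), here is the same step driven by `gpg --list-keys --with-colons`, the machine-readable listing: in that format the `fpr` record following a `pub` record carries the primary fingerprint in field 10, each `uid` record carries the user id in field 10, and the `fpr` after a `sub` record is the subkey and is skipped. Every gpg call is keyed by fingerprint. The sample listing is constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the cheatsheet: export public keys and generate
# revocation certificates from "gpg --list-keys --with-colons" output.

# key_mails - read a colon listing on stdin, print "<primary fpr> <mail>" per uid
key_mails() {
    awk -F: '
        $1 == "pub" { want_fpr = 1; fpr = ""; next }
        $1 == "fpr" && want_fpr { fpr = $10; want_fpr = 0; next }
        $1 == "uid" && fpr != "" && match($10, /<[^>]+>/) {
            print fpr, substr($10, RSTART + 1, RLENGTH - 2)
        }
    '
}

# export_key FPR MAIL - armored public key export, file named after the mail
export_key() {
    gpg --armor --export --output "$2.pub" "$1"
}

# revoke_cert FPR MAIL - armored revocation certificate; --gen-revoke asks for
# the reason and the passphrase interactively, exactly as in the loop above
revoke_cert() {
    gpg --armor --output "revoc_$2.asc" --gen-revoke "$1"
}

# Constructed sample listing: one primary key with two uids and one subkey
SAMPLE_LISTING='tru::1:1654420000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1654420000:1749028000::u:::scESC:::::ed25519:::0:
fpr:::::::::AABBCCDDEEFF00112233445566778899AABBCCDD:
uid:u::::1654420000::1122334455667788990011223344556677889900::Alice Example <alice@example.org>::::::::::0:
uid:u::::1654420000::2233445566778899001122334455667788990011::Alice Example (work) <alice@example.com>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1654420000:1749028000:::::e:::::cv25519::
fpr:::::::::99887766554433221100FFEEDDCCBBAA99887766:'

# Usage: sh export_keys.sh run     (exports and revokes every uid of every key)
#        sh export_keys.sh sample  (shows what the parser extracts from the sample)
case "${1:-}" in
    run)
        gpg --list-keys --with-colons | key_mails | while read -r fpr mail; do
            export_key "$fpr" "$mail"
            revoke_cert "$fpr" "$mail"
        done
        ;;
    sample)
        printf '%s\n' "$SAMPLE_LISTING" | key_mails
        ;;
esac
```

Keying the export on the fingerprint rather than the mail address also means a key with several uids is exported once per uid under each address, but always from the same key, so no file is silently overwritten by a different key that happens to carry the same address.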

renew expiry date on smartcard (aka gnuk)

#mount the encrypted folder holding the .gpg keyring
gpg --list-keys
gpg --expert --edit-key #KEYID
<key 0>
<key 1>
<expire>
1y
<key 1>
<key 2>
<expire>
...
<save>
#now push the refreshed keys to the card again
gpg --expert --edit-key #KEYID
<key 0>
<key 1>
keytocard
quit
#answer no to saving, and confirm that you really, really want to quit without saving:
#the card already holds its copy and the private key material stays in the local keyring

then export the refreshed public keys with the new date:

for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
do
  gpg --armor --export --output "$mail".pub "$mail"
done

After importing those keys, at least GPA needs a restart; otherwise the keys are not re-read.