GnuPG PGP tips & tricks

1 Basics

1.1 export public key

gpg --export -a 'email@example.net'

1.2 export secret key

gpg --export-secret-key -a 'email@example.net'

1.3 import secret key

gpg --allow-secret-key-import --import private.key

1.4 Get details on key, signature, anything

gpg --list-packets -v <something>

Example:

$ gpg  --list-packets -v sig.txt 
gpg: armor header: Version: GnuPG v2.0.22 (GNU/Linux)
:signature packet: algo 1, keyid 6359A4A9B75C2346
	version 4, created 1390864773, md5len 0, sigclass 0x01
	digest algo 8, begin of digest e1 04
	hashed subpkt 2 len 4 (sig created 2014-01-27)
	subpkt 16 len 8 (issuer key ID 6359A4A9B75C2346)
	data: [4095 bits]

2 Yubikey Neo

2.1 Configure yubikey

$ ykpersonalize -m82

Mode 82 (hex) enables the YubiKey NEO as a composite USB device (HID + CCID), so OTPs can still be emitted while the device is in use as a smart card.

Then set up the smart card in GnuPG:

$ gpg --card-edit

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Switch to admin mode

gpg/card> admin
Admin commands are allowed

Generate a new key on the yubikey

gpg/card> generate

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: OpSec MIG Dev Key
Email address: opsec+mig+dev@allizom.org
Comment: Development Key. Do not use in production.
You selected this USER-ID:
    "OpSec MIG Dev Key (Development Key. Do not use in production.) <opsec+mig+dev@allizom.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: 2 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
[remaining attempts: 2]
gpg: please wait while key is being generated ...
gpg: key generation completed (5 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (19 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (15 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key CF292CA2 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: WARNING: signing subkey 36EC6AC4 is not cross-certified
gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:  13  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:  13  signed:  60  trust: 10-, 0q, 0n, 1m, 2f, 0u
gpg: depth: 2  valid:  17  signed:  52  trust: 0-, 0q, 0n, 11m, 6f, 0u
gpg: depth: 3  valid:  42  signed:  78  trust: 1-, 12q, 0n, 19m, 10f, 0u
gpg: depth: 4  valid:  12  signed:  23  trust: 0-, 10q, 0n, 0m, 2f, 0u
gpg: next trustdb check due at 2014-03-28
pub   2048R/CF292CA2 2014-01-28
      Key fingerprint = 150B 6410 1D46 4B53 FCB6  21DC DE64 B4E8 CF29 2CA2
uid                  OpSec MIG Dev Key (Development Key. Do not use in production.) <opsec+mig+dev@allizom.org>
sub   2048R/EC0073B5 2014-01-28
sub   2048R/F9C6DACB 2014-01-28

2.2 Understand Yubikey storage

The YubiKey holds the key material; only a stub is stored in the secring on the local machine. The key material cannot be exported from the card, so if you lose the YubiKey, you lose the private GPG key forever. The stub on the local machine can be exported and inspected. It looks almost like any other GPG private key, except that it contains no key material: instead, each (sub)key packet carries gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0, followed by the card's serial number.

$ gpg --export-secret-keys -a opsec+mig-dev@allizom.org > opsecmigdevallizom.key 
$ gpg --list-packets -v opsecmigdevallizom.key 
gpg: armor header: Version: GnuPG v1
:secret key packet:
	version 4, algo 1, created 1390925294, expires 0
	skey[0]: [2048 bits]
	skey[1]: [17 bits]
	gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
	serial-number:  d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
	keyid: F0B040DFB52D84E0
:user ID packet: "OpSec MIG DEV (MIG DEVELOPMENT KEY. DO NOT USE IN PRODUCTION!) <opsec+mig-dev@allizom.org>"
:signature packet: algo 1, keyid F0B040DFB52D84E0
	version 4, created 1390925294, md5len 0, sigclass 0x13
	digest algo 8, begin of digest a9 5f
	hashed subpkt 2 len 4 (sig created 2014-01-28)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
	hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
	hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (key server preferences: 80)
	subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0)
	data: [2048 bits]
:secret sub key packet:
	version 4, algo 1, created 1390925294, expires 0
	skey[0]: [2048 bits]
	skey[1]: [17 bits]
	gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
	serial-number:  d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
	keyid: A10CE0EC68CCAA77
:signature packet: algo 1, keyid F0B040DFB52D84E0
	version 4, created 1390925294, md5len 0, sigclass 0x18
	digest algo 8, begin of digest 63 0e
	hashed subpkt 2 len 4 (sig created 2014-01-28)
	hashed subpkt 27 len 1 (key flags: 20)
	subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0)
	data: [2046 bits]
:secret sub key packet:
	version 4, algo 1, created 1390925294, expires 0
	skey[0]: [2048 bits]
	skey[1]: [17 bits]
	gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
	serial-number:  d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
	keyid: F495A22CD9739759
:signature packet: algo 1, keyid F0B040DFB52D84E0
	version 4, created 1390925294, md5len 0, sigclass 0x18
	digest algo 8, begin of digest 68 4d
	hashed subpkt 2 len 4 (sig created 2014-01-28)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0)
	data: [2048 bits]
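As an added example (not from this page or from GnuPG), the Python below decodes the first packet of a dearmored secret key export (for instance `gpg --dearmor < opsecmigdevallizom.key`) and reports the same fields `--list-packets` prints for it: algorithm, creation time, public MPI sizes, key ID, and whether the secret part is a real key or a gnu-divert-to-card stub with the card serial. The sample packet is constructed in the block with a toy 64-bit modulus; the serial value is the card AID shown in the dump above.

```python
import hashlib
import struct

def parse_old_header(buf):
    """Old-format packet header (RFC 4880 4.2.1); gpg writes these for key packets."""
    ctb = buf[0]
    if ctb & 0xC0 != 0x80 or ctb & 0x03 > 1:
        raise ValueError("only old-format headers with 1- or 2-octet lengths handled")
    tag = (ctb >> 2) & 0x0F                      # 5 = secret key, 7 = secret subkey
    if ctb & 0x03 == 0:
        return tag, 2, buf[1]
    return tag, 3, struct.unpack_from(">H", buf, 1)[0]

def inspect_secret_key(buf):
    """Decode a v4 RSA secret (sub)key packet; report whether its secret part is a card stub."""
    tag, off, length = parse_old_header(buf)
    body = buf[off:off + length]
    version, created, algo = body[0], struct.unpack_from(">I", body, 1)[0], body[5]
    if tag not in (5, 7) or version != 4 or algo not in (1, 2, 3):
        raise ValueError("only v4 RSA secret (sub)key packets handled")
    pos, skey_bits = 6, []
    for _ in range(2):                          # public MPIs n, e (skey[0], skey[1] in --list-packets)
        bits = struct.unpack_from(">H", body, pos)[0]
        skey_bits.append(bits)
        pos += 2 + (bits + 7) // 8
    # v4 fingerprint = SHA-1(0x99 || 2-byte length || public key fields); key ID = its low 64 bits
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", pos) + body[:pos]).hexdigest().upper()
    info = {"tag": tag, "algo": algo, "created": created, "skey_bits": skey_bits,
            "keyid": fpr[-16:], "stub": False}
    usage, pos = body[pos], pos + 1             # 0 = plaintext secret MPIs follow; 254/255 = S2K follows
    # GNU extension: cipher, S2K mode 101, hash, "GNU", ext byte (1 = dummy, 2 = divert-to-card)
    if usage in (254, 255) and body[pos + 1] == 101 and body[pos + 3:pos + 6] == b"GNU":
        info["stub"], info["gnu_mode"] = True, 1000 + body[pos + 6]
        if info["gnu_mode"] == 1002:            # one length byte, then the card serial number
            info["serial"] = body[pos + 8:pos + 8 + body[pos + 7]].hex()
    return info

def mpi(v):
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian value."""
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def build_stub_packet(n, e, created, serial, tag=5):
    """Constructed sample: v4 RSA secret key packet whose secret part is a divert-to-card stub."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    body += bytes([255, 0, 101, 0]) + b"GNU" + bytes([2, len(serial)]) + serial
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

# Toy 64-bit modulus (real keys are 2048-bit); the serial is the card AID from the dump above.
SAMPLE = build_stub_packet((1 << 63) | 0x1234567, 65537, 1390925294,
                           bytes.fromhex("d2760001240102000000000000010000"))
```

`inspect_secret_key(SAMPLE)` reports `stub: True`, `gnu_mode: 1002` and the serial; a stub found in a backup is a sign that the file does not actually contain the private key.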
en/ressources/astuces/gnupg_pgp.txt · Last modified: 2014/06/09 19:22 (external edit)
CC Attribution-Noncommercial-Share Alike 3.0 Unported