en:ressources:astuces:gnupg_pgp
Table of Contents
GnuPG PGP tips & tricks
- Basics
- export public key
gpg --export -a 'email@example.net'
- export secret key
gpg --export-secret-key -a 'email@example.net'
- import secret key
gpg --allow-secret-key-import --import private.key
- Get details on key, signature, anything
gpg --list-packets -v <something>
Example:
$ gpg --list-packets -v sig.txt gpg: armor header: Version: GnuPG v2.0.22 (GNU/Linux) :signature packet: algo 1, keyid 6359A4A9B75C2346 version 4, created 1390864773, md5len 0, sigclass 0x01 digest algo 8, begin of digest e1 04 hashed subpkt 2 len 4 (sig created 2014-01-27) subpkt 16 len 8 (issuer key ID 6359A4A9B75C2346) data: [4095 bits]
- Yubikey Neo
- Configure yubikey
$ ykpersonalize -m82
<note> Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while in use as a smart card </note> Then setup the smard card in gnupg:
$ gpg --card-edit Application ID ...: D2760001240102000000000000010000 Version ..........: 2.0 Manufacturer .....: test card Serial number ....: 00000001 Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none]
Switch to admin mode
gpg/card> admin Admin commands are allowed
Generate a new key on the yubikey
gpg/card> generate Please note that the factory settings of the PINs are PIN = `123456' Admin PIN = `12345678' You should change them using the command --change-pin Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: OpSec MIG Dev Key Email address: opsec+mig+dev@allizom.org Comment: Development Key. Do not use in production. You selected this USER-ID: "OpSec MIG Dev Key (Development Key. Do not use in production.) <opsec+mig+dev@allizom.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O gpg: generating new key gpg: 2 Admin PIN attempts remaining before card is permanently locked Please enter the Admin PIN [remaining attempts: 2] gpg: please wait while key is being generated ... gpg: key generation completed (5 seconds) gpg: signatures created so far: 0 gpg: generating new key gpg: please wait while key is being generated ... gpg: key generation completed (19 seconds) gpg: signatures created so far: 1 gpg: signatures created so far: 2 gpg: generating new key gpg: please wait while key is being generated ... gpg: key generation completed (15 seconds) gpg: signatures created so far: 3 gpg: signatures created so far: 4 gpg: key CF292CA2 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: WARNING: signing subkey 36EC6AC4 is not cross-certified gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 3 signed: 13 trust: 0-, 0q, 0n, 0m, 0f, 3u gpg: depth: 1 valid: 13 signed: 60 trust: 10-, 0q, 0n, 1m, 2f, 0u gpg: depth: 2 valid: 17 signed: 52 trust: 0-, 0q, 0n, 11m, 6f, 0u gpg: depth: 3 valid: 42 signed: 78 trust: 1-, 12q, 0n, 19m, 10f, 0u gpg: depth: 4 valid: 12 signed: 23 trust: 0-, 10q, 0n, 0m, 2f, 0u gpg: next trustdb check due at 2014-03-28 pub 2048R/CF292CA2 2014-01-28 Key fingerprint = 150B 6410 1D46 4B53 FCB6 21DC DE64 B4E8 CF29 2CA2 uid OpSec MIG Dev Key (Development Key. Do not use in production.) <opsec+mig+dev@allizom.org> sub 2048R/EC0073B5 2014-01-28 sub 2048R/F9C6DACB 2014-01-28
- Understand Yubikey storage
The yubikey stores the key material, and a stub is stored in the secring on the local machine. The key material cannot be exported. If you lose the key, you lose the private GPG key forever. The stub on the local machine can be exported and inspected. It almost looks like any other GPG private key, with the exception of not containing key material. Instead, each subkey contains gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0.
$ gpg --export-secret-keys -a opsec+mig-dev@allizom.org > opsecmigdevallizom.key
$ gpg --list-packets -v opsecmigdevallizom.key gpg: armor header: Version: GnuPG v1 :secret key packet: version 4, algo 1, created 1390925294, expires 0 skey[0]: [2048 bits] skey[1]: [17 bits] gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0 serial-number: d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00 keyid: F0B040DFB52D84E0 :user ID packet: "OpSec MIG DEV (MIG DEVELOPMENT KEY. DO NOT USE IN PRODUCTION!) <opsec+mig-dev@allizom.org>" :signature packet: algo 1, keyid F0B040DFB52D84E0 version 4, created 1390925294, md5len 0, sigclass 0x13 digest algo 8, begin of digest a9 5f hashed subpkt 2 len 4 (sig created 2014-01-28) hashed subpkt 27 len 1 (key flags: 03) hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3) hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11) hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0) data: [2048 bits] :secret sub key packet: version 4, algo 1, created 1390925294, expires 0 skey[0]: [2048 bits] skey[1]: [17 bits] gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0 serial-number: d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00 keyid: A10CE0EC68CCAA77 :signature packet: algo 1, keyid F0B040DFB52D84E0 version 4, created 1390925294, md5len 0, sigclass 0x18 digest algo 8, begin of digest 63 0e hashed subpkt 2 len 4 (sig created 2014-01-28) hashed subpkt 27 len 1 (key flags: 20) subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0) data: [2046 bits] :secret sub key packet: version 4, algo 1, created 1390925294, expires 0 skey[0]: [2048 bits] skey[1]: [17 bits] gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0 serial-number: d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00 keyid: F495A22CD9739759 :signature packet: algo 1, keyid F0B040DFB52D84E0 version 4, created 1390925294, md5len 0, sigclass 0x18 digest algo 8, begin of digest 68 4d hashed subpkt 2 len 4 (sig created 2014-01-28) hashed subpkt 27 len 1 (key flags: 0C) subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0) data: [2048 bits]
en/ressources/astuces/gnupg_pgp.txt · Last modified: 2024/04/17 10:19 by 127.0.0.1