====== GnuPG PGP tips & tricks ======

===== - Basics =====

==== - export public key ====
<code>
gpg --export -a 'email@example.net'
</code>

==== - export secret key ====
<code>
gpg --export-secret-keys -a 'email@example.net'
</code>

==== - import secret key ====
<code>
gpg --allow-secret-key-import --import private.key
</code>

==== - Get details on key, signature, anything ====
<code>
gpg --list-packets -v <something>
</code>
Example:
<code>
$ gpg --list-packets -v sig.txt
gpg: armor header: Version: GnuPG v2.0.22 (GNU/Linux)
:signature packet: algo 1, keyid 6359A4A9B75C2346
 version 4, created 1390864773, md5len 0, sigclass 0x01
 digest algo 8, begin of digest e1 04
 hashed subpkt 2 len 4 (sig created 2014-01-27)
 subpkt 16 len 8 (issuer key ID 6359A4A9B75C2346)
 data: [4095 bits]
</code>

===== - Yubikey Neo =====
==== - Configure yubikey ====
<code>
$ ykpersonalize -m82
</code>
<note>
Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while in use as a smart card.
</note>
Then set up the smart card in gnupg:
<code>
$ gpg --card-edit

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
</code>
Switch to admin mode:
<code>
gpg/card> admin
Admin commands are allowed

</code>
Generate a new key on the yubikey:
<code>
gpg/card> generate

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: OpSec MIG Dev Key
Email address: opsec+mig+dev@allizom.org
Comment: Development Key. Do not use in production.
You selected this USER-ID:
    "OpSec MIG Dev Key (Development Key. Do not use in production.) <opsec+mig+dev@allizom.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: 2 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
[remaining attempts: 2]
gpg: please wait while key is being generated ...
gpg: key generation completed (5 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (19 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (15 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key CF292CA2 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: WARNING: signing subkey 36EC6AC4 is not cross-certified
gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:  13  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:  13  signed:  60  trust: 10-, 0q, 0n, 1m, 2f, 0u
gpg: depth: 2  valid:  17  signed:  52  trust: 0-, 0q, 0n, 11m, 6f, 0u
gpg: depth: 3  valid:  42  signed:  78  trust: 1-, 12q, 0n, 19m, 10f, 0u
gpg: depth: 4  valid:  12  signed:  23  trust: 0-, 10q, 0n, 0m, 2f, 0u
gpg: next trustdb check due at 2014-03-28
pub   2048R/CF292CA2 2014-01-28
      Key fingerprint = 150B 6410 1D46 4B53 FCB6  21DC DE64 B4E8 CF29 2CA2
uid                  OpSec MIG Dev Key (Development Key. Do not use in production.) <opsec+mig+dev@allizom.org>
sub   2048R/EC0073B5 2014-01-28
sub   2048R/F9C6DACB 2014-01-28
</code>
==== - Understand Yubikey storage ====
The YubiKey holds the key material; only a stub is stored in the secret keyring (secring) on the local machine. The key material cannot be exported from the card, so if you lose the YubiKey you lose the private GPG key forever.
The stub on the local machine can be exported and inspected. It looks almost like any other GPG private key, except that it contains no key material: instead, each key and subkey packet carries **gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0** together with the serial number of the card that holds the key.

<code>
$ gpg --export-secret-keys -a opsec+mig-dev@allizom.org > opsecmigdevallizom.key
</code>
<code>
$ gpg --list-packets -v opsecmigdevallizom.key
gpg: armor header: Version: GnuPG v1
:secret key packet:
 version 4, algo 1, created 1390925294, expires 0
 skey[0]: [2048 bits]
 skey[1]: [17 bits]
 gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
 serial-number:  d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
 keyid: F0B040DFB52D84E0
:user ID packet: "OpSec MIG DEV (MIG DEVELOPMENT KEY. DO NOT USE IN PRODUCTION!) <opsec+mig-dev@allizom.org>"
:signature packet: algo 1, keyid F0B040DFB52D84E0
 version 4, created 1390925294, md5len 0, sigclass 0x13
 digest algo 8, begin of digest a9 5f
 hashed subpkt 2 len 4 (sig created 2014-01-28)
 hashed subpkt 27 len 1 (key flags: 03)
 hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
 hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
 hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
 hashed subpkt 30 len 1 (features: 01)
 hashed subpkt 23 len 1 (key server preferences: 80)
 subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0)
 data: [2048 bits]
:secret sub key packet:
 version 4, algo 1, created 1390925294, expires 0
 skey[0]: [2048 bits]
 skey[1]: [17 bits]
 gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
 serial-number:  d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
 keyid: A10CE0EC68CCAA77
:signature packet: algo 1, keyid F0B040DFB52D84E0
 version 4, created 1390925294, md5len 0, sigclass 0x18
 digest algo 8, begin of digest 63 0e
 hashed subpkt 2 len 4 (sig created 2014-01-28)
 hashed subpkt 27 len 1 (key flags: 20)
 subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0)
 data: [2046 bits]
:secret sub key packet:
 version 4, algo 1, created 1390925294, expires 0
 skey[0]: [2048 bits]
 skey[1]: [17 bits]
 gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
 serial-number:  d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
 keyid: F495A22CD9739759
:signature packet: algo 1, keyid F0B040DFB52D84E0
 version 4, created 1390925294, md5len 0, sigclass 0x18
 digest algo 8, begin of digest 68 4d
 hashed subpkt 2 len 4 (sig created 2014-01-28)
 hashed subpkt 27 len 1 (key flags: 0C)
 subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0)
 data: [2048 bits]
</code>
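As an added example (not from the original page), here is a small Python parser for `gpg --list-packets -v` output that serves both the "Get details" section above and the stub inspection in this section: for each secret (sub)key packet it reports whether the key is a gnu-divert-to-card stub, decodes the RFC 4880 key flags printed as `key flags: NN`, and splits the stub's serial number into the fields `gpg --card-edit` shows (version, manufacturer, serial). The sample dump is constructed from the page's own output, and the AID field layout is assumed from the OpenPGP card specification.

```python
import re
# Constructed sample, abridged from the page's dump: both key packets are card stubs.
SAMPLE_DUMP = """\
:secret key packet:
 gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
 serial-number:  d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
 keyid: F0B040DFB52D84E0
:signature packet: algo 1, keyid F0B040DFB52D84E0
 hashed subpkt 27 len 1 (key flags: 03)
:secret sub key packet:
 gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
 serial-number:  d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
 keyid: A10CE0EC68CCAA77
:signature packet: algo 1, keyid F0B040DFB52D84E0
 hashed subpkt 27 len 1 (key flags: 20)
"""

# RFC 4880 key-flag bits behind the "key flags: NN" (hex) subpacket.
KEY_FLAGS = {0x01: "certify", 0x02: "sign", 0x04: "encrypt-comms",
             0x08: "encrypt-storage", 0x20: "authenticate"}

def decode_flags(value):
    return [name for bit, name in KEY_FLAGS.items() if value & bit]

def decode_aid(hexstr):
    # OpenPGP card AID: RID(5) app(1) version(2) manufacturer(2) serial(4) RFU(2)
    b = bytes.fromhex(hexstr)
    return {"version": f"{b[6]}.{b[7]}", "manufacturer": b[8:10].hex(),
            "serial": b[10:14].hex()}

def parse_keys(dump):
    """One dict per (sub)key: keyid, key flags, and whether it is a card stub."""
    keys, cur = [], {}     # cur: the key packet most recently seen
    for line in dump.splitlines():
        text = line.strip()
        if line.startswith((":secret key packet:", ":secret sub key packet:")):
            cur = {"keyid": None, "on_card": False, "serial": None, "flags": []}
            keys.append(cur)
        elif text.startswith("gnu-divert-to-card"):
            cur["on_card"] = True      # stub only: private material lives on the card
        elif text.startswith("serial-number:"):
            cur["serial"] = text.split(":", 1)[1].replace(" ", "")
        elif text.startswith("keyid:"):
            cur["keyid"] = text.split(":", 1)[1].strip()
        elif m := re.search(r"key flags: ([0-9A-Fa-f]+)", text):
            cur["flags"] = decode_flags(int(m.group(1), 16))  # binding sig follows its key
    return keys

def all_on_card(keys):
    # True only when no key packet in the export carries exportable material.
    return bool(keys) and all(k["on_card"] for k in keys)
```

Running `all_on_card(parse_keys(dump))` over a real stub export confirms that the file contains no usable private material before it is stored alongside other backups.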
en/ressources/astuces/gnupg_pgp.txt · Last modified: 2014/06/09 17:22 (external edit)
CC Attribution-Share Alike 4.0 International