====== GnuPG PGP tips & tricks ======
===== - Basics =====
==== - export public key ====
gpg --export -a 'email@example.net'
==== - export secret key ====
gpg --export-secret-key -a 'email@example.net'
==== - import secret key ====
gpg --allow-secret-key-import --import private.key
==== - Get details on key, signature, anything ====
gpg --list-packets -v
Example:
$ gpg --list-packets -v sig.txt
gpg: armor header: Version: GnuPG v2.0.22 (GNU/Linux)
:signature packet: algo 1, keyid 6359A4A9B75C2346
version 4, created 1390864773, md5len 0, sigclass 0x01
digest algo 8, begin of digest e1 04
hashed subpkt 2 len 4 (sig created 2014-01-27)
subpkt 16 len 8 (issuer key ID 6359A4A9B75C2346)
data: [4095 bits]
===== - Yubikey Neo =====
==== - Configure yubikey ====
$ ykpersonalize -m82
Mode 82 (hex) enables the YubiKey NEO as a composite USB device (HID + CCID), so OTPs can still be emitted while the device is in use as a smart card.
Then set up the smart card in GnuPG:
$ gpg --card-edit
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Switch to admin mode:
gpg/card> admin
Admin commands are allowed
Generate a new key on the YubiKey:
gpg/card> generate
Please note that the factory settings of the PINs are
PIN = `123456' Admin PIN = `12345678'
You should change them using the command --change-pin
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: OpSec MIG Dev Key
Email address: opsec+mig+dev@allizom.org
Comment: Development Key. Do not use in production.
You selected this USER-ID:
"OpSec MIG Dev Key (Development Key. Do not use in production.) <opsec+mig+dev@allizom.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: 2 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN
[remaining attempts: 2]
gpg: please wait while key is being generated ...
gpg: key generation completed (5 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (19 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (15 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key CF292CA2 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: WARNING: signing subkey 36EC6AC4 is not cross-certified
gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 3 signed: 13 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1 valid: 13 signed: 60 trust: 10-, 0q, 0n, 1m, 2f, 0u
gpg: depth: 2 valid: 17 signed: 52 trust: 0-, 0q, 0n, 11m, 6f, 0u
gpg: depth: 3 valid: 42 signed: 78 trust: 1-, 12q, 0n, 19m, 10f, 0u
gpg: depth: 4 valid: 12 signed: 23 trust: 0-, 10q, 0n, 0m, 2f, 0u
gpg: next trustdb check due at 2014-03-28
pub 2048R/CF292CA2 2014-01-28
Key fingerprint = 150B 6410 1D46 4B53 FCB6 21DC DE64 B4E8 CF29 2CA2
uid OpSec MIG Dev Key (Development Key. Do not use in production.) <opsec+mig+dev@allizom.org>
sub 2048R/EC0073B5 2014-01-28
sub 2048R/F9C6DACB 2014-01-28
==== - Understand Yubikey storage ====
The YubiKey stores the key material; only a stub is stored in the secring on the local machine. The key material cannot be exported from the card, so if you lose the YubiKey you lose the private GPG key forever.
The stub on the local machine can be exported and inspected. It looks almost like any other GPG private key, except that it contains no key material: instead, each secret (sub)key packet carries **gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0** together with the serial number of the card that holds the key.
$ gpg --export-secret-keys -a opsec+mig-dev@allizom.org > opsecmigdevallizom.key
$ gpg --list-packets -v opsecmigdevallizom.key
gpg: armor header: Version: GnuPG v1
:secret key packet:
version 4, algo 1, created 1390925294, expires 0
skey[0]: [2048 bits]
skey[1]: [17 bits]
gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
serial-number: d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
keyid: F0B040DFB52D84E0
:user ID packet: "OpSec MIG DEV (MIG DEVELOPMENT KEY. DO NOT USE IN PRODUCTION!) "
:signature packet: algo 1, keyid F0B040DFB52D84E0
version 4, created 1390925294, md5len 0, sigclass 0x13
digest algo 8, begin of digest a9 5f
hashed subpkt 2 len 4 (sig created 2014-01-28)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0)
data: [2048 bits]
:secret sub key packet:
version 4, algo 1, created 1390925294, expires 0
skey[0]: [2048 bits]
skey[1]: [17 bits]
gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
serial-number: d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
keyid: A10CE0EC68CCAA77
:signature packet: algo 1, keyid F0B040DFB52D84E0
version 4, created 1390925294, md5len 0, sigclass 0x18
digest algo 8, begin of digest 63 0e
hashed subpkt 2 len 4 (sig created 2014-01-28)
hashed subpkt 27 len 1 (key flags: 20)
subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0)
data: [2046 bits]
:secret sub key packet:
version 4, algo 1, created 1390925294, expires 0
skey[0]: [2048 bits]
skey[1]: [17 bits]
gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
serial-number: d2 76 00 01 24 01 02 00 00 00 00 00 00 01 00 00
keyid: F495A22CD9739759
:signature packet: algo 1, keyid F0B040DFB52D84E0
version 4, created 1390925294, md5len 0, sigclass 0x18
digest algo 8, begin of digest 68 4d
hashed subpkt 2 len 4 (sig created 2014-01-28)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID F0B040DFB52D84E0)
data: [2048 bits]
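As an added example (not from the original page or from GnuPG), a small Python parser that walks the packets of an exported secret key and reports which secret (sub)key packets are gnu-divert-to-card stubs, returning the card serial embedded in each. The packet stream it parses is constructed inline to mirror the listing above (old-format headers, v4 RSA, usage byte 255 followed by GnuPG's S2K mode 101 with protection mode 2); the modulus values and all function names are assumptions.

```python
import struct
SECRET_KEY, SECRET_SUBKEY = 5, 7   # RFC 4880 packet tags for secret key / secret subkey
GNU_S2K = 101                      # GnuPG's private S2K mode ("GNU extensions")
GNU_DIVERT = b"GNU\x02"            # marker + protection mode 2 = divert-to-card (mode 1 is gnu-dummy)

def mpi(n):
    """Encode an int as an OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def read_mpi(buf, pos):
    """Return (bit length, position after the MPI) without decoding the value."""
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    return bits, pos + 2 + (bits + 7) // 8

def packets(data):
    """Yield (tag, body) for old-format packet headers, which GnuPG uses for tags below 16."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0xC0 != 0x80: raise ValueError("new-format packet header not handled here")
        tag, nlen = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 0x03]
        length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")
        yield tag, data[pos + 1 + nlen:pos + 1 + nlen + length]
        pos += 1 + nlen + length

def describe_secret_key(body):
    """Classify a v4 RSA secret (sub)key body: on-card stub, or key with local secret material."""
    version, created, algo = body[0], struct.unpack(">I", body[1:5])[0], body[5]
    if version != 4 or algo not in (1, 2, 3): raise ValueError("example handles v4 RSA only")
    bits, pos = read_mpi(body, 6)        # public n
    _, pos = read_mpi(body, pos)         # public e
    info = {"bits": bits, "created": created, "stub": False}
    # Usage byte 255 ("simple checksum") is followed by sym algo, S2K mode, hash algo; for mode 101
    # the bytes "GNU"+mode come next, and divert-to-card then carries only the card serial.
    if body[pos] == 255 and body[pos + 2] == GNU_S2K and body[pos + 4:pos + 8] == GNU_DIVERT:
        info.update(stub=True, serial=body[pos + 9:pos + 9 + body[pos + 8]].hex())
    return info

def build_card_stub(tag, created, n, e, serial):
    """Constructed sample: a secret (sub)key packet whose secret part is a divert-to-card stub."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    body += bytes([255, 0, GNU_S2K, 0]) + GNU_DIVERT + bytes([len(serial)]) + serial
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def card_stubs(data):
    """Describe every secret (sub)key packet in an exported key; other packets are skipped."""
    return [describe_secret_key(b) for t, b in packets(data) if t in (SECRET_KEY, SECRET_SUBKEY)]

# Constructed input: the serial is the card application ID shown above; the moduli are placeholders.
CARD_SERIAL = bytes.fromhex("d2760001240102000000000000010000")
SAMPLE = (build_card_stub(SECRET_KEY, 1390925294, (1 << 2047) | 1, 65537, CARD_SERIAL)
          + build_card_stub(SECRET_SUBKEY, 1390925294, (1 << 2047) | 3, 65537, CARD_SERIAL))
```

Running `card_stubs()` over a real `gpg --export-secret-keys` output (dearmored) lets you confirm that every secret packet is a stub pointing at the expected card serial, which is the check to make before assuming a backup of the secring contains anything recoverable.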