ezup.dev

Source Code of Dash Eclipse's Personal Site (ezup.dev)
git clone git://ezup.dev/ezup.dev.git

create-and-use-openpgp-keys.html (8014B)


<!DOCTYPE html>
<html lang="en">
<head>
<!-- 2021-03-21 -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Create and Use OpenPGP Keys</title>
<meta name="generator" content="Org mode">
<meta name="author" content="Dash Eclipse">
<meta name="description" content="How I generate OpenPGP keys and use them">
<meta name="keywords" content="openpgp, pgp, gnupg, gpg, subkey">
<link rel='icon' type='image/x-icon' href='/favicon.svg'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/styles/topnav.css' type='text/css'/>
<link rel='stylesheet' href='/styles/site.css' type='text/css'/>
<link rel='stylesheet' href='/styles/syntax-coloring.css' type='text/css'/>
<link rel='alternate' type='application/rss+xml' title='RSS' href='/blog/rss.xml'>
</head>
<body>
<header id="top" class="status">
<div>
<ul class='topnav'>
<li class='home'><a href='/#dash'>ezup.dev</a></li>
<li><a class='active' href='./'>Blog</a></li>
<li><a href='/#pgp'>PGP</a></li>
<li><a href='/git/' target='_blank'><u>Git</u></a></li>
<li class='right'><a href='/#about'>About</a></li>
</ul>
</div>
</header>
<main id="content">
<header>
<h1 class="title">Create and Use OpenPGP Keys</h1>
<p class="subtitle">Published on 2020-06-30 by Dash Eclipse</p>
</header><p>
In this article I'm going to explain how I generate and use OpenPGP keys.
</p>

<section id="outline-container-org1629fd1" class="outline-2">
<h2 id="org1629fd1"><span class="section-number-2">1</span> Install GnuPG</h2>
<div class="outline-text-2" id="text-1">
<p>
On macOS you can use brew to install GnuPG (<code>brew install gnupg</code>); you will also need the <code>pinentry-mac</code> package if you are going to use it with GUI programs such as Thunderbird with Eng
</p>
</div>
</section>

<section id="outline-container-orgd1d061d" class="outline-2">
<h2 id="orgd1d061d"><span class="section-number-2">2</span> OpenPGP key generation</h2>
<div class="outline-text-2" id="text-2">
<p>
Besides <code>gpg --full-generate-key</code>, you can also create a key with gpg in batch mode<sup><a id="fnr.1" class="footref" href="#fn.1">1</a></sup>.
</p>
<div class="org-src-container">
<pre class="src src-sh">cat &gt;first-last.txt &lt;&lt;EOF
<span class="org-sh-heredoc">%echo Generating a basic OpenPGP key</span>
<span class="org-sh-heredoc">Key-Type: RSA</span>
<span class="org-sh-heredoc">Key-Length: 4096</span>
<span class="org-sh-heredoc">Key-Usage: cert</span>
<span class="org-sh-heredoc">#Subkey-Type: RSA</span>
<span class="org-sh-heredoc">#Subkey-Length: 4096</span>
<span class="org-sh-heredoc">Name-Real: First Last</span>
<span class="org-sh-heredoc">#Name-Comment:</span>
<span class="org-sh-heredoc">Name-Email: user@domain.tld</span>
<span class="org-sh-heredoc">Expire-Date: 30y</span>
<span class="org-sh-heredoc">Passphrase: password</span>
<span class="org-sh-heredoc">%commit</span>
<span class="org-sh-heredoc">%echo done</span>
<span class="org-sh-heredoc">EOF</span>
</pre>
</div>
<p>
Create a key in an ephemeral home directory.
</p>
<div class="org-src-container">
<pre class="src src-sh">mkdir -m700 .gnupg
<span class="org-comment-delimiter">## </span><span class="org-comment">Set the environment variable</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">or pass --homedir .gnupg as an argument</span>
<span class="org-builtin">export</span> <span class="org-variable-name">GNUPGHOME</span>=<span class="org-string">".gnupg"</span>
gpg --batch --generate-key first-last.txt
</pre>
</div>
</div>
</section>

<section id="outline-container-orga272220" class="outline-2">
<h2 id="orga272220"><span class="section-number-2">3</span> Use subkeys</h2>
<div class="outline-text-2" id="text-3">
<p>
I use separate encryption and signing subkeys instead of one key for everything, because it is safer to keep the master key elsewhere and use different keys for different purposes. Debian also recommends using subkeys.<sup><a id="fnr.2" class="footref" href="#fn.2">2</a></sup>
</p>
<div class="org-src-container">
<pre class="src src-sh"><span class="org-comment-delimiter">## </span><span class="org-comment">adduid, (trust, 5,) save</span>
gpg --edit-key user@domain.tld
<span class="org-comment-delimiter">## </span><span class="org-comment">Get the keygrip of the master key</span>
gpg --with-keygrip --list-key &lt;key-id&gt;
<span class="org-comment-delimiter">## </span><span class="org-comment">Export the key and import it into the GPG homedir</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">where you are going to use it, then</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">remove the master key from there</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">and change the password</span>
rm .gnupg/private-keys-v1.d/&lt;keygrip&gt;.key
gpg --edit-key &lt;key-id&gt; passwd
</pre>
</div>
</div>
<div id="outline-container-org30fef6b" class="outline-3">
<h3 id="org30fef6b"><span class="section-number-3">3.1</span> Thunderbird and Enigmail</h3>
<div class="outline-text-3" id="text-3-1">
<p>
I use Thunderbird with Enigmail to send and receive PGP encrypted emails; you can follow <a href="https://ssd.eff.org/en/module/how-use-pgp-mac-os-x">the guide by EFF SSD</a> to set it up. Note that you need to install the <code>pinentry-mac</code> package to use GPG with such GUI programs.
</p>
<div class="org-src-container">
<pre class="src src-sh">brew install pinentry-mac
<span class="org-builtin">echo</span> <span class="org-string">'pinentry-program /usr/local/bin/pinentry-mac'</span> &gt; ~/.gnupg/gpg-agent.conf
</pre>
</div>
</div>
</div>
<div id="outline-container-orgd0924f8" class="outline-3">
<h3 id="orgd0924f8"><span class="section-number-3">3.2</span> Git</h3>
<div class="outline-text-3" id="text-3-2">
<div class="org-src-container">
<pre class="src src-sh">git config --global gpg.program $(<span class="org-builtin">which</span> gpg)
git config --global user.name <span class="org-string">'First Last'</span>
git config --global user.email <span class="org-string">'user@domain.tld'</span>
git config --global user.signingkey &lt;signing_subkey_id&gt;
git config --global commit.gpgsign true
</pre>
</div>
<p>
In case you don't want to sign commits for a specific repo, just run <code>git config commit.gpgsign false</code> in the repo directory.
</p>
</div>
</div>
<div id="outline-container-org3d9e22d" class="outline-3">
<h3 id="org3d9e22d"><span class="section-number-3">3.3</span> pass (the standard unix password manager)</h3>
<div class="outline-text-3" id="text-3-3">
<p>
I use <a href="https://www.passwordstore.org/">pass</a> to manage my passwords, with a different key. pass stores passwords in a git repo; you can also store the <code>$GNUPGHOME</code> in a git repo, or just in the same repo.
I have some config like this in my zsh config <code>~/.zshrc.local</code>:
</p>
<div class="org-src-container">
<pre class="src src-sh"><span class="org-variable-name">PASSWORD_STORE_DIR</span>=<span class="org-string">"$HOME/passwordstore"</span>
<span class="org-builtin">alias</span> <span class="org-variable-name">pass</span>=<span class="org-string">"GNUPGHOME=\"$HOME/passwordstore/.gnupg\" PASSWORD_STORE_DIR=\"$HOME/passwordstore\" pass"</span>
</pre>
</div>
</div>
</div>
</section>
<div id="footnotes">
<h2 class="footnotes">Footnotes: </h2>
<div id="text-footnotes">

<div class="footdef"><sup><a id="fn.1" class="footnum" href="#fnr.1">1</a></sup> <div class="footpara"><p class="footpara">
<a href="https://www.gnupg.org/documentation//manuals/gnupg/Unattended-GPG-key-generation.html">4.5.4 Unattended key generation | The GNU Privacy Guard Manual</a>
</p></div></div>

<div class="footdef"><sup><a id="fn.2" class="footnum" href="#fnr.2">2</a></sup> <div class="footpara"><p class="footpara">
<a href="https://wiki.debian.org/Subkeys">Subkeys | Debian Wiki</a>
</p></div></div>


</div>
</div></main>
</body>
</html>