create-and-use-openpgp-keys.html (8014B)
<!DOCTYPE html>
<html lang="en">
<head>
<!-- 2021-03-21 -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Create and Use OpenPGP Keys</title>
<meta name="generator" content="Org mode">
<meta name="author" content="Dash Eclipse">
<meta name="description" content="How I generate OpenPGP keys and use them">
<meta name="keywords" content="openpgp, pgp, gnupg, gpg, subkey">
<link rel='icon' type='image/x-icon' href='/favicon.svg'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/styles/topnav.css' type='text/css'/>
<link rel='stylesheet' href='/styles/site.css' type='text/css'/>
<link rel='stylesheet' href='/styles/syntax-coloring.css' type='text/css'/>
<link rel='alternate' type='application/rss+xml' title='RSS' href='/blog/rss.xml'>
</head>
<body>
<header id="top" class="status">
<div>
<ul class='topnav'>
<li class='home'><a href='/#dash'>ezup.dev</a></li>
<li><a class='active' href='./'>Blog</a></li>
<li><a href='/#pgp'>PGP</a></li>
<li><a href='/git/' target='_blank'><u>Git</u></a></li>
<li class='right'><a href='/#about'>About</a></li>
</ul>
</div>
</header>
<main id="content">
<header>
<h1 class="title">Create and Use OpenPGP Keys</h1>
<p class="subtitle">Published on 2020-06-30 by Dash Eclipse</p>
</header><p>
In this article I'm going to explain how I generate and use OpenPGP keys.
</p>

<section id="outline-container-org1629fd1" class="outline-2">
<h2 id="org1629fd1"><span class="section-number-2">1</span> Install GnuPG</h2>
<div class="outline-text-2" id="text-1">
<p>
On macOS you can use Homebrew to install GnuPG (<code>brew install gnupg</code>); you will also need the <code>pinentry-mac</code> package if you are going to use it with GUI programs such as Thunderbird with Eng
</p>
</div>
</section>

<section id="outline-container-orgd1d061d" class="outline-2">
<h2 id="orgd1d061d"><span class="section-number-2">2</span> OpenPGP key generation</h2>
<div class="outline-text-2" id="text-2">
<p>
Besides <code>gpg --full-generate-key</code>, you can also create a key with gpg in batch mode<sup><a id="fnr.1" class="footref" href="#fn.1">1</a></sup>.
</p>
<div class="org-src-container">
<pre class="src src-sh">cat &gt;first-last.txt &lt;&lt;EOF
<span class="org-sh-heredoc">%echo Generating a basic OpenPGP key</span>
<span class="org-sh-heredoc">Key-Type: RSA</span>
<span class="org-sh-heredoc">Key-Length: 4096</span>
<span class="org-sh-heredoc">Key-Usage: cert</span>
<span class="org-sh-heredoc">#Subkey-Type: RSA</span>
<span class="org-sh-heredoc">#Subkey-Length: 4096</span>
<span class="org-sh-heredoc">Name-Real: First Last</span>
<span class="org-sh-heredoc">#Name-Comment:</span>
<span class="org-sh-heredoc">Name-Email: user@domain.tld</span>
<span class="org-sh-heredoc">Expire-Date: 30y</span>
<span class="org-sh-heredoc">Passphrase: password</span>
<span class="org-sh-heredoc">%commit</span>
<span class="org-sh-heredoc">%echo done</span>
<span class="org-sh-heredoc">EOF</span>
</pre>
</div>
<p>
Create the key in an ephemeral home directory:
</p>
<div class="org-src-container">
<pre class="src src-sh">mkdir -m700 .gnupg
<span class="org-comment-delimiter">## </span><span class="org-comment">Set the environment variable</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">or pass --homedir .gnupg as an argument</span>
<span class="org-builtin">export</span> <span class="org-variable-name">GNUPGHOME</span>=<span class="org-string">".gnupg"</span>
gpg --batch --generate-key first-last.txt
</pre>
</div>
</div>
</section>

<section id="outline-container-orga272220" class="outline-2">
<h2 id="orga272220"><span class="section-number-2">3</span> Use subkeys</h2>
<div class="outline-text-2" id="text-3">
<p>
I use separate encryption and signing subkeys instead of one key for everything: it is safer to keep the master key elsewhere and use different keys for different purposes. Debian also recommends using subkeys.<sup><a id="fnr.2" class="footref" href="#fn.2">2</a></sup>
</p>
<div class="org-src-container">
<pre class="src src-sh"><span class="org-comment-delimiter">## </span><span class="org-comment">adduid, (trust, 5,) save</span>
gpg --edit-key user@domain.tld
<span class="org-comment-delimiter">## </span><span class="org-comment">Get the keygrip</span>
gpg --with-keygrip --list-key &lt;key-id&gt;
<span class="org-comment-delimiter">## </span><span class="org-comment">Export and import the key into the GPG homedir</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">where you are going to use the key,</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">remove the master key from there</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">and change the password</span>
rm .gnupg/private-keys-v1.d/&lt;keygrip&gt;.key
gpg --edit-key &lt;key-id&gt; passwd
</pre>
</div>
</div>
<div id="outline-container-org30fef6b" class="outline-3">
<h3 id="org30fef6b"><span class="section-number-3">3.1</span> Thunderbird and Enigmail</h3>
<div class="outline-text-3" id="text-3-1">
<p>
I use Thunderbird with Enigmail to send and receive PGP-encrypted emails; you can follow <a href="https://ssd.eff.org/en/module/how-use-pgp-mac-os-x">the guide by EFF SSD</a> to set it up. Note that you need to install the <code>pinentry-mac</code> package to use GPG with such GUI programs.
</p>
<div class="org-src-container">
<pre class="src src-sh">brew install pinentry-mac
<span class="org-builtin">echo</span> <span class="org-string">'pinentry-program /usr/local/bin/pinentry-mac'</span> &gt; ~/.gnupg/gpg-agent.conf
</pre>
</div>
</div>
</div>
<div id="outline-container-orgd0924f8" class="outline-3">
<h3 id="orgd0924f8"><span class="section-number-3">3.2</span> Git</h3>
<div class="outline-text-3" id="text-3-2">
<div class="org-src-container">
<pre class="src src-sh">git config --global gpg.program $(<span class="org-builtin">which</span> gpg)
git config --global user.name <span class="org-string">'First Last'</span>
git config --global user.email <span class="org-string">'user@domain.tld'</span>
git config --global user.signingkey &lt;signing_subkey_id&gt;
git config --global commit.gpgsign true
</pre>
</div>
<p>
If you don't want to sign commits in a specific repo, run <code>git config commit.gpgsign false</code> in that repo's directory.
</p>
</div>
</div>
<div id="outline-container-org3d9e22d" class="outline-3">
<h3 id="org3d9e22d"><span class="section-number-3">3.3</span> pass (the standard unix password manager)</h3>
<div class="outline-text-3" id="text-3-3">
<p>
I use <a href="https://www.passwordstore.org/">pass</a> to manage my passwords, with a different key. pass stores passwords in a git repo; you can also store the <code>$GNUPGHOME</code> in a git repo, or in the same repo.
I have some config like this in my zsh config <code>~/.zshrc.local</code>:
</p>
<div class="org-src-container">
<pre class="src src-sh"><span class="org-variable-name">PASSWORD_STORE_DIR</span>=<span class="org-string">"$HOME/passwordstore"</span>
<span class="org-builtin">alias</span> <span class="org-variable-name">pass</span>=<span class="org-string">"GNUPGHOME=\"$HOME/passwordstore/.gnupg\" PASSWORD_STORE_DIR=\"$HOME/passwordstore\" pass"</span>
</pre>
</div>
</div>
</div>
</section>
<div id="footnotes">
<h2 class="footnotes">Footnotes: </h2>
<div id="text-footnotes">

<div class="footdef"><sup><a id="fn.1" class="footnum" href="#fnr.1">1</a></sup> <div class="footpara"><p class="footpara">
<a href="https://www.gnupg.org/documentation//manuals/gnupg/Unattended-GPG-key-generation.html">4.5.4 Unattended key generation | The GNU Privacy Guard Manual</a>
</p></div></div>

<div class="footdef"><sup><a id="fn.2" class="footnum" href="#fnr.2">2</a></sup> <div class="footpara"><p class="footpara">
<a href="https://wiki.debian.org/Subkeys">Subkeys | Debian Wiki</a>
</p></div></div>

</div>
</div></main>
</body>
</html>
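The article's batch key generation (section 2) and its subkey procedure (section 3) as one non-interactive script. This is an added example, not code from the original post: it assumes GnuPG 2.1 or later on PATH, keeps the article's placeholder name, address and passphrase "password", replaces the interactive `gpg --edit-key ... addkey` step with `--quick-add-key`, and removes the primary secret key from the daily homedir by keygrip exactly as the article does. It then checks the result the way a practitioner would: in `--with-colons` output, field 15 of the `sec` record is `#` when only a stub of the primary is left, which is what `gpg -K` prints as `sec#`. The directory names `offline-home` and `daily-home` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a certify-only primary
# key in a scratch GNUPGHOME, add signing and encryption subkeys, copy the key
# into a second "daily" GNUPGHOME and delete the primary secret key there by
# keygrip, leaving only subkeys on the machine used every day.
# Assumptions: GnuPG 2.1+ on PATH; name, address and passphrase are the
# article's placeholders; the directory names are this example's own.
set -eu

PASSPHRASE=password   # the article's placeholder passphrase

# Write the article's batch parameter file. $1: output path, $2: RSA key length.
write_batch_params() {
    cat >"$1" <<EOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: $2
Key-Usage: cert
Name-Real: First Last
Name-Email: user@domain.tld
Expire-Date: 30y
Passphrase: $PASSPHRASE
%commit
%echo done
EOF
}

# Shorthand: run gpg against a given homedir without any prompts. $1: homedir.
g() {
    home="$1"; shift
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" "$@"
}

# Fingerprint of the primary key: the first "fpr" record in the listing.
primary_fpr() {
    g "$1" --with-colons --list-keys | awk -F: '$1=="fpr" {print $10; exit}'
}

# Keygrip of the primary key: the first "grp" record in the listing belongs to it.
primary_keygrip() {
    g "$1" --with-colons --with-keygrip --list-keys | awk -F: '$1=="grp" {print $10; exit}'
}

# True when only a stub of the primary secret key is present: field 15 of the
# "sec" record is "#" for a stub (shown as "sec#" by gpg -K).
master_is_offline() {
    [ "$(g "$1" --with-colons --list-secret-keys | awk -F: '$1=="sec" {print $15; exit}')" = "#" ]
}

# Generate the key, add subkeys, move it to the daily homedir, drop the primary.
# $1: scratch directory, $2: RSA key length. Prints the primary fingerprint.
setup_subkeys() {
    work="$1"; bits="$2"
    offline="$work/offline-home"   # would live on offline media in real use
    daily="$work/daily-home"       # the homedir on the machine used every day
    mkdir -p -m 700 "$offline" "$daily"

    write_batch_params "$work/first-last.txt" "$bits"
    g "$offline" --generate-key "$work/first-last.txt" 2>/dev/null
    fpr=$(primary_fpr "$offline")

    # Non-interactive "addkey": one signing and one encryption subkey, 2 years each.
    g "$offline" --quick-add-key "$fpr" "rsa$bits" sign 2y 2>/dev/null
    g "$offline" --quick-add-key "$fpr" "rsa$bits" encr 2y 2>/dev/null

    # Export public and secret material, import both into the daily homedir.
    g "$offline" --armor --export "$fpr" >"$work/public.asc"
    g "$offline" --armor --export-secret-keys "$fpr" >"$work/secret.asc"
    g "$daily" --import "$work/public.asc" 2>/dev/null
    g "$daily" --import "$work/secret.asc" 2>/dev/null

    # The article's step: remove the primary's private key file by keygrip.
    rm "$daily/private-keys-v1.d/$(primary_keygrip "$daily").key"
    echo "$fpr"
}

# Sign a file with what the daily homedir still has (the signing subkey) and
# verify the detached signature; non-zero exit if either step fails.
sign_and_verify() {
    g "$1" --yes --output "$2.sig" --detach-sign "$2" 2>/dev/null
    g "$1" --verify "$2.sig" "$2" 2>/dev/null
}

# Stop the agents started for the scratch homedirs so the directory can be removed.
stop_agents() {
    gpgconf --homedir "$1/offline-home" --kill gpg-agent
    gpgconf --homedir "$1/daily-home" --kill gpg-agent
}
```

Run it with `setup_subkeys "$(mktemp -d)" 4096` to mirror the article's key length (RSA 4096 generation takes noticeably longer than 2048). The article's final `passwd` step stays interactive and is deliberately not automated here; changing the passphrase on the daily homedir means a compromise of that machine does not expose the passphrase that protects the offline primary.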