pgp.html (8026B)
<!DOCTYPE html>
<html lang="en">
<head>
<!-- 2020-07-13 -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>OpenPGP Key Generation and Usage</title>
<meta name="generator" content="Org mode">
<meta name="author" content="Dash Eclipse">
<meta name="description" content="How do I generate OpenPGP keys and use it">
<meta name="keywords" content="openpgp, pgp, gnupg, gpg, subkey">
<link rel='icon' type='image/x-icon' href='/favicon.svg'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/styles/topnav.css' type='text/css'/>
<link rel='stylesheet' href='/styles/site.css' type='text/css'/>
<link rel='stylesheet' href='/styles/syntax-coloring.css' type='text/css'/>
<link rel='alternate' type='application/rss+xml' title='RSS' href='/blog/rss.xml'>
</head>
<body>
<header id="top" class="status">
<div>
<ul class='topnav'>
<li class='home'><a href='/#dash'>ezup.dev</a></li>
<li><a class='active' href='./'>Blog</a></li>
<li><a href='/#pgp'>PGP</a></li>
<li><a href='/git/' target='_blank'><u>Git</u></a></li>
<li class='right'><a href='/#about'>About</a></li>
</ul>
</div>
</header>
<main id="content">
<header>
<h1 class="title">OpenPGP Key Generation and Usage</h1>
<p class="subtitle">Published on 2020-06-30 by Dash Eclipse.</p>
</header><p>
In this article I explain how I generate and use OpenPGP keys.
</p>

<section id="outline-container-org05d1dfb" class="outline-2">
<h2 id="org05d1dfb"><span class="section-number-2">1</span> Install GnuPG</h2>
<div class="outline-text-2" id="text-1">
<p>
On macOS you can use brew to install GnuPG (<code>brew install gnupg</code>); you will also need the <code>pinentry-mac</code> package if you are going to use it with GUI programs such as Thunderbird with Eng
</p>
</div>
</section>

<section id="outline-container-org00eba01" class="outline-2">
<h2 id="org00eba01"><span class="section-number-2">2</span> OpenPGP key generation</h2>
<div class="outline-text-2" id="text-2">
<p>
Besides <code>gpg --full-generate-key</code>, you can also create a key with gpg in batch mode<sup><a id="fnr.1" class="footref" href="#fn.1">1</a></sup>.
</p>
<div class="org-src-container">
<pre class="src src-sh">cat >first-last.txt &lt;&lt;EOF
<span class="org-sh-heredoc">%echo Generating a basic OpenPGP key</span>
<span class="org-sh-heredoc">Key-Type: RSA</span>
<span class="org-sh-heredoc">Key-Length: 4096</span>
<span class="org-sh-heredoc">Key-Usage: cert</span>
<span class="org-sh-heredoc">#Subkey-Type: RSA</span>
<span class="org-sh-heredoc">#Subkey-Length: 4096</span>
<span class="org-sh-heredoc">Name-Real: First Last</span>
<span class="org-sh-heredoc">#Name-Comment:</span>
<span class="org-sh-heredoc">Name-Email: user@domain.tld</span>
<span class="org-sh-heredoc">Expire-Date: 30y</span>
<span class="org-sh-heredoc">Passphrase: password</span>
<span class="org-sh-heredoc">%commit</span>
<span class="org-sh-heredoc">%echo done</span>
<span class="org-sh-heredoc">EOF</span>
</pre>
</div>
<p>
Create the key in an ephemeral home directory:
</p>
<div class="org-src-container">
<pre class="src src-sh">mkdir -m700 .gnupg
<span class="org-comment-delimiter">## </span><span class="org-comment">Set the environment variable</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">or pass --homedir .gnupg as an argument</span>
<span class="org-builtin">export</span> <span class="org-variable-name">GNUPGHOME</span>=<span class="org-string">".gnupg"</span>
gpg --batch --generate-key first-last.txt
</pre>
</div>
</div>
</section>

<section id="outline-container-org28b1257" class="outline-2">
<h2 id="org28b1257"><span class="section-number-2">3</span> Use subkeys</h2>
<div class="outline-text-2" id="text-3">
<p>
I use separate encryption and signing subkeys instead of one key for everything, because it is safer to keep your master key elsewhere and use different keys for different purposes. Debian also recommends using subkeys.<sup><a id="fnr.2" class="footref" href="#fn.2">2</a></sup>
</p>
<div class="org-src-container">
<pre class="src src-sh"><span class="org-comment-delimiter">## </span><span class="org-comment">adduid, (trust, 5,) save</span>
gpg --edit-key user@domain.tld
<span class="org-comment-delimiter">## </span><span class="org-comment">Get the keygrip of the master key</span>
gpg --with-keygrip --list-key &lt;key-id&gt;
<span class="org-comment-delimiter">## </span><span class="org-comment">Export and import the key to the GPG homedir</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">where you are going to use the key,</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">remove the master key from there</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">and change the password</span>
rm .gnupg/private-keys-v1.d/&lt;keygrip&gt;.key
gpg --edit-key &lt;key-id&gt; passwd
</pre>
</div>
</div>
<div id="outline-container-orgb570cb2" class="outline-3">
<h3 id="orgb570cb2"><span class="section-number-3">3.1</span> Thunderbird and Enigmail</h3>
<div class="outline-text-3" id="text-3-1">
<p>
I use Thunderbird with Enigmail to send and receive PGP encrypted emails; you can follow <a href="https://ssd.eff.org/en/module/how-use-pgp-mac-os-x">the guide by EFF SSD</a> to set it up. Note that you need to install the <code>pinentry-mac</code> package to use GPG with such GUI programs.
</p>
<div class="org-src-container">
<pre class="src src-sh">brew install pinentry-mac
<span class="org-builtin">echo</span> <span class="org-string">'pinentry-program /usr/local/bin/pinentry-mac'</span> > ~/.gnupg/gpg-agent.conf
</pre>
</div>
</div>
</div>
<div id="outline-container-orgafdbd6c" class="outline-3">
<h3 id="orgafdbd6c"><span class="section-number-3">3.2</span> Git</h3>
<div class="outline-text-3" id="text-3-2">
<div class="org-src-container">
<pre class="src src-sh">git config --global gpg.program $(<span class="org-builtin">which</span> gpg)
git config --global user.name <span class="org-string">'First Last'</span>
git config --global user.email <span class="org-string">'user@domain.tld'</span>
git config --global user.signingkey &lt;signing_subkey_id&gt;
git config --global commit.gpgsign true
</pre>
</div>
<p>
If you don't want to sign commits for a specific repo, just run <code>git config commit.gpgsign false</code> in the repo directory.
</p>
</div>
</div>
<div id="outline-container-orgb021e05" class="outline-3">
<h3 id="orgb021e05"><span class="section-number-3">3.3</span> pass (the standard unix password manager)</h3>
<div class="outline-text-3" id="text-3-3">
<p>
I use <a href="https://www.passwordstore.org/">pass</a> to manage my passwords, with a different key. pass stores passwords in a git repo; you can also store the <code>$GNUPGHOME</code> in a git repo, or just in the same repo.
I have some config like this in my zsh config <code>~/.zshrc.local</code>:
</p>
<div class="org-src-container">
<pre class="src src-sh"><span class="org-variable-name">PASSWORD_STORE_DIR</span>=<span class="org-string">"$HOME/passwordstore"</span>
<span class="org-builtin">alias</span> <span class="org-variable-name">pass</span>=<span class="org-string">"GNUPGHOME=\"$HOME/passwordstore/.gnupg\" PASSWORD_STORE_DIR=\"$HOME/passwordstore\" pass"</span>
</pre>
</div>
</div>
</div>
</section>
<div id="footnotes">
<h2 class="footnotes">Footnotes: </h2>
<div id="text-footnotes">

<div class="footdef"><sup><a id="fn.1" class="footnum" href="#fnr.1">1</a></sup> <div class="footpara"><p class="footpara">
<a href="https://www.gnupg.org/documentation//manuals/gnupg/Unattended-GPG-key-generation.html">4.5.4 Unattended key generation | The GNU Privacy Guard Manual</a>
</p></div></div>

<div class="footdef"><sup><a id="fn.2" class="footnum" href="#fnr.2">2</a></sup> <div class="footpara"><p class="footpara">
<a href="https://wiki.debian.org/Subkeys">Subkeys | Debian Wiki</a>
</p></div></div>

</div>
</div></main>
</body>
</html>
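The procedure from sections 2 and 3 as one non-interactive script, added here and not part of the original post: it generates the certify-only master key from the batch parameter file in a scratch homedir, adds signing and encryption subkeys, exports only the secret subkeys into a second ("laptop") homedir, and checks that the master secret key there is a stub. It assumes GnuPG 2.1 or later on PATH and keeps the post's placeholder name, e-mail and passphrase; the key length is overridable through KEYLEN.

```shell
#!/bin/sh
# Added example, not code from the original post: sections 2 and 3 as one
# non-interactive run. Assumes gpg (GnuPG >= 2.1) is on PATH; the name,
# e-mail and passphrase "password" are the post's placeholders.
set -eu
PASS="password"            # the post's placeholder passphrase; use a real one
KEYLEN="${KEYLEN:-4096}"   # the post uses 4096; smaller only for quick tests

# Unattended-generation parameter file for a certify-only master key.
make_batch_params() {   # $1 name, $2 e-mail, $3 expiry
  printf '%s\n' "%echo Generating a certify-only master key" \
    "Key-Type: RSA" "Key-Length: $KEYLEN" "Key-Usage: cert" \
    "Name-Real: $1" "Name-Email: $2" "Expire-Date: $3" \
    "Passphrase: $PASS" "%commit" "%echo done"
}

# $1 = scratch dir. Generates the master key in $1/master, adds signing and
# encryption subkeys, then fills $1/laptop with the public key and the
# secret *subkeys* only. Prints the primary key fingerprint.
run_workflow() {
  export GNUPGHOME="$1/master"
  mkdir -m700 "$GNUPGHOME"
  make_batch_params "First Last" "user@domain.tld" "30y" >"$1/first-last.txt"
  gpg --batch --quiet --generate-key "$1/first-last.txt"
  fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
  for usage in sign encrypt; do   # subkeys expire well before the master key
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
      --quick-add-key "$fpr" "rsa$KEYLEN" "$usage" 2y
  done
  gpg --batch --export "$fpr" >"$1/pub.gpg"
  gpg --batch --pinentry-mode loopback --passphrase "$PASS" \
    --export-secret-subkeys "$fpr" >"$1/subkeys.gpg"   # master part is a stub
  export GNUPGHOME="$1/laptop"
  mkdir -m700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
    --import "$1/pub.gpg" "$1/subkeys.gpg"
  echo "$fpr"
}

# $1 = homedir. Succeeds only if the master secret key is a stub ("sec#")
# while every subkey ("ssb") is usable: field 15 of --with-colons output is
# "#" for a stub. Changing the passphrase is left to the post's interactive
# "gpg --edit-key <key-id> passwd".
master_secret_absent() {
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys | awk -F: '
    $1=="sec" { n++; if ($15!="#") bad=1 }
    $1=="ssb" { if ($15=="#") bad=1 }
    END { exit (n==0 || bad) }'
}
```

Run `master_secret_absent ~/.gnupg` on the machine you actually use to confirm the master key never landed there.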