Source Code of Dash Eclipse's Personal Site (ezup.dev)
git clone git://ezup.dev/ezup.dev.git

pgp.html (8026B)


<!DOCTYPE html>
<html lang="en">
<head>
<!-- 2020-07-13 -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>OpenPGP Key Generation and Usage</title>
<meta name="generator" content="Org mode">
<meta name="author" content="Dash Eclipse">
<meta name="description" content="How do I generate OpenPGP keys and use it">
<meta name="keywords" content="openpgp, pgp, gnupg, gpg, subkey">
<link rel='icon' type='image/x-icon' href='/favicon.svg'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/styles/topnav.css' type='text/css'/>
<link rel='stylesheet' href='/styles/site.css' type='text/css'/>
<link rel='stylesheet' href='/styles/syntax-coloring.css' type='text/css'/>
<link rel='alternate' type='application/rss+xml' title='RSS' href='/blog/rss.xml'>
</head>
<body>
<header id="top" class="status">
<div>
<ul class='topnav'>
<li class='home'><a href='/#dash'>ezup.dev</a></li>
<li><a class='active' href='./'>Blog</a></li>
<li><a href='/#pgp'>PGP</a></li>
<li><a href='/git/' target='_blank'><u>Git</u></a></li>
<li class='right'><a href='/#about'>About</a></li>
</ul>
</div>
</header>
<main id="content">
<header>
<h1 class="title">OpenPGP Key Generation and Usage</h1>
<p class="subtitle">Published on 2020-06-30 by Dash Eclipse.</p>
</header><p>
In this article I explain how I generate and use OpenPGP keys.
</p>
     39 
<section id="outline-container-org05d1dfb" class="outline-2">
<h2 id="org05d1dfb"><span class="section-number-2">1</span> Install GnuPG</h2>
<div class="outline-text-2" id="text-1">
<p>
On macOS you can use brew to install GnuPG (<code>brew install gnupg</code>). You will also need the <code>pinentry-mac</code> package if you are going to use it with GUI programs such as Thunderbird with Eng
</p>
</div>
</section>
     48 
<section id="outline-container-org00eba01" class="outline-2">
<h2 id="org00eba01"><span class="section-number-2">2</span> OpenPGP key generation</h2>
<div class="outline-text-2" id="text-2">
<p>
Besides <code>gpg --full-generate-key</code>, you can also create a key with gpg in batch mode<sup><a id="fnr.1" class="footref" href="#fn.1">1</a></sup>. The parameter file below creates a certify-only master key; the subkeys are added later.
</p>
<div class="org-src-container">
<pre class="src src-sh">cat &gt;first-last.txt &lt;&lt;EOF
<span class="org-sh-heredoc">%echo Generating a basic OpenPGP key</span>
<span class="org-sh-heredoc">Key-Type: RSA</span>
<span class="org-sh-heredoc">Key-Length: 4096</span>
<span class="org-sh-heredoc">Key-Usage: cert</span>
<span class="org-sh-heredoc">#Subkey-Type: RSA</span>
<span class="org-sh-heredoc">#Subkey-Length: 4096</span>
<span class="org-sh-heredoc">Name-Real: First Last</span>
<span class="org-sh-heredoc">#Name-Comment:</span>
<span class="org-sh-heredoc">Name-Email: user@domain.tld</span>
<span class="org-sh-heredoc">Expire-Date: 30y</span>
<span class="org-sh-heredoc">Passphrase: password</span>
<span class="org-sh-heredoc">%commit</span>
<span class="org-sh-heredoc">%echo done</span>
<span class="org-sh-heredoc">EOF</span>
</pre>
</div>
<p>
Create the key in an ephemeral home directory:
</p>
<div class="org-src-container">
<pre class="src src-sh">mkdir -m700 .gnupg
<span class="org-comment-delimiter">## </span><span class="org-comment">Set the environment variable</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">or pass --homedir .gnupg as an argument</span>
<span class="org-builtin">export</span> <span class="org-variable-name">GNUPGHOME</span>=<span class="org-string">".gnupg"</span>
gpg --batch --generate-key first-last.txt
</pre>
</div>
</div>
</section>
     86 
<section id="outline-container-org28b1257" class="outline-2">
<h2 id="org28b1257"><span class="section-number-2">3</span> Use subkeys</h2>
<div class="outline-text-2" id="text-3">
<p>
I use separate encryption and signing subkeys instead of one key for everything: it is safer to keep the master key somewhere else and use different keys for different purposes. Debian also recommends using subkeys.<sup><a id="fnr.2" class="footref" href="#fn.2">2</a></sup>
</p>
<div class="org-src-container">
<pre class="src src-sh"><span class="org-comment-delimiter">## </span><span class="org-comment">In the edit-key prompt: adduid, (trust, 5,) save</span>
gpg --edit-key user@domain.tld
<span class="org-comment-delimiter">## </span><span class="org-comment">Get the keygrip of the master key</span>
gpg --with-keygrip --list-key &lt;key-id&gt;
<span class="org-comment-delimiter">## </span><span class="org-comment">Export the key and import it into the GPG homedir</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">where you are going to use it, then</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">remove the master key's private part from there</span>
<span class="org-comment-delimiter">## </span><span class="org-comment">and change the passphrase</span>
rm .gnupg/private-keys-v1.d/&lt;keygrip&gt;.key
gpg --edit-key &lt;key-id&gt; passwd
</pre>
</div>
</div>
<div id="outline-container-orgb570cb2" class="outline-3">
<h3 id="orgb570cb2"><span class="section-number-3">3.1</span> Thunderbird and Enigmail</h3>
<div class="outline-text-3" id="text-3-1">
<p>
I use Thunderbird with Enigmail to send and receive PGP-encrypted emails; you can follow <a href="https://ssd.eff.org/en/module/how-use-pgp-mac-os-x">the guide by EFF SSD</a> to set it up. Note that you need to install the <code>pinentry-mac</code> package to use GPG with such GUI programs, and restart gpg-agent after changing its configuration so the new pinentry program is picked up.
</p>
<div class="org-src-container">
<pre class="src src-sh">brew install pinentry-mac
<span class="org-builtin">echo</span> <span class="org-string">'pinentry-program /usr/local/bin/pinentry-mac'</span> &gt; ~/.gnupg/gpg-agent.conf
</pre>
</div>
</div>
</div>
<div id="outline-container-orgafdbd6c" class="outline-3">
<h3 id="orgafdbd6c"><span class="section-number-3">3.2</span> Git</h3>
<div class="outline-text-3" id="text-3-2">
<div class="org-src-container">
<pre class="src src-sh">git config --global gpg.program $(<span class="org-builtin">which</span> gpg)
git config --global user.name <span class="org-string">'First Last'</span>
git config --global user.email <span class="org-string">'user@domain.tld'</span>
git config --global user.signingkey &lt;signing_subkey_id&gt;
git config --global commit.gpgsign true
</pre>
</div>
<p>
In case you don't want to sign commits for a specific repo, just run <code>git config commit.gpgsign false</code> in the repo directory.
</p>
</div>
</div>
<div id="outline-container-orgb021e05" class="outline-3">
<h3 id="orgb021e05"><span class="section-number-3">3.3</span> pass (the standard unix password manager)</h3>
<div class="outline-text-3" id="text-3-3">
<p>
I use <a href="https://www.passwordstore.org/">pass</a> to manage my passwords, with a different key. pass stores passwords in a git repo; you can also store the <code>$GNUPGHOME</code> in a git repo, or in the same repo.
I have config like this in my zsh config <code>~/.zshrc.local</code>:
</p>
<div class="org-src-container">
<pre class="src src-sh"><span class="org-variable-name">PASSWORD_STORE_DIR</span>=<span class="org-string">"$HOME/passwordstore"</span>
<span class="org-builtin">alias</span> <span class="org-variable-name">pass</span>=<span class="org-string">"GNUPGHOME=\"$HOME/passwordstore/.gnupg\" PASSWORD_STORE_DIR=\"$HOME/passwordstore\" pass"</span>
</pre>
</div>
</div>
</div>
</section>
<div id="footnotes">
<h2 class="footnotes">Footnotes: </h2>
<div id="text-footnotes">

<div class="footdef"><sup><a id="fn.1" class="footnum" href="#fnr.1">1</a></sup> <div class="footpara"><p class="footpara">
<a href="https://www.gnupg.org/documentation//manuals/gnupg/Unattended-GPG-key-generation.html">4.5.4 Unattended key generation | The GNU Privacy Guard Manual</a>
</p></div></div>

<div class="footdef"><sup><a id="fn.2" class="footnum" href="#fnr.2">2</a></sup> <div class="footpara"><p class="footpara">
<a href="https://wiki.debian.org/Subkeys">Subkeys | Debian Wiki</a>
</p></div></div>

</div>
</div></main>
</body>
</html>