ezup.dev

Source Code of Dash Eclipse's Personal Site (ezup.dev)
git clone git://ezup.dev/ezup.dev.git

create-and-use-openpgp-keys.org (3808B)


#+TITLE: Create and Use OpenPGP Keys
#+AUTHOR: Dash Eclipse
#+DATE: [2020-06-30 Tue]
#+KEYWORDS: openpgp, pgp, gnupg, gpg, subkey
#+DESCRIPTION: How I generate and use OpenPGP keys
#+OPTIONS: toc:nil

In this article I'm going to explain how I generate and use OpenPGP keys.

* Install GnuPG
  :PROPERTIES:
  :ID:       22D75389-43AB-49A4-B998-B48AF2365397
  :PUBDATE:  <2020-07-02 Thu 21:30>
  :END:
  On macOS you can use brew to install GnuPG (~brew install gnupg~). You will also need the ~pinentry-mac~ package if you are going to use it with GUI programs such as Thunderbird with Enigmail.

* OpenPGP key generation
  :PROPERTIES:
  :ID:       890C9B02-7790-4FAC-80B7-E36F5B3058D0
  :PUBDATE:  <2020-07-02 Thu 21:30>
  :END:
  Besides ~gpg --full-generate-key~, you can also create a key with gpg in batch mode[fn:1]. The parameter file below creates a certify-only master key; the subkey lines are commented out, the subkeys are added later.
  #+BEGIN_SRC sh
    cat >first-last.txt <<EOF
    %echo Generating a basic OpenPGP key
    Key-Type: RSA
    Key-Length: 4096
    Key-Usage: cert
    #Subkey-Type: RSA
    #Subkey-Length: 4096
    Name-Real: First Last
    #Name-Comment:
    Name-Email: user@domain.tld
    Expire-Date: 30y
    Passphrase: password
    %commit
    %echo done
    EOF
  #+END_SRC
  Create the key in an ephemeral home directory:
  #+BEGIN_SRC sh
    mkdir -m700 .gnupg
    ## Set the environment variable
    ## or pass --homedir .gnupg as an argument
    export GNUPGHOME=".gnupg"
    gpg --batch --generate-key first-last.txt
  #+END_SRC

* Use subkeys
  :PROPERTIES:
  :ID:       E5DD933D-DF29-4D17-A703-4306E7F28349
  :PUBDATE:  <2020-07-02 Thu 21:30>
  :END:
  I use encryption and signing subkeys instead of just using one key for everything, because it's safer when you keep your master key elsewhere and use different keys for different purposes. Debian also recommends using subkeys.[fn:2]
  #+BEGIN_SRC sh
    ## In the interactive key editor: addkey (a signing and an
    ## encryption subkey), adduid, (trust, 5 = ultimate,) save
    gpg --edit-key user@domain.tld
    ## Get the keygrip of the master key
    gpg --with-keygrip --list-key <key-id>
    ## Export and import the key into the GPG homedir
    ## where you are going to use it, then remove the
    ## master key's secret part from there
    ## and change the password
    rm .gnupg/private-keys-v1.d/<keygrip>.key
    gpg --edit-key <key-id> passwd
  #+END_SRC
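  A way to check that the working homedir ends up the way this section describes, as an added example that is not part of the article: it parses GnuPG's machine-readable listing from ~gpg --with-colons --with-keygrip --list-secret-keys~ (token field of a sec/ssb record is =#= for a stub, =+= when the secret part is available; the grp record carries the keygrip) and reports whether the master secret is still present or a usable signing/encryption subkey is missing. The sample listing is constructed.

```python
# Constructed sample of `gpg --with-colons --with-keygrip --list-secret-keys`
# in the working homedir after the master key's secret part was removed:
# the sec record carries '#' (stub) in the token field, both ssb records '+'.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1593500000:2540000000::u:::cESC:::#:::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1593500000::0000000000000000000000000000000000000000::First Last <user@domain.tld>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1593500000:2540000000:::::s:::+:::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:4096:1:1122334455667788:1593500000:2540000000:::::e:::+:::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
"""


def parse_secret_listing(text):
    """One dict per sec/ssb record, keygrip taken from the grp record that follows it."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) > 14:
            # field 12 = capabilities (s/e/c/a), field 15 = '#' when the secret is a stub
            keys.append({"type": f[0], "keyid": f[4], "caps": f[11],
                         "secret": f[14] != "#", "keygrip": None})
        elif f[0] == "grp" and len(f) > 9 and keys:
            keys[-1]["keygrip"] = f[9]  # field 10 = keygrip
    return keys


def audit_working_keyring(text):
    """Return the ways the homedir differs from the setup above (empty list = as intended)."""
    keys = parse_secret_listing(text)
    problems = []
    primaries = [k for k in keys if k["type"] == "sec"]
    subkeys = [k for k in keys if k["type"] == "ssb"]
    if not primaries:
        problems.append("no primary key in listing")
    for p in primaries:
        if p["secret"]:  # master secret should only live in the offline homedir
            problems.append("master secret key %s still in this homedir; "
                            "remove private-keys-v1.d/%s.key" % (p["keyid"], p["keygrip"]))
    usable = "".join(k["caps"] for k in subkeys if k["secret"])
    if "s" not in usable:
        problems.append("no signing subkey with secret part")
    if "e" not in usable:
        problems.append("no encryption subkey with secret part")
    return problems


if __name__ == "__main__":
    print(audit_working_keyring(SAMPLE_LISTING) or "OK: master key offline, subkeys usable")
```

  Run it against real output by piping the gpg command into the script instead of the constructed sample.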
** Thunderbird and Enigmail
   I use Thunderbird with Enigmail to send and receive PGP encrypted emails; you can follow [[https://ssd.eff.org/en/module/how-use-pgp-mac-os-x][the guide by EFF SSD]] to set it up. Note that you need to install the ~pinentry-mac~ package to use GPG with such GUI programs.
   #+BEGIN_SRC sh
     brew install pinentry-mac
     ## Tell gpg-agent to use the GUI pinentry
     echo 'pinentry-program /usr/local/bin/pinentry-mac' > ~/.gnupg/gpg-agent.conf
   #+END_SRC
** Git
   #+BEGIN_SRC sh
     git config --global gpg.program $(which gpg)
     git config --global user.name 'First Last'
     git config --global user.email 'user@domain.tld'
     ## Sign with the signing subkey, not the master key
     git config --global user.signingkey <signing_subkey_id>
     git config --global commit.gpgsign true
   #+END_SRC
   In case you don't want to sign commits for a specific repo, just run ~git config commit.gpgsign false~ in the repo directory.
** pass (the standard unix password manager)
   I use [[https://www.passwordstore.org/][pass]] to manage my passwords, with a different key. pass stores passwords in a git repo; you can also store the ~$GNUPGHOME~ in a git repo, or just in the same repo.
   I have some config like this in my zsh config =~/.zshrc.local=:
   #+BEGIN_SRC sh
     PASSWORD_STORE_DIR="$HOME/passwordstore"
     ## Use the password store's own GPG homedir (and key) only for pass
     alias pass="GNUPGHOME=\"$HOME/passwordstore/.gnupg\" PASSWORD_STORE_DIR=\"$HOME/passwordstore\" pass"
   #+END_SRC
* Footnotes

[fn:1] [[https://www.gnupg.org/documentation//manuals/gnupg/Unattended-GPG-key-generation.html][4.5.4 Unattended key generation | The GNU Privacy Guard Manual]]
[fn:2] [[https://wiki.debian.org/Subkeys][Subkeys | Debian Wiki]]