Debian: GPG-Config
Fehler, Verbesserungen oder Anmerkungen können mir gern per Email geschickt werden.
Voraussetzungen
- Halbwegs sicherer Umgang mit einer Linux Konsole / Terminal.
- Grundkenntnisse mit gpg / GnuPG / OpenPGP.
gpg commands
### setup folder ###
# Create the GnuPG home directory owner-only, pre-create the (legacy-layout)
# keyring files and the config file, and tighten gpg.conf to 0600.
# NOTE(review): GnuPG 2.1+ normally keeps public keys in pubring.kbx; an
# explicit pubring.gpg/secring.gpg is the old layout — confirm it is wanted.
GNUPG_DIR=~/.gnupg
mkdir -p -m 0700 "${GNUPG_DIR}"
for ring in pub sec; do
  touch "${GNUPG_DIR}/${ring}ring.gpg"
done
touch "${GNUPG_DIR}/gpg.conf"
chmod 600 "${GNUPG_DIR}/gpg.conf"
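### symmetric autocrypt keygen (setup code) ###
# https://autocrypt.org/level1.html#setup-code
# Variant 1: 20 random bytes from gpg, base64-armored. Quality level 1 is
# used here; gpg(1) documents level 2 as the strongest.
PASSPHRASE=$(gpg --armor --gen-random 1 20)
# Earlier od(1) experiments, kept for reference:
#   od -A n -t u4 -N 24 /dev/urandom
#   od -vAn -tu4 -N24 /dev/urandom
#   od -vAn -tu4 -N16 /dev/urandom | sed 's/ //g' | tr -dc '0-9' | xargs
#   od -vAn -tu4 -N16 /dev/urandom | sed 's/ //g'
#   od -vAn -tu4 -N32 /dev/urandom | sed 's/ //g' | sed 's/.\{4\}/&-/g'
# Variant 2 (overrides variant 1): Autocrypt-style numeric setup code.
# Read 16 bytes of urandom as four unsigned 32-bit decimals, drop the spaces,
# keep at most 36 digits, insert '-' after every 4th character and strip the
# trailing character (the dangling '-' when the digit count is a multiple
# of 4). ${var%?} replaces the original 'rev | cut -c 2- | rev' round-trip
# with a builtin that does exactly the same.
digits=$(od -vAn -tu4 -N16 /dev/urandom | tr -d ' ' | cut -c 1-36)
grouped=$(printf '%s' "${digits}" | sed 's/.\{4\}/&-/g')
PASSPHRASE=${grouped%?}
printf '%s\n' "${PASSPHRASE}"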
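### PGP Key Gen ###
# private-keys-v1.d is the gpg-agent secret-key store (GnuPG 2.1+); owner-only.
mkdir -p ~/.gnupg/private-keys-v1.d
chmod 700 ~/.gnupg/private-keys-v1.d
# Alternatives — run ONE of them (the duplicated rsa4096 line was dropped).
# DISPLAY="" presumably forces a terminal pinentry instead of a GUI one —
# confirm with the installed pinentry.
DISPLAY="" gpg --full-generate-key
DISPLAY="" gpg --full-generate-key --homedir "${HOME}/.gnupg"
DISPLAY="" gpg --default-new-key-algo rsa4096 --gen-key
gpg --expert --full-gen-key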
### PGP List Keys ###
# Secret keys: short form, then with 16-hex-digit key IDs.
gpg --list-secret-keys
gpg --list-secret-keys --keyid-format LONG
# Public keys: short form, then with 16-hex-digit key IDs.
gpg --list-keys
gpg --list-keys --keyid-format LONG
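### PGP Edit ###
# Interactive key editing. KEY is a key ID, fingerprint or user ID (set it as
# in the export section). The original '(keyIDNumber)' placeholder is parsed
# by the shell as a subshell and fails with a syntax error.
gpg --edit-key "${KEY}"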
### PGP Revoke Gen ###
# Revocation certificate, interactive (gpg prompts for the key and reason).
gpg --gen-revoke
# Armored certificate for 'user-id', written to a file.
gpg --armor --output=revocation_certificate.asc --gen-revoke user-id
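### PGP Import ###
# Inspect the key file (fingerprint listing) before importing it. The original
# line read '--with-fingerprin', which gpg rejects as an unknown option.
# Newer gpg releases also offer 'gpg --show-keys public.key' for this.
gpg --with-fingerprint public.key
gpg --import public.key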
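### PGP Export ###
# KEY selects the key by user ID or by key ID — use one of the two forms.
KEY=user@domain.tld
KEY=AA11FF00DEADBEAF
SAFEPATH=~/.gnupg/mykeys/keyexport.asc
# The export file receives secret-key material: create its directory
# owner-only and the file itself with mode 0600 before anything is written
# (umask in a subshell leaves the session umask untouched).
mkdir -p -m 0700 "${SAFEPATH%/*}"
(
  umask 077
  gpg --armor --export "${KEY}" > "${SAFEPATH}"
  gpg --armor --export-secret-keys "${KEY}" >> "${SAFEPATH}"
)
# Single-command variants (each overwrites its target file):
gpg -a --output "${SAFEPATH}" --export "${KEY}"
gpg --output public.pgp --armor --export "${KEY}"
gpg --output private.pgp --armor --export-secret-key "${KEY}"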
### PGP Backup ###
# Armored export with the export-backup option, meant for a later re-import.
# NOTE(review): the GnuPG manual describes export-backup together with
# --export-secret-keys — confirm this line exports what you expect.
gpg --armor --export --export-options export-backup --output backupkeys.pgp user@email
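### PGP Encrypt ###
PLAIN=~/file.plain.txt
# '~file.sec.asc' (no slash) is a lookup of a user named "file", not $HOME.
CYPHER=~/file.sec.asc
# Symmetric (passphrase-only) encryption of piped data, armored output.
echo "some pipe" | gpg --armor --symmetric --output "${CYPHER}"
# Unattended: the passphrase is fed on stdin via --passphrase-fd 0 rather
# than as a command-line argument, which 'ps' and the shell history would
# expose. --pinentry-mode loopback lets gpg 2.1+ read it without a pinentry
# dialog (older gpg-agent builds also need allow-loopback-pinentry).
printf '%s' "${PASSPHRASE}" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
  --symmetric --cipher-algo AES256 --output "${CYPHER}" --armor "${PLAIN}"
printf '%s' "some password" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
  --symmetric --cipher-algo AES256 --output "${CYPHER}" --armor "${PLAIN}"
# Interactive (pinentry asks for the passphrase):
PLAIN=/home/frank/.gnupg/mykeys/frank.blaschke@mailbox.org.plain.asc
CYPHER=/home/frank/.gnupg/mykeys/frank.blaschke@mailbox.org.sec-keyringkey.asc
gpg --symmetric --cipher-algo AES256 --output "${CYPHER}" --armor "${PLAIN}"
PLAIN=/home/frank/.gnupg/mykeys/frank@zisko.io.plain.asc
CYPHER=/home/frank/.gnupg/mykeys/frank@zisko.io.sec-keyringkey.asc
gpg --symmetric --cipher-algo AES256 --output "${CYPHER}" --armor "${PLAIN}"
gpg --symmetric --cipher-algo CAMELLIA256 --output "${CYPHER}" --armor "${PLAIN}"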
### PGP Decrypt ###
# Decrypt CYPHER (set in the encrypt section) to stdout; -d == --decrypt.
gpg -d "${CYPHER}"
### PGP Check ###
#
#
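### Import from OpenKeyChain ###
# Decrypt the OpenKeychain backup (protected by its backup code) and feed
# the result straight into the local keyring.
gpg --decrypt backup.sec.pgp | gpg --import
# Enter the backup code (encryption password) including the dashes,
# e.g. ####-####-####-...
gpg --decrypt frank@zisko.space-backup_2019-09-05.sec.pgp | gpg --import
# The value below stood on a line of its own, where the shell would try to
# run it as a command; kept only as a format example.
# 2348-0706-0219-9561-7012-3208-1095-2819-6455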
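### Export for OpenKeyChain ###
# Export the secret key armored and wrap it in a passphrase-protected
# (symmetric) container that OpenKeychain can import. (The next section's
# heading had been fused onto the end of this command.)
gpg --armor --export-secret-keys my@mail.tld | gpg --armor --symmetric --output mykey.sec.asc
### gpg keygen ###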
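# Generate key — interactive expert dialog. --batch was dropped: in batch
# mode gpg expects an unattended parameter file instead of the menu the
# steps below walk through (the batch form follows in the next section;
# 'gpg --expert --full-gen-key' earlier on this page is the same command).
gpg --expert --full-generate-key
# Type: (8) ... RSA (set your own capabilities)
# Func: (S) ... toggle signing to: no
# Func: (V) ... toggle encryption to: no
# Func: only Certify stays enabled
# Func: (Q) ... Quit
# Length: 4096 bits
# Expiry: 2y ... expires after 2 years — author's rule: never for 'master keys'
# Name:
# Email:
# Comment:
# (F) ... Finish ("Fertig" in the German gpg UI)
KEY=   # fill in the ID of the key just generated
# Edit key — add three RSA-4096 subkeys (sign, encrypt, auth):
gpg --expert --edit-key "${KEY}"
# addkey
# (8) RSA
# Sign
# 4096
# addkey
# (8) RSA
# Encrypt
# 4096
# addkey
# (8) RSA
# Auth
# 4096
### gpg keygen batch ###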
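KEYUSR="test@zisko.io"
# Alternatives kept for reference:
#   KEYPwD=$(gpg --armor --gen-random 1 36)
#   KEYPwD=$(od -vAn -tu4 -N16 /dev/urandom | sed 's/ //g' | cut -c 1-36 | sed 's/.\{4\}/&-/g' | rev | cut -c 2- | rev)
# 36 random alphanumeric characters straight from /dev/urandom. LC_ALL=C
# keeps tr byte-oriented (under a UTF-8 locale it may stop on an invalid
# sequence); reading the device directly instead of 'head /dev/urandom'
# guarantees enough input, since 'head' stops after ten newline bytes.
KEYPwD=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 36)
# Passphrase file and batch file both carry the secret, so both are created
# with mode 0600 (umask in a subshell leaves the session umask untouched).
# NOTE(review): the GnuPG manual documents %secring as ignored on 2.1+
# (secret keys live in private-keys-v1.d) — confirm for the installed version.
(
  umask 077
  printf '%s\n' "${KEYPwD}" > ~/.gnupg/"${KEYUSR}.key.pwd"
  cat > ~/.gnupg/"${KEYUSR}.keygen.batch" <<__EOF__
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt sign auth
Name-Real: Frank Zisko
Name-Email: ${KEYUSR}
#Name-Comment: No Comment.
#Expire-Date: 2y
Passphrase: ${KEYPwD}
%pubring ${KEYUSR}.pub
%secring ${KEYUSR}.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
__EOF__
)
# %pubring/%secring paths are relative, hence the cd first.
cd ~/.gnupg
gpg --generate-key --batch ~/.gnupg/"${KEYUSR}.keygen.batch"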
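# Batch file for frank@zisko.io. The passphrase variable is KEYPwD (mixed
# case) as set above — the page wrote ${KEYPWD}, a name that is never set,
# which would have produced an empty 'Passphrase:' line. The file holds that
# passphrase, so it is created with mode 0600.
# NOTE(review): the GnuPG manual documents %secring as ignored on 2.1+ — confirm.
(
  umask 077
  cat > ~/.gnupg/frank_zisko.gpg-keygen.batch <<__EOF__
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt sign auth
Name-Real: Frank Zisko
Name-Email: frank@zisko.io
Name-Comment: No Comment.
Expire-Date: 2y
Passphrase: ${KEYPwD}
%pubring frank_zisko.pub
%secring frank_zisko.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
__EOF__
)
# %pubring/%secring paths are relative, hence the cd first.
cd ~/.gnupg
gpg --generate-key --batch ~/.gnupg/frank_zisko.gpg-keygen.batch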
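# Same parameters fed on stdin instead of through a file ('-' = read the
# parameter file from standard input). The previous form — a double-quoted
# string with backslash-newlines, then a pipe — is not valid shell: the
# string collapses to one line and is passed to the first gpg as a file name.
# A here-document keeps the line structure. KEYPwD is the name set above
# (the page wrote ${KEYPWD}, which is never set).
gpg --generate-key --batch - <<__EOF__
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Frank Zisko
Name-Email: frank@zisko.io
Name-Comment: No Comment.
Expire-Date: 2y
Passphrase: ${KEYPwD}
%pubring frank_zisko.pub
%secring frank_zisko.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
__EOF__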
# Verify the result: public keys, their signatures, then the secret keys.
gpg -k
gpg --list-sigs
gpg -K
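# Key generation for the cloud encryption key. The page had
# 'KEY=KEYPwD=$(...)', which stores "KEYPwD=<value>" in KEY and leaves
# KEYPwD at its previous value, so the wrong passphrase would have been
# written below.
KEYPwD=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
# ~/.cipher may not exist yet; both files carry the passphrase → 0600.
mkdir -p -m 0700 ~/.cipher
(
  umask 077
  printf '%s\n' "${KEYPwD}" > ~/.cipher/cloudenc.key
  cat > ~/.cipher/cloudenc.gpg-keygen.batch <<__EOF__
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt sign auth
Name-Real: John Do
Name-Email: john@do.works
Name-Comment: with stupid passphrase
Expire-Date: 2y
Passphrase: ${KEYPwD}
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
__EOF__
)
# The batch file written above is cloudenc.gpg-keygen.batch; the original
# line pointed at 'cloudenc.gpg-config' (fused with the next heading), a
# file nothing on this page creates.
gpg --generate-key --batch ~/.cipher/cloudenc.gpg-keygen.batch
### Configure ssh client ###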
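THISUSER="frank"
# Opens a login shell as THISUSER; the lines below are meant to run inside it.
su - "${THISUSER}"
# ed25519 keys have a fixed size, so ssh-keygen ignores -b (the original
# passed -b 8192); -C tags the key with user@host.
ssh-keygen -t ed25519 -C "${USER}@${HOSTNAME}" -f "${HOME}/.ssh/id_ed25519"
# App account (presumably for the Syncthing GUI). SYSUSER is set nowhere on
# this page, so fall back to THISUSER when it is empty.
APPUSER="${SYSUSER:-${THISUSER}}-${HOSTNAME}-syncthing"
APPPWD=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
# bcrypt hash, cost 12. The password goes in on stdin (-i, Apache httpd 2.4
# htpasswd) instead of as an argument (-b), which 'ps' and the shell history
# would expose; the user:hash output is reduced to the hash.
PWDHASH=$(printf '%s\n' "${APPPWD}" | htpasswd -niBC 12 "${APPUSER}" | cut -d ':' -f 2-)
LOCALSSHKEY=~/.ssh/id_ed25519
REMOTENAMESHORT=foo
REMOTENAME=foohostname
REMOTEUSER=foobar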
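# Append a host alias for the remote box, built from the variables above.
# NOTE(review): the here-document on this page previously held a pasted
# GnuPG batch file, which ssh would reject as unknown options; this stanza is
# reconstructed from the variable names — confirm it matches the intended
# remote. IdentitiesOnly limits the offered keys to the one named here.
cat >> ~/.ssh/config <<__EOF__
Host ${REMOTENAMESHORT}
    HostName ${REMOTENAME}
    User ${REMOTEUSER}
    IdentityFile ${LOCALSSHKEY}
    IdentitiesOnly yes
__EOF__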
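# ssh rejects a private key that other users can read and a config file that
# others can write; lock down the directory and everything in it.
# (The "Quellen" heading had been fused onto the end of the second command.)
chmod 700 "${HOME}/.ssh"
chmod 600 "${HOME}"/.ssh/*
### Quellen (sources) ###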
- https://wiki.archlinux.org/index.php/GnuPG
- https://wiki.ubuntuusers.de/GnuPG/
- https://alexcabal.com/creating-the-perfect-gpg-keypair
- https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/
- https://access.redhat.com/solutions/2115511
- https://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html
- https://rtcamp.com/tutorials/linux/gpg-keys/