https://github.com/cda0/gpg-keys
https://github.com/cda0/gpg-keys
Last synced: 3 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/cda0/gpg-keys
- Owner: CDA0
- Created: 2020-02-18T18:20:23.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2021-01-06T11:30:28.000Z (over 5 years ago)
- Last Synced: 2025-03-06T02:32:26.154Z (over 1 year ago)
- Language: Shell
- Size: 1.95 KB
- Stars: 1
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# GPG Key creation
## Generate a primary keypair for an identity
`gpg --expert --full-generate-key`
Select `RSA (set your own capabilities)`.
Toggle `sign` and `encrypt` OFF so the `current allowed actions` is `certify`***.
****Create a key length of 4096 bits.
Provide an expiry date (3y).
Finish creating with name and email.
## Add subkeys
Add shorterlived subkeys for sign, encryption and authenticate.
`gpg --export --edit-key name@example.com`
The prompt will change to `gpg>`.
The `addkey` command is used to create each subkey. Choose the option for `RSA (set your own capabilities)`.
Use a smaller length of 3072 to reduce size of the key.
After all three subkeys are created use the `save` command to exit.
## Add a picture
You can also at this point add a small image tothey key, but I won't cover that.
## Export the secret
`gpg --export-secret-key --armor name@example.com > \.private.gpg-key`
## Create a revocation certificate
`gpg --armor --gen-revoke name@example.com > \.gpg-revocation-certificate`
## Create qr codes
Use the `./printkey.sh` script to take a key, split it up and create a qrcode for each part.
Print these out and store them safely.
## Test scanned keypair
Run the following command to ensure the crc of the keypair is good.
`gpg --dearmor newkey >/dev/null`
If the key is already exported we can diff the files:
`diff input `
## Remove the primary key
Check the output of `gpg --list-secret-keys`
```
gpg --export-secret-subkeys --armor name@example.com > \.subkeys.gpg-key
gpg --delete-secret-keys name@example.com
gpg --import \.subkeys.gpg-key
```
Now look at the output of `gpg --list-secret-keys` it should say `#sec` in the first key.
This means that the signing key is not in the keypair.
Now `shred -z -u $file` any exported files.
## Move to another system
`gpg --export-secret-keys --armor name@example.com > \.laptop.private.gpg-key`
`gpg --export --armor name@example.com > \.laptop.public.gpg-key`
Then on the new system
`gpg --import \.laptop.public.gpg-key`
`gpg --import \.laptop.private.gpg-key`
## Restoring
Scan each barcode into a file:
`zbarcam --raw >> inputkey`
verify the CRC with
`gpg --dearmor inputkey >/dev/null`
After scanning there might be a 0x0A missing at the end of line 1 and an extra 0x0A at the end of
the last line.
Importing to an offline RPI running raspian involves using the loopback pinentry command
`gpg --import --pinentry-mode loopback inputkey`
## Expiring keys
When a key is expiring
`gpg --expert --edit-key `
`key 1`
`expire`
## SSH Keys
To export ssh public key
`gpg --export-ssh-key name@email.com`
and the privatekey
`gpg --export-ssh-secret-key name@email.com`
## Resources
* https://alexcabal.com/creating-the-perfect-gpg-keypair
* https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/
* https://unix.stackexchange.com/questions/280222/generating-qr-code-of-very-big-file
* http://wiki.debian.org/subkeys
* https://security.stackexchange.com/questions/31594/what-is-a-good-general-purpose-gnupg-key-setup