**GPG** (GNU Privacy Guard) is an open-source tool for encrypting, signing and authenticating data. In particular, it can be used to check that a downloaded file is valid and unaltered. GPG also offers the following features: * Secure connection to an SSH server with a GPG key. * Signature of Git commits * Secure keys via a physical device, for example a [Yubikey] key (https:%%)//%%www.yubico.com/la-cle-yubikey/?lang=en ====== GPG key management ====== ===== Key creation ===== The creation of a main key (for certification only) then generates subkeys dedicated to different operations (signature, encryption, authentication), with expiry dates. # Primary key(Certification only) gpg --quick-gen-key 'votre_email@example.com' rsa4096 cert export GPG_USERID=$(gpg -K | grep -oE "[a-fA-F0-9]{40}") # Create subkeys gpg --quick-addkey ${GPG_USERID} rsa4096 sign 2y gpg --quick-addkey ${GPG_USERID} rsa4096 encr 2y gpg --quick-addkey ${GPG_USERID} rsa4096 auth 2y ===== Adding additional information ===== Add an extra email address or photo to your key. gpg --quick-add-uid ${GPG_USERID} "" gpg --edit-key ${GPG_USERID} gpg trust gpg addphoto nom_du_fichier_photo gpg save gpg --check-trustdb ===== Revoke an old key (optional) ===== If you wish to revoke an old key while transferring its trust to a new key. # Import old keys gpg --import ${GPG_OLDKEY} gpg --edit-key ${GPG_OLDKEY} gpg setpref clean quit # Sign the new key with the old one if it is still valid gpg --default-key ${GPG_OLDKEY} --sign-key ${GPG_USERID} # Sign the old key with the new one gpg --default-key ${GPG_USERID} --sign-key ${GPG_OLDKEY} # Generate and import the revocation certificate of the old key gpg --gen-revoke ${GPG_OLDKEY} > /tmp/revoke.asc gpg --import /tmp/revoke.asc gpg --send-keys ${GPG_OLDKEY} ===== Key backup and publication ===== # Define variables in your bashrc or zenv (GPG_BACKUP_DIR and GPG_USERID) # backup command (see the source at the bottom of this document) gpg-backup-keys # Publication of public keys gpg --send-key ${GPG_USERID} You can also associate your key with other identities by adding it to [[https://keybase.io|Keybase]]. ===== Removing the master key from your computer ===== By removing the main key from your computer, you limit the risks in the event of a compromise, as it will no longer be possible to generate new subkeys from this machine. # Securing (delete the master key from the computer) gpg --delete-secret-key ${GPG_USERID} # Check that the computer no longer contains the master key gpg -K # You should see 'sec#', indicating that the master key does not have a private key ===== Importing keys ===== Restore keys from a backup. gpg --import ${GPG_BACKUP_DIR}/lastkeys/secret_key.gpg gpg --import ${GPG_BACKUP_DIR}/lastkeys/secret_subkeys.gpg gpg --import ${GPG_BACKUP_DIR}/lastkeys/public_key.gpg gpg --import-ownertrust ${GPG_BACKUP_DIR}/lastkeys/ownertrust.asc ===== Changing expiry dates ===== ==== Cancelling the expiry date on the primary key ==== gpg --edit-key $GPG_USERID expire # Select 0 (never expire) ==== Changing the expiry date on secondary keys ==== gpg --edit-key $GPG_USERID key 1 key 2 key 3 expire save ====== Using a Yubikey ====== ===== Transferring GPG keys to the Yubikey ===== To move the keys to a Yubikey : gpg2 -K gpg2 --expert --edit-key $GPG_USERID key 1 keytocard key 2 keytocard key 3 keytocard save quit ===== Check for absence of local private keys ===== Once the keys have been successfully transferred to the Yubikey, the following command should be displayed ''%%ssb>%%'' (or ''%%ssb#%%'' if GPG cannot locate the secret key). gpg -K ===== Displaying key details ===== gpg --card-status ====== SSH support ====== To enable SSH support, configure the necessary files by adding the appropriate parameters. Change the file ''%%~/.gnupg/gpg-agent.conf%% file'' to enable SSH support # Enable SSH support enable-ssh-support # [Optional] # Request paraphrase after this time default-cache-ttl 600 max-cache-ttl 7200 To indicate which keys to use for SSH connections, add the keygrip to the file ''%%~/.gnupg/sshcontrol%% file''. Keygrip which can be obtained with the following command gpg -k --with-keygrip Then restart the gpg-agent service with the following command ''%%gpgconf --kill gpg-agent%%%'' ====== Miscellaneous ====== ===== Annexes ===== # Show key information gpg --edit-key gpg> showpref # Another method gpg --export | gpg --list-packets # show a key was signed by another key gpg --list-sig # Import key gpg --import # Import remote key gpg --recv-keys # Edit key gpg --edit-key # Encrypt file gpg --encrypt -o [--recipient ] # Decrypt gpg --decrypt -o # Sign gpg -o --sign # sign verification gpg --verify ===== Disorders ===== #for f in $(ls ~/.ssh/*.pub); do # ssh-keygen -l -E md5 -f $f #done gpg-connect-agent "KEYINFO --ssh-list --ssh-fpr" /bye gpg-connect-agent "DELETE_KEY " /bye ===== Sources ===== ==== Backup script (gpg-backup-keys) ==== The following script allows you to back up your GPG keys. #!/usr/bin/env bash set -e BACKUP_DATE=$(date "+%Y-%m-%d") # Checking defined variables if [ -z "$GPG_BACKUP_DIR" ] || [ -z "$GPG_USERID" ]; then echo "Veuillez définir les variables GPG_BACKUP_DIR et GPG_USERID" exit 1 fi # Checking the existence of the folder if [ ! -d "$GPG_BACKUP_DIR" ]; then echo "Veuillez monter le disque '${GPG_BACKUP_DIR}'" exit 1 fi # Creation of the backup directory BACKUP_DIR="${GPG_BACKUP_DIR}/${BACKUP_DATE}" mkdir -p ${BACKUP_DIR} # Creating a link to the latest save directory LASTKEYS="${GPG_BACKUP_DIR}/lastkeys" rm -f ${LASTKEYS} ln -s ${BACKUP_DIR} ${LASTKEYS} # Saving the public key gpg -a --export ${GPG_USERID} > ${LASTKEYS}/public_key.gpg # Safeguarding trust (ownertrust) gpg -a --export-ownertrust > ${LASTKEYS}/ownertrust.asc # Backup of the master key (to be stored securely) gpg -a --export-secret-keys ${GPG_USERID} > ${LASTKEYS}/secret_key.gpg # Saving subkeys gpg -a --export-secret-subkeys ${GPG_USERID} > ${LASTKEYS}/secret_subkeys.gpg # Saving the revocation certificate cp ~/.gnupg/openpgp-revocs.d/${GPG_USERID}.rev ${LASTKEYS}/revocation.asc ===== Sources ===== * [[en:CharteIA]] * openai * Reformulation of sentences * Correction of spelling mistakes