GPG (GNU Privacy Guard) is an open-source tool for encrypting, signing and authenticating data. In particular, it can be used to check that a downloaded file is valid and unaltered. GPG also offers the following features:
* Secure connection to an SSH server with a GPG key.
* Signing of Git commits.
* Keeping the keys on a physical device, for example a [Yubikey key](https://www.yubico.com/la-cle-yubikey/?lang=en).
Create a primary key (certification only), then generate subkeys dedicated to the different operations (signing, encryption, authentication), each with an expiry date.
# Primary key (certification only)
gpg --quick-gen-key 'votre_email@example.com' rsa4096 cert
# Fingerprint of the primary key (assumes this is the only secret key in the keyring)
export GPG_USERID=$(gpg -K | grep -oE "[a-fA-F0-9]{40}")
# Create subkeys
gpg --quick-addkey ${GPG_USERID} rsa4096 sign 2y
gpg --quick-addkey ${GPG_USERID} rsa4096 encr 2y
gpg --quick-addkey ${GPG_USERID} rsa4096 auth 2y
Add an extra email address or a photo to your key (the commands after --edit-key are typed at the gpg> prompt).
gpg --quick-add-uid ${GPG_USERID} ""
gpg --edit-key ${GPG_USERID}
trust
addphoto nom_du_fichier_photo
save
gpg --check-trustdb
If you wish to revoke an old key while transferring its trust to a new key:
# Import old keys
gpg --import ${GPG_OLDKEY}
gpg --edit-key ${GPG_OLDKEY}
setpref
clean
quit
# Sign the new key with the old one if it is still valid
gpg --default-key ${GPG_OLDKEY} --sign-key ${GPG_USERID}
# Sign the old key with the new one
gpg --default-key ${GPG_USERID} --sign-key ${GPG_OLDKEY}
# Generate and import the revocation certificate of the old key
gpg --gen-revoke ${GPG_OLDKEY} > /tmp/revoke.asc
gpg --import /tmp/revoke.asc
gpg --send-keys ${GPG_OLDKEY}
# Define variables in your bashrc or zenv (GPG_BACKUP_DIR and GPG_USERID)
# backup command (see the source at the bottom of this document)
gpg-backup-keys
# Publication of public keys
gpg --send-key ${GPG_USERID}
You can also associate your key with other identities by adding it to Keybase.
By removing the primary key from your computer, you limit the damage from a compromise of that machine: it can no longer be used to generate new subkeys.
# Securing (delete the master key from the computer)
gpg --delete-secret-key ${GPG_USERID}
# Check that the computer no longer contains the master key
gpg -K # You should see 'sec#', indicating that the master key does not have a private key
Restore keys from a backup.
gpg --import ${GPG_BACKUP_DIR}/lastkeys/secret_key.gpg
gpg --import ${GPG_BACKUP_DIR}/lastkeys/secret_subkeys.gpg
gpg --import ${GPG_BACKUP_DIR}/lastkeys/public_key.gpg
gpg --import-ownertrust ${GPG_BACKUP_DIR}/lastkeys/ownertrust.asc
gpg --edit-key $GPG_USERID
expire
# Select 0 (never expire)
gpg --edit-key $GPG_USERID
key 1
key 2
key 3
expire
save
To move the keys to a Yubikey:
gpg2 -K
gpg2 --expert --edit-key $GPG_USERID
key 1
keytocard
key 2
keytocard
key 3
keytocard
save
quit
Once the keys have been transferred to the Yubikey, the following commands should show the subkeys as 'ssb>' (or 'ssb#' if GPG cannot locate the secret key):
gpg -K
gpg --card-status
To enable SSH support, add the following parameters to ~/.gnupg/gpg-agent.conf:
# Enable SSH support
enable-ssh-support
# [Optional]
# Ask for the passphrase again after this many seconds
default-cache-ttl 600
max-cache-ttl 7200
To tell gpg-agent which keys to offer for SSH connections, add their keygrips to ~/.gnupg/sshcontrol. The keygrip can be obtained with the following command:
gpg -k --with-keygrip
Then restart gpg-agent with the following command:
gpgconf --kill gpg-agent
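As an added example (not code from the original page), the following shell snippet automates the sshcontrol step: it parses the machine-readable listing `gpg -K --with-keygrip --with-colons`, keeps only the keygrip of the subkey with the authentication capability, and appends it to an sshcontrol file without duplicating an existing entry. The function names and the sample listing (fake key IDs, fingerprints and keygrips) are constructed for this example.

```shell
# Added example (not from the page): pick the authentication subkey's keygrip
# from `gpg -K --with-keygrip --with-colons` and register it in sshcontrol once.
set -eu

# Print keygrips of secret subkeys whose capability field (field 12) contains
# 'a'; the "grp" record after a key record carries its keygrip in field 10.
auth_keygrips() {
  awk -F: '
    $1 == "sec" { want = 0 }
    $1 == "ssb" { want = ($12 ~ /a/) }
    $1 == "grp" && want { print $10; want = 0 }
  '
}

# Append a keygrip to an sshcontrol file unless it is already listed.
add_to_sshcontrol() {   # $1 = keygrip, $2 = path to sshcontrol
  if [ -f "$2" ] && grep -q "^$1\$" "$2"; then
    return 0
  fi
  printf '%s\n' "$1" >> "$2"
}

# Constructed sample listing (fake key IDs, fingerprints and keygrips):
# a certify-only primary key with sign, encrypt and auth subkeys.
SAMPLE_LISTING='sec:u:4096:1:0000000000000001:1700000000:::u:::cESCA:::+:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::0::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:0000000000000002:1700000000:1763000000:::::s:::+:::23:
fpr:::::::::0000000000000000000000000000000000000002:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:0000000000000003:1700000000:1763000000:::::e:::+:::23:
fpr:::::::::0000000000000000000000000000000000000003:
grp:::::::::3333333333333333333333333333333333333333:
ssb:u:4096:1:0000000000000004:1700000000:1763000000:::::a:::+:::23:
fpr:::::::::0000000000000000000000000000000000000004:
grp:::::::::4444444444444444444444444444444444444444:'

# Feed the sample through the pipeline into a temporary sshcontrol file; the
# second registration of the same keygrip must be a no-op.
# Real use: gpg -K --with-keygrip --with-colons | auth_keygrips
demo_sshcontrol() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips | while read -r grip; do
    add_to_sshcontrol "$grip" "$tmp"
    add_to_sshcontrol "$grip" "$tmp"
  done
  cat "$tmp"; rm -f "$tmp"
}
```

With a real keyring, replace the sample with the gpg pipeline shown in the comment and pass ~/.gnupg/sshcontrol as the target file.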
# Show key information
gpg --edit-key
gpg> showpref
# Another method
gpg --export | gpg --list-packets
# Show which keys have signed a key
gpg --list-sig
# Import key
gpg --import
# Import remote key
gpg --recv-keys
# Edit key
gpg --edit-key
# Encrypt file
gpg --encrypt -o [--recipient ]
# Decrypt
gpg --decrypt -o
# Sign
gpg -o --sign
# Verify a signature
gpg --verify
#for f in $(ls ~/.ssh/*.pub); do
# ssh-keygen -l -E md5 -f $f
#done
# List the keys the agent offers for SSH, with their fingerprints
gpg-connect-agent "KEYINFO --ssh-list --ssh-fpr" /bye
# Remove a key from the agent (argument: its keygrip)
gpg-connect-agent "DELETE_KEY " /bye
The following script backs up your GPG keys.
#!/usr/bin/env bash
set -e
BACKUP_DATE=$(date "+%Y-%m-%d")
# Checking defined variables
if [ -z "$GPG_BACKUP_DIR" ] || [ -z "$GPG_USERID" ]; then
echo "Veuillez définir les variables GPG_BACKUP_DIR et GPG_USERID"
exit 1
fi
# Checking the existence of the folder
if [ ! -d "$GPG_BACKUP_DIR" ]; then
echo "Veuillez monter le disque '${GPG_BACKUP_DIR}'"
exit 1
fi
# Creation of the backup directory
BACKUP_DIR="${GPG_BACKUP_DIR}/${BACKUP_DATE}"
mkdir -p "${BACKUP_DIR}"
# Creating a link to the latest backup directory
LASTKEYS="${GPG_BACKUP_DIR}/lastkeys"
rm -f "${LASTKEYS}"
ln -s "${BACKUP_DIR}" "${LASTKEYS}"
# Saving the public key
gpg -a --export "${GPG_USERID}" > "${LASTKEYS}/public_key.gpg"
# Saving the trust database (ownertrust)
gpg -a --export-ownertrust > "${LASTKEYS}/ownertrust.asc"
# Backup of the master key (to be stored securely)
gpg -a --export-secret-keys "${GPG_USERID}" > "${LASTKEYS}/secret_key.gpg"
# Saving the subkeys
gpg -a --export-secret-subkeys "${GPG_USERID}" > "${LASTKEYS}/secret_subkeys.gpg"
# Saving the revocation certificate (named after the primary key fingerprint)
cp ~/.gnupg/openpgp-revocs.d/"${GPG_USERID}".rev "${LASTKEYS}/revocation.asc"