Ceci est une ancienne révision du document !
* Secure connection to an SSH server with a GPG key. * Signature of Git commits * Secure keys via a physical device, for example a [Yubikey] key (https:)//www.yubico.com/la-cle-yubikey/?lang=en
GPG key management
Key creation
The creation of a main key (for certification only) then generates subkeys dedicated to different operations (signature, encryption, authentication), with expiry dates.
# Primary key(Certification only)
gpg --quick-gen-key 'votre_email@example.com' rsa4096 cert
export GPG_USERID=$(gpg -K | grep -oE "[a-fA-F0-9]{40}")
# Create subkeys
gpg --quick-addkey ${GPG_USERID} rsa4096 sign 2y
gpg --quick-addkey ${GPG_USERID} rsa4096 encr 2y
gpg --quick-addkey ${GPG_USERID} rsa4096 auth 2y
Adding additional information
Add an extra email address or photo to your key.
gpg --quick-add-uid ${GPG_USERID} ""
gpg --edit-key ${GPG_USERID}
gpg trust
gpg addphoto nom_du_fichier_photo
gpg save
gpg --check-trustdb
Revoke an old key (optional)
If you wish to revoke an old key while transferring its trust to a new key.
# Import old keys
gpg --import ${GPG_OLDKEY}
gpg --edit-key ${GPG_OLDKEY}
gpg setpref clean quit
# Sign the new key with the old one if it is still valid
gpg --default-key ${GPG_OLDKEY} --sign-key ${GPG_USERID}
# Sign the old key with the new one
gpg --default-key ${GPG_USERID} --sign-key ${GPG_OLDKEY}
# Generate and import the revocation certificate of the old key
gpg --gen-revoke ${GPG_OLDKEY} > /tmp/revoke.asc
gpg --import /tmp/revoke.asc
gpg --send-keys ${GPG_OLDKEY}
Key backup and publication
# Define variables in your bashrc or zenv (GPG_BACKUP_DIR and GPG_USERID)
# backup command (see the source at the bottom of this document)
gpg-backup-keys
# Publication of public keys
gpg --send-key ${GPG_USERID}
You can also associate your key with other identities by adding it to Keybase.
Removing the master key from your computer
By removing the main key from your computer, you limit the risks in the event of a compromise, as it will no longer be possible to generate new subkeys from this machine.
# Securing (delete the master key from the computer)
gpg --delete-secret-key ${GPG_USERID}
# Check that the computer no longer contains the master key
gpg -K # You should see 'sec#', indicating that the master key does not have a private key
Importing keys
Restore keys from a backup.
gpg --import ${GPG_BACKUP_DIR}/lastkeys/secret_key.gpg
gpg --import ${GPG_BACKUP_DIR}/lastkeys/secret_subkeys.gpg
gpg --import ${GPG_BACKUP_DIR}/lastkeys/public_key.gpg
gpg --import-ownertrust ${GPG_BACKUP_DIR}/lastkeys/ownertrust.asc
Changing expiry dates
Cancelling the expiry date on the primary key
gpg --edit-key $GPG_USERID
expire
# Select 0 (never expire)
Changing the expiry date on secondary keys
gpg --edit-key $GPG_USERID
key 1
key 2
key 3
expire
save
Using a Yubikey
Transferring GPG keys to the Yubikey
To move the keys to a Yubikey :
gpg2 -K
gpg2 --expert --edit-key $GPG_USERID
key 1
keytocard
key 2
keytocard
key 3
keytocard
save
quit
Check for absence of local private keys
Once the keys have been successfully transferred to the Yubikey, the following command should be displayed ssb> (or ssb# if GPG cannot locate the secret key).
gpg -K
Displaying key details
gpg --card-status
SSH support
To enable SSH support, configure the necessary files by adding the appropriate parameters.
Change the file ~/.gnupg/gpg-agent.conf file to enable SSH support
# Enable SSH support
enable-ssh-support
# [Optional]
# Request paraphrase after this time
default-cache-ttl 600
max-cache-ttl 7200
To indicate which keys to use for SSH connections, add the keygrip to the file ~/.gnupg/sshcontrol file. Keygrip which can be obtained with the following command
gpg -k --with-keygrip
Then restart the gpg-agent service with the following command gpgconf --kill gpg-agent%
Miscellaneous
Annexes
# Show key information
gpg --edit-key
gpg> showpref
# Another method
gpg --export | gpg --list-packets
# show a key was signed by another key
gpg --list-sig
# Import key
gpg --import
# Import remote key
gpg --recv-keys
# Edit key
gpg --edit-key
# Encrypt file
gpg --encrypt -o [--recipient ]
# Decrypt
gpg --decrypt -o
# Sign
gpg -o --sign
# sign verification
gpg --verify
Disorders
#for f in $(ls ~/.ssh/*.pub); do
# ssh-keygen -l -E md5 -f $f
#done
gpg-connect-agent "KEYINFO --ssh-list --ssh-fpr" /bye
gpg-connect-agent "DELETE_KEY " /bye
Sources
Backup script (gpg-backup-keys)
The following script allows you to back up your GPG keys.
#!/usr/bin/env bash
set -e
BACKUP_DATE=$(date "+%Y-%m-%d")
# Checking defined variables
if [ -z "$GPG_BACKUP_DIR" ] || [ -z "$GPG_USERID" ]; then
echo "Veuillez définir les variables GPG_BACKUP_DIR et GPG_USERID"
exit 1
fi
# Checking the existence of the folder
if [ ! -d "$GPG_BACKUP_DIR" ]; then
echo "Veuillez monter le disque '${GPG_BACKUP_DIR}'"
exit 1
fi
# Creation of the backup directory
BACKUP_DIR="${GPG_BACKUP_DIR}/${BACKUP_DATE}"
mkdir -p ${BACKUP_DIR}
# Creating a link to the latest save directory
LASTKEYS="${GPG_BACKUP_DIR}/lastkeys"
rm -f ${LASTKEYS}
ln -s ${BACKUP_DIR} ${LASTKEYS}
# Saving the public key
gpg -a --export ${GPG_USERID} > ${LASTKEYS}/public_key.gpg
# Safeguarding trust (ownertrust)
gpg -a --export-ownertrust > ${LASTKEYS}/ownertrust.asc
# Backup of the master key (to be stored securely)
gpg -a --export-secret-keys ${GPG_USERID} > ${LASTKEYS}/secret_key.gpg
# Saving subkeys
gpg -a --export-secret-subkeys ${GPG_USERID} > ${LASTKEYS}/secret_subkeys.gpg
# Saving the revocation certificate
cp ~/.gnupg/openpgp-revocs.d/${GPG_USERID}.rev ${LASTKEYS}/revocation.asc
Sources
-
- openai
- Reformulation of sentences
- Correction of spelling mistakes
badele