
How to GnuPG
============

WARN: You MUST only use these instructions if you know exactly what
you're doing! If you don't, you MUST NOT use these instructions!


## Prepare for a master key creation

- Choose a storage medium which will keep the master key and will be
  kept VERY SAFE somewhere (also think about some redundancy). WARN: If
  you choose a medium which could fail, you will be screwed at a later
  point in time!
- Choose how (and where) to keep the master passphrase.


## Initialize a new master key

  # Point gpg at the offline master keyring, then run the interactive
  # key-generation dialog there.
  GNUPGHOME=/mnt/your/master/.gnupg
  export GNUPGHOME
  gpg --full-gen-key


## Add additional identities (as needed)

  export GNUPGHOME=/mnt/your/master/.gnupg
  gpg --edit-key foo@example.com
  gpg> adduid
  gpg> save


## Create keys for some daily-use devices

  export GNUPGHOME=/mnt/your/master/.gnupg
  gpg --edit-key foo@example.com
  # Add an encryption and a sign key
  gpg> addkey    (then choose "encrypt only")
  gpg> addkey    (then choose "sign only")


## Export subkeys for use on a daily-use device

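  # From now on work with a temporary copy so the master keyring itself is
  # never touched. The copy holds secret keys: restrict what we create.
  umask 077
  mkdir -m 700 /mnt/your/tmp/.gnupg
  # Archive '.' instead of $(ls -A): dotfiles are included and nothing
  # gets word-split on spaces or globbed.
  (cd /mnt/your/master/.gnupg && tar c .) | (cd /mnt/your/tmp/.gnupg && tar x)
  export GNUPGHOME=/mnt/your/tmp/.gnupg
  # Print list of what we have
  gpg --edit-key foo@example.com quit
  # I suggest using a different passphrase than the master key has.
  # (HINT: just ignore the error about the missing private key; it works anyway)
  gpg --edit-key foo@example.com passwd quit
  # Choose one encrypt and one sign key and replace F00 and BA5 below with
  # them. The trailing '!' makes gpg use exactly that subkey; it is quoted
  # so an interactive shell does not treat it as history expansion.
  # keys-for-device contains secret key material: move it to the device
  # over a trusted channel and delete it once imported.
  gpg --export-secret-subkeys 'F00!' 'BA5!' > keys-for-device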


## Import prepared subkeys on daily-use device

  gpg --import keys-for-device
  gpg --edit-key foo@example.com
  gpg> trust
  gpg> save


## Sign a foreign key to express to the world that we trust it

  gpgwin --sign-key foreignUser@example.com


## Extend detached subkey expiry

PS: Why is this so fu***** damn complicated! Anyone still wondering why this
    system is not used by most humans?!? Please STOP producing so uselessly
    complicated software!

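  # Everything below handles secret key material; keep created files private.
  umask 077
  # Stop here if WORKDIR is wrong, otherwise the master keyring would be
  # copied to whatever directory we happen to be in.
  cd "${WORKDIR:?}" || exit 1
  mkdir -m 700 master || exit 1
  # Work on a copy; the offline master keyring stays untouched. Archiving
  # '.' includes dotfiles and avoids parsing ls output.
  (cd "${OFFHOME:?}/.gnupg" && tar c .) | (cd master && tar x)
  export GNUPGHOME="${WORKDIR:?}/master"
  gpg --list-secret-keys --with-keygrip --keyid-format=long --with-fingerprint --with-subkey-fingerprint --list-options show-unusable-subkeys
  # Replace SEC_KEY with the primary key id. At the gpg> prompt run:
  #   expire
  #   save
  gpg --edit-key SEC_KEY
  # Replace SSB_KEY with the key owning the subkeys. At the gpg> prompt
  # select both subkeys and then set the new expiry:
  #   key 1
  #   key 2
  #   expire
  #   save
  gpg --edit-key SSB_KEY
  NOW=$(date -u +%Y%m%d-%H%MZ)
  # Replace F00 and BA5 with the subkey ids. The trailing '!' selects
  # exactly that subkey; it is quoted so an interactive shell does not
  # history-expand it.
  gpg --export-secret-subkeys 'F00!' 'BA5!' > "subkey-${NOW:?}.sec.gpg"
  gpg --export 'F00!' 'BA5!' > "subkey-${NOW:?}.pub.gpg"
  gpg --list-packets "subkey-${NOW:?}.sec.gpg"
  gpg --list-packets "subkey-${NOW:?}.pub.gpg"
  # The glob stays unquoted on purpose; only the timestamp is quoted.
  tar --owner=0 --group=0 -c subkey-"${NOW:?}".*.gpg | (cd "${OFFHOME:?}" && sudo tar x)
  # MD5 here only catches accidental corruption of the stored files; it
  # does not protect against deliberate tampering.
  md5sum -b subkey-"${NOW:?}".*.gpg | sudo tee -a "${OFFHOME:?}/MD5SUM"
  printf '%s\n' "After import, you'd likely want to change phrase away from master"
  gpg --edit-key foo@example.com passwd quit
  # When finished, remove "${WORKDIR:?}/master": it holds a full copy of
  # the master secret key.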


## Use keys with throw-away keyring

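  # A bare assignment is not seen by gpg (it is not exported), so the
  # original line had no effect on the command below. Also use mktemp
  # rather than a fixed path under /tmp: a predictable name lets another
  # local user pre-create or read the keyring directory.
  GNUPGHOME=$(mktemp -d) || exit 1
  export GNUPGHOME
  gpg ...
  # Discard the throw-away keyring afterwards; ':?' refuses an empty path.
  rm -rf -- "${GNUPGHOME:?}"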


## Some other helpful places

- "https://insight.o-o.studio/article/setting-up-gpg.html#encryption-key"
- "https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key/"
- "https://gpg.wtf/"


## Start/stop gpg-agent

  # Restart the agent: stop the running instance (if any), then start a
  # fresh one. The launch runs even if there was nothing to kill.
  for action in kill launch; do
    gpgconf --"$action" gpg-agent
  done

[windoof: Why does git complain that no GPG agent is running?](https://superuser.com/a/1663941/1123359) says:
  gpg-connect-agent reloadagent /bye