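#!/bin/sh
# batch-gpg.sh — generate a certify-only RSA-4096 master key plus sign/encrypt/
# auth subkeys in a throwaway GNUPGHOME, export them, archive the exports, and
# encrypt that archive to an organisation "master" public key fetched from AWS
# Secrets Manager. The temporary GNUPGHOME (and the key-generation template
# inside it) is removed on every exit path, success or failure.
#
# Usage:    ./batch-gpg.sh "Full Name" "email@domain.com"
#           (enter the same passphrase at every pinentry prompt)
# Requires: gpg 2.1+ (for --quick-add-key), gpgconf, awk, tar, aws, jq
# Env:      AWS_DEFAULT_REGION  region for the aws calls   (default: us-west-2)
#           MASTER_SECRET_ID    secret holding the master
#                               public key, armored        (default: gpg/public/master/2021)
# Outputs (in the current directory):
#           keybase-key.asc, keybase-public.asc,
#           "<name>-<email>.tar.gz" (plaintext, keep or delete!) and
#           "<name>-<email>.tar.gz.gpg" (encrypted to the master key)
set -eu

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Check For Args — exactly a name and an e-mail address.
if [ $# -ne 2 ]; then
  printf 'Usage: %s "Full Name" "email@domain.com"\n' "${0##*/}" >&2
  printf 'same password each prompt\n' >&2
  exit 1
fi
NAME=$1
EMAIL=$2
export NAME EMAIL
ARCHIVE="${NAME}-${EMAIL}.tar.gz"

# Fail early, before any key material exists, if a needed tool is missing.
for tool in gpg gpgconf awk tar aws jq; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Make Temp Workspace
GNUPGHOME="$(mktemp -d)" || die "mktemp failed"
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Remove the workspace (and the agent gpg started for it) on any exit, so the
# secret keys never outlive the script even when a later step fails.
cleanup() {
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "${GNUPGHOME:?}"
}
trap cleanup EXIT

# Drop Hardened Config
cat >"$GNUPGHOME/gpg.conf" <<EOF
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
use-agent
throw-keyids
EOF

# Create Template — kept inside GNUPGHOME so it is deleted by cleanup instead
# of being left behind in the working directory.
cat >"$GNUPGHOME/master" <<EOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: ${NAME}
Name-Email: ${EMAIL}
Expire-Date: 0
%commit
%echo done
EOF

# Batch Create
gpg --batch --generate-key "$GNUPGHOME/master"

# Get KeyID and make a folder. The keyring is brand new, so the only secret
# key listed is the one just generated.
FPR=$(gpg --list-options show-only-fpr-mbox --list-secret-keys | awk '{print $1}')
[ -n "$FPR" ] || die "could not determine the fingerprint of the new key"
mkdir "$FPR"

# Subkey Generation and Export
gpg --quick-add-key "$FPR" rsa4096 sign 1y
# Only the signing subkey exists at this point, so this export holds just that
# subkey; the full set is exported below after the other two are added.
gpg --armor --export-secret-subkeys "$FPR" > "keybase-key.asc"
gpg --quick-add-key "$FPR" rsa4096 encrypt 1y
gpg --quick-add-key "$FPR" rsa4096 auth 1y
gpg --armor --export-secret-keys "$FPR" > "$FPR/secret.asc"
gpg --armor --export-secret-subkeys "$FPR" > "$FPR/secret-sub.asc"
gpg --armor --export "$FPR" > "$FPR/public.asc"
gpg --armor --export "$FPR" > "keybase-public.asc"
# --gzip so the file really is what its .tar.gz name says it is.
tar --create --gzip --file "$ARCHIVE" "$FPR"
rm -rf "${FPR:?}"

# Upload Your Pubkey to aws, grab the master key and encrypt your backup with it
export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-us-west-2}"
MASTER_SECRET_ID="${MASTER_SECRET_ID:-gpg/public/master/2021}"
PUBKEY=$(cat keybase-public.asc)
aws secretsmanager create-secret --name "gpg/public/${FPR}" --secret-string "$PUBKEY"

MASTER_PUB=$(aws secretsmanager get-secret-value --secret-id "$MASTER_SECRET_ID" \
  | jq -r '.SecretString')
if [ -z "$MASTER_PUB" ] || [ "$MASTER_PUB" = "null" ]; then
  die "secret $MASTER_SECRET_ID has no SecretString"
fi
# gpg --import reads the armored key block from stdin; it cannot be passed as
# command-line words.
printf '%s\n' "$MASTER_PUB" | gpg --batch --import

# The keyring now holds our own key and the imported master key. Take every
# primary-key fingerprint (the fpr record that directly follows a pub record)
# and drop our own, which leaves the master key's fingerprint.
MASTER_FPR=$(gpg --list-keys --with-colons \
  | awk -F: '$1 == "pub" { want = 1; next } $1 == "fpr" && want { print $10; want = 0 }' \
  | grep -vxF "$FPR" || true)
[ -n "$MASTER_FPR" ] || die "no master key found in the keyring after import"
[ "$(printf '%s\n' "$MASTER_FPR" | grep -c .)" -eq 1 ] \
  || die "more than one key imported from $MASTER_SECRET_ID; refusing to guess the recipient"

# Encrypt the archive to the master key. --recipient (not --default-key, which
# selects a signing key) names the target; --trust-model always skips the
# web-of-trust check for a key that was fetched by fingerprint-free lookup from
# the operator's own secret store and has no trust path in this fresh keyring.
gpg --trust-model always --recipient "$MASTER_FPR" --armor \
  --output "${ARCHIVE}.gpg" --encrypt "$ARCHIVE"

# Clean up — GNUPGHOME is removed by the EXIT trap.
echo "If you have keybase installed do this"
echo ''
echo " gpg --import keybase-public.asc"
echo " gpg --import keybase-key.asc"
echo ''
echo " keybase signup"
echo ''
echo "After your done importing, get the rest of your keys"
echo ''
echo " gpg --import $FPR/secret.asc"
echo " gpg --import $FPR/secret-sub.asc"
echo ''
echo "Hide away the archive, delete the folder and files"
echo ''
echo "https://github.com/drduh/YubiKey-Guide"
echo ""
echo "${ARCHIVE}.gpg is safe to store insecurly/redundently"
echo "${ARCHIVE} must be stored securely or deleted"
echo "keybase-key.asc must be deleted after upload to keybase"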