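#!/bin/bash
#
# Generate an OpenPGP master key with three dedicated subkeys (sign, encrypt,
# authenticate) in a fresh GNUPGHOME under ./out, export public and secret
# keys to out/exported, and optionally move the subkeys onto an OpenPGP
# smart card (e.g. a YubiKey), factory-resetting the card first.
#
# Usage: run from the directory that should hold ./out. The run is
# interactive: a prompt to copy the passphrase, then pinentry for the
# passphrase and the card PINs. Tune the UPPER_CASE settings below first.
#
# Everything under ./out -- the keyring, the exported secret keys and
# passphrase.txt -- is sensitive; keep the directory offline and remove it
# once the backup has been moved to secure storage.
set -euo pipefail

# All files created here (keyring, scratch batch files, exported secret keys,
# passphrase.txt) are secrets, so create them private from the start instead
# of relying on a one-off chmod that only covers files that already exist.
umask 077

GPG_BIN=gpg2
ROOTDIR=$(pwd)
WORKDIR=$ROOTDIR/out
# Deliberately not called TMPDIR: that is the environment variable mktemp and
# child processes consult, and shadowing it is confusing.
SCRATCH_DIR=$(mktemp -d)
MASTER_KEY_TYPE=RSA
MASTER_KEY_SIZE=4096
REAL_NAME="Gassan Idriss"
REAL_EMAIL=ghassani@gmail.com
MASTER_KEY_EXPIRATION=0          # 0 = never expires
SUB_KEY_SIZE=4096
SUB_KEY_EXPIRATION=2y
PROVISION_DEVICE=1               # 1: move the subkeys onto the card
RESET_DEVICE_BEFORE_PROVISION=1  # 1: factory-reset the card first
EXPORT_KEYS=1                    # 1: write key backups to out/exported

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '[-] %s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the scratch directory. Installed as an EXIT trap because the batch
# file written there contains the passphrase and must not survive a failed
# run either.
# Globals: SCRATCH_DIR (read)
#######################################
cleanup() {
  rm -rf -- "${SCRATCH_DIR:?}"
}
trap cleanup EXIT

#######################################
# Print the long key ID of the secret subkey whose capability field is
# exactly $1. Uses --with-colons, gpg's documented machine-readable listing:
# field 1 is the record type, field 5 the long key ID, field 12 the
# capability letters. Only the first match is printed.
# Globals:   GPG_BIN, GNUPGHOME (read)
# Arguments: $1 - "s" (sign), "e" (encrypt) or "a" (authenticate)
# Outputs:   key ID on stdout; nothing if no such subkey exists
#######################################
subkey_id() {
  "$GPG_BIN" --list-secret-keys --with-colons \
    | awk -F: -v cap="$1" '$1 == "ssb" && $12 == cap && !done { print $5; done = 1 }'
}

#######################################
# Run gpg --edit-key on the master key, answering its prompts from stdin.
# Globals:   GPG_BIN, MASTER_KEY_ID (read)
# Arguments: edit-key commands, e.g. addkey save
#######################################
edit_master_key() {
  "$GPG_BIN" --batch --expert --command-fd=0 --edit-key "$MASTER_KEY_ID" "$@"
}

command -v "$GPG_BIN" >/dev/null || die "$GPG_BIN not found in PATH"

# 32 random bytes from gpg's own RNG, base64-armored.
PASSPHRASE=$("$GPG_BIN" --gen-random -a 0 32)

if [[ -d "$WORKDIR" ]]; then
  echo "Removing Existing Folder"
  rm -rf -- "${WORKDIR:?}"
fi
mkdir -p "$WORKDIR/exported"
chmod -R go-rwx "$WORKDIR"
export GNUPGHOME=$WORKDIR

# Defaults for the new keyring: modern cipher/digest preferences, long key
# IDs and fingerprints in listings.
cat > "$WORKDIR/gpg.conf" <<EOF
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
use-agent
EOF

echo "[!] Root Dir $ROOTDIR"
echo "[!] GPG Dir $GNUPGHOME"
echo "[!] Generating Key Passphrase"
# The passphrase is shown on the terminal (and so lands in scrollback) and is
# stored in plaintext beside the exported secret keys: possession of out/ is
# possession of the keys. That is this script's deliberate backup model.
echo "[+] Key Passphrase Generated: $PASSPHRASE"
printf '%s\n' "$PASSPHRASE" > "$WORKDIR/exported/passphrase.txt"
read -r -p "Copy the passphrase and then press Enter key to start key generation..."

echo "[!] Generating Master Key"
# Unattended key-generation parameter file. Key-Usage limits the primary key
# to sign (certify is always implied for a primary key); encryption and
# authentication live on the subkeys added below.
cat > "$SCRATCH_DIR/master_key.config" <<EOF
%echo Generating a basic OpenPGP key
Key-Type: $MASTER_KEY_TYPE
Key-Length: $MASTER_KEY_SIZE
Key-Usage: sign
Name-Real: $REAL_NAME
Name-Email: $REAL_EMAIL
Expire-Date: $MASTER_KEY_EXPIRATION
Passphrase: $PASSPHRASE
%commit
EOF
"$GPG_BIN" --batch --full-generate-key "$SCRATCH_DIR/master_key.config"

# GNUPGHOME is fresh, so the first pub/fpr records belong to the key just
# generated. Colon-format fields: 5 = long key ID (pub), 10 = fingerprint (fpr).
MASTER_KEY_ID=$("$GPG_BIN" --list-keys --with-colons \
  | awk -F: '$1 == "pub" && !done { print $5; done = 1 }')
MASTER_KEY_FINGERPRINT=$("$GPG_BIN" --list-keys --with-colons --with-fingerprint \
  | awk -F: '$1 == "fpr" && !done { print $10; done = 1 }')
[[ -n "$MASTER_KEY_ID" && -n "$MASTER_KEY_FINGERPRINT" ]] \
  || die "master key not found in $GNUPGHOME after generation"
echo "[+] Generated Master Key: $MASTER_KEY_ID Fingerprint: $MASTER_KEY_FINGERPRINT"

# addkey answers, one per prompt: key kind from the --expert menu, size,
# expiry. Kind 4 = RSA (sign only), 6 = RSA (encrypt only), 8 = RSA (set your
# own capabilities), where S/E/A toggle a capability and q leaves the menu.
echo "[!] Generating Signing Key"
printf '%s\n' 4 "$SUB_KEY_SIZE" "$SUB_KEY_EXPIRATION" | edit_master_key addkey save
SIGN_KEY_ID=$(subkey_id s)
[[ -n "$SIGN_KEY_ID" ]] || die "signing subkey was not created"
echo "[+] Generated Signing Key: $SIGN_KEY_ID"

echo "[!] Generating Encryption Key"
printf '%s\n' 6 "$SUB_KEY_SIZE" "$SUB_KEY_EXPIRATION" | edit_master_key addkey save
ENC_KEY_ID=$(subkey_id e)
[[ -n "$ENC_KEY_ID" ]] || die "encryption subkey was not created"
echo "[+] Generated Encryption Key: $ENC_KEY_ID"

echo "[!] Generating Authentication Key"
# Kind 8 starts with sign+encrypt enabled: turn S and E off, A on.
printf '%s\n' 8 S E A q "$SUB_KEY_SIZE" "$SUB_KEY_EXPIRATION" | edit_master_key addkey save
AUTH_KEY_ID=$(subkey_id a)
[[ -n "$AUTH_KEY_ID" ]] || die "authentication subkey was not created"
echo "[+] Generated Authentication Key: $AUTH_KEY_ID"

if (( EXPORT_KEYS == 1 )); then
  EXPORT_DIR=$GNUPGHOME/exported
  echo "[!] Exporting Keys to $EXPORT_DIR"
  # NOTE(review): gpg resolves a bare subkey ID to the certificate containing
  # it, so each file below presumably holds the primary key plus all subkeys;
  # append "!" to the ID (and use --export-secret-subkeys) if per-subkey files
  # are really intended -- confirm against the gpg version in use.
  # Export and Backup Public Keys
  "$GPG_BIN" --armor --export "$MASTER_KEY_ID" > "$EXPORT_DIR/master.pub"
  echo "[+] Exported Master Public Key"
  "$GPG_BIN" --armor --export "$SIGN_KEY_ID" > "$EXPORT_DIR/sign.pub"
  echo "[+] Exported Signing Public Key"
  "$GPG_BIN" --armor --export "$ENC_KEY_ID" > "$EXPORT_DIR/enc.pub"
  echo "[+] Exported Encryption Public Key"
  "$GPG_BIN" --armor --export "$AUTH_KEY_ID" > "$EXPORT_DIR/auth.pub"
  echo "[+] Exported Authentication Public Key"
  # Export and Backup Private Keys
  "$GPG_BIN" --armor --export-secret-keys "$MASTER_KEY_ID" > "$EXPORT_DIR/master.key"
  echo "[+] Exported Master Private Key"
  "$GPG_BIN" --armor --export-secret-keys "$SIGN_KEY_ID" > "$EXPORT_DIR/sign.key"
  echo "[+] Exported Signing Private Key"
  "$GPG_BIN" --armor --export-secret-keys "$ENC_KEY_ID" > "$EXPORT_DIR/enc.key"
  echo "[+] Exported Encryption Private Key"
  "$GPG_BIN" --armor --export-secret-keys "$AUTH_KEY_ID" > "$EXPORT_DIR/auth.key"
  echo "[+] Exported Authentication Private Key"
fi

if (( PROVISION_DEVICE == 1 )); then
  if (( RESET_DEVICE_BEFORE_PROVISION == 1 )); then
    # Factory reset the card before provisioning. This destroys every key and
    # PIN on it; set -e ensures we only get here with key generation and the
    # export above completed.
    printf '%s\n' admin factory-reset y yes \
      | "$GPG_BIN" --batch --expert --command-fd=0 --edit-card
  fi
  # Transfer the subkeys to the card. "key N" selects the N-th subkey, i.e.
  # the order they were added above (1 sign, 2 encrypt, 3 auth), and the
  # piped digit answers keytocard's slot prompt, which uses the same
  # numbering. keytocard leaves only a stub of the secret key on disk, which
  # is why the export runs before this step.
  for slot in 1 2 3; do
    printf '%s\n' "$slot" | edit_master_key "key $slot" keytocard save
  done
fi

# Scratch files (including the batch file holding the passphrase) are removed
# by the EXIT trap.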