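#!/bin/bash
#
# Generate an OpenPGP master (certify) key with separate signing, encryption
# and authentication subkeys in a fresh GNUPGHOME under ./out, optionally
# export the public and private keys to ./out/exported, and optionally move
# the three subkeys onto an OpenPGP smartcard (e.g. a YubiKey).
#
# Usage:  edit the configuration block below, then run the script from the
#         directory that should contain ./out.
# Needs:  $GPG_BIN on PATH; a connected smartcard when PROVISION_DEVICE=1.
#         gpg-agent/pinentry will ask for the passphrase when subkeys are added
#         and moved to the card.
#
# Everything under ./out is created owner-only (umask 077). ./out/exported holds
# the passphrase and the armored private keys in plaintext: move it to offline
# storage and remove it once the card is provisioned and a backup is verified.
set -euo pipefail

# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
GPG_BIN=gpg2
ROOTDIR=$(pwd)
WORKDIR=$ROOTDIR/out
MASTER_KEY_TYPE=RSA
MASTER_KEY_SIZE=4096
REAL_NAME="Gassan Idriss"
REAL_EMAIL=ghassani@gmail.com
MASTER_KEY_EXPIRATION=0            # gpg Expire-Date syntax; 0 = never expires
SUB_KEY_SIZE=4096
SUB_KEY_EXPIRATION=2y              # gpg expiry syntax: <n>, <n>w, <n>m, <n>y
PROVISION_DEVICE=1                 # 1 = move the subkeys onto the smartcard
RESET_DEVICE_BEFORE_PROVISION=1    # 1 = factory-reset the card first (erases it)
EXPORT_KEYS=1                      # 1 = write armored keys to $WORKDIR/exported

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

# Progress line for a step that is starting.
info() { printf '[!] %s\n' "$*"; }

# Progress line for a step that finished.
ok() { printf '[+] %s\n' "$*"; }

# Error to stderr, then abort.
die() { printf '[-] %s\n' "$*" >&2; exit 1; }

#######################################
# Run an interactive gpg command with scripted answers.
# Arguments: <answer>... -- <gpg arguments>...
#            Every argument before "--" is written to gpg's command fd, one
#            per line; everything after "--" is passed to gpg as-is.
# Globals:   GPG_BIN (read)
# Returns:   gpg's exit status (pipefail), so a failed step aborts the script
#######################################
gpg_scripted() {
  local -a answers=()
  while (( $# )) && [[ "$1" != "--" ]]; do
    answers+=("$1")
    shift
  done
  shift || die "gpg_scripted: missing -- separator"
  printf '%s\n' "${answers[@]}" \
    | "$GPG_BIN" --batch --expert --command-fd=0 "$@"
}

#######################################
# Print the key ID of the secret subkey with a given capability.
# Uses the machine-readable --with-colons listing: field 1 is the record type,
# field 5 the key ID and field 12 the capability letters (s, e, a, ...).
# Arguments: $1 - capability letter to look for: s, e or a
# Globals:   GPG_BIN, GNUPGHOME (read)
# Outputs:   the key ID of the first matching "ssb" record on stdout
#######################################
subkey_id_for() {
  local cap=$1
  "$GPG_BIN" --list-secret-keys --with-colons \
    | awk -F: -v cap="$cap" \
        '$1 == "ssb" && index($12, cap) && !found { print $5; found = 1 }'
}

#######################################
# Export the armored public and private key for a key ID.
# Arguments: $1 - base file name (master, sign, enc, auth)
#            $2 - key ID or fingerprint to export
#            $3 - human-readable label for the progress lines
# Globals:   GPG_BIN, GNUPGHOME (read)
# Outputs:   $GNUPGHOME/exported/<name>.pub and <name>.key
# NOTE: --export-secret-keys given a subkey ID exports the whole secret key
#       (master plus all subkeys), not only that subkey; use
#       --export-secret-subkeys with a trailing "!" for a single subkey.
#######################################
export_key_pair() {
  local name=$1 keyid=$2 label=$3
  "$GPG_BIN" --armor --export "$keyid" > "$GNUPGHOME/exported/$name.pub"
  ok "Exported $label Public Key"
  "$GPG_BIN" --armor --export-secret-keys "$keyid" > "$GNUPGHOME/exported/$name.key"
  ok "Exported $label Private Key"
}

# ---------------------------------------------------------------------------
# Main flow
# ---------------------------------------------------------------------------
main() {
  command -v "$GPG_BIN" >/dev/null 2>&1 || die "$GPG_BIN not found on PATH"

  # 32 random bytes, base64 armored (-a). Quality level 1 ("strong") rather
  # than 0: this string protects the master private key.
  PASSPHRASE=$("$GPG_BIN" --gen-random -a 1 32)

  # Every file created from here on (keyring, gpg.conf, exports, passphrase)
  # is owner-only.
  umask 077

  if [[ -d "$WORKDIR" ]]; then
    info "Removing Existing Folder"
    rm -rf -- "${WORKDIR:?}"
  fi
  mkdir -p -- "$WORKDIR/exported"
  export GNUPGHOME=$WORKDIR

  # Hardened defaults for the throwaway keyring; no expansions, so the
  # delimiter is quoted.
  cat > "$GNUPGHOME/gpg.conf" <<'EOF'
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
use-agent
EOF

  info "Root Dir $ROOTDIR"
  info "GPG Dir $GNUPGHOME"
  info "Generating Key Passphrase"
  # The passphrase is shown on the terminal and stored next to the exported
  # private keys; both are plaintext copies of the secret.
  ok "Key Passphrase Generated: $PASSPHRASE"
  printf '%s\n' "$PASSPHRASE" > "$GNUPGHOME/exported/passphrase.txt"
  read -r -p "Copy the passphrase and then press Enter key to start key generation..." \
    || die "no terminal available to confirm on"

  info "Generating Master Key"
  # Batch parameters are fed on stdin so the passphrase is never written to a
  # scratch file. Key-Length must be the size, not the algorithm name.
  "$GPG_BIN" --batch --full-generate-key <<EOF
%echo Generating a basic OpenPGP key
Key-Type: $MASTER_KEY_TYPE
Key-Length: $MASTER_KEY_SIZE
Name-Real: $REAL_NAME
Name-Email: $REAL_EMAIL
Expire-Date: $MASTER_KEY_EXPIRATION
Passphrase: $PASSPHRASE
EOF

  # The keyring is fresh, so the first pub/fpr records belong to the new key.
  MASTER_KEY_ID=$("$GPG_BIN" --list-keys --with-colons \
    | awk -F: '$1 == "pub" && !found { print $5; found = 1 }')
  MASTER_KEY_FINGERPRINT=$("$GPG_BIN" --list-keys --with-colons --with-fingerprint \
    | awk -F: '$1 == "fpr" && !found { print $10; found = 1 }')
  [[ -n "$MASTER_KEY_ID" && -n "$MASTER_KEY_FINGERPRINT" ]] \
    || die "master key was not generated"
  ok "Generated Master Key: $MASTER_KEY_ID Fingerprint: $MASTER_KEY_FINGERPRINT"

  # addkey answers: key kind, size, expiry. Kind 4 = RSA (sign only),
  # 6 = RSA (encrypt only), 8 = RSA (set your own capabilities), where the
  # S/E/A answers toggle sign/encrypt/authenticate and q finishes the menu.
  info "Generating Signing Key"
  gpg_scripted 4 "$SUB_KEY_SIZE" "$SUB_KEY_EXPIRATION" \
    -- --edit-key "$MASTER_KEY_FINGERPRINT" addkey save
  SIGN_KEY_ID=$(subkey_id_for s)
  [[ -n "$SIGN_KEY_ID" ]] || die "signing subkey was not generated"
  ok "Generated Signing Key: $SIGN_KEY_ID"

  info "Generating Encryption Key"
  gpg_scripted 6 "$SUB_KEY_SIZE" "$SUB_KEY_EXPIRATION" \
    -- --edit-key "$MASTER_KEY_FINGERPRINT" addkey save
  ENC_KEY_ID=$(subkey_id_for e)
  [[ -n "$ENC_KEY_ID" ]] || die "encryption subkey was not generated"
  ok "Generated Encryption Key: $ENC_KEY_ID"

  info "Generating Authentication Key"
  gpg_scripted 8 S E A q "$SUB_KEY_SIZE" "$SUB_KEY_EXPIRATION" \
    -- --edit-key "$MASTER_KEY_FINGERPRINT" addkey save
  AUTH_KEY_ID=$(subkey_id_for a)
  [[ -n "$AUTH_KEY_ID" ]] || die "authentication subkey was not generated"
  ok "Generated Authentication Key: $AUTH_KEY_ID"

  if [[ "$EXPORT_KEYS" -eq 1 ]]; then
    info "Exporting Keys to $GNUPGHOME/exported"
    export_key_pair master "$MASTER_KEY_ID" "Master"
    export_key_pair sign "$SIGN_KEY_ID" "Signing"
    export_key_pair enc "$ENC_KEY_ID" "Encryption"
    export_key_pair auth "$AUTH_KEY_ID" "Authentication"
  fi

  if [[ "$PROVISION_DEVICE" -eq 1 ]]; then
    if [[ "$RESET_DEVICE_BEFORE_PROVISION" -eq 1 ]]; then
      # Factory reset erases every key and PIN on the card.
      info "Factory Resetting the Card"
      gpg_scripted admin factory-reset y yes -- --edit-card
    fi
    # Subkeys are numbered in creation order: 1 = signing, 2 = encryption,
    # 3 = authentication. The single answer picks the card slot
    # (1 Signature, 2 Encryption, 3 Authentication). After "save" the local
    # keyring keeps only a stub for each moved subkey, which is why the
    # export above runs first.
    info "Transferring Subkeys to the Card"
    gpg_scripted 1 -- --edit-key "$MASTER_KEY_FINGERPRINT" "key 1" keytocard save
    gpg_scripted 2 -- --edit-key "$MASTER_KEY_FINGERPRINT" "key 2" keytocard save
    gpg_scripted 3 -- --edit-key "$MASTER_KEY_FINGERPRINT" "key 3" keytocard save
  fi
}

main "$@"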