Last active
January 7, 2019 11:32
-
-
Save steeb/ef118f0d2ef551dfb001 to your computer and use it in GitHub Desktop.
GPG2 with master keypair
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #debian install gpg2 | |
| sudo apt-get install -t experimental gnupg2 dirmngr | |
| #verify versions | |
| gpg2 --version | |
| #gpg (GnuPG) 2.1.1 | |
| #libgcrypt 1.6.2 | |
| dirmngr --version | |
| #dirmngr (GnuPG) 2.1.1 | |
| #setup variables | |
| USBSTICK_DEV="/dev/sdc" | |
| USBSTICK_MOUNT_DIR="/mnt/" | |
| USBSTICK_KEYFILE="/path/to/keyfile" | |
| USBSTICK_MAPPER="gpg_usbcrypto" | |
| GPG2_USB="gpg2 --homedir $USBSTICK_MOUNT_DIR" | |
| GBG2_LOCAL="gpg2" | |
| CA_SKS_KEYSEVER_FILE="~/.gnupg/sks-keyservers.netCA.pem" | |
| #gpg2 config //hkps problems with dirmngr ;-( | |
| cat <<EOF > ~/.gnupg/gpg.conf | |
| no-greeting | |
| require-cross-certification | |
| charset utf-8 | |
| keyserver hkp://pool.sks-keyservers.net | |
| #keyserver hkps://hkps.pool.sks-keyservers.net | |
| #keyserver-options auto-key-retrieve | |
| keyserver-options no-try-dns-srv | |
| keyserver-options no-honor-keyserver-url | |
| list-options show-uid-validity | |
| verify-options show-uid-validity | |
| use-agent | |
| ask-cert-level | |
| personal-digest-preferences SHA512 | |
| personal-cipher-preferences AES256 | |
| cert-digest-algo SHA512 | |
| default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed | |
| fixed-list-mode | |
| keyid-format 0xlong | |
| no-emit-version | |
| EOF | |
| #certificate, if it work one day | |
| curl --cacert /usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt https://sks-keyservers.net/sks-keyservers.netCA.pem > $CA_SKS_KEYSEVER_FILE | |
| echo "hkp-cacert $CA_SKS_KEYSEVER_FILE" > ~/.gnupg/dirmngr.conf | |
| #if necessary, create cryptostick | |
| dd if=/dev/random bs=1 count=128 of=$USBSTICK_KEYFILE | |
| sudo cryptsetup luksFormat --hash sha512 --cipher aes-xts-plain64 --key-size 512 --key-file $USBSTICK_KEYFILE $USBSTICK_DEV | |
| #open crpyto stick | |
| sudo cryptsetup luksOpen -d $USBSTICK_KEYFILE $USBSTICK_DEV $USBSTICK_MAPPER | |
| #if necessary, format usb device | |
| sudo mkfs.ext4 -m 0 -L GPG-Cryptostick /dev/mapper/$USBSTICK_MAPPER | |
| #mount crypto stick | |
| sudo mount /dev/mapper/$USBSTICK_MAPPER $USBSTICK_MOUNT_DIR | |
| #use same config for the usb stick | |
| ln -s ~/.gnupg/gpg.conf $USBSTICK_MOUNT_DIR/gpg.conf | |
| #create master keypair | |
| $GPG2_USB --expert --full-gen-key | |
| #Please select what kind of key you want: | |
| # (1) RSA and RSA (default) | |
| # (2) DSA and Elgamal | |
| # (3) DSA (sign only) | |
| # (4) RSA (sign only) | |
| # (7) DSA (set your own capabilities) | |
| # (8) RSA (set your own capabilities) | |
| # (9) ECC and ECC | |
| # (10) ECC (sign only) | |
| # (11) ECC (set your own capabilities) | |
| #Your selection? 8 | |
| # | |
| #Possible actions for a RSA key: Sign Certify Encrypt Authenticate | |
| #Current allowed actions: Sign Certify Encrypt | |
| # | |
| # (S) Toggle the sign capability | |
| # (E) Toggle the encrypt capability | |
| # (A) Toggle the authenticate capability | |
| # (Q) Finished | |
| # | |
| #Your selection? S | |
| # | |
| #Possible actions for a RSA key: Sign Certify Encrypt Authenticate | |
| #Current allowed actions: Certify Encrypt | |
| # | |
| # (S) Toggle the sign capability | |
| # (E) Toggle the encrypt capability | |
| # (A) Toggle the authenticate capability | |
| # (Q) Finished | |
| # | |
| #Your selection? E | |
| # | |
| #Possible actions for a RSA key: Sign Certify Encrypt Authenticate | |
| #Current allowed actions: Certify | |
| # | |
| # (S) Toggle the sign capability | |
| # (E) Toggle the encrypt capability | |
| # (A) Toggle the authenticate capability | |
| # (Q) Finished | |
| # | |
| #Your selection? Q | |
| #RSA keys may be between 1024 and 4096 bits long. | |
| #What keysize do you want? (2048) 4096 | |
| #Requested keysize is 4096 bits | |
| #Please specify how long the key should be valid. | |
| # 0 = key does not expire | |
| # <n> = key expires in n days | |
| # <n>w = key expires in n weeks | |
| # <n>m = key expires in n months | |
| # <n>y = key expires in n years | |
| #Key is valid for? (0) 2y | |
| #Key expires at Mo 09 Jan 2017 11:59:11 CET | |
| #Is this correct? (y/N) y | |
| # | |
| #GnuPG needs to construct a user ID to identify your key. | |
| # | |
| #Real name: real name | |
| #Email address: email@example.com | |
| #Comment: | |
| #You selected this USER-ID: | |
| # "Real Name <email@example.com>" | |
| # | |
| #Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O | |
| #We need to generate a lot of random bytes. It is a good idea to perform | |
| #some other action (type on the keyboard, move the mouse, utilize the | |
| #disks) during the prime generation; this gives the random number | |
| #generator a better chance to gain enough entropy. | |
| # ... | |
| # | |
| #gpg: checking the trustdb | |
| #gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model | |
| #gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u | |
| #gpg: next trustdb check due at 2017-01-09 | |
| #pub rsa4096/0x945275BA406CC0E0 2015-01-10 [expires: 2017-01-09] | |
| # Key fingerprint = F244 654F A960 FA67 3964 C9BF 9452 75BA 406C C0E0 | |
| #uid [ultimate] real name <email@example.com> | |
| KYID=0x945275BA406CC0E0 | |
| $GPG2_USB --expert --edit $KEYID | |
| #gpg> addkey | |
| #Please select what kind of key you want: | |
| # (3) DSA (sign only) | |
| # (4) RSA (sign only) | |
| # (5) Elgamal (encrypt only) | |
| # (6) RSA (encrypt only) | |
| # (7) DSA (set your own capabilities) | |
| # (8) RSA (set your own capabilities) | |
| # (10) ECC (sign only) | |
| # (11) ECC (set your own capabilities) | |
| # (12) ECC (encrypt only) | |
| # (13) Existing key | |
| #Your selection? 8 | |
| # | |
| #Possible actions for a RSA key: Sign Encrypt Authenticate | |
| #Current allowed actions: Sign Encrypt | |
| # | |
| # (S) Toggle the sign capability | |
| # (E) Toggle the encrypt capability | |
| # (A) Toggle the authenticate capability | |
| # (Q) Finished | |
| # | |
| #Your selection? Q | |
| #RSA keys may be between 1024 and 4096 bits long. | |
| #What keysize do you want? (2048) 4096 | |
| #Requested keysize is 4096 bits | |
| #Please specify how long the key should be valid. | |
| # 0 = key does not expire | |
| # <n> = key expires in n days | |
| # <n>w = key expires in n weeks | |
| # <n>m = key expires in n months | |
| # <n>y = key expires in n years | |
| #Key is valid for? (0) 2y | |
| #Key expires at Mo 09 Jan 2017 12:44:30 CET | |
| #Is this correct? (y/N) y | |
| #Really create? (y/N) y | |
| #We need to generate a lot of random bytes. It is a good idea to perform | |
| #some other action (type on the keyboard, move the mouse, utilize the | |
| #disks) during the prime generation; this gives the random number | |
| #generator a better chance to gain enough entropy. | |
| # ... | |
| # | |
| #pub rsa4096/0x945275BA406CC0E0 | |
| # created: 2015-01-10 expires: 2017-01-09 usage: C | |
| # trust: ultimate validity: ultimate | |
| #sub rsa4096/0x8B1F6EF779842575 | |
| # created: 2015-01-10 expires: 2017-01-09 usage: SE | |
| #[ultimate] (1). real name <email@example.com> | |
| #gpg> save | |
| #copy laptop keypair | |
| $GPG2_USB --armor --export-secret-subkeys $KEYID | $GBG2_LOCAL --import | |
| #umount cryptostick | |
| sudo umount /dev/mapper/$USBSTICK_MAPPER | |
| sudo cryptsetup luksClose $USBSTICK_MAPPER | |
| #reset environment | |
| killall gpg-agent | |
| #verify | |
| $GPG2_LOCAL -K $KEYID | |
| #sec# ... //# is important, indicats missing master secret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment