@woods
Last active March 12, 2024 12:00
Creating gpg keys non-interactively
Key-Type: 1
Key-Length: 2048
Subkey-Type: 1
Subkey-Length: 2048
Name-Real: Root Superuser
Name-Email: root@handbook.westarete.com
Expire-Date: 0
# Generate the key
gpg --batch --gen-key gen-key-script
@woods
Author

woods commented Feb 13, 2014

Here's a page that describes the options for the gen-key script: http://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html

@woods
Author

woods commented Feb 13, 2014

Originally I had a couple extra steps to use rng-tools to seed entropy from /dev/urandom. Apparently this is a bad idea because it will just feed bytes regardless of whether there's enough entropy. Here's where I got the original idea, and the subsequent discussion of why it's bad.

For new machines, we should generate the keys on our laptops where there's much more entropy to draw from, and then transfer them to the new server, just like we're currently doing with the encrypted data bag secret.

@terceranexus6

This is awesome, thank you.

@bob5ec

bob5ec commented Jan 23, 2019

I configured libvirt to use /dev/urandom of the host: https://libvirt.org/formatdomain.html#elementsRng
That way keys generated within the VM should be ok.

@aristofanischionis

aristofanischionis commented Apr 9, 2019

Thanks, that was really helpful.
I got what I needed from: https://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html

@forty

forty commented Oct 22, 2020

without creating an actual file:

gpg --batch --gen-key <<EOF
Key-Type: 1
Key-Length: 2048
Subkey-Type: 1
Subkey-Length: 2048
Name-Real: Root Superuser
Name-Email: root@handbook.westarete.com
Expire-Date: 0
EOF

@guillaume130679

I am getting the following error when running the script:
gpg: agent_genkey failed: No pinentry
gpg: key generation failed: No pinentry

@woods
Author

woods commented Nov 11, 2020 via email

@guillaume130679 https://www.google.com/search?q=gpg%3A+agent_genkey+failed%3A+No+pinentry

@guillaume130679

This was more of an FYI note, I found how to resolve the issue https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html

Not sure what is different, but the code given on that page worked :)

@eexit

eexit commented Jan 27, 2022

Add %no-protection if you need to generate passwordless keys. This also prevents the pinentry from popping up.

@muink

muink commented Feb 27, 2023

Using process substitution can support indentation:

gpg --full-gen-key --batch <(echo "Key-Type: 1"; \
                             echo "Key-Length: 4096"; \
                             echo "Subkey-Type: 1"; \
                             echo "Subkey-Length: 4096"; \
                             echo "Expire-Date: 0"; \
                             echo "Name-Real: Root Superuser"; \
                             echo "Name-Email: root@handbook.westarete.com"; \
                             echo "%no-protection"; )
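Putting the gist's parameter block and the %no-protection / pinentry point from the comments together, here is an added example (not code from the gist or its commenters) that builds the block, runs it in a throwaway GNUPGHOME so the caller's keyring is untouched, and reads the resulting fingerprint back. The function names gen_key_params and gen_key_unattended are my own; it assumes gpg 2.x (with gpgconf) is installed.

```shell
#!/bin/sh
# Added example, not part of the gist. Builds the batch parameters from the
# gist and runs them in an isolated GNUPGHOME.

# gen_key_params NAME EMAIL [LENGTH] [EXPIRE]
# Prints the parameter block on stdout. Defaults match the gist (RSA, 2048,
# no expiry). %no-protection means no passphrase, so pinentry is never
# invoked; %commit ends the block explicitly.
gen_key_params() {
    name=$1; email=$2; length=${3:-2048}; expire=${4:-0}
    printf '%s\n' \
        "Key-Type: 1" \
        "Key-Length: $length" \
        "Subkey-Type: 1" \
        "Subkey-Length: $length" \
        "Name-Real: $name" \
        "Name-Email: $email" \
        "Expire-Date: $expire" \
        "%no-protection" \
        "%commit"
}

# gen_key_unattended NAME EMAIL [LENGTH] [EXPIRE]
# Generates the key in a fresh mode-0700 GNUPGHOME (the key has no passphrase,
# so directory permissions are its only protection), prints the primary key
# fingerprint (40 hex chars) on stdout and the GNUPGHOME path on stderr so the
# caller can export or delete the key afterwards.
gen_key_unattended() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    # With no filename, gpg reads the parameter block from stdin.
    gen_key_params "$@" | GNUPGHOME=$home gpg --batch --quiet --gen-key \
        >/dev/null 2>&1 || return 1
    # --with-colons is the stable machine-readable format; field 10 of the
    # first "fpr" record is the primary key fingerprint.
    GNUPGHOME=$home gpg --batch --list-secret-keys --with-colons 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
    # Do not leave an agent running for a directory that may be deleted.
    GNUPGHOME=$home gpgconf --kill gpg-agent 2>/dev/null || true
    echo "GNUPGHOME=$home" >&2
}
```

Usage: `fp=$(gen_key_unattended "Root Superuser" "root@handbook.westarete.com")`, then export with `GNUPGHOME=... gpg --armor --export "$fp"` before removing the directory.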
