crypto:gnupg
crypto:gnupg [2018-12-11 02:01] – moar spaces! gabriel
crypto:gnupg [2018-12-20 00:48] (current) – a good article on managing subkeys gabriel
Line 1: Line 1:
 ====== GnuPG Notes and Best Practices ====== ====== GnuPG Notes and Best Practices ======
 +
 +Create a strong 4096-bit RSA key. In the future when a more modern elliptic curve key is standard for OpenPGP.  These instructions largely follow 
 +
 +<code sh>
 +sguy@helium:~$ gpg --full-gen-key
 +gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
 +This is free software: you are free to change and redistribute it.
 +There is NO WARRANTY, to the extent permitted by law.
 +
 +gpg: directory '/home/sguy/.gnupg' created
 +gpg: keybox '/home/sguy/.gnupg/pubring.kbx' created
 +Please select what kind of key you want:
 +   (1) RSA and RSA (default)
 +   (2) DSA and Elgamal
 +   (3) DSA (sign only)
 +   (4) RSA (sign only)
 +Your selection? 1
 +RSA keys may be between 1024 and 4096 bits long.
 +What keysize do you want? (3072) 4096
 +Requested keysize is 4096 bits
 +Please specify how long the key should be valid.
 +         0 = key does not expire
 +      <n>  = key expires in n days
 +      <n>w = key expires in n weeks
 +      <n>m = key expires in n months
 +      <n>y = key expires in n years
 +Key is valid for? (0) 2y
 +Key expires at Fri Dec 18 23:35:04 2020 EST
 +Is this correct? (y/N) y
 +
 +GnuPG needs to construct a user ID to identify your key.
 +
 +Real name: Some Guy
 +Email address: sguy@quay.net
 +Comment: 
 +You selected this USER-ID:
 +    "Some Guy <sguy@quay.net>"
 +
 +Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
 +We need to generate a lot of random bytes. It is a good idea to perform
 +some other action (type on the keyboard, move the mouse, utilize the
 +disks) during the prime generation; this gives the random number
 +generator a better chance to gain enough entropy.
 +We need to generate a lot of random bytes. It is a good idea to perform
 +some other action (type on the keyboard, move the mouse, utilize the
 +disks) during the prime generation; this gives the random number
 +generator a better chance to gain enough entropy.
 +gpg: /home/sguy/.gnupg/trustdb.gpg: trustdb created
 +gpg: key FEDCBA0987654321 marked as ultimately trusted
 +gpg: directory '/home/sguy/.gnupg/openpgp-revocs.d' created
 +gpg: revocation certificate stored as '/home/sguy/.gnupg/openpgp-revocs.d/1234567890ABCDEF111000FEDCBA0987654321.rev'
 +public and secret key created and signed.
 +
 +pub   rsa4096 2018-12-20 [SC] [expires: 2020-12-19]
 +      1234567890ABCDEF111000FEDCBA0987654321
 +uid                      Some Guy <sguy@quay.net>
 +sub   rsa4096 2018-12-20 [E] [expires: 2020-12-19]
 +
 +
 +sguy@helium:~/.gnupg$ cat gpg.conf 
 +keyid-format 0xlong
 +cert-digest-algo SHA512
 +default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
 +
 +
 +sguy@helium:~$ gpg --edit-key sguy@quay.net
 +gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
 +This is free software: you are free to change and redistribute it.
 +There is NO WARRANTY, to the extent permitted by law.
 +
 +Secret key is available.
 +
 +gpg: checking the trustdb
 +gpg: marginals needed: 3  completes needed: 1  trust model: pgp
 +gpg: depth: 0  valid:    signed:    trust: 0-, 0q, 0n, 0m, 0f, 1u
 +gpg: next trustdb check due at 2020-12-19
 +sec  rsa4096/0xFEDCBA0987654321
 +     created: 2018-12-20  expires: 2020-12-19  usage: SC  
 +     trust: ultimate      validity: ultimate
 +ssb  rsa4096/0xFEDCBA0987654322
 +     created: 2018-12-20  expires: 2020-12-19  usage: E   
 +[ultimate] (1). Some Guy <sguy@quay.net>
 +
 +gpg> addkey
 +Please select what kind of key you want:
 +   (3) DSA (sign only)
 +   (4) RSA (sign only)
 +   (5) Elgamal (encrypt only)
 +   (6) RSA (encrypt only)
 +Your selection? 4
 +RSA keys may be between 1024 and 4096 bits long.
 +What keysize do you want? (3072) 4096
 +Requested keysize is 4096 bits
 +Please specify how long the key should be valid.
 +         0 = key does not expire
 +      <n>  = key expires in n days
 +      <n>w = key expires in n weeks
 +      <n>m = key expires in n months
 +      <n>y = key expires in n years
 +Key is valid for? (0) 23m
 +Key expires at Sun Nov  8 23:50:18 2020 EST
 +Is this correct? (y/N) y
 +Really create? (y/N) y
 +We need to generate a lot of random bytes. It is a good idea to perform
 +some other action (type on the keyboard, move the mouse, utilize the
 +disks) during the prime generation; this gives the random number
 +generator a better chance to gain enough entropy.
 +
 +sec  rsa4096/0xFEDCBA0987654321
 +     created: 2018-12-20  expires: 2020-12-19  usage: SC  
 +     trust: ultimate      validity: ultimate
 +ssb  rsa4096/0xFEDCBA0987654322
 +     created: 2018-12-20  expires: 2020-12-19  usage: E   
 +ssb  rsa4096/0xFEDCBA0987654323
 +     created: 2018-12-20  expires: 2020-11-09  usage: S   
 +[ultimate] (1). Some Guy <sguy@quay.net>
 +
 +gpg> save
 +
 +</code>
 +
 +===== Reference =====
  
   * https://riseup.net/en/security/message-security/openpgp/best-practices   * https://riseup.net/en/security/message-security/openpgp/best-practices
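Review bot: the gpg.conf block (keyid-format 0xlong, cert-digest-algo SHA512, default-preference-list ...) is shown after the `gpg --full-gen-key` transcript, which is the wrong order for the two settings that matter here: default-preference-list is consulted when the key is created and cert-digest-algo when certifications (including the self-signatures made during generation) are produced, so a key generated before the file exists carries GnuPG's defaults. Move the `cat gpg.conf` listing ahead of the key-generation step, or add a sentence saying that an existing key needs `setpref` followed by `save` inside `gpg --edit-key` to rewrite its preferences. Two documentation gaps in the same hunk: the opening paragraph ends with "These instructions largely follow " and never names what it follows, and its second sentence ("In the future when a more modern elliptic curve key is standard for OpenPGP.") has no main clause; and the `addkey` step adds a 4096-bit [S] subkey to a primary key that already has usage SC without saying why, so one sentence on the intent (and what is done with the primary key afterwards, which is the subject of the subkey article added to the reference list) would make the "best practices" heading earn its name.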
Line 5: Line 127:
   * https://liquidat.wordpress.com/2013/05/07/howto-changing-the-expiry-date-of-gpg-keys/   * https://liquidat.wordpress.com/2013/05/07/howto-changing-the-expiry-date-of-gpg-keys/
   * https://alexcabal.com/creating-the-perfect-gpg-keypair   * https://alexcabal.com/creating-the-perfect-gpg-keypair
 +  * http://www.connexer.com/articles/openpgp-subkeys
  
crypto/gnupg.1544511714.txt.gz · Last modified: 2018-12-11 02:01 by gabriel