brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added script to automatically generate basic keys, updated the KB

Browse Source
This commit is contained in:
Michele Cereda
2022-09-22 11:50:36 +02:00
parent 7a58e5d47f
commit 588a148897
2 changed files with 81 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
knowledge base/gpg.md
View File

@@ -5,7 +5,7 @@
```sh ```sh
# List existing keys. # List existing keys.
gpg --list-keys gpg --list-keys
gpg --list-keys --keyid-format short gpg --list-keys --keyid-format 'short'
gpg --list-secret-keys --with-keygrip gpg --list-secret-keys --with-keygrip
# Generate a new key. # Generate a new key.
@@ -23,66 +23,67 @@ EOF
# Delete a key from the keyring. # Delete a key from the keyring.
# The non-interactive (--batch) option requires the key fingerprint. # The non-interactive (--batch) option requires the key fingerprint.
gpg --delete-secret-key recipient gpg --delete-secret-key 'recipient'
gpg --delete-key recipient gpg --delete-key 'recipient'
gpg --delete-keys --batch fingerprint gpg --delete-keys --batch 'key_fingerprint'
# Get a key's fingerprint information. # Get a key's fingerprint information.
gpg --fingerprint gpg --fingerprint
gpg --fingerprint recipient gpg --fingerprint 'recipient'
# Encrypt files. # Encrypt files.
gpg -e -o file.out.gpg -r recipient file.in gpg -e -o 'file.out.gpg' -r 'recipient' 'file.in'
gpg --encrypt -o file.out.gpg -u sender -r recipient file.in gpg --encrypt -o 'file.out.gpg' -u 'sender' -r 'recipient' 'file.in'
gpg --encrypt-files --batch -r recipient file.in.1 file.in.N gpg --encrypt-files --batch -r 'recipient' 'file.in.1' 'file.in.N'
gpg -e --multifile --batch -r recipient --yes file.in.1 file.in.N gpg -e --multifile --batch -r 'recipient' --yes 'file.in.1' 'file.in.N'
# Decrypt files. # Decrypt files.
gpg -d -o file.out file.in.gpg gpg -d -o 'file.out' 'file.in.gpg'
gpg --decrypt-files --batch file.in.gpg.1 file.in.gpg.N gpg --decrypt-files --batch 'file.in.gpg.1' 'file.in.gpg.N'
gpg -d --multifile --batch --yes file.in.gpg.1 file.in.gpg.N gpg -d --multifile --batch --yes 'file.in.gpg.1' 'file.in.gpg.N'
# Import keys from a file. # Import keys from a file.
gpg --import keys.asc gpg --import 'keys.asc'
# Export keys to a file. # Export keys to a file.
gpg --armor --export > all.public-keys.asc gpg --armor --export > 'all.public-keys.asc'
gpg --armor --export recipient > recipient.public-keys.asc gpg --armor --export recipient > 'recipient.public-keys.asc'
gpg --armor --export-secret-keys > all.private-keys.asc gpg --armor --export-secret-keys > 'all.private-keys.asc'
gpg --armor --export-secret-keys recipient > recipient.private-keys.asc gpg --armor --export-secret-keys recipient > 'recipient.private-keys.asc'
# Generate a revoke certificate. # Generate a revoke certificate.
gpg --gen-revoke gpg --gen-revoke
# Get the short ID of the signing key only for a user. # Get the short ID of the signing key only for a user.
# Primarily usable for git's signingKey configuration. # Primarily usable for git's signingKey configuration.
gpg --list-keys --keyid-format short recipient \ gpg --list-keys --keyid-format 'short' 'recipient' \
| grep --extended-regexp '^pub[[:blank:]]+[[:alnum:]]+/[[:alnum:]]+[[:blank:]].*\[[[:upper:]]*S[[:upper:]]*\]' \ | grep --extended-regexp '^pub[[:blank:]]+[[:alnum:]]+/[[:alnum:]]+[[:blank:]].*\[[[:upper:]]*S[[:upper:]]*\]' \
| awk '{print $2}' \ | awk '{print $2}' \
| cut -d '/' -f 2 | cut -d '/' -f 2
# Install on Mac OS X. # Install on Mac OS X.
# Choose one. # Choose one.
brew install --cask gpg-suite-no-mail brew install --cask 'gpg-suite-no-mail'
brew install gnupg brew install 'gnupg'
``` ```
## Encryption ## Encryption
```sh ```sh
# Single file. # Single file.
gpg --output $DB.key.gpg --encrypt --recipient $RECIPIENT $DB.key gpg --output 'file.out.gpg' --encrypt --recipient 'recipient' 'file.in'
gpg --armor --symmetric --output 'file.out.gpg' 'file.in'
# All files found. # All files found.
find . -type f -name secret.txt \ find . -type 'f' -name 'secret.txt' \
-exec gpg --batch --yes --encrypt-files --recipient $RECIPIENT {} ';' -exec gpg --batch --yes --encrypt-files --recipient 'recipient' {} ';'
``` ```
## Decryption ## Decryption
```sh ```sh
# Single file. # Single file.
gpg --output $DB.key --decrypt $DB.key.gpg gpg --output 'file.out' --decrypt 'file.in.gpg'
# All files found. # All files found.
find . -type f -name "*.gpg" -exec gpg --decrypt-files {} + find . -type f -name "*.gpg" -exec gpg --decrypt-files {} +
@@ -95,33 +96,42 @@ The second command will create the decrypted version of all files in the same di
As the original user, export all public keys to a base64-encoded text file and create an encrypted version of that file: As the original user, export all public keys to a base64-encoded text file and create an encrypted version of that file:
```sh ```sh
gpg --armor --export > mypubkeys.asc # Export.
gpg --armor --export email > mypubkeys-email.asc gpg --armor --export > 'all.public-keys.asc'
gpg --armor --symmetric --output mysecretatedpubkeys.sec.asc mypubkeys.asc gpg --armor --export 'recipient' > 'recipient.public-keys.asc'
# Encryption.
gpg --output 'file.out.gpg' --encrypt --recipient 'recipient' 'file.in'
gpg --armor --symmetric --output 'file.out.gpg' 'file.in'
``` ```
Export all encrypted private keys (which will also include corresponding public keys) to a text file and create an encrypted version of that file: Export all encrypted private keys (which will also include corresponding public keys) to a text file and create an encrypted version of that file:
```sh ```sh
gpg --armor --export-secret-keys > myprivatekeys.asc # Export.
gpg --armor --symmetric --output mysecretatedprivatekeys.sec.asc myprivatekeys.asc gpg --armor --export-secret-keys > 'all.private-keys.asc'
gpg --armor --export-secret-keys 'recipient' > 'recipient.private-keys.asc'
# Encryption.
gpg --output 'file.out.gpg' --encrypt --recipient 'recipient' 'file.in'
gpg --armor --symmetric --output 'file.out.gpg' 'file.in'
``` ```
Optionally, export gpg's trustdb to a text file: Optionally, also export `gpg`'s trustdb to a text file:
```sh ```sh
gpg --export-ownertrust > otrust.txt gpg --export-ownertrust > 'otrust.txt'
``` ```
## Key import ## Key import
As the new user, execute `gpg --import` commands against the two `.asc` files, or the decrypted content of those files, and then check for the new keys with `gpg -k` and `gpg -K`, e.g.: As the new user execute `gpg --import` commands against the secured files, or the decrypted content of those files, and then check for the new keys with `gpg -k` and `gpg -K`, e.g.:
```sh ```sh
gpg --output myprivatekeys.asc --decrypt mysecretatedprivatekeys.sec.asc gpg --output 'myprivatekeys.asc' --decrypt 'mysecretatedprivatekeys.sec.asc' && \
gpg --import myprivatekeys.asc gpg --import 'myprivatekeys.asc'
gpg --output mypubkeys.asc --decrypt mysecretatedpubkeys.sec.asc gpg --output 'mypubkeys.asc' --decrypt 'mysecretatedpubkeys.sec.asc'
gpg --import mypubkeys.asc gpg --import 'mypubkeys.asc'
gpg --list-secret-keys gpg --list-secret-keys
gpg --list-keys gpg --list-keys
``` ```
@@ -129,13 +139,13 @@ gpg --list-keys
Optionally import the trustdb file as well: Optionally import the trustdb file as well:
```sh ```sh
gpg --import-ownertrust otrust.txt gpg --import-ownertrust 'otrust.txt'
``` ```
## Key trust ## Key trust
```sh ```sh
$ gpg --edit-key fingerprint $ gpg --edit-key 'key_fingerprint'
gpg> trust gpg> trust
gpg> quit gpg> quit
``` ```
@@ -164,7 +174,7 @@ EOF
## Change a key's password ## Change a key's password
```sh ```sh
$ gpg --edit-key fingerprint $ gpg --edit-key 'key_fingerprint'
gpg> passwd gpg> passwd
gpg> quit gpg> quit
``` ```
@@ -198,7 +208,7 @@ You should already have a GPG key. If you don't, read one of the many fine tutor
You will create the subkey by editing your existing key **in expert mode** to get access to the appropriate options: You will create the subkey by editing your existing key **in expert mode** to get access to the appropriate options:
```sh ```sh
$ gpg2 --expert --edit-key fingerprint $ gpg2 --expert --edit-key 'key_fingerprint'
gpg> addkey gpg> addkey
Please select what kind of key you want: Please select what kind of key you want:
(3) DSA (sign only) (3) DSA (sign only)

31
scripts/gpg.generate-keys.bash Executable file
View File

@@ -0,0 +1,31 @@
#!/usr/bin/env bash
# Sources:
# - https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
: "${REAL_NAME:?required but not set}"
: "${PASSPHRASE:?required but not set}"
: "${KEY_TYPE:=rsa}"
: "${KEY_LENGTH:=4096}"
: "${EXPIRE_DATE:=5y}"
for EMAIL in $@
do
if gpg --list-secret-keys "$EMAIL" >/dev/null 2>&1
then
echo "gpg key for ${EMAIL} already exists" >&2
else
gpg --batch --generate-key <<-EOF
%echo generating key for $EMAIL
Key-Type: $KEY_TYPE
Key-Length: $KEY_LENGTH
Name-Real: $REAL_NAME
Name-Email: $EMAIL
Expire-Date: $EXPIRE_DATE
Passphrase: $PASSPHRASE
%commit
%echo done
EOF
fi
done