Mar 26th, 2018
GPG Cheat Sheet
---------------

Generate a new key
==================

.. code-block::

    $ gpg --gen-key
    Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    Your selection? 1
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    Please specify how long the key should be valid.
    0 = key does not expire
    <n> = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correct? (y/N) y

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

    Real name: Alice Doe
    Email address: alice.doe@gmail.com
    Comment: Alice's key
    You selected this USER-ID:
    "Alice Doe (Alice's key) <alice.doe@gmail.com>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.

    gpg: key 0F7AA11C marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub 4096R/0F7AA11C 2018-03-18
    Key fingerprint = EAF1 C5CF 4A61 7FFB E551 D8BA 28FD 8A49 0F7A A11C
    uid Alice Doe (Alice's key) <alice.doe@gmail.com>
    sub 4096R/8F2A5CE4 2018-03-18

:Key type:
    RSA and RSA: a master RSA key for signing and certifying, plus an RSA subkey for encryption.
:Key size:
    Unless there is a good reason not to, choose 4096.
:Key validity:
    0 (does not expire). A master key usually does not expire. An expiry date can always be extended later with the master secret key, so setting one (a few years, say) is a cheap safeguard for the case where both the master key and its revocation certificate are lost.
:Real name, email address:
    Use real values here: they are the primary identifying information of the key, and they are what other people certify when they sign it.

List keys
=========

List public keys
~~~~~~~~~~~~~~~~

.. code-block::

    $ gpg -k
    pub 4096R/0F7AA11C 2018-03-18
    uid Alice Doe (Alice's key) <alice.doe@gmail.com>
    sub 4096R/8F2A5CE4 2018-03-18

:pub:
    Master public key
:uid:
    User ID
:sub:
    Subordinate public key (subkey)
:4096:
    Key length in bits
:R:
    Key algorithm, R is for RSA
:0F7AA11C:
    Short key ID, i.e. the last 8 hex digits of the fingerprint. Short IDs are cheap to collide, so whenever it matters (fetching a key, telling someone which key is yours) use the full fingerprint shown at key creation instead.
:2018-03-18:
    Date of creation

List private keys
~~~~~~~~~~~~~~~~~

.. code-block::

    $ gpg -K
    sec 4096R/0F7AA11C 2018-03-18
    uid Alice Doe (Alice's key) <alice.doe@gmail.com>
    ssb 4096R/8F2A5CE4 2018-03-18

:sec:
    Secret master key
:ssb:
    Secret subordinate key

Show key roles
~~~~~~~~~~~~~~

.. code-block::

    $ gpg --edit-key alice
    Secret key is available.

    pub 4096R/0F7AA11C created: 2018-03-18 expires: never usage: SC
    trust: ultimate validity: ultimate
    sub 4096R/8F2A5CE4 created: 2018-03-18 expires: never usage: E
    [ultimate] (1). Alice Doe (Alice's key) <alice.doe@gmail.com>


:S:
    Key that can be used for signing messages
:C:
    Key that can be used to certify other keys
:E:
    Key that can be used for encryption
  126.  
Create a subordinate signing key
================================

A subordinate signing key lets the master secret key stay in a secure place. Without one, if my laptop is stolen, the master secret key goes with it, the only option is to revoke the whole key (see below), and the public key everyone knows can no longer be used. With a subordinate signing key, I can keep the master secret key somewhere else (printed on paper and stored in a safe, for example) and delete it from my laptop. If the laptop is stolen, only the subordinate signing key is compromised: I revoke that subkey alone and the public (master) key stays valid.

.. code-block::

    $ gpg --edit-key alice
    gpg> addkey
    (enter passphrase)
    Please select what kind of key you want:
    (3) DSA (sign only)
    (4) RSA (sign only)
    (5) Elgamal (encrypt only)
    (6) RSA (encrypt only)
    Your selection? 4
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    Please specify how long the key should be valid.
    0 = key does not expire
    <n> = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
    Key is valid for? (0) 6m
    Key expires at Fri 14 Sep 2018 10:38:09 PM +08
    Is this correct? (y/N) y
    Really create? (y/N) y

    pub 4096R/0F7AA11C created: 2018-03-18 expires: never usage: SC
    trust: ultimate validity: ultimate
    sub 4096R/8F2A5CE4 created: 2018-03-18 expires: never usage: E
    sub 4096R/BD2FD2EF created: 2018-03-18 expires: 2018-09-14 usage: S
    [ultimate] (1). Alice Doe (Alice's key) <alice.doe@gmail.com>

    gpg> save


Export keys
===========

.. code-block::

    $ gpg -a --output public.key --export alice
    $ gpg -a --output secret.master.key --export-secret-keys alice
    $ gpg -a --output secret.sub.key --export-secret-subkeys alice

The "-a" option creates an ASCII armored version of the key, i.e. the key is encoded as printable ASCII characters instead of raw binary. The armored version is useful for transmitting via email for example (public key only), or for printing the secret keys to store in a secure location. *secret.master.key* contains the master secret key together with all secret subkeys; *secret.sub.key* contains only the secret subkeys, with a stub in place of the master, and is what gets re-imported on the laptop below. Both secret exports are protected by nothing more than the key's passphrase, so treat the files as sensitive.


Generate a revocation certificate
=================================

This step **must be done** at the time of the key creation, while the master secret key is still at hand. The revocation certificate revokes the whole public key; it is the fallback for the case where the master secret key is compromised or lost. (GnuPG 2.1 and later also write one automatically at key creation, under *openpgp-revocs.d* in the GnuPG home directory.)

.. code-block::

    $ gpg --output revoke.crt --gen-revoke alice

    sec 4096R/0F7AA11C 2018-03-18 Alice Doe (Alice's key) <alice.doe@gmail.com>

    Create a revocation certificate for this key? (y/N) y
    Please select the reason for the revocation:
    0 = No reason specified
    1 = Key has been compromised
    2 = Key is superseded
    3 = Key is no longer used
    Q = Cancel
    (Probably you want to select 1 here)
    Your decision? 1
    Enter an optional description; end it with an empty line:
    > The secret master key has been compromised - the public key can't be trusted anymore
    >
    Reason for revocation: Key has been compromised
    The secret master key has been compromised - the public key can't be trusted anymore
    Is this okay? (y/N) y

    You need a passphrase to unlock the secret key for
    user: "Alice Doe (Alice's key) <alice.doe@gmail.com>"
    4096-bit RSA key, ID 0F7AA11C, created 2018-03-18

    ASCII armored output forced.
    Revocation certificate created.

    Please move it to a medium which you can hide away; if Mallory gets
    access to this certificate he can use it to make your key unusable.
    It is smart to print this certificate and store it away, just in case
    your media become unreadable. But have some caution: The print system of
    your machine might store the data and make it available to others!

It can be a good idea to create a couple of revocation certificates, with different reasons, just in case.
The revocation certificate, as well as the secret master key, must be stored in a secure place: the certificate alone is enough to revoke the key, no passphrase required, so anyone who gets hold of it can make the key unusable.

Revoke the public key
~~~~~~~~~~~~~~~~~~~~~

This is to be used if the secret master key is compromised.

.. code-block::

    $ gpg --import revoke.crt
    $ gpg --keyserver keyserver.ubuntu.com --send-keys 0F7AA11C

It is important to send the revoked public key to the keyserver, so that other parties are aware that they should not use this key. Importing the certificate marks the key as revoked in the local keyring only; everyone else learns about it when they refresh the key from the keyserver or receive the updated public key directly. A revocation cannot be undone.

Revoke the subordinate key
~~~~~~~~~~~~~~~~~~~~~~~~~~

This is to be used if the secret subordinate key is compromised, but the master secret key is still safe.
Please make backups of the keys before attempting this (see the above section *Export keys*).

.. code-block::

    $ gpg --delete-secret-keys alice
    $ gpg --import secret.master.key
    $ gpg --edit-key alice
    Secret key is available.

    pub 4096R/0F7AA11C created: 2018-03-18 expires: never usage: SC
    trust: ultimate validity: ultimate
    sub 4096R/8F2A5CE4 created: 2018-03-18 expires: never usage: E
    sub 4096R/BD2FD2EF created: 2018-03-18 expires: 2018-09-14 usage: S
    [ultimate] (1). Alice Doe (Alice's key) <alice.doe@gmail.com>

    gpg> key 2

    pub 4096R/0F7AA11C created: 2018-03-18 expires: never usage: SC
    trust: ultimate validity: ultimate
    sub 4096R/8F2A5CE4 created: 2018-03-18 expires: never usage: E
    sub* 4096R/BD2FD2EF created: 2018-03-18 expires: 2018-09-14 usage: S
    [ultimate] (1). Alice Doe (Alice's key) <alice.doe@gmail.com>

    gpg> revkey
    Do you really want to revoke this subkey? (y/N) y
    Please select the reason for the revocation:
    0 = No reason specified
    1 = Key has been compromised
    2 = Key is superseded
    3 = Key is no longer used
    Q = Cancel
    Your decision? 1
    Enter an optional description; end it with an empty line:
    > Key has been compromised - please do not trust messages signed with it
    >
    Reason for revocation: Key has been compromised
    Key has been compromised - please do not trust messages signed with it
    Is this okay? (y/N) y

    You need a passphrase to unlock the secret key for
    user: "Alice Doe (Alice's key) <alice.doe@gmail.com>"
    4096-bit RSA key, ID 0F7AA11C, created 2018-03-18


    pub 4096R/0F7AA11C created: 2018-03-18 expires: never usage: SC
    trust: ultimate validity: ultimate
    sub 4096R/8F2A5CE4 created: 2018-03-18 expires: never usage: E
    This key was revoked on 2018-03-18 by RSA key 0F7AA11C Alice Doe (Alice's key) <alice.doe@gmail.com>
    sub 4096R/BD2FD2EF created: 2018-03-18 revoked: 2018-03-18 usage: S
    [ultimate] (1). Alice Doe (Alice's key) <alice.doe@gmail.com>

    gpg> save

    $ gpg --keyserver keyserver.ubuntu.com --send-keys 0F7AA11C

It is assumed that the master secret key is not in the keyring (see the next section), so the secret key has to be deleted as a whole and re-imported from the exported master secret key: only the master key can revoke a subkey. Once the revocation is saved and published, remove the master secret key from the device again, as described below.

Remove the master secret key from the device
============================================

**WARNING:** the secret master key must have been exported first, and stored somewhere else, otherwise it is permanently lost.
It is assumed that the keys have been exported to disk, as described in the *Export keys* section above.

The complete secret key must be deleted, and the subkeys re-imported.

.. code-block::

    $ gpg -K

    sec 4096R/0F7AA11C 2018-03-18
    uid Alice Doe (Alice's key) <alice.doe@gmail.com>
    ssb 4096R/8F2A5CE4 2018-03-18
    ssb 4096R/BD2FD2EF 2018-03-18

    $ gpg --delete-secret-keys alice

    sec 4096R/0F7AA11C 2018-03-18 Alice Doe (Alice's key) <alice.doe@gmail.com>

    Delete this key from the keyring? (y/N) y
    This is a secret key! - really delete? (y/N) y

    $ gpg --import secret.sub.key
    gpg: key 0F7AA11C: secret key imported
    gpg: key 0F7AA11C: "Alice Doe (Alice's key) <alice.doe@gmail.com>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    gpg: secret keys read: 1
    gpg: secret keys imported: 1

    $ gpg -K

    sec# 4096R/0F7AA11C 2018-03-18
    uid Alice Doe (Alice's key) <alice.doe@gmail.com>
    ssb 4096R/8F2A5CE4 2018-03-18
    ssb 4096R/BD2FD2EF 2018-03-18

    $ rm secret.master.key secret.sub.key

The # in *sec#* indicates that the master secret key is not present on the device. The subkeys still are, so signing and decrypting keep working; certifying other keys, adding or revoking subkeys and extending expiry dates need the exported master key.

Please note that *rm* is not a secure way to delete a file; look at *shred* or *wipe* for better ideas on how to securely delete a file. Even those give no guarantee on SSDs, on journaling or copy-on-write filesystems, or where backups and snapshots exist, so the safer habit is to never write the exported master key to the laptop's own disk at all: export it straight to removable, encrypted media.

Encrypt and sign a message
==========================

.. code-block::

    $ echo "The bad guys are not nesessarily the ones we are told they are" | gpg --output message.asc -a -e -s -u alice -r guillaume


:--output message.asc:
    The encrypted message is stored in a file named "message.asc"
:-a:
    ASCII armor of the encrypted message, useful for sending over a text based channel (e.g. email)
:-e:
    Tell gpg to encrypt
:-s -u alice:
    Tell gpg to sign the message (-s), and to use Alice's secret key for that (-u alice)
:-r guillaume:
    The recipient of the message. Only this recipient can decrypt the message, with their secret key. Multiple recipients can be specified. In this example, Alice is not able to decrypt the message, even though she encrypted it (unless *encrypt-to* or *default-recipient-self* is set in her gpg.conf, which silently adds her own key as a recipient). This can be useful: if she is pressured or tortured to decrypt the message, there is no way for her to do it.

Decrypt a message
=================

This is assuming it is run on Guillaume's machine, with his secret key available.

.. code-block::

    $ gpg -d message.asc

    You need a passphrase to unlock the secret key for
    user: "Guillaume Humbert <guillaume.humbert.jp@gmail.com>"
    4096-bit RSA key, ID 40C17670, created 2018-02-25 (main key ID EBC7B065)

    gpg: encrypted with 4096-bit RSA key, ID 40C17670, created 2018-02-25
    "Guillaume Humbert <guillaume.humbert.jp@gmail.com>"
    The bad guys are not nesessarily the ones we are told they are
    gpg: Signature made Sun 18 Mar 2018 11:15:41 PM +08 using RSA key ID BD2FD2EF
    gpg: Good signature from "Alice Doe (Alice's key) <alice.doe@gmail.com>"

Decrypting will also verify the signature. "Good signature" only means that the signature matches Alice's public key as stored in Guillaume's keyring; whether that key really belongs to Alice is a separate question, and gpg warns "This key is not certified with a trusted signature!" as long as her key has not been verified and signed (or given owner trust) locally.
  378.  
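The sections from *Create a subordinate signing key* to *Decrypt a message* are one procedure. The script below is an added example, not code from the original cheat sheet: it runs that procedure unattended in throwaway GnuPG home directories, so it can be tried without touching a real keyring, and then checks the two properties the page relies on: the master shows up as a stub (``sec#``) while signing still works from the subkey, and Alice cannot decrypt a message she encrypted to Guillaume only. It assumes GnuPG 2.1 or later (for the ``--quick-*`` commands and ``--status-file``); the user IDs and *example.invalid* addresses are made up. The empty passphrase and ``--trust-model always`` are there only to keep the demo non-interactive: a real key gets its passphrase through pinentry, and a correspondent's key is trusted by checking and signing its fingerprint, not by a command-line switch.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: the "master key off the
# laptop" procedure run end to end in temporary GnuPG homes (GnuPG 2.1+).

offline_master_demo() {
    algo="${1:-rsa4096}"   # the page recommends 4096-bit RSA; rsa2048 for a quick run
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    work="$(mktemp -d)"; alice="$work/alice"; guil="$work/guillaume"
    mkdir -m 700 "$alice" "$guil"

    # g HOMEDIR args...: gpg in batch mode against one of the demo homes.
    # Demo-only: empty passphrase via loopback pinentry, stderr to a log file.
    g() { h="$1"; shift
          gpg --homedir "$h" --batch --yes --pinentry-mode loopback --passphrase '' "$@" 2>>"$work/gpg.log"; }
    # Fingerprint of the first secret primary key in a home (fpr record after sec).
    fpr_of() { g "$1" --with-colons -K | awk -F: '$1 == "sec" { p = 1 } p && $1 == "fpr" { print $10; exit }'; }

    # 1. Alice: certify-only master that never expires, then an encryption
    #    subkey and a signing subkey valid for 6 months, as on this page.
    g "$alice" --quick-generate-key 'Alice Doe (demo) <alice.doe@example.invalid>' "$algo" cert never
    afpr="$(fpr_of "$alice")"
    g "$alice" --quick-add-key "$afpr" "$algo" encr never
    g "$alice" --quick-add-key "$afpr" "$algo" sign 6m

    # 2. Export everything (the master export is what goes into the safe),
    #    then delete the whole secret key and re-import only the subkeys.
    g "$alice" --armor --export "$afpr"                > "$work/public.key"
    g "$alice" --armor --export-secret-keys "$afpr"    > "$work/secret.master.key"
    g "$alice" --armor --export-secret-subkeys "$afpr" > "$work/secret.sub.key"
    g "$alice" --delete-secret-keys "$afpr"
    g "$alice" --import "$work/secret.sub.key"
    # Field 15 of the sec record: '#' means stub only, what `gpg -K` shows as sec#.
    master="$(g "$alice" --with-colons -K | awk -F: '$1 == "sec" { print $15; exit }')"

    # 3. Guillaume: ordinary key (sign+cert primary plus encryption subkey).
    #    The two parties exchange public keys only.
    g "$guil" --quick-generate-key 'Guillaume (demo) <guillaume@example.invalid>' "$algo" sign never
    gfpr="$(fpr_of "$guil")"
    g "$guil" --quick-add-key "$gfpr" "$algo" encr never
    g "$guil"  --export "$gfpr" | g "$alice" --import
    g "$alice" --export "$afpr" | g "$guil"  --import

    # 4. On the stubbed laptop keyring Alice still signs (with the subkey) and
    #    encrypts, but, not being a recipient, she cannot decrypt her own message.
    printf 'The bad guys are not necessarily the ones we are told they are\n' > "$work/msg.txt"
    g "$alice" --trust-model always -a -e -s -u "$afpr" -r "$gfpr" \
        --output "$work/message.asc" "$work/msg.txt"
    alice_dec="$(g "$alice" --status-fd 1 -d "$work/message.asc" \
        | awk '$2 == "NO_SECKEY" { print $2; exit }')"

    # 5. Guillaume decrypts: the signature is good, but Alice's key is not
    #    certified in his keyring, so the trust status is TRUST_UNDEFINED.
    #    "Good signature" alone says nothing about who owns the key.
    g "$guil" --status-file "$work/status.txt" --output "$work/plain.txt" -d "$work/message.asc"
    sig="$(awk '$2 == "GOODSIG" { print $2; exit }' "$work/status.txt")"
    trust="$(awk '$2 ~ /^TRUST_/ { print $2; exit }' "$work/status.txt")"

    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$guil"  --kill gpg-agent 2>/dev/null || true
    echo "demo files left in $work" >&2
    echo "master=${master:-?} alice_decrypt=${alice_dec:-decrypted} sig=${sig:-NONE} trust=${trust:-NONE}"
}

# Run directly with:  RUN_DEMO=1 sh offline-master.sh [rsa2048]
if [ "${RUN_DEMO:-0}" = 1 ]; then offline_master_demo "$@"; fi
```

A successful run prints ``master=# alice_decrypt=NO_SECKEY sig=GOODSIG trust=TRUST_UNDEFINED``. The status lines (``--status-fd`` / ``--status-file``) are the right thing to check in scripts, not the human-readable "Good signature" text, which is translated and changes between versions.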
Send public key to a key server
===============================

.. code-block::

    $ gpg --keyserver keyserver.ubuntu.com --send-keys 0F7AA11C

There is generally no need to send the key to many key servers: servers that take part in the SKS-style gossip mirror each other, and keys are automatically propagated. Not every keyserver does, so send the key to the one your correspondents actually use, and re-send it after every change (new subkey, revocation, extended expiry), otherwise nobody sees the update.

Receive public key from a key server
====================================

.. code-block::

    $ gpg --keyserver serverurl --recv-keys EBC7B065

Anyone can upload a key with any name to a keyserver, so fetch by full fingerprint rather than short key ID where possible, and compare the fingerprint of the received key with one obtained out of band (in person, on a business card) before signing or trusting it.