# My guide to setting up PGP/OpenPGP keys using modern methods
# Download the gpg-keygen.py Python script and run it. It's slow because it builds your GnuPG profile the correct way, gathering lots of entropy, and that is what takes the time.
$ cd ~/; wget https://raw.githubusercontent.com/object-code/gpg-keygen/master/gpg-keygen.py;
## deploy gpg using the latest Python scripting methods from gpg-keygen
$ sudo ~/gpg-keygen.py --t /root/.gnupg/whomever --step generateMasterKey \
  --master-key-length 4096 \
  --master-key-type RSA \
  --identity-email derp@gmail.com \
  --identity-comment Whatever \
  --identity-name "Bob Dobbs" \
  --master-key-expire 0
# Temporary directory for sensitive data will be '~/.gnupg/whomever'.
# Make sure you delete it using 'srm' (secure-delete) once it's not needed!
# tidy up files (the script writes into /root/.gnupg/whomever/tmp/gpg-homedir; move the keyrings into the real GnuPG home)
$ sudo mv /root/.gnupg/whomever/tmp/gpg-homedir/pubring.gpg /root/.gnupg/pubring.gpg
$ sudo mv /root/.gnupg/whomever/tmp/gpg-homedir/secring.gpg /root/.gnupg/secring.gpg
$ sudo mv /root/.gnupg/whomever/tmp/gpg-homedir/gpg.conf /root/.gnupg/gpg.conf
$ sudo mv /root/.gnupg/whomever/tmp/gpg-homedir/trustdb.gpg /root/.gnupg/trustdb.gpg
$ sudo gpg --armor --export derp@gmail.com
(armored public key block output omitted)
$ sudo gpg --interactive --edit-key derp@gmail.com
$ sudo gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/18EF8AE3 2016-02-25
uid Bob Dobbs <derp@gmail.com>
gpg> help
gpg> passwd
This key is not protected.
Enter the new passphrase for this secret key.
.... (add in the password you want)
gpg> keyserver
Enter your preferred keyserver URL: https://pgp.mit.edu/
You need a passphrase to unlock the secret key for
user: "Bob Dobbs <derp@gmail.com>"
4096-bit RSA key, ID 18EF8AE3, created 2016-02-25
gpg> addphoto
Enter JPEG filename for photo ID:
^z (suspend the gpg process, fetch the photo, then resume it)
devops.png 100%[==============>] 14.85K --.-KB/s in 0.004s
$ fg
Are you sure you want to use it? (y/N) y
gpg: no photo viewer set
gpg: unable to display photo ID!
Is this photo correct (y/N/q)? y
gpg> list
pub 4096R/18EF8AE3 created: 2016-02-25 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Bob Dobbs <derp@gmail.com>
[ unknown] (2) [jpeg image of size 15508]
gpg> export
gpg> fpr
pub 4096R/18EF8AE3 2016-02-25 "Bob Dobbs <derp@gmail.com>"
Primary key fingerprint: 50A8 A9EB F636 8DBA FC54 D208 3162 82A8 18EF 8AE3
gpg> showpref
[ultimate] (1)."Bob Dobbs <derp@gmail.com>"
Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Preferred keyserver: https://pgp.mit.edu/
gpg> quit
# optionally export your public key as an armored ASCII text blurb to put at the bottom of your emails (and log it in a file)
$ sudo gpg --export --armor derp@gmail.com >> ~/.gpgpublic
(armored public key block output omitted; it is the same block as above)
# optionally list keys
$ sudo gpg --list-keys --verbose --fingerprint >> ~/.gpgpublic
gpg: using PGP trust model
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/18EF8AE3 2016-02-25
Key fingerprint = 50A8 A9EB F636 8DBA FC54 D208 3162 82A8 18EF 8AE3
uid "Bob Dobbs <derp@gmail.com>"
# ----- NOTE: You can also choose to publish your public key on a website like https://pgp.mit.edu/
# ------ then just link to the key in the footer of your e-mails instead of publishing a long armored string
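Whether the armored block goes into an e-mail footer or onto a keyserver, the recipient should compare its fingerprint with the one `gpg --fingerprint` printed above. The following script is an added example, not part of the paste or of gpg-keygen: it dearmors an exported public key block, verifies the CRC24 checksum on the `=xxxx` line, and recomputes the RFC 4880 v4 fingerprint from the primary key packet; the key material in `sample_block()` is constructed for the demo and is not a real key.

```python
import base64, hashlib

def crc24(data):
    crc = 0xB704CE                     # RFC 4880 section 6.1 init value and polynomial
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data, kind="PUBLIC KEY BLOCK"):
    # Produce a block shaped like `gpg --armor --export` output (no Version header)
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"

def dearmor(text):
    # Strip the armor lines, skip headers such as "Version: GnuPG v1", verify the CRC24
    lines = [l.rstrip() for l in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored block")
    body = [l for l in lines[lines.index("") + 1:-1] if l]   # headers end at the blank line
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC24 line")
    data = base64.b64decode("".join(body[:-1]))
    if int.from_bytes(base64.b64decode(body[-1][1:]), "big") != crc24(data):
        raise ValueError("CRC24 mismatch: block is corrupted")
    return data

def v4_fingerprint(packets):
    # First packet must be a v4 public key (tag 6) in the old-format header GnuPG writes
    hdr = packets[0]
    if (hdr & 0xC0) != 0x80 or ((hdr >> 2) & 0x0F) != 6:
        raise ValueError("first packet is not an old-format public key packet")
    lsize = {0: 1, 1: 2, 2: 4}[hdr & 3]
    length = int.from_bytes(packets[1:1 + lsize], "big")
    body = packets[1 + lsize:1 + lsize + length]
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    # RFC 4880 section 12.2: SHA-1 over 0x99 || 2-byte body length || body
    fpr = hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()
    return " ".join(fpr[i:i + 4] for i in range(0, 40, 4))   # gpg's 4-hex-digit grouping

def sample_block():
    # Constructed throwaway key for the demo: v4, RSA (algo 1), tiny modulus; NOT a real key
    n, e = 0xC5F3A19D2B7E4D61, 65537
    mpi = lambda x: x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1456358329).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    return armor(b"\x99" + len(body).to_bytes(2, "big") + body)
```

To check a real export, pass the contents of `~/.gpgpublic` to `dearmor()` and compare `v4_fingerprint()` with the `Primary key fingerprint` line from `gpg> fpr`; a single corrupted base64 character is caught by the CRC24 before any packet is parsed.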
# once you've copied your keys to an external disk or smartcard, srm-delete the secret keys (don't forget!!!!)
$ sudo srm /root/.gnupg/secring.gpg
# why delete your private keys securely and keep them somewhere you bring with you or hide?
* they cannot be stolen or hacked this way
* I won't make fun of you for going through all this trouble for nothing
#
# an alternative is to store these files in an encrypted key/value mount, accessed through a JSON adapter.
# I am currently making software that stores private keys in an encrypted database with keys by KMS, and allows you to retrieve them based on IAM roles
#
#
# final thought:
# Once retrieved, you can convert the RSA keys to their corresponding SSH key format and use them in web apps.
# >>> CHO