From 7115f9a38503a6d66b051a13833d411f28881c05 Mon Sep 17 00:00:00 2001 From: "Wael M. Nasreddine" Date: Sat, 2 Feb 2019 09:38:40 -0800 Subject: [PATCH] Master key should have Certify-capability only! --- README.md | 90 ++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 63 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 2f13814..a4cc111 100644 --- a/README.md +++ b/README.md @@ -206,17 +206,53 @@ $ gpg --gen-random -a 0 24 ydOmByxmDe63u7gqx2XI9eDgpvJwibNH ``` -Generate a new key with GPG, selecting `(4) RSA (sign only)` and `4096` bit keysize. Do not set the key to expire - see [Note #3](#notes). +Generate a new key with GPG, selecting `(8) RSA (set your own capabilities)`, `Certify`-only and `4096` bit keysize. Do not set the key to expire - see [Note #3](#notes). ```console -$ gpg --full-generate-key +$ gpg --expert --full-generate-key Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) -Your selection? 4 + (7) DSA (set your own capabilities) + (8) RSA (set your own capabilities) + (9) ECC and ECC + (10) ECC (sign only) + (11) ECC (set your own capabilities) + (13) Existing key +Your selection? 8 + +Possible actions for a RSA key: Sign Certify Encrypt Authenticate +Current allowed actions: Sign Certify Encrypt + + (S) Toggle the sign capability + (E) Toggle the encrypt capability + (A) Toggle the authenticate capability + (Q) Finished + +Your selection? e + +Possible actions for a RSA key: Sign Certify Encrypt Authenticate +Current allowed actions: Sign Certify + + (S) Toggle the sign capability + (E) Toggle the encrypt capability + (A) Toggle the authenticate capability + (Q) Finished + +Your selection? s + +Possible actions for a RSA key: Sign Certify Encrypt Authenticate +Current allowed actions: Certify + + (S) Toggle the sign capability + (E) Toggle the encrypt capability + (A) Toggle the authenticate capability + (Q) Finished + +Your selection? q RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits @@ -252,7 +288,7 @@ public and secret key created and signed. Note that this key cannot be used for encryption. You may want to use the command "--edit-key" to generate a subkey for this purpose. -pub rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [SC] +pub rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C] Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB uid Dr Duh ``` @@ -275,7 +311,7 @@ $ gpg --expert --edit-key $KEYID Secret key is available. sec rsa4096/0xEA5DE91459B80592 - created: 2017-10-09 expires: never usage: SC + created: 2017-10-09 expires: never usage: C trust: ultimate validity: ultimate [ultimate] (1). Dr Duh ``` @@ -323,10 +359,10 @@ disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. sec rsa4096/0xFF3E7D88647EBCDB - created: 2017-10-09 expires: never usage: SC + created: 2017-10-09 expires: never usage: C trust: ultimate validity: ultimate ssb rsa4096/0xBECFA3C1AE191D15 - created: 2017-10-09 expires: 2018-10-09 usage: S + created: 2017-10-09 expires: 2018-10-09 usage: S [ultimate] (1). Dr Duh ``` @@ -367,12 +403,12 @@ disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. sec rsa4096/0xFF3E7D88647EBCDB - created: 2017-10-09 expires: never usage: SC + created: 2017-10-09 expires: never usage: C trust: ultimate validity: ultimate ssb rsa4096/0xBECFA3C1AE191D15 - created: 2017-10-09 expires: 2018-10-09 usage: S + created: 2017-10-09 expires: 2018-10-09 usage: S ssb rsa4096/0x5912A795E90DD2CF - created: 2017-10-09 expires: 2018-10-09 usage: E + created: 2017-10-09 expires: 2018-10-09 usage: E [ultimate] (1). Dr Duh ``` @@ -455,14 +491,14 @@ disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. sec rsa4096/0xFF3E7D88647EBCDB - created: 2017-10-09 expires: never usage: SC + created: 2017-10-09 expires: never usage: C trust: ultimate validity: ultimate ssb rsa4096/0xBECFA3C1AE191D15 - created: 2017-10-09 expires: 2018-10-09 usage: S + created: 2017-10-09 expires: 2018-10-09 usage: S ssb rsa4096/0x5912A795E90DD2CF - created: 2017-10-09 expires: 2018-10-09 usage: E + created: 2017-10-09 expires: 2018-10-09 usage: E ssb rsa4096/0x3F29127E79649A3D - created: 2017-10-09 expires: 2018-10-09 usage: A + created: 2017-10-09 expires: 2018-10-09 usage: A [ultimate] (1). Dr Duh gpg> save @@ -476,7 +512,7 @@ List the generated secret keys and verify the output: $ gpg --list-secret-keys /tmp.FLZC0xcM/pubring.kbx ------------------------------------------------------------------------- -sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [SC] +sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C] Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB uid Dr Duh ssb rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09] @@ -782,14 +818,14 @@ $ gpg --edit-key $KEYID Secret key is available. sec rsa4096/0xFF3E7D88647EBCDB - created: 2017-10-09 expires: never usage: SC + created: 2017-10-09 expires: never usage: C trust: ultimate validity: ultimate ssb rsa4096/0xBECFA3C1AE191D15 - created: 2017-10-09 expires: 2018-10-09 usage: S + created: 2017-10-09 expires: 2018-10-09 usage: S ssb rsa4096/0x5912A795E90DD2CF - created: 2017-10-09 expires: 2018-10-09 usage: E + created: 2017-10-09 expires: 2018-10-09 usage: E ssb rsa4096/0x3F29127E79649A3D - created: 2017-10-09 expires: 2018-10-09 usage: A + created: 2017-10-09 expires: 2018-10-09 usage: A [ultimate] (1). Dr Duh ``` @@ -801,7 +837,7 @@ Select and move the signature key. You will be prompted for the key passphrase a gpg> key 1 sec rsa4096/0xFF3E7D88647EBCDB - created: 2017-10-09 expires: never usage: SC + created: 2017-10-09 expires: never usage: C trust: ultimate validity: ultimate ssb* rsa4096/0xBECFA3C1AE191D15 created: 2017-10-09 expires: 2018-10-09 usage: S @@ -832,7 +868,7 @@ gpg> key 1 gpg> key 2 sec rsa4096/0xFF3E7D88647EBCDB - created: 2017-10-09 expires: never usage: SC + created: 2017-10-09 expires: never usage: C trust: ultimate validity: ultimate ssb rsa4096/0xBECFA3C1AE191D15 created: 2017-10-09 expires: 2018-10-09 usage: S @@ -860,7 +896,7 @@ gpg> key 2 gpg> key 3 sec rsa4096/0xFF3E7D88647EBCDB - created: 2017-10-09 expires: never usage: SC + created: 2017-10-09 expires: never usage: C trust: ultimate validity: ultimate ssb rsa4096/0xBECFA3C1AE191D15 created: 2017-10-09 expires: 2018-10-09 usage: S @@ -886,7 +922,7 @@ Verify the subkeys have moved to YubiKey as indicated by `ssb>`: $ gpg --list-secret-keys /tmp.FLZC0xcM/pubring.kbx ------------------------------------------------------------------------- -sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [SC] +sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C] Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB uid Dr Duh ssb> rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09] @@ -1008,7 +1044,7 @@ $ gpg --edit-key $KEYID Secret key is available. gpg> trust -pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC +pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: C trust: unknown validity: unknown sub 4096R/0xBECFA3C1AE191D15 created: 2017-10-09 expires: 2018-10-09 usage: S sub 4096R/0x5912A795E90DD2CF created: 2017-10-09 expires: 2018-10-09 usage: E @@ -1028,7 +1064,7 @@ Please decide how far you trust this user to correctly verify other users' keys Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y -pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC +pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: C trust: ultimate validity: unknown sub 4096R/0xBECFA3C1AE191D15 created: 2017-10-09 expires: 2018-10-09 usage: S sub 4096R/0x5912A795E90DD2CF created: 2017-10-09 expires: 2018-10-09 usage: E @@ -1081,7 +1117,7 @@ ssb> 4096R/0x3F29127E79649A3D created: 2017-10-09 expires: 2018-10-09 # Encryption ```console -$ echo "test message string" | gpg --encrypt --armor --recipient $KEYID +$ echo "test message string" | gpg --encrypt --armor --recipient $KEYID -----BEGIN PGP MESSAGE----- hQIMA1kSp5XpDdLPAQ/+JyYfLaUS/+llEzQaKDb5mWhG4HlUgD99dNJUXakm085h @@ -1386,7 +1422,7 @@ $ scp ~/.gnupg/pubring.kbx remote:~/.gnupg/ * Finally, to enable agent forwarding for a given machine, add the following to the local machine's ssh config file `~/.ssh/config` (your agent sockets may be different): ``` -Host +Host Hostname your-domain ForwardAgent yes RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra