YubiKey-Guide
Suggest using --batch and --quick-add-keys
Hi!
I've recently learned how to use the gpg `--batch` and `--quick-add-key` commands; I find them useful and IMO they remove a bit of complexity when creating keys, making the whole process less daunting.
This issue is for asking an opinion about replacing those steps in the guide with basically what follows:
- create a template for the master key

```
$ cat gen-params
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: Joe Tester
Name-Email: [email protected]
Expire-Date: 0
Passphrase: hey
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
```
- generate master key (only certification), save fingerprint

```
gpg --batch --generate-key gen-params
FPR=$(gpg --list-options show-only-fpr-mbox --list-secret-keys | awk '{print $1}')
```
- generate sign, encrypt and auth subkeys

```
gpg --batch --passphrase 'hey' --quick-add-key $FPR rsa4096 sign 1y
gpg --batch --passphrase 'hey' --quick-add-key $FPR rsa4096 encrypt 1y
gpg --batch --passphrase 'hey' --quick-add-key $FPR rsa4096 auth 1y
```
The idea is not new; something similar was already suggested in #105 but then stalled. What I am suggesting here is a "smaller" version limited to the steps involved in creating the master key and the subkeys, without removing all the didactic details.
@drduh what do you think? If you like the idea I'll push a patch.
It's a good idea to document this. I would recommend piping passphrases to GPG with built-ins to keep them from appearing in the process table. See https://github.com/drduh/pwd.sh/blob/master/pwd.sh#L52-L66 for example.
@apiraino can you go ahead and craft a PR for review, please?
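One way to script the master-key and subkey steps proposed above while following the suggestion to keep the passphrase out of the process table, as an added example that is not code from the guide or from anyone in this thread: the `--batch` template is written without a `Passphrase:` line, the passphrase reaches gpg over fd 0 from the `printf` builtin, and the primary fingerprint is taken from `--with-colons` output rather than from the mbox listing. The function names, the throwaway `GNUPGHOME` and the `passphrase.txt` file are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the YubiKey-Guide or this thread.
# Assumes gpg 2.1+ with loopback pinentry allowed by gpg-agent (the default).
set -eu

# Emit the --batch parameter file for a certify-only RSA master key.
# No "Passphrase:" line: the passphrase is supplied over fd 0 instead,
# so it is neither written to disk nor visible in argv.
gen_params() { # $1 = real name, $2 = email
    printf '%s\n' \
        '%echo Generating a certify-only OpenPGP master key' \
        'Key-Type: RSA' 'Key-Length: 4096' 'Key-Usage: cert' \
        "Name-Real: $1" "Name-Email: $2" 'Expire-Date: 0' \
        '%commit' '%echo done'
}

# Read `gpg --with-colons --list-secret-keys` output on stdin and print the
# fingerprint of the primary key only (first "fpr" record after "sec";
# the "fpr" records that follow "ssb" belong to subkeys and are skipped).
primary_fpr() {
    awk -F: '$1 == "sec" { want = 1; next }
             want && $1 == "fpr" { print $10; exit }'
}

# Run gpg with the passphrase delivered on fd 0 by the printf builtin
# (a shell builtin, so no process carries the secret in its command line).
gpg_with_pass() { # $1 = passphrase, remaining args = gpg options/command
    pass=$1; shift
    printf '%s\n' "$pass" |
        gpg --batch --pinentry-mode loopback --passphrase-fd 0 "$@"
}

# Generate the master key, then the three subkeys; print the fingerprint.
create_keys() { # $1 = real name, $2 = email, $3 = passphrase
    gen_params "$1" "$2" > "$GNUPGHOME/gen-params"
    gpg_with_pass "$3" --generate-key "$GNUPGHOME/gen-params"
    fpr=$(gpg --batch --with-colons --list-secret-keys | primary_fpr)
    for usage in sign encrypt auth; do
        gpg_with_pass "$3" --quick-add-key "$fpr" rsa4096 "$usage" 1y
    done
    printf '%s\n' "$fpr"
}

# Only touch gpg when explicitly asked; uses a throwaway keyring directory.
if [ "${1-}" = "--run" ]; then
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    create_keys "Joe Tester" "joe@example.com" "$(cat passphrase.txt)"
fi
```

Run it as `sh script.sh --run` with the passphrase in `passphrase.txt` (mode 600); without `--run` it only defines the functions.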
@drduh thanks for getting back to me and sorry for the delay. This issue is on my radar, I've just been procrastinating the PR I suggested; I need to get back into the context that the me of 5+ months ago had.
I'll try to allocate some time for this task real soon (:tm:)
I have been doing some fiddling to automate the steps in your guide, so that a newbie user can just edit variables in a "config.sh" file and then run either several individual scripts or a metascript that just invokes those individual scripts in sequence as a convenience measure. wip-gpg-automation-scripts.2021-08-22.zip

```
$ bash ubuntu.step01-online.sh
$ bash ubuntu.stepn.generate-key.sh
$ bash ubuntu.stepn.keytocard.sh # (Once for each yubikey)
...
```
I figured I may as well throw them out into the world in case they are of any help to you, so I've attached the current WIP scripts.
Here is an excerpt showing the stdin/stdout and passphrase method that seems to work:
```sh
echo "#[${0##*/}]" "Create master key"
# Answers for gpg's interactive prompts come from the heredoc below; the
# '#'-prefixed lines are comments and are stripped before gpg sees them.
# --command-fd/--status-fd take file descriptor numbers (0 = stdin, 1 = stdout).
( tee "dbg.create-master-key.heredoc.txt" \
  | grep -v -e '^#' \
  | tee "dbg.create-master-key.stripped.txt" | tee /dev/tty \
  | gpg --command-fd=0 --status-fd=1 \
        --pinentry-mode=loopback --passphrase="$key_passphrase" \
        --expert --full-generate-key \
  | tee "dbg.create-master-key.gpg-stdout.txt" \
  | perl -ne 'print "$1\n" if m/KEY_CREATED \S+ ([A-F0-9]+)/' \
  | tee KEYID.txt
) <<EOF-create-master-key
# gpg>
## Custom RSA (8): "RSA (set your own capabilities)"
8
## Toggle/set key capabilities: drop Encrypt and Sign, keep Certify, then quit the menu
e
s
q
## How many bits long is key?
4096
## When does key expire?
0
y
## Key user details: real name, email, comment
$key_realname
$key_email
$key_comment
## (O)kay: confirm the user ID and generate the key
O
EOF-create-master-key
# KEYID.txt holds the fingerprint from the "[GNUPGStatus] KEY_CREATED" status line.
echo "#[${0##*/}]" "Reading keyid file"
KEYID="$(cat KEYID.txt)"
echo "#[${0##*/}]" "KEYID=$KEYID"
```
(Basically standard variable substitution in a heredoc piped to gpg with some args telling gpg to work with lines from stdin.)
@woodenphone thanks for sharing your scripts. I'm not the maintainer, here are my 2 cents nonetheless.
Your scripts are very useful but out of scope in the context of the tutorial since (imo) they would add additional cognitive overhead to the reader trying to figure out an already (unfortunately) complex topic such as creating GPG keys.
This said, in PR #282 I have created a `./contrib` directory also for the purpose of hosting user-contributed scripts. I encourage you to open a PR and open a discussion there (for example, pointing out if they are Ubuntu or bash specific). I will certainly use your scripts! :-)
@apiraino can you give the PR an update so we can merge your suggestions?