« PGP - GPG » : différence entre les versions
|  Page créée avec « = Sources = * [https://grimoire.carcano.ch/blog/a-quick-easy-yet-comprehensive-gpg-tutorial/ Ce post de blog qui n'est pas si rapide qu'il le dit]  = Signification, désambiguation = PGP (Pretty Good Privacy) est un logiciel de chiffrement crée par Phil Zimmerman, qui utilise une suite de hashage, chiffrement, clefs symétriques et asymétriques, etc... dans le but de fournir du chiffrement et de l'authentification dans les communications. Il peut être utilisé... » | Aucun résumé des modifications | ||
| (4 versions intermédiaires par la même utilisatrice non affichées) | |||
| Ligne 88 : | Ligne 88 : | ||
| |- | |- | ||
| |} | |} | ||
| On peut voir les capacités avec la commande suivante (ne pas aller au bout du process, c'est juste pour avoir la liste): | |||
|  <nowiki> | |||
| baz@debian:~$ gpg --expert --full-gen-key | |||
| gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. | |||
| This is free software: you are free to change and redistribute it. | |||
| There is NO WARRANTY, to the extent permitted by law. | |||
| Please select what kind of key you want: | |||
|    (1) RSA and RSA (default) | |||
|    (2) DSA and Elgamal | |||
|    (3) DSA (sign only) | |||
|    (4) RSA (sign only) | |||
|    (7) DSA (set your own capabilities) | |||
|    (8) RSA (set your own capabilities) | |||
|    (9) ECC and ECC | |||
|   (10) ECC (sign only) | |||
|   (11) ECC (set your own capabilities) | |||
|   (13) Existing key | |||
|   (14) Existing key from card | |||
| Your selection? | |||
| </nowiki> | |||
| === Mise en oeuvre : création de clefs === | |||
| ==== Clefs RSA ==== | |||
| L'environnement d'un utilisateur est initialisé dès qu'il génère ou importe sa clef privée. On conseille les arguments --expert et --full-gen-key pour activer toutes les features et tous les types de clefs. On génère les clefs de "bar" en ssh (vraiment pas compréhensible...) | |||
|  <nowiki> | |||
| ssh -t bar@localhost "gpg --quick-gen-key 'Bar User (Bar User Primary Key) <bar@squi.fr>' rsa sign,cert never" | |||
| </nowiki> | |||
| On nous demande un mdp pour la clef, puis on nous dit que: | |||
|  <nowiki> | |||
| We need to generate a lot of random bytes. It is a good idea to perform | |||
| some other action (type on the keyboard, move the mouse, utilize the | |||
| disks) during the prime generation; this gives the random number | |||
| generator a better chance to gain enough entropy. | |||
| gpg: /home/bar/.gnupg/trustdb.gpg: trustdb created | |||
| gpg: key 7BF3AF5FF1E9220A marked as ultimately trusted | |||
| gpg: directory '/home/bar/.gnupg/openpgp-revocs.d' created | |||
| gpg: revocation certificate stored as '/home/bar/.gnupg/openpgp-revocs.d/F12E5320C9CA75322FD0BDB57BF3AF5FF1E9220A.rev' | |||
| public and secret key created and signed. | |||
| Note that this key cannot be used for encryption.  You may want to use | |||
| the command "--edit-key" to generate a subkey for this purpose. | |||
| pub   rsa3072 2023-05-13 [SC] | |||
|       F12E5320C9CA75322FD0BDB57BF3AF5FF1E9220A | |||
| uid                      Bar User (Bar User Primary Key) <bar@squi.fr> | |||
| Connection to localhost closed. | |||
| </nowiki> | |||
| Cette clef ne peut pas être utilisée pour le chiffrement, seulement pour identication (cf le tableau au-dessus). La bonne pratique de toute façon consiste à éviter d'utiliser la clef primaire, mais plutôt à générer des subkeys et à planquer la clef primaire en lieu sûr. On évite de se faire voler sa clef primaire ou de la perdre suite à une panne. Il est important de la stocker dans un endroit safe, autrement on ne peut plus rien faire ! | |||
| Bref, on va faire la même chose en passant directement sur un compte parce qu'on a rien compris à la commande au-dessus. Baz, à toi. | |||
|  <nowiki> | |||
| baz@debian:~$ gpg --pinentry-mode loopback --quick-gen-key 'Baz User (Baz User Primary Key) <baz@squi.fr>' rsa sign,cert never | |||
| #Ici, on nous demande un mdp | |||
| gpg: directory '/home/baz/.gnupg' created | |||
| gpg: keybox '/home/baz/.gnupg/pubring.kbx' created | |||
| We need to generate a lot of random bytes. It is a good idea to perform | |||
| some other action (type on the keyboard, move the mouse, utilize the | |||
| disks) during the prime generation; this gives the random number | |||
| generator a better chance to gain enough entropy. | |||
| gpg: /home/baz/.gnupg/trustdb.gpg: trustdb created | |||
| gpg: key 90E0D47DC4115033 marked as ultimately trusted | |||
| gpg: directory '/home/baz/.gnupg/openpgp-revocs.d' created | |||
| gpg: revocation certificate stored as '/home/baz/.gnupg/openpgp-revocs.d/634B60C0CE2AEE31F2EE62B990E0D47DC4115033.rev' | |||
| public and secret key created and signed. | |||
| Note that this key cannot be used for encryption.  You may want to use | |||
| the command "--edit-key" to generate a subkey for this purpose. | |||
| pub   rsa3072 2023-05-13 [SC] | |||
|       634B60C0CE2AEE31F2EE62B990E0D47DC4115033 | |||
| uid                      Baz User (Baz User Primary Key) <baz@squi.fr> | |||
| </nowiki> | |||
| On voit ici qu'on génère une clef RSA, qui n'expire jamais, et a les capacités Sign et Cert (correspondant au choix " (8) RSA (set your own capabilities)").  | |||
| On fait un exit du compte de baz. | |||
| ==== Clefs "Elliptic Curve" ==== | |||
| On va générer à foo une clef de type: | |||
| * ECC avec nistp256 comme elliptic curve | |||
| * Sign et Cert | |||
| * N'expire pas | |||
|  <nowiki> | |||
| justine@debian:~$ sudo -u foo gpg --pinentry-mode loopback --quick-gen-key 'Foo User (Foo User Primary Key) <foo@squi.fr>' nistp256 sign,cert never | |||
| #Nous refait le même speech qu'en RSA | |||
| </nowiki> | |||
| Pareil pour qux et fred mais en RSA: | |||
|  <nowiki> | |||
| justine@debian:~$ sudo -u qux gpg --pinentry-mode loopback --quick-gen-key 'Qux User (Qux User Primary Key) <qux@squi.fr>' rsa sign,cert never | |||
| justine@debian:~$ sudo -u fred gpg --pinentry-mode loopback --quick-gen-key 'Fred User (Fred User Primary Key) <fred@squi.fr>' rsa sign,cert never | |||
| </nowiki> | |||
| ==== Génération de subkey ==== | |||
| On va prendre le compte de foo pour générer une subkey à des fins de chiffrement. | |||
| Voici l'intégralité de l'extrait - j'ai dû rajouter --pinentrymode=loopback sinon erreur. En gros, on choisit une clef ECC (encrypt only), avec la curve NIST P-256, valable 1 an: | |||
|  <nowiki> | |||
| foo@debian:~$ gpg --verbose --expert --pinentry-mode=loopback --edit-key foo@squi.fr addkey | |||
| Secret key is available. | |||
| gpg: using pgp trust model | |||
| sec  nistp256/14692EE589B4006C | |||
|      created: 2023-05-13  expires: never       usage: SC   | |||
|      trust: ultimate      validity: ultimate | |||
| [ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| Please select what kind of key you want: | |||
|    (3) DSA (sign only) | |||
|    (4) RSA (sign only) | |||
|    (5) Elgamal (encrypt only) | |||
|    (6) RSA (encrypt only) | |||
|    (7) DSA (set your own capabilities) | |||
|    (8) RSA (set your own capabilities) | |||
|   (10) ECC (sign only) | |||
|   (11) ECC (set your own capabilities) | |||
|   (12) ECC (encrypt only) | |||
|   (13) Existing key | |||
|   (14) Existing key from card | |||
| Your selection? 12 | |||
| Please select which elliptic curve you want: | |||
|    (1) Curve 25519 | |||
|    (3) NIST P-256 | |||
|    (4) NIST P-384 | |||
|    (5) NIST P-521 | |||
|    (6) Brainpool P-256 | |||
|    (7) Brainpool P-384 | |||
|    (8) Brainpool P-512 | |||
|    (9) secp256k1 | |||
| Your selection? 3 | |||
| Please specify how long the key should be valid. | |||
|          0 = key does not expire | |||
|       <n>  = key expires in n days | |||
|       <n>w = key expires in n weeks | |||
|       <n>m = key expires in n months | |||
|       <n>y = key expires in n years | |||
| Key is valid for? (0) 1y | |||
| Key expires at Sun 12 May 2024 12:39:44 PM CEST | |||
| Is this correct? (y/N) y | |||
| Really create? (y/N) y | |||
| We need to generate a lot of random bytes. It is a good idea to perform | |||
| some other action (type on the keyboard, move the mouse, utilize the | |||
| disks) during the prime generation; this gives the random number | |||
| generator a better chance to gain enough entropy. | |||
| gpg: writing key binding signature | |||
| gpg: ECDSA/SHA512 signature from: "14692EE589B4006C Foo User (Foo User Primary Key) <foo@squi.fr>" | |||
| sec  nistp256/14692EE589B4006C | |||
|      created: 2023-05-13  expires: never       usage: SC   | |||
|      trust: ultimate      validity: ultimate | |||
| ssb  nistp256/6031A802EF033CDE | |||
|      created: 2023-05-13  expires: 2024-05-12  usage: E    | |||
| [ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| </nowiki> | |||
| Voir la fin où nous donne les clefs dispo, avec notre "ssb  nistp256/6031A802EF033CDE" nouvellement créée.  | |||
| On sauvegarde: | |||
|  gpg> save | |||
| On va aussi faire une subkey pour "baz", mais cette fois-ci sans la procédure interactive; on récupère l'id de la clef primaire pour ça puis on créée la subkey: | |||
|  <nowiki> | |||
| justine@debian:~$ sudo su -  | |||
| root@debian:~# sudo su - baz | |||
| baz@debian:~$ gpg --list-secret-keys --fingerprint | |||
| gpg: checking the trustdb | |||
| gpg: marginals needed: 3  completes needed: 1  trust model: pgp | |||
| gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u | |||
| /home/baz/.gnupg/pubring.kbx | |||
| ---------------------------- | |||
| sec   rsa3072 2023-05-13 [SC] | |||
|       634B 60C0 CE2A EE31 F2EE  62B9 90E0 D47D C411 5033 | |||
| uid           [ultimate] Baz User (Baz User Primary Key) <baz@squi.fr> | |||
| baz@debian:~$ gpg --pinentry-mode loopback --quick-add-key '634B 60C0 CE2A EE31 F2EE  62B9 90E0 D47D C411 5033' rsa sign 1y | |||
| </nowiki> | |||
| Elle est valable 1 an et peut sign. On exit le shell de baz. | |||
| ==== Générer une subkey d'authentification ==== | |||
| De la même façon, on va générer une subkey d'authentification pour "foo": | |||
|  <nowiki> | |||
| root@debian:~$ su - foo | |||
| foo@debian:~$ gpg --expert --pinentry-mode=loopback --edit-key foo@squi.fr addkey  | |||
| Secret key is available. | |||
| sec  nistp256/14692EE589B4006C | |||
|      created: 2023-05-13  expires: never       usage: SC   | |||
|      trust: ultimate      validity: ultimate | |||
| ssb  nistp256/6031A802EF033CDE | |||
|      created: 2023-05-13  expires: 2024-05-12  usage: E    | |||
| [ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| Please select what kind of key you want: | |||
|    (3) DSA (sign only) | |||
|    (4) RSA (sign only) | |||
|    (5) Elgamal (encrypt only) | |||
|    (6) RSA (encrypt only) | |||
|    (7) DSA (set your own capabilities) | |||
|    (8) RSA (set your own capabilities) | |||
|   (10) ECC (sign only) | |||
|   (11) ECC (set your own capabilities) | |||
|   (12) ECC (encrypt only) | |||
|   (13) Existing key | |||
|   (14) Existing key from card | |||
| Your selection? 11 | |||
| Possible actions for a ECDSA/EdDSA key: Sign Authenticate  | |||
| Current allowed actions: Sign  | |||
|    (S) Toggle the sign capability | |||
|    (A) Toggle the authenticate capability | |||
|    (Q) Finished | |||
| Your selection? A | |||
| Possible actions for a ECDSA/EdDSA key: Sign Authenticate  | |||
| Current allowed actions: Sign Authenticate  | |||
|    (S) Toggle the sign capability | |||
|    (A) Toggle the authenticate capability | |||
|    (Q) Finished | |||
| Your selection? Q | |||
| Please select which elliptic curve you want: | |||
|    (1) Curve 25519 | |||
|    (3) NIST P-256 | |||
|    (4) NIST P-384 | |||
|    (5) NIST P-521 | |||
|    (6) Brainpool P-256 | |||
|    (7) Brainpool P-384 | |||
|    (8) Brainpool P-512 | |||
|    (9) secp256k1 | |||
| Your selection? 3 | |||
| Please specify how long the key should be valid. | |||
|          0 = key does not expire | |||
|       <n>  = key expires in n days | |||
|       <n>w = key expires in n weeks | |||
|       <n>m = key expires in n months | |||
|       <n>y = key expires in n years | |||
| Key is valid for? (0) 1y | |||
| Key expires at Mon 13 May 2024 07:49:40 PM CEST | |||
| Is this correct? (y/N) y | |||
| Really create? (y/N) y | |||
| We need to generate a lot of random bytes. It is a good idea to perform | |||
| some other action (type on the keyboard, move the mouse, utilize the | |||
| disks) during the prime generation; this gives the random number | |||
| generator a better chance to gain enough entropy. | |||
| sec  nistp256/14692EE589B4006C | |||
|      created: 2023-05-13  expires: never       usage: SC   | |||
|      trust: ultimate      validity: ultimate | |||
| ssb  nistp256/6031A802EF033CDE | |||
|      created: 2023-05-13  expires: 2024-05-12  usage: E    | |||
| ssb  nistp256/B773A978B2013AD4 | |||
|      created: 2023-05-14  expires: 2024-05-13  usage: SA   | |||
| [ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| gpg> save | |||
| </nowiki> | |||
| La fin de la sortie nous donne la liste des clefs, on voit que notre clef nouvellement créée est là. Ne pas oublier de save avant de quitter. | |||
| ==== Générer le certificat de révocation ==== | |||
| Le but d'un certificat de révocation est de pouvoir révoquer une clef qui aurait été volée, par exemple. Bien que GPG en fasse un automatiquement avec la clef primaire (ce qui est une bonne pratique) il peut être intéressant de savoir le faire. Toujours en tant que foo: | |||
|  <nowiki> | |||
| foo@debian:~$ gpg --gen-revoke --armor --pinentry-mode loopback --output=foo@squi.fr.revocation.asc foo@squi.fr | |||
| sec  nistp256/14692EE589B4006C 2023-05-13 Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| Create a revocation certificate for this key? (y/N) y | |||
| Please select the reason for the revocation: | |||
|   0 = No reason specified | |||
|   1 = Key has been compromised | |||
|   2 = Key is superseded | |||
|   3 = Key is no longer used | |||
|   Q = Cancel | |||
| (Probably you want to select 1 here) | |||
| Your decision? 1 | |||
| Enter an optional description; end it with an empty line: | |||
| >  | |||
| Reason for revocation: Key has been compromised | |||
| (No description given) | |||
| Is this okay? (y/N) y | |||
| Revocation certificate created. | |||
| Please move it to a medium which you can hide away; if Mallory gets | |||
| access to this certificate he can use it to make your key unusable. | |||
| It is smart to print this certificate and store it away, just in case | |||
| your media become unreadable.  But have some caution:  The print system of | |||
| your machine might store the data and make it available to others! | |||
| </nowiki> | |||
| Et voilà. On peut lire son contenu qui donne un peu d'informations : | |||
|  <nowiki> | |||
| foo@debian:~$ cat .gnupg/openpgp-revocs.d/110693FE9A024E3FD4B87DF914692EE589B4006C.rev  | |||
| This is a revocation certificate for the OpenPGP key: | |||
| pub   nistp256/14692EE589B4006C 2023-05-13 [SC] | |||
|       Key fingerprint = 1106 93FE 9A02 4E3F D4B8  7DF9 1469 2EE5 89B4 006C | |||
| uid                          Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| A revocation certificate is a kind of "kill switch" to publicly | |||
| declare that a key shall not anymore be used.  It is not possible | |||
| to retract such a revocation certificate once it has been published. | |||
| Use it to revoke this key in case of a compromise or loss of | |||
| the secret key.  However, if the secret key is still accessible, | |||
| it is better to generate a new revocation certificate and give | |||
| a reason for the revocation.  For details see the description of | |||
| of the gpg command "--generate-revocation" in the GnuPG manual. | |||
| To avoid an accidental use of this file, a colon has been inserted | |||
| before the 5 dashes below.  Remove this colon with a text editor | |||
| before importing and publishing this revocation certificate. | |||
| :-----BEGIN PGP PUBLIC KEY BLOCK----- | |||
| Comment: This is a revocation certificate | |||
| iHgEIBMKACAWIQQRBpP+mgJOP9S4ffkUaS7libQAbAUCZF9mQgIdAAAKCRAUaS7l | |||
| ibQAbD72AQCMx5yaV/STrKnR0g6SEL18uOgiDBEJA30CnLwIHKQQlgEAz+SvPMG2 | |||
| lsK8/Wua75K18ZG701hLrZkaVBj7vMOcAYc= | |||
| =E0tR | |||
| -----END PGP PUBLIC KEY BLOCK----- | |||
| </nowiki> | |||
| Comme indiqué, il est conseiller de le stocker en lieu sûr. | |||
| === Mise en oeuvre : modifier les clefs === | |||
| Maintenant que nos utilisateurs ont des clefs PGP, on va pouvoir faire des trucs avec. On va commencer par utiliser le compte de foo, à qui l'on vient de donner des clefs. | |||
|  sudo su - foo | |||
| On peut lister les clefs secrètes: | |||
|  <nowiki> | |||
| foo@debian:~$ gpg --list-secret-keys | |||
| /home/foo/.gnupg/pubring.kbx | |||
| ---------------------------- | |||
| sec   nistp256/14692EE589B4006C 2023-05-13 [SC] | |||
|       Key fingerprint = 1106 93FE 9A02 4E3F D4B8  7DF9 1469 2EE5 89B4 006C | |||
| uid                 [ultimate] Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| ssb   nistp256/6031A802EF033CDE 2023-05-13 [E] [expires: 2024-05-12] | |||
| ssb   nistp256/B773A978B2013AD4 2023-05-14 [SA] [expires: 2024-05-13] | |||
| </nowiki> | |||
| La première colonne indique le type de clef : sec pour secret, ssb pour secret subkey. Ainsi la sortie nous affiche : notre clef secrète (sec), son uid (ligne uid), et des subkey secrètes.  | |||
| ==== Ajouter un UID ==== | |||
| Cela se fait en mode interactif. | |||
|  <nowiki> | |||
| foo@debian:~$ gpg --pinentry-mode loopback --edit-key '<foo@squi.fr>'  | |||
| Secret key is available. | |||
| sec  nistp256/14692EE589B4006C | |||
|      created: 2023-05-13  expires: never       usage: SC   | |||
|      trust: ultimate      validity: ultimate | |||
| ssb  nistp256/6031A802EF033CDE | |||
|      created: 2023-05-13  expires: 2024-05-12  usage: E    | |||
| ssb  nistp256/B773A978B2013AD4 | |||
|      created: 2023-05-14  expires: 2024-05-13  usage: SA   | |||
| [ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| gpg> help | |||
| #Abbrévié | |||
| gpg> adduid | |||
| Real name: Squi squi | |||
| Email address: squi@squi.fr | |||
| Comment: Clef primaire de squi squi | |||
| You selected this USER-ID: | |||
|     "Squi squi (Clef primaire de squi squi) <squi@squi.fr>" | |||
| Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O | |||
| sec  nistp256/14692EE589B4006C | |||
|      created: 2023-05-13  expires: never       usage: SC   | |||
|      trust: ultimate      validity: ultimate | |||
| ssb  nistp256/6031A802EF033CDE | |||
|      created: 2023-05-13  expires: 2024-05-12  usage: E    | |||
| ssb  nistp256/B773A978B2013AD4 | |||
|      created: 2023-05-14  expires: 2024-05-13  usage: SA   | |||
| [ultimate] (1)  Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| [ unknown] (2). Squi squi (Clef primaire de squi squi) <squi@squi.fr> | |||
| gpg> save | |||
| </nowiki> | |||
| Le "unkown" sur l'avant dernière ligne ici n'est pas important. On peut vérifier le résultat derrière: | |||
|  <nowiki> | |||
| foo@debian:~$ gpg --list-secret-keys | |||
| gpg: checking the trustdb | |||
| gpg: marginals needed: 3  completes needed: 1  trust model: pgp | |||
| gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u | |||
| /home/foo/.gnupg/pubring.kbx | |||
| ---------------------------- | |||
| sec   nistp256/14692EE589B4006C 2023-05-13 [SC] | |||
|       Key fingerprint = 1106 93FE 9A02 4E3F D4B8  7DF9 1469 2EE5 89B4 006C | |||
| uid                 [ultimate] Squi squi (Clef primaire de squi squi) <squi@squi.fr> | |||
| uid                 [ultimate] Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| ssb   nistp256/6031A802EF033CDE 2023-05-13 [E] [expires: 2024-05-12] | |||
| ssb   nistp256/B773A978B2013AD4 2023-05-14 [SA] [expires: 2024-05-13] | |||
| </nowiki> | |||
| ==== Choisir un UID avant de lancer une commande ==== | |||
| Cela se fait via la commande "uid" : | |||
|  <nowiki> | |||
| foo@debian:~$ gpg --pinentry-mode loopback --edit-key '<foo@squi.fr>'  | |||
| Secret key is available. | |||
| [...] | |||
| [ultimate] (1). Squi squi (Clef primaire de squi squi) <squi@squi.fr> | |||
| [ultimate] (2)  Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| gpg> uid 1 | |||
| [...] | |||
| [ultimate] (1)* Squi squi (Clef primaire de squi squi) <squi@squi.fr> | |||
| [ultimate] (2)  Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| gpg> quit | |||
| </nowiki> | |||
| Ici on ne fait rien de plus puisque c'est pour l'exemple. Cependant on voit que l'uid 1 est marqué d'une étoile : il a été sélectionné, et toutes les commandes suivantes seront en lien avec celui-ci.  | |||
| ==== Supprimer un UID ==== | |||
| Même principe, mais avec la commande "deluid". | |||
| ==== Sélectionner une subkey ==== | |||
| Un peu comme l'uid, je peux par exemple choisir la troisième subkey avec la commande "key 3" dans l'interface gpg. | |||
| ==== Étendre la période d'expiration d'une subkey ==== | |||
| Choisir la subkey, puis utiliser la commande "expire".  | |||
| ==== Supprimer une subkey ==== | |||
| Choisir la subkey, puis "delkey". | |||
| ==== Exporter les clefs secrètes ==== | |||
| Afin de pouvoir backuper les clefs, il faut pouvoir les exporter. Toujours sur le compte de foo, on commence par lister nos clefs secrètes, en notant "l'armor": | |||
|  <nowiki> | |||
| gpg --list-secret-keys | |||
| /home/foo/.gnupg/pubring.kbx | |||
| ---------------------------- | |||
| sec   nistp256/14692EE589B4006C 2023-05-13 [SC] | |||
|       Key fingerprint = 1106 93FE 9A02 4E3F D4B8  7DF9 1469 2EE5 89B4 006C | |||
| uid                 [ultimate] Squi squi (Clef primaire de squi squi) <squi@squi.fr> | |||
| uid                 [ultimate] Foo User (Foo User Primary Key) <foo@squi.fr> | |||
| ssb   nistp256/6031A802EF033CDE 2023-05-13 [E] [expires: 2024-05-12] | |||
| ssb   nistp256/B773A978B2013AD4 2023-05-14 [SA] [expires: 2024-05-13] | |||
| </nowiki>  | |||
| L'armor est le numéro en hexa qui suit l'algo (ici nistp256). | |||
| On peut ensuite soit exporter la clef secrète avec toutes ses sous-clefs : | |||
|  <nowiki> | |||
| foo@debian:~$ gpg --pinentry-mode loopback --export-secret-keys --armor 14692EE589B4006C > /tmp/foo@squi.fr | |||
| foo@debian:~$ cat /tmp/foo@squi.fr  | |||
| -----BEGIN PGP PRIVATE KEY BLOCK----- | |||
| lKUEZF9mPxMIKoZIzj0DAQcCAwRMxBBoux28RyhOlpl9cy5dAJB5xRKU1MP5W7qB | |||
| PRH6mVOTUv+Pxjnoi/HbXf/EyVdhPuOggpQrw6JaTRd+r1Yy/gcDAiOzPx3sCuE6 | |||
| /793EcoXv2xooHr3erN4xOvxIIYGCpksx5k9d6CO/2fnZa4qPGMORcGFZVsTdoOw | |||
| RwbHB4E5BbLbjnVZIcXJuTdMGdbJasG0LUZvbyBVc2VyIChGb28gVXNlciBQcmlt | |||
| YXJ5IEtleSkgPGZvb0BzcXVpLmZyPoiQBBMTCgA4FiEEEQaT/poCTj/UuH35FGku | |||
| 5Ym0AGwFAmRfZj8CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQFGku5Ym0 | |||
| AGxTAQD/awrCNd/MPpuY7AjPxxKssSBILCyWLfj3329+2C2xPJ8A/RqLKZb+DIii | |||
| 5cjjJyO9fsVDtCGfrQUNgRh6uSdH4niLtDVTcXVpIHNxdWkgKENsZWYgcHJpbWFp | |||
| cmUgZGUgc3F1aSBzcXVpKSA8c3F1aUBzcXVpLmZyPoiQBBMTCgA4FiEEEQaT/poC | |||
| Tj/UuH35FGku5Ym0AGwFAmRhIlECGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AA | |||
| CgkQFGku5Ym0AGy2gQD/anwjX/hd9gzVbhLKLtbkofgIf+WUUeSv40ZYt+ZGLK4A | |||
| /2ZnX66Hq6IK4aZHJvH6DvXC6TxRhcgVXM5QI/XLxMlinKkEZF9o6BIIKoZIzj0D | |||
| AQcCAwSrfUAj6fGhyDIt3mfSwwiyaek9/mrn1Le1ibmgU48lFEik3T6qcP17arvP | |||
| imGBs+/g/MrCrAY4RK0o69vPmh3WAwEIB/4HAwKvVnf+xYp0DP9F3tNxYC18AYma | |||
| Cnq689NTy1HnzL2KmXYqG7Pqj23Kc9zLEHn6d/UxkN5hZH9JE5h6dvm4jNVO28qf | |||
| +r8CP57D0H4BTtPViH4EGBMKACYWIQQRBpP+mgJOP9S4ffkUaS7libQAbAUCZF9o | |||
| 6AIbDAUJAeEzgAAKCRAUaS7libQAbGxbAP4tgQLqcFU4FlJGXXwiAxDEmEDF2c77 | |||
| XiECZr6TZFOU9QEAjPbikfdZp1S35Qk9XXAXrQ312XSBVajVGX+U/5FHUWmcpQRk | |||
| YR8iEwgqhkjOPQMBBwIDBF9p9Ola7dq/56Nwzgg6zc7ZXtUPldi5bqxOGtm/o0Su | |||
| R4O+JENH4o3xUYAzSmpad7L93/ah5yQV1GviD94W6U7+BwMCxhDNaIEqRm7/zn6+ | |||
| YEY4Hhbd0IuhFlocskh4iNadJw/rkHiOAQy99NVTFDF3+P3hP02jQbGQSWmG1OjP | |||
| cSUwOuxRHuMXprdHDJyium9kAoj1BBgTCgAmFiEEEQaT/poCTj/UuH35FGku5Ym0 | |||
| AGwFAmRhHyICGyIFCQHhM4AAgQkQFGku5Ym0AGx2IAQZEwoAHRYhBF9vZhkbUysb | |||
| CqjACbdzqXiyATrUBQJkYR8iAAoJELdzqXiyATrU7W4A/0S0DpxrFzU7IDOJs0n8 | |||
| XrnQbzg3Oncc73MbiGCQQ6BHAP4jkQyVzWVZRNGPUyiNRQfc8Hm01GwDlu7W1L05 | |||
| V82k8L98AP4xQY3m/KL916S1GrlKiqXmhMtcMSTC4DEAgJx8suKhyQEAsHnmKzZ4 | |||
| mt1k2nA3+YNdlRM5tv+7x+rIJixhch5giV8= | |||
| =rFNN | |||
| -----END PGP PRIVATE KEY BLOCK----- | |||
| </nowiki> | |||
| Soit exporter uniquement les subkeys secrète. En effet, on a normalement rarement besoin de toucher à la clef primaire, vu qu'il est conseillé de surtout travailler avec des subkeys. | |||
|  <nowiki> | |||
| foo@debian:~$ gpg --pinentry-mode loopback --export-secret-subkeys --armor 14692EE589B4006C > /tmp/foo@squi.fr | |||
| foo@debian:~$ cat /tmp/foo@squi.fr  | |||
| -----BEGIN PGP PRIVATE KEY BLOCK----- | |||
| lFoEZF9mPxMIKoZIzj0DAQcCAwRMxBBoux28RyhOlpl9cy5dAJB5xRKU1MP5W7qB | |||
| PRH6mVOTUv+Pxjnoi/HbXf/EyVdhPuOggpQrw6JaTRd+r1Yy/wBlAEdOVQG0LUZv | |||
| byBVc2VyIChGb28gVXNlciBQcmltYXJ5IEtleSkgPGZvb0BzcXVpLmZyPoiQBBMT | |||
| CgA4FiEEEQaT/poCTj/UuH35FGku5Ym0AGwFAmRfZj8CGwMFCwkIBwMFFQoJCAsF | |||
| FgIDAQACHgECF4AACgkQFGku5Ym0AGxTAQD/awrCNd/MPpuY7AjPxxKssSBILCyW | |||
| Lfj3329+2C2xPJ8A/RqLKZb+DIii5cjjJyO9fsVDtCGfrQUNgRh6uSdH4niLtDVT | |||
| cXVpIHNxdWkgKENsZWYgcHJpbWFpcmUgZGUgc3F1aSBzcXVpKSA8c3F1aUBzcXVp | |||
| LmZyPoiQBBMTCgA4FiEEEQaT/poCTj/UuH35FGku5Ym0AGwFAmRhIlECGwMFCwkI | |||
| BwMFFQoJCAsFFgIDAQACHgECF4AACgkQFGku5Ym0AGy2gQD/anwjX/hd9gzVbhLK | |||
| LtbkofgIf+WUUeSv40ZYt+ZGLK4A/2ZnX66Hq6IK4aZHJvH6DvXC6TxRhcgVXM5Q | |||
| I/XLxMlinKkEZF9o6BIIKoZIzj0DAQcCAwSrfUAj6fGhyDIt3mfSwwiyaek9/mrn | |||
| 1Le1ibmgU48lFEik3T6qcP17arvPimGBs+/g/MrCrAY4RK0o69vPmh3WAwEIB/4H | |||
| AwLotTNrRxrKav8639nxuIH1EpDu4Su7gX/8x7+eGbn8TfOZz9pvMjizcjWtqwX3 | |||
| BOL9/nPW39oSLnn7yc+ktC8H1l6Ptu6RK7y7cf7tg0i1iH4EGBMKACYWIQQRBpP+ | |||
| mgJOP9S4ffkUaS7libQAbAUCZF9o6AIbDAUJAeEzgAAKCRAUaS7libQAbGxbAP4t | |||
| gQLqcFU4FlJGXXwiAxDEmEDF2c77XiECZr6TZFOU9QEAjPbikfdZp1S35Qk9XXAX | |||
| rQ312XSBVajVGX+U/5FHUWmcpQRkYR8iEwgqhkjOPQMBBwIDBF9p9Ola7dq/56Nw | |||
| zgg6zc7ZXtUPldi5bqxOGtm/o0SuR4O+JENH4o3xUYAzSmpad7L93/ah5yQV1Gvi | |||
| D94W6U7+BwMCNAdI01JPhXD/XP/3DBnUsoRyHvzmoi8j2L80gp8PbLCLsC2T3n6F | |||
| 1t+RzFIDGwsHSuUGDFmyIl0M58yV3YCzkhkQA/Y8gXsZAqR8md0sIIj1BBgTCgAm | |||
| FiEEEQaT/poCTj/UuH35FGku5Ym0AGwFAmRhHyICGyIFCQHhM4AAgQkQFGku5Ym0 | |||
| AGx2IAQZEwoAHRYhBF9vZhkbUysbCqjACbdzqXiyATrUBQJkYR8iAAoJELdzqXiy | |||
| ATrU7W4A/0S0DpxrFzU7IDOJs0n8XrnQbzg3Oncc73MbiGCQQ6BHAP4jkQyVzWVZ | |||
| RNGPUyiNRQfc8Hm01GwDlu7W1L05V82k8L98AP4xQY3m/KL916S1GrlKiqXmhMtc | |||
| MSTC4DEAgJx8suKhyQEAsHnmKzZ4mt1k2nA3+YNdlRM5tv+7x+rIJixhch5giV8= | |||
| =YjLn | |||
| -----END PGP PRIVATE KEY BLOCK----- | |||
| </nowiki> | |||
| !!!!CONTINUER à "OPERATING PUBLIC KEYS" | |||
Dernière version du 16 mai 2023 à 09:51
Sources
Signification, désambiguation
PGP (Pretty Good Privacy) est un logiciel de chiffrement crée par Phil Zimmerman, qui utilise une suite de hashage, chiffrement, clefs symétriques et asymétriques, etc... dans le but de fournir du chiffrement et de l'authentification dans les communications. Il peut être utilisé pour signer, chiffrer du texte, des mails, des fichiers, et même des partitions de disque. PGP suit le standard OpenPGP ainsi que la RFC 4880.
GPG (Pour "Gnu Privacy Guard", ou GnuPG ce qui est vachement mieux) est une *implémentation* de PGP. Il est intéropérable avec les autres car compliant avec la RFC4880.
Mise en oeuvre de GnuPG
Je pars d'une machine avec différent users pour simuler le fait de se connecter en SSH.
Plugin VIM
La source donne un plugin vim permettant de lire les fichiers chiffrés à la volée - je le met en oeuvre, je cite :
sudo mkdir -p /etc/skel/.vim/pack/bundle/start sudo apt install -y git sudo git clone https://github.com/jamessan/vim-gnupg.git /etc/skel/.vim/pack/bundle/start/vim-gnupg
Créer /etc/skel/.vimrc avec:
/etc/skel/.vimrc
Puis enfin, on donne des variables relatives à l'agent pour qu'il fonctionne correctement (je passe les détails...)
sudo bash -c "cat >> /etc/profile.d/gpg.sh" << "EOF" GPG_TTY=`tty` export GPG_TTY EOF
Users
Ma machine a 5 users (foo, bar, baz, qux, fred) en plus du mien. On pourra se connecter en SSH local pour simuler.
GnuPG
Il est installé de base sur Deb12, en version 2.2.27 dans mon cas:
justine@debian:~$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/justine/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
On voit qu'ECDH est supporté. On peut lister les curves ECDH supportées avec :
justine@debian:~$ gpg --with-colons --list-config curve cfg:curve:cv25519;ed25519;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1
Fonctionnement et Génération des clefs
Quoi qu'est-ce ?
GPG utilise à la fois le chiffrement symétrique et asymétrique:
- Des clefs publiques pour chiffrer les fichiers et vérifier les signatures
- Des clefs privées pour signer les fichiers et les déchiffrer.
On a différent type de clefs avec différentes capacités.
Ces clefs sont appellées:
- Keys (clefs primaires) : ont des capacités de chiffrement et signature. "sec" identifie la clef secrète et "pub" la clef publique.
- Subkeys (clefs liées à la clef primaire) : ssb est la subkey secrète, sub est la subkey publique.
| Capacité | Description | Key | Subkey | 
|---|---|---|---|
| C | Certification - Certifie une identité. Une subkey ne peut pas le faire. | X | |
| S | Signer d'autres clefs ou des données. | X | X | 
| E | Chiffrer ("encrypting"). | X | |
| A | Authent. Par exemple, SSH, TLS avec GnuTLS... | X | 
On peut voir les capacités avec la commande suivante (ne pas aller au bout du process, c'est juste pour avoir la liste):
baz@debian:~$ gpg --expert --full-gen-key gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (9) ECC and ECC (10) ECC (sign only) (11) ECC (set your own capabilities) (13) Existing key (14) Existing key from card Your selection?
Mise en oeuvre : création de clefs
Clefs RSA
L'environnement d'un utilisateur est initialisé dès qu'il génère ou importe sa clef privée. On conseille les arguments --expert et --full-gen-key pour activer toutes les features et tous les types de clefs. On génère les clefs de "bar" en ssh (vraiment pas compréhensible...)
ssh -t bar@localhost "gpg --quick-gen-key 'Bar User (Bar User Primary Key) <bar@squi.fr>' rsa sign,cert never"
On nous demande un mdp pour la clef, puis on nous dit que:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/bar/.gnupg/trustdb.gpg: trustdb created
gpg: key 7BF3AF5FF1E9220A marked as ultimately trusted
gpg: directory '/home/bar/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/bar/.gnupg/openpgp-revocs.d/F12E5320C9CA75322FD0BDB57BF3AF5FF1E9220A.rev'
public and secret key created and signed.
Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa3072 2023-05-13 [SC]
      F12E5320C9CA75322FD0BDB57BF3AF5FF1E9220A
uid                      Bar User (Bar User Primary Key) <bar@squi.fr>
Connection to localhost closed.
Cette clef ne peut pas être utilisée pour le chiffrement, seulement pour identication (cf le tableau au-dessus). La bonne pratique de toute façon consiste à éviter d'utiliser la clef primaire, mais plutôt à générer des subkeys et à planquer la clef primaire en lieu sûr. On évite de se faire voler sa clef primaire ou de la perdre suite à une panne. Il est important de la stocker dans un endroit safe, autrement on ne peut plus rien faire !
Bref, on va faire la même chose en passant directement sur un compte parce qu'on a rien compris à la commande au-dessus. Baz, à toi.
baz@debian:~$ gpg --pinentry-mode loopback --quick-gen-key 'Baz User (Baz User Primary Key) <baz@squi.fr>' rsa sign,cert never
#Ici, on nous demande un mdp
gpg: directory '/home/baz/.gnupg' created
gpg: keybox '/home/baz/.gnupg/pubring.kbx' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/baz/.gnupg/trustdb.gpg: trustdb created
gpg: key 90E0D47DC4115033 marked as ultimately trusted
gpg: directory '/home/baz/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/baz/.gnupg/openpgp-revocs.d/634B60C0CE2AEE31F2EE62B990E0D47DC4115033.rev'
public and secret key created and signed.
Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa3072 2023-05-13 [SC]
      634B60C0CE2AEE31F2EE62B990E0D47DC4115033
uid                      Baz User (Baz User Primary Key) <baz@squi.fr>
On voit ici qu'on génère une clef RSA, qui n'expire jamais, et a les capacités Sign et Cert (correspondant au choix " (8) RSA (set your own capabilities)").
On fait un exit du compte de baz.
Clefs "Elliptic Curve"
On va générer à foo une clef de type:
- ECC avec nistp256 comme elliptic curve
- Sign et Cert
- N'expire pas
justine@debian:~$ sudo -u foo gpg --pinentry-mode loopback --quick-gen-key 'Foo User (Foo User Primary Key) <foo@squi.fr>' nistp256 sign,cert never #Nous refait le même speech qu'en RSA
Pareil pour qux et fred mais en RSA:
justine@debian:~$ sudo -u qux gpg --pinentry-mode loopback --quick-gen-key 'Qux User (Qux User Primary Key) <qux@squi.fr>' rsa sign,cert never justine@debian:~$ sudo -u fred gpg --pinentry-mode loopback --quick-gen-key 'Fred User (Fred User Primary Key) <fred@squi.fr>' rsa sign,cert never
Génération de subkey
On va prendre le compte de foo pour générer une subkey à des fins de chiffrement.
Voici l'intégralité de l'extrait - j'ai dû rajouter --pinentrymode=loopback sinon erreur. En gros, on choisit une clef ECC (encrypt only), avec la curve NIST P-256, valable 1 an:
foo@debian:~$ gpg --verbose --expert --pinentry-mode=loopback --edit-key foo@squi.fr addkey
Secret key is available.
gpg: using pgp trust model
sec  nistp256/14692EE589B4006C
     created: 2023-05-13  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr>
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 12
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 3
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sun 12 May 2024 12:39:44 PM CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: writing key binding signature
gpg: ECDSA/SHA512 signature from: "14692EE589B4006C Foo User (Foo User Primary Key) <foo@squi.fr>"
sec  nistp256/14692EE589B4006C
     created: 2023-05-13  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  nistp256/6031A802EF033CDE
     created: 2023-05-13  expires: 2024-05-12  usage: E   
[ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr>
Voir la fin où nous donne les clefs dispo, avec notre "ssb nistp256/6031A802EF033CDE" nouvellement créée.
On sauvegarde:
gpg> save
On va aussi faire une subkey pour "baz", mais cette fois-ci sans la procédure interactive; on récupère l'id de la clef primaire pour ça puis on créée la subkey:
justine@debian:~$ sudo su - 
root@debian:~# sudo su - baz
baz@debian:~$ gpg --list-secret-keys --fingerprint
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/baz/.gnupg/pubring.kbx
----------------------------
sec   rsa3072 2023-05-13 [SC]
      634B 60C0 CE2A EE31 F2EE  62B9 90E0 D47D C411 5033
uid           [ultimate] Baz User (Baz User Primary Key) <baz@squi.fr>
baz@debian:~$ gpg --pinentry-mode loopback --quick-add-key '634B 60C0 CE2A EE31 F2EE  62B9 90E0 D47D C411 5033' rsa sign 1y
Elle est valable 1 an et peut sign. On exit le shell de baz.
Générer une subkey d'authentification
De la même façon, on va générer une subkey d'authentification pour "foo":
root@debian:~$ su - foo
foo@debian:~$ gpg --expert --pinentry-mode=loopback --edit-key foo@squi.fr addkey 
Secret key is available.
sec  nistp256/14692EE589B4006C
     created: 2023-05-13  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  nistp256/6031A802EF033CDE
     created: 2023-05-13  expires: 2024-05-12  usage: E   
[ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr>
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 11
Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
Current allowed actions: Sign 
   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished
Your selection? A
Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
Current allowed actions: Sign Authenticate 
   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished
Your selection? Q
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 3
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 13 May 2024 07:49:40 PM CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec  nistp256/14692EE589B4006C
     created: 2023-05-13  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  nistp256/6031A802EF033CDE
     created: 2023-05-13  expires: 2024-05-12  usage: E   
ssb  nistp256/B773A978B2013AD4
     created: 2023-05-14  expires: 2024-05-13  usage: SA  
[ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr>
gpg> save
La fin de la sortie nous donne la liste des clefs, on voit que notre clef nouvellement créée est là. Ne pas oublier de save avant de quitter.
Générer le certificat de révocation
Le but d'un certificat de révocation est de pouvoir révoquer une clef qui aurait été volée, par exemple. Bien que GPG en fasse un automatiquement avec la clef primaire (ce qui est une bonne pratique) il peut être intéressant de savoir le faire. Toujours en tant que foo:
foo@debian:~$ gpg --gen-revoke --armor --pinentry-mode loopback --output=foo@squi.fr.revocation.asc foo@squi.fr sec nistp256/14692EE589B4006C 2023-05-13 Foo User (Foo User Primary Key) <foo@squi.fr> Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision? 1 Enter an optional description; end it with an empty line: > Reason for revocation: Key has been compromised (No description given) Is this okay? (y/N) y Revocation certificate created. Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: The print system of your machine might store the data and make it available to others!
Et voilà. On peut lire son contenu qui donne un peu d'informations :
foo@debian:~$ cat .gnupg/openpgp-revocs.d/110693FE9A024E3FD4B87DF914692EE589B4006C.rev 
This is a revocation certificate for the OpenPGP key:
pub   nistp256/14692EE589B4006C 2023-05-13 [SC]
      Key fingerprint = 1106 93FE 9A02 4E3F D4B8  7DF9 1469 2EE5 89B4 006C
uid                          Foo User (Foo User Primary Key) <foo@squi.fr>
A revocation certificate is a kind of "kill switch" to publicly
declare that a key shall not anymore be used.  It is not possible
to retract such a revocation certificate once it has been published.
Use it to revoke this key in case of a compromise or loss of
the secret key.  However, if the secret key is still accessible,
it is better to generate a new revocation certificate and give
a reason for the revocation.  For details see the description of
of the gpg command "--generate-revocation" in the GnuPG manual.
To avoid an accidental use of this file, a colon has been inserted
before the 5 dashes below.  Remove this colon with a text editor
before importing and publishing this revocation certificate.
:-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: This is a revocation certificate
iHgEIBMKACAWIQQRBpP+mgJOP9S4ffkUaS7libQAbAUCZF9mQgIdAAAKCRAUaS7l
ibQAbD72AQCMx5yaV/STrKnR0g6SEL18uOgiDBEJA30CnLwIHKQQlgEAz+SvPMG2
lsK8/Wua75K18ZG701hLrZkaVBj7vMOcAYc=
=E0tR
-----END PGP PUBLIC KEY BLOCK-----
Comme indiqué, il est conseiller de le stocker en lieu sûr.
Mise en oeuvre : modifier les clefs
Maintenant que nos utilisateurs ont des clefs PGP, on va pouvoir faire des trucs avec. On va commencer par utiliser le compte de foo, à qui l'on vient de donner des clefs.
sudo su - foo
On peut lister les clefs secrètes:
foo@debian:~$ gpg --list-secret-keys
/home/foo/.gnupg/pubring.kbx
----------------------------
sec   nistp256/14692EE589B4006C 2023-05-13 [SC]
      Key fingerprint = 1106 93FE 9A02 4E3F D4B8  7DF9 1469 2EE5 89B4 006C
uid                 [ultimate] Foo User (Foo User Primary Key) <foo@squi.fr>
ssb   nistp256/6031A802EF033CDE 2023-05-13 [E] [expires: 2024-05-12]
ssb   nistp256/B773A978B2013AD4 2023-05-14 [SA] [expires: 2024-05-13]
La première colonne indique le type de clef : sec pour secret, ssb pour secret subkey. Ainsi la sortie nous affiche : notre clef secrète (sec), son uid (ligne uid), et des subkey secrètes.
Ajouter un UID
Cela se fait en mode interactif.
foo@debian:~$ gpg --pinentry-mode loopback --edit-key '<foo@squi.fr>' 
Secret key is available.
sec  nistp256/14692EE589B4006C
     created: 2023-05-13  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  nistp256/6031A802EF033CDE
     created: 2023-05-13  expires: 2024-05-12  usage: E   
ssb  nistp256/B773A978B2013AD4
     created: 2023-05-14  expires: 2024-05-13  usage: SA  
[ultimate] (1). Foo User (Foo User Primary Key) <foo@squi.fr>
gpg> help
#Abbrévié
gpg> adduid
Real name: Squi squi
Email address: squi@squi.fr
Comment: Clef primaire de squi squi
You selected this USER-ID:
    "Squi squi (Clef primaire de squi squi) <squi@squi.fr>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
sec  nistp256/14692EE589B4006C
     created: 2023-05-13  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  nistp256/6031A802EF033CDE
     created: 2023-05-13  expires: 2024-05-12  usage: E   
ssb  nistp256/B773A978B2013AD4
     created: 2023-05-14  expires: 2024-05-13  usage: SA  
[ultimate] (1)  Foo User (Foo User Primary Key) <foo@squi.fr>
[ unknown] (2). Squi squi (Clef primaire de squi squi) <squi@squi.fr>
gpg> save
Le "unkown" sur l'avant dernière ligne ici n'est pas important. On peut vérifier le résultat derrière:
foo@debian:~$ gpg --list-secret-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/foo/.gnupg/pubring.kbx
----------------------------
sec   nistp256/14692EE589B4006C 2023-05-13 [SC]
      Key fingerprint = 1106 93FE 9A02 4E3F D4B8  7DF9 1469 2EE5 89B4 006C
uid                 [ultimate] Squi squi (Clef primaire de squi squi) <squi@squi.fr>
uid                 [ultimate] Foo User (Foo User Primary Key) <foo@squi.fr>
ssb   nistp256/6031A802EF033CDE 2023-05-13 [E] [expires: 2024-05-12]
ssb   nistp256/B773A978B2013AD4 2023-05-14 [SA] [expires: 2024-05-13]
Choisir un UID avant de lancer une commande
Cela se fait via la commande "uid" :
foo@debian:~$ gpg --pinentry-mode loopback --edit-key '<foo@squi.fr>' Secret key is available. [...] [ultimate] (1). Squi squi (Clef primaire de squi squi) <squi@squi.fr> [ultimate] (2) Foo User (Foo User Primary Key) <foo@squi.fr> gpg> uid 1 [...] [ultimate] (1)* Squi squi (Clef primaire de squi squi) <squi@squi.fr> [ultimate] (2) Foo User (Foo User Primary Key) <foo@squi.fr> gpg> quit
Ici on ne fait rien de plus puisque c'est pour l'exemple. Cependant on voit que l'uid 1 est marqué d'une étoile : il a été sélectionné, et toutes les commandes suivantes seront en lien avec celui-ci.
Supprimer un UID
Même principe, mais avec la commande "deluid".
Sélectionner une subkey
Un peu comme l'uid, je peux par exemple choisir la troisième subkey avec la commande "key 3" dans l'interface gpg.
Étendre la période d'expiration d'une subkey
Choisir la subkey, puis utiliser la commande "expire".
Supprimer une subkey
Choisir la subkey, puis "delkey".
Exporter les clefs secrètes
Afin de pouvoir backuper les clefs, il faut pouvoir les exporter. Toujours sur le compte de foo, on commence par lister nos clefs secrètes, en notant "l'armor":
gpg --list-secret-keys
/home/foo/.gnupg/pubring.kbx
----------------------------
sec   nistp256/14692EE589B4006C 2023-05-13 [SC]
      Key fingerprint = 1106 93FE 9A02 4E3F D4B8  7DF9 1469 2EE5 89B4 006C
uid                 [ultimate] Squi squi (Clef primaire de squi squi) <squi@squi.fr>
uid                 [ultimate] Foo User (Foo User Primary Key) <foo@squi.fr>
ssb   nistp256/6031A802EF033CDE 2023-05-13 [E] [expires: 2024-05-12]
ssb   nistp256/B773A978B2013AD4 2023-05-14 [SA] [expires: 2024-05-13]
 
L'armor est le numéro en hexa qui suit l'algo (ici nistp256).
On peut ensuite soit exporter la clef secrète avec toutes ses sous-clefs :
foo@debian:~$ gpg --pinentry-mode loopback --export-secret-keys --armor 14692EE589B4006C > /tmp/foo@squi.fr foo@debian:~$ cat /tmp/foo@squi.fr -----BEGIN PGP PRIVATE KEY BLOCK----- lKUEZF9mPxMIKoZIzj0DAQcCAwRMxBBoux28RyhOlpl9cy5dAJB5xRKU1MP5W7qB PRH6mVOTUv+Pxjnoi/HbXf/EyVdhPuOggpQrw6JaTRd+r1Yy/gcDAiOzPx3sCuE6 /793EcoXv2xooHr3erN4xOvxIIYGCpksx5k9d6CO/2fnZa4qPGMORcGFZVsTdoOw RwbHB4E5BbLbjnVZIcXJuTdMGdbJasG0LUZvbyBVc2VyIChGb28gVXNlciBQcmlt YXJ5IEtleSkgPGZvb0BzcXVpLmZyPoiQBBMTCgA4FiEEEQaT/poCTj/UuH35FGku 5Ym0AGwFAmRfZj8CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQFGku5Ym0 AGxTAQD/awrCNd/MPpuY7AjPxxKssSBILCyWLfj3329+2C2xPJ8A/RqLKZb+DIii 5cjjJyO9fsVDtCGfrQUNgRh6uSdH4niLtDVTcXVpIHNxdWkgKENsZWYgcHJpbWFp cmUgZGUgc3F1aSBzcXVpKSA8c3F1aUBzcXVpLmZyPoiQBBMTCgA4FiEEEQaT/poC Tj/UuH35FGku5Ym0AGwFAmRhIlECGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AA CgkQFGku5Ym0AGy2gQD/anwjX/hd9gzVbhLKLtbkofgIf+WUUeSv40ZYt+ZGLK4A /2ZnX66Hq6IK4aZHJvH6DvXC6TxRhcgVXM5QI/XLxMlinKkEZF9o6BIIKoZIzj0D AQcCAwSrfUAj6fGhyDIt3mfSwwiyaek9/mrn1Le1ibmgU48lFEik3T6qcP17arvP imGBs+/g/MrCrAY4RK0o69vPmh3WAwEIB/4HAwKvVnf+xYp0DP9F3tNxYC18AYma Cnq689NTy1HnzL2KmXYqG7Pqj23Kc9zLEHn6d/UxkN5hZH9JE5h6dvm4jNVO28qf +r8CP57D0H4BTtPViH4EGBMKACYWIQQRBpP+mgJOP9S4ffkUaS7libQAbAUCZF9o 6AIbDAUJAeEzgAAKCRAUaS7libQAbGxbAP4tgQLqcFU4FlJGXXwiAxDEmEDF2c77 XiECZr6TZFOU9QEAjPbikfdZp1S35Qk9XXAXrQ312XSBVajVGX+U/5FHUWmcpQRk YR8iEwgqhkjOPQMBBwIDBF9p9Ola7dq/56Nwzgg6zc7ZXtUPldi5bqxOGtm/o0Su R4O+JENH4o3xUYAzSmpad7L93/ah5yQV1GviD94W6U7+BwMCxhDNaIEqRm7/zn6+ YEY4Hhbd0IuhFlocskh4iNadJw/rkHiOAQy99NVTFDF3+P3hP02jQbGQSWmG1OjP cSUwOuxRHuMXprdHDJyium9kAoj1BBgTCgAmFiEEEQaT/poCTj/UuH35FGku5Ym0 AGwFAmRhHyICGyIFCQHhM4AAgQkQFGku5Ym0AGx2IAQZEwoAHRYhBF9vZhkbUysb CqjACbdzqXiyATrUBQJkYR8iAAoJELdzqXiyATrU7W4A/0S0DpxrFzU7IDOJs0n8 XrnQbzg3Oncc73MbiGCQQ6BHAP4jkQyVzWVZRNGPUyiNRQfc8Hm01GwDlu7W1L05 V82k8L98AP4xQY3m/KL916S1GrlKiqXmhMtcMSTC4DEAgJx8suKhyQEAsHnmKzZ4 mt1k2nA3+YNdlRM5tv+7x+rIJixhch5giV8= =rFNN -----END PGP PRIVATE KEY BLOCK-----
Soit exporter uniquement les subkeys secrète. En effet, on a normalement rarement besoin de toucher à la clef primaire, vu qu'il est conseillé de surtout travailler avec des subkeys.
foo@debian:~$ gpg --pinentry-mode loopback --export-secret-subkeys --armor 14692EE589B4006C > /tmp/foo@squi.fr foo@debian:~$ cat /tmp/foo@squi.fr -----BEGIN PGP PRIVATE KEY BLOCK----- lFoEZF9mPxMIKoZIzj0DAQcCAwRMxBBoux28RyhOlpl9cy5dAJB5xRKU1MP5W7qB PRH6mVOTUv+Pxjnoi/HbXf/EyVdhPuOggpQrw6JaTRd+r1Yy/wBlAEdOVQG0LUZv byBVc2VyIChGb28gVXNlciBQcmltYXJ5IEtleSkgPGZvb0BzcXVpLmZyPoiQBBMT CgA4FiEEEQaT/poCTj/UuH35FGku5Ym0AGwFAmRfZj8CGwMFCwkIBwMFFQoJCAsF FgIDAQACHgECF4AACgkQFGku5Ym0AGxTAQD/awrCNd/MPpuY7AjPxxKssSBILCyW Lfj3329+2C2xPJ8A/RqLKZb+DIii5cjjJyO9fsVDtCGfrQUNgRh6uSdH4niLtDVT cXVpIHNxdWkgKENsZWYgcHJpbWFpcmUgZGUgc3F1aSBzcXVpKSA8c3F1aUBzcXVp LmZyPoiQBBMTCgA4FiEEEQaT/poCTj/UuH35FGku5Ym0AGwFAmRhIlECGwMFCwkI BwMFFQoJCAsFFgIDAQACHgECF4AACgkQFGku5Ym0AGy2gQD/anwjX/hd9gzVbhLK LtbkofgIf+WUUeSv40ZYt+ZGLK4A/2ZnX66Hq6IK4aZHJvH6DvXC6TxRhcgVXM5Q I/XLxMlinKkEZF9o6BIIKoZIzj0DAQcCAwSrfUAj6fGhyDIt3mfSwwiyaek9/mrn 1Le1ibmgU48lFEik3T6qcP17arvPimGBs+/g/MrCrAY4RK0o69vPmh3WAwEIB/4H AwLotTNrRxrKav8639nxuIH1EpDu4Su7gX/8x7+eGbn8TfOZz9pvMjizcjWtqwX3 BOL9/nPW39oSLnn7yc+ktC8H1l6Ptu6RK7y7cf7tg0i1iH4EGBMKACYWIQQRBpP+ mgJOP9S4ffkUaS7libQAbAUCZF9o6AIbDAUJAeEzgAAKCRAUaS7libQAbGxbAP4t gQLqcFU4FlJGXXwiAxDEmEDF2c77XiECZr6TZFOU9QEAjPbikfdZp1S35Qk9XXAX rQ312XSBVajVGX+U/5FHUWmcpQRkYR8iEwgqhkjOPQMBBwIDBF9p9Ola7dq/56Nw zgg6zc7ZXtUPldi5bqxOGtm/o0SuR4O+JENH4o3xUYAzSmpad7L93/ah5yQV1Gvi D94W6U7+BwMCNAdI01JPhXD/XP/3DBnUsoRyHvzmoi8j2L80gp8PbLCLsC2T3n6F 1t+RzFIDGwsHSuUGDFmyIl0M58yV3YCzkhkQA/Y8gXsZAqR8md0sIIj1BBgTCgAm FiEEEQaT/poCTj/UuH35FGku5Ym0AGwFAmRhHyICGyIFCQHhM4AAgQkQFGku5Ym0 AGx2IAQZEwoAHRYhBF9vZhkbUysbCqjACbdzqXiyATrUBQJkYR8iAAoJELdzqXiy ATrU7W4A/0S0DpxrFzU7IDOJs0n8XrnQbzg3Oncc73MbiGCQQ6BHAP4jkQyVzWVZ RNGPUyiNRQfc8Hm01GwDlu7W1L05V82k8L98AP4xQY3m/KL916S1GrlKiqXmhMtc MSTC4DEAgJx8suKhyQEAsHnmKzZ4mt1k2nA3+YNdlRM5tv+7x+rIJixhch5giV8= =YjLn -----END PGP PRIVATE KEY BLOCK-----
!!!!CONTINUER à "OPERATING PUBLIC KEYS"