diff --git a/source/_static/gpg/gpg.conf b/source/_static/gpg/gpg.conf new file mode 100644 index 0000000..e651897 --- /dev/null +++ b/source/_static/gpg/gpg.conf 
@@ -0,0 +1,62 @@ +# https://github.com/drduh/config/blob/master/gpg.conf +# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html +# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html +# 'gpg --version' to get capabilities +# Use AES256, 192, or 128 as cipher +personal-cipher-preferences AES256 AES192 AES +# Use SHA512, 384, or 256 as digest +personal-digest-preferences SHA512 SHA384 SHA256 +# Use ZLIB, BZIP2, ZIP, or no compression +personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed +# Default preferences for new keys +default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed +# SHA512 as digest to sign keys +cert-digest-algo SHA512 +# SHA512 as digest for symmetric ops +s2k-digest-algo SHA512 +# AES256 as cipher for symmetric ops +s2k-cipher-algo AES256 +# UTF-8 support for compatibility +charset utf-8 +# Show Unix timestamps +fixed-list-mode +# No comments in signature +no-comments +# No version in output +no-emit-version +# Disable banner +no-greeting +# Long hexidecimal key format +keyid-format 0xlong +# Display UID validity +list-options show-uid-validity +verify-options show-uid-validity +# Display all keys and their fingerprints +with-fingerprint +# Display key origins and updates +#with-key-origin +# Cross-certify subkeys are present and valid +require-cross-certification +# Disable caching of passphrase for symmetrical ops +no-symkey-cache +# Enable smartcard +use-agent +# Disable recipient key ID in messages +throw-keyids +# Default/trusted key ID to use (helpful with throw-keyids) +#default-key 0xFF3E7D88647EBCDB +#trusted-key 0xFF3E7D88647EBCDB +# Group recipient keys (preferred ID last) +#group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB +# Keyserver URL +#keyserver hkps://keys.openpgp.org +#keyserver hkps://keyserver.ubuntu.com:443 +#keyserver hkps://hkps.pool.sks-keyservers.net +#keyserver hkps://pgp.ocf.berkeley.edu +# Proxy to use 
for keyservers +#keyserver-options http-proxy=http://127.0.0.1:8118 +#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050 +# Verbose output +#verbose +# Show expired subkeys +#list-options show-unusable-subkeys diff --git a/source/tech_conf/gpg/generate_certify.rst b/source/tech_conf/gpg/generate_certify.rst new file mode 100644 index 0000000..97c4138 --- /dev/null +++ b/source/tech_conf/gpg/generate_certify.rst 
@@ -0,0 +1,46 @@ +Generate Certify Key +==================== + +.. warning:: + + Page a tradire en francais... + +.. warning:: + + No Internet from now on + +Introduction +------------ + +The primary key to generate is the Certify key, which will be used to issue Subkeys for encryption, signature and authentication operations. + +The Certify key should be kept offline at all times and only accessed from a secure environment to revoke or issue Subkeys. Keys can also be generated on the YubiKey itself to avoid duplication, however for usability and durability reasons this guide recommends against doing so. + +Generate a passphrase which will be needed throughout the guide to create Subkeys. The passphrase should be memorized or written down in a secure location, ideally separate from the portable storage device used for key material. + +The passphrase is recommended to consist of only upper case letters and numbers for improved readability. + + +The following command will generate strong passphrases while avoiding ambiguous characters: + +.. code-block:: + + LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \ + tr -d "1IOS5U" | fold -w 30 | head -n10 | \ + sed "-es/./ /"{1..26..5} | cut -c2- | tr " " "-" + + +Example output: + +.. code-block:: + + A4ZK-YRRJ-8WPM-82NY-CX9T-AGKT + PH9Z-HFDX-QDB9-YMMC-GQZB-Z3EV + EC3H-C42G-8E9K-VF7F-ZWT7-BTL6 + B3CA-QCCE-JMNE-VAZG-ZEYD-J3XP + YKP4-M42X-4WWE-WEKR-C3J7-GZYF + ZQWC-E7MN-M7CT-4Y4Z-9QFV-44VY + KY4F-C83Q-BTYQ-V8EM-WGCR-DPZN + GYWQ-WNAC-ERWM-XGAD-6XVD-ZCLD + L8JL-EK8H-Z4ZF-MA93-NND8-FPKA + WM2J-XF7L-QV6D-AWLY-Y2D8-4TQQ \ No newline at end of file diff --git a/source/tech_conf/gpg/index.rst b/source/tech_conf/gpg/index.rst index 5e098d1..9e15672 100644 --- a/source/tech_conf/gpg/index.rst +++ b/source/tech_conf/gpg/index.rst @@ -1,12 +1,15 @@ GPG === +.. note:: + + Une grande partie de ce tutoriel viens de ce repos `github`_. + .. toctree:: - :titlesonly: recomandation preparation - generate_gpg_key + generate_certify # Linux 
@@ -171,4 +174,6 @@ $ cd $GNUPGHOME rebase older commit ```bash git rebase --exec 'git commit --amend --no-edit -n -S' -i development -``` \ No newline at end of file +``` + +.. _`github`: https://github.com/drduh/YubiKey-Guide \ No newline at end of file diff --git a/source/tech_conf/gpg/preparation.rst b/source/tech_conf/gpg/preparation.rst index 37c532a..99e2ac2 100644 --- a/source/tech_conf/gpg/preparation.rst +++ b/source/tech_conf/gpg/preparation.rst @@ -87,5 +87,44 @@ L'un deux est `Ventoy`_ je ferais un tuto sur celui-ci et comment l'utiliser bie Si vous voulez utiliser `Ventoy`_ il vous suffira juste de faire une copier coller de l'iso dans le bon peripherique. +Le Live boot +------------ + +Maintenant on va donc boot sur l'iso qu'on a preparer. + +configurer le reseau, on va telecharger les paquer necessaire. + +.. code-block:: + + sudo apt update + + sudo apt -y upgrade + + sudo apt -y install \ + wget gnupg2 gnupg-agent dirmngr \ + cryptsetup scdaemon pcscd secure-delete \ + yubikey-personalization + + curl http://ftp.fr.debian.org/debian/pool/main/h/haskell-hopenpgp-tools/hopenpgp-tools_0.23.7-1_amd64.deb -O + + sudo dpkg -i hopenpgp-tools_0.23.7-1_amd64.deb + + sudo apt -y install yubikey-manager + + sudo service pcscd start + + export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX) + + wget -O $GNUPGHOME/gpg.conf https://doc.g3e.fr/_downloads/58a3422798d8fb93fc663cb2bb0b136c/gpg.conf + + grep -ve "^#" $GNUPGHOME/gpg.conf + +.. warning:: + + A partir de maintenant on a plus besoin d'internet + /!\ On peut donc desactiver internet /!\ + + + .. _Verifying authenticity of Debian CDs: https://www.debian.org/CD/verify .. _Ventoy: https://www.ventoy.net/en/index.html \ No newline at end of file
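Review bot: in the gpg.conf hunk the comment above `use-agent` ("Enable smartcard") is inaccurate: since GnuPG 2.1 `use-agent` is an obsolete no-op (gpg always talks to gpg-agent, and smartcard access goes through scdaemon), so either drop the line or reword the comment. Also `throw-keyids` is enabled unconditionally while `default-key` / `trusted-key` stay commented out: with the recipient key ID stripped, gpg must try every available secret key on decryption, which on a YubiKey means repeated PIN prompts and which breaks correspondents whose tooling cannot handle anonymous recipients; either comment it out by default like the upstream file's other optional settings or document that trade-off next to it. Minor: "hexidecimal" should read "hexadecimal".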
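Review bot: in the generate_certify.rst hunk the passphrase generator is bash-only and the code block is untagged: `sed "-es/./ /"{1..26..5}` depends on bash brace expansion with a step, so under sh/dash the literal `{1..26..5}` reaches sed and the pipeline errors out. Tag the block `.. code-block:: bash` and say the command must be run in bash (the same applies to the untagged output block, which should be `.. code-block:: text`). The first warning, "Page a tradire en francais...", is a translation TODO that will render in the published page; move it to an issue or a comment (`.. Page a traduire en francais`). The second warning ("No Internet from now on") duplicates the "on n'a plus besoin d'internet" warning appended to preparation.rst in this same change; keep it in one place. The file also lacks a trailing newline.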
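Review bot: in the first index.rst hunk removing `:titlesonly:` changes how the whole GPG toctree renders (every page's sub-sections now appear), which is unrelated to adding the new page; if intentional, say so in the commit message, otherwise keep the option. Replacing `generate_gpg_key` with `generate_certify` without a corresponding deletion or rename of `generate_gpg_key.rst` in this diff means Sphinx will warn that the old document is not in any toctree if the file still exists. Minor: "viens" should be "vient" in the French note.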
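Review bot: in the second index.rst hunk the new link target is named `github`, which is too generic for a reference that points at one specific repository and will collide with any later GitHub link on the page; a descriptive label such as `.. _drduh-yubikey-guide:` (and the matching `` `drduh-yubikey-guide`_ `` in the note) is clearer. The file still ends without a newline after this change.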
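Review bot: in the preparation.rst hunk the lines `curl http://ftp.fr.debian.org/.../hopenpgp-tools_0.23.7-1_amd64.deb -O` followed by `sudo dpkg -i hopenpgp-tools_0.23.7-1_amd64.deb` install a package fetched over plain HTTP with no signature or checksum check, on the very machine being prepared for offline key generation; this bypasses the apt signature verification the preceding `apt install` lines rely on. Prefer `sudo apt -y install hopenpgp-tools` when the live image's Debian release ships it, and otherwise fetch over https and compare the SHA256 against the signed Packages index before `dpkg -i`. Two smaller problems in the same block: `curl` is not in the `apt -y install` list (only `wget` is), so on a minimal live image that line fails; and the `wget -O $GNUPGHOME/gpg.conf https://doc.g3e.fr/_downloads/58a3422798d8fb93fc663cb2bb0b136c/gpg.conf` URL embeds a Sphinx-generated content hash that changes every time `_static/gpg/gpg.conf` is edited, so the link will break on the next update; a `:download:` role or a stable path avoids that. The `.. code-block::` should be tagged `bash`, and the warning text should read "on n'a plus besoin d'internet".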