doc-public/source/tech_conf/gpg/generate_certify.rst
GnomeZworc e058f1c494 2024-02-18-08
Signed-off-by: GnomeZworc <nicolas.boufidjeline@g3e.fr>
2024-02-18 21:39:12 +01:00


Generate Certify Key
====================

.. warning::

   Page still to be translated into French...

.. warning::

   No Internet from now on

Introduction
------------

The primary key to generate is the Certify key, which will be used to issue Subkeys for encryption, signature and authentication operations.

The Certify key should be kept offline at all times and only accessed from a secure environment to revoke or issue Subkeys. Keys can also be generated on the YubiKey itself to avoid duplication; however, for usability and durability reasons this guide recommends against doing so.

Generate a passphrase, which will be needed throughout the guide to create Subkeys. The passphrase should be memorized or written down in a secure location, ideally separate from the portable storage device used for key material.

The passphrase is recommended to consist of only upper case letters and numbers for improved readability.

The following command will generate strong passphrases while avoiding ambiguous characters:

.. code-block::

   LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
       tr -d "1IOS5U" | fold -w 30 | head -n10 | \
       sed "-es/./ /"{1..26..5} | cut -c2- | tr " " "-"
Example output:

.. code-block::

   A4ZK-YRRJ-8WPM-82NY-CX9T-AGKT
   PH9Z-HFDX-QDB9-YMMC-GQZB-Z3EV
   EC3H-C42G-8E9K-VF7F-ZWT7-BTL6
   B3CA-QCCE-JMNE-VAZG-ZEYD-J3XP
   YKP4-M42X-4WWE-WEKR-C3J7-GZYF
   ZQWC-E7MN-M7CT-4Y4Z-9QFV-44VY
   KY4F-C83Q-BTYQ-V8EM-WGCR-DPZN
   GYWQ-WNAC-ERWM-XGAD-6XVD-ZCLD
   L8JL-EK8H-Z4ZF-MA93-NND8-FPKA
   WM2J-XF7L-QV6D-AWLY-Y2D8-4TQQ
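The generator above depends on bash brace expansion and gives no hint of how much entropy a 24-character passphrase over this alphabet actually carries. The following script is an added example, not part of the original guide: it rebuilds the same generator in POSIX sh (the alphabet constant, the ``head -c`` call and the function names are mine), adds a format check that rejects any ambiguous character, and computes the entropy of a passphrase from the alphabet size. It assumes ``/dev/urandom`` is available.

```shell
#!/bin/sh
# Added example, not from the original guide: POSIX version of the passphrase
# generator above, plus a format check and an entropy calculation.
set -eu

# The guide's alphabet: A-Z and 1-9 minus the ambiguous 1 I O S 5 U (29 symbols).
PASSPHRASE_ALPHABET='ABCDEFGHJKLMNPQRTVWXYZ2346789'

# Six groups of four characters joined by dashes, as in the example output.
generate_passphrase() {
    LC_ALL=C tr -dc "$PASSPHRASE_ALPHABET" < /dev/urandom | head -c 24 | sed 's/..../&-/g; s/-$//'
}

# Succeed only if $1 is six dash-separated groups of four characters drawn
# exclusively from the alphabet, so any ambiguous character is rejected.
is_well_formed() {
    printf '%s\n' "$1" | grep -Eq "^([$PASSPHRASE_ALPHABET]{4}-){5}[$PASSPHRASE_ALPHABET]{4}\$"
}

# Entropy in bits: number of random characters times log2(alphabet size).
# For 24 characters over 29 symbols this is about 116.6 bits.
entropy_bits() {
    chars=$(printf '%s' "$1" | tr -d '-')
    awk -v n="${#chars}" -v a="${#PASSPHRASE_ALPHABET}" \
        'BEGIN { printf "%.1f\n", n * log(a) / log(2) }'
}

passphrase=$(generate_passphrase)
echo "$passphrase"
is_well_formed "$passphrase" && echo "well formed, $(entropy_bits "$passphrase") bits of entropy"
```

The check is worth keeping around: a passphrase that was retyped from paper and picked up an ``O`` instead of a ``0`` fails ``is_well_formed`` immediately rather than at the first ``gpg`` prompt.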

Generate Certify
----------------

Start gpg in expert mode:

.. code-block::

   gpg --expert --full-generate-key

Here is the sequence of prompts to answer. First, choose ECC and keep only the 'Certify' capability (toggle the sign capability off):

.. code-block::

   Please select what kind of key you want:
      (1) RSA and RSA
      (2) DSA and Elgamal
      (3) DSA (sign only)
      (4) RSA (sign only)
      (7) DSA (set your own capabilities)
      (8) RSA (set your own capabilities)
      (9) ECC (sign and encrypt) *default*
     (10) ECC (sign only)
     (11) ECC (set your own capabilities)
     (13) Existing key
     (14) Existing key from card
   Your selection? 11

   Possible actions for this ECC key: Sign Certify Authenticate
   Current allowed actions: Sign Certify

      (S) Toggle the sign capability
      (A) Toggle the authenticate capability
      (Q) Finished

   Your selection? S

   Possible actions for this ECC key: Sign Certify Authenticate
   Current allowed actions: Certify

      (S) Toggle the sign capability
      (A) Toggle the authenticate capability
      (Q) Finished

   Your selection? Q

Next, choose the elliptic curve; I personally keep the default option.

.. code-block::

   Please select which elliptic curve you want:
      (1) Curve 25519 *default*
      (2) Curve 448
      (3) NIST P-256
      (4) NIST P-384
      (5) NIST P-521
      (6) Brainpool P-256
      (7) Brainpool P-384
      (8) Brainpool P-512
      (9) secp256k1
   Your selection? 1

Then choose the expiration date; I personally set the key to never expire.

.. code-block::

   Please specify how long the key should be valid.
            0 = key does not expire
         <n>  = key expires in n days
         <n>w = key expires in n weeks
         <n>m = key expires in n months
         <n>y = key expires in n years
   Key is valid for? (0) 0
   Key does not expire at all
   Is this correct? (y/N) y

Finally, enter the user ID details: the name, the email address and an optional comment.

.. code-block::

   GnuPG needs to construct a user ID to identify your key.

   Real name: YubiKey User
   Email address: yubikey@example
   Comment:
   You selected this USER-ID:
       "YubiKey User <yubikey@example>"

   Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
   We need to generate a lot of random bytes. It is a good idea to perform
   some other action (type on the keyboard, move the mouse, utilize the
   disks) during the prime generation; this gives the random number
   generator a better chance to gain enough entropy.
   gpg: revocation certificate stored as '/Users/nicolas.boufidjeline/.gnupg/openpgp-revocs.d/3D98DEB92C1F530B076DA2CBE8091C4510077F5A.rev'
   public and secret key created and signed.

   pub   ed25519/0xE8091C4510077F5A 2024-02-18 [C]
         Key fingerprint = 3D98 DEB9 2C1F 530B 076D A2CB E809 1C45 1007 7F5A
   uid                              YubiKey User <yubikey@example>

Then copy the key ID and export it as an environment variable:

.. code-block::

   export KEYID=0xE8091C4510077F5A
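The interactive session above, as an added example that is not part of the original guide: the same choices (ECC, Certify only, Curve 25519, no expiry) issued in one ``gpg --quick-generate-key`` call, followed by the two checks I would run before exporting ``KEYID``: pull the long key ID out of ``gpg --list-keys --with-colons`` output instead of copying it by hand, and confirm the primary key really ended up certify-only. The function names are mine; the ``gpg`` options are standard GnuPG 2.1+ ones; the two listing strings are constructed samples built around the key ID and fingerprint shown above, with made-up timestamps and hash fields, so the checks run without ``gpg`` installed.

```shell
#!/bin/sh
# Added example, not from the original guide: non-interactive equivalent of the
# session above plus two checks on the result. Assumes GnuPG >= 2.1 and that
# GNUPGHOME already points at the offline keyring.
set -eu

# Same choices as the interactive walkthrough: ECC with only the Certify
# capability (menu 11, toggle S off, Q), Curve 25519, no expiry (0).
# gpg still asks for confirmation and for the passphrase via pinentry.
generate_certify_key() {
    user_id="$1"    # e.g. "YubiKey User <yubikey@example>"
    gpg --quick-generate-key "$user_id" ed25519 cert 0
}

# Read a machine-readable listing (gpg --list-keys --with-colons) on stdin and
# print the long key ID of the first primary key in the 0x form the guide
# exports as KEYID. Field 5 of a "pub" record is the key ID.
keyid_from_listing() {
    awk -F: '$1 == "pub" { print "0x" $5; exit }'
}

# Succeed only if the first primary key in the listing on stdin carries the
# certify capability and nothing else. Field 12 of a "pub" record holds the
# usage flags: lowercase letters are the key's own capabilities, uppercase
# letters summarise the whole key (primary plus subkeys), so those are dropped.
is_certify_only() {
    awk -F: '
        $1 == "pub" {
            caps = $12
            gsub(/[A-Z]/, "", caps)
            found = 1
            status = (caps == "c") ? 0 : 1
            exit status
        }
        END { if (!found) exit 1 }
    '
}

# Constructed sample listings: key ID and fingerprint are the ones shown in the
# output above; timestamps and the uid hash field are made up.
CERTIFY_ONLY_LISTING='pub:u:256:22:E8091C4510077F5A:1708288752:::u:::cC::::::23::0:
fpr:::::::::3D98DEB92C1F530B076DA2CBE8091C4510077F5A:
uid:u::::1708288752::0000000000000000000000000000000000000000::YubiKey User <yubikey@example>::::::::::0:'

# What the listing would look like if the sign capability had been left on.
SIGN_AND_CERTIFY_LISTING='pub:u:256:22:E8091C4510077F5A:1708288752:::u:::scSC::::::23::0:
fpr:::::::::3D98DEB92C1F530B076DA2CBE8091C4510077F5A:'

# Demonstration on the constructed samples (no gpg needed).
printf '%s\n' "$CERTIFY_ONLY_LISTING" | keyid_from_listing
if printf '%s\n' "$CERTIFY_ONLY_LISTING" | is_certify_only; then
    echo "primary key is certify-only"
fi
if printf '%s\n' "$SIGN_AND_CERTIFY_LISTING" | is_certify_only; then
    echo "unexpected: sign-capable key reported as certify-only"
fi
```

Against a real keyring the last step of the guide becomes ``export KEYID="$(gpg --list-keys --with-colons | keyid_from_listing)"``, and ``gpg --list-keys --with-colons | is_certify_only`` is a cheap way to catch the case where the ``S`` toggle was skipped and the primary key kept its sign capability.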