2023-04-13 00:00 - How to Set up GPG and pass

(This was written in an old style, with markdown formatting)

######################################
GPG Keys
######################################

Generate gpg keys and a reference ID (used to find the key). Also outputs a hex fingerprint that can be used to identify the key.

```bash
gpg --expert --full-gen-key
# Select "9,1" for most secure
# Select expiration - 2y might be best
# Set user details: generates the reference ID as "full name <email address>"
# Set passphrase for private key - this is a password to use the key, for more protection
```

Show all the keys (and more importantly the IDs) of stored gpg entries

```bash
gpg --list-keys
```

Export public/private keys using the reference ID

```bash
# Export public key (for verifying and encrypting data)
gpg --armor --export ID > pub.key
# Export private key (for signing and decrypting data)
gpg --armor --export-secret-keys ID > priv.key
```

These are the default locations for important files

```bash
$GNUPGHOME                      # Defaults to ~/.gnupg/
$GNUPGHOME/private-keys-v1.d/   # Contains keys, named by their hex IDs
$GNUPGHOME/openpgp-revocs.d/    # Contains revocation certificates to disable public keys (keep secret)
```

A public key is usually sent to a certificate authority so anyone can read/check it. You can then send the revocation key similarly to remove this key from use.

When you use a private key it asks for a password and keeps you signed in using `gpg-agent`.

```bash
gpgconf --kill gpg-agent   # This force signs you out, if needed
```

######################################
Moving GPG Keys
######################################

If you want to publish your keys to the `hkps://keys.openpgp.org` certificate authority, do this. This sends an email to confirm your key.
```bash
# Publish your public key, associated with your email
gpg --send-keys ID
```

When using other people's keys you likely want to import them locally

```bash
# Search for a public key using an email or ID
gpg --search-keys ID
# Import a key (public OR private)
gpg --import KEY
```

To disable a public key you export your revocation key and import/publish BOTH

```bash
# Export revocation key
gpg --armor --gen-revoke ID > revoke.key
```

######################################
Encrypting Files
######################################

Encrypt a file using a public key - to be decrypted by the associated private key. This lets you send a file that only a specific person can decrypt.

```bash
gpg --recipient ID --armor --encrypt FILE   # Outputs "FILE.asc"
# Can add multiple "--recipient ID" for multiple keypairs/recipients
```

Can encrypt a file with just a password

```bash
gpg --symmetric FILE
gpg -c FILE
```

Decrypt a file, using keys stored in gpg

```bash
gpg --decrypt FILE.asc > FILE
```

Use your private key to write a signature at the end of a file - proves authenticity

```bash
# Sign the end of a file (FILE stays readable, signature appended)
gpg --local-user ID --clearsign FILE
# Sign a file (outputs a signed, compressed binary "FILE.gpg"; it is NOT encrypted)
gpg --local-user ID --sign FILE
# Sign AND encrypt a file
gpg --local-user ID --recipient ID --sign --encrypt FILE
```

Verify a file's integrity by checking its hash, signature and public key ID

```bash
gpg --verify FILE
```

######################################
Setting up gnupass
######################################

Use a gpg ID to create an encrypted folder `~/.password-store`. Each password is a separate gpg encrypted file.

```bash
pass init ID
```

Can add git version control to passwords - with changes encrypted in the same gpg key.
Things like `git diff` work by using gpg-agent to decrypt the files

```bash
pass git init
```

These are the default locations for important files

```bash
# To have multiple password stores, change this variable to a different folder
$PASSWORD_STORE_DIR                 # Defaults to ~/.password-store/
$PASSWORD_STORE_DIR/.gpg-id         # Stores the gpg ID to use for encryption
$PASSWORD_STORE_DIR/.git/config     # Look at this to see the method of decryption
```

Set the master source of a git repo on some server and use it as a remote password store

```bash
# Make a simple git repo on some remote server
git init --bare
# Add a remote origin to your local password store
pass git remote add origin ssh://USER@IP/FOLDER
# Manage remote passwords
pass git push
pass git pull
```

######################################
Using gnupass
######################################

Add a password and give it a label - just prompts for the password

```bash
pass insert LABEL           # e.g. amazon.com
# Can also sort passwords with a folder structure, as these are just files
pass insert FOLDER/LABEL    # e.g. websites/amazon.com
```

There are other ways of adding new passwords

```bash
# Multiline password - e.g. PASSWORD,URL,USER,SECRET,PIN
pass insert -m LABEL        # CTRL-D to exit
# Generate an N length password with no symbols in it
pass generate --no-symbols LABEL N
```

Interact with passwords you've created

```bash
# List all password labels
pass
# Retrieve a password
pass LABEL
pass show LABEL
# Copy password to clipboard
pass -c LABEL
# Edit password
pass edit LABEL
# Delete password
pass rm LABEL
```
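The notes above list keys with `gpg --list-keys` and recommend a 2y expiration, and the TODO asks what happens when keys expire. As an added example (not part of the original notes), this script parses the machine-readable `gpg --list-keys --with-colons` output to pull out each primary key's long ID, user ID and expiry, and flags keys that are expired or expiring within a warning window. The listing is a constructed sample; `key_report` and `expiring_key_ids` are names chosen here.

```shell
#!/bin/sh
# Added example: read `gpg --list-keys --with-colons` output and report key IDs and expiry.
# Field layout (from gpg's doc/DETAILS): "pub" records carry the long key ID in field 5,
# creation time in field 6 and expiry (unix epoch, empty = never) in field 7;
# "uid" records carry the user ID in field 10. "fpr" and "sub" records are skipped.

# Constructed sample listing: one key expiring soon, one with plenty of time,
# one that never expires and one already expired.
SAMPLE_LISTING='pub:u:255:22:0123456789ABCDEF:1680000000:1701500000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1680000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Alice Example <alice@example.com>::::::::::0:
sub:u:255:18:AAAA1111BBBB2222:1680000000:1701500000:::::e::::::23:
pub:u:255:22:FEDCBA9876543210:1690000000:1790000000::u:::scESC::::::23::0:
uid:u::::1690000000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Bob Example <bob@example.com>::::::::::0:
pub:u:255:22:1111222233334444:1690000000:::u:::scESC::::::23::0:
uid:u::::1690000000::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC::Carol Example <carol@example.com>::::::::::0:
pub:u:255:22:4444333322221111:1660000000:1699000000::u:::scESC::::::23::0:
uid:u::::1660000000::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD::Dave Example <dave@example.com>::::::::::0:'

# key_report LISTING NOW_EPOCH WARN_DAYS
# Prints one tab-separated line per primary key: "<long key id>\t<first uid>\t<status>",
# where status is "never", "EXPIRED", "expires in N days (WARN)" or "expires in N days".
key_report() {
  printf '%s\n' "$1" | awk -F: -v now="$2" -v warn="$3" '
    $1 == "pub" { keyid = $5; expiry = $7; have_uid = 0 }
    $1 == "uid" && !have_uid {
      have_uid = 1                              # report only the first uid of each key
      if (expiry == "") status = "never"
      else {
        days = int((expiry - now) / 86400)      # whole days until expiry (negative = past)
        if (days < 0) status = "EXPIRED"
        else if (days <= warn) status = "expires in " days " days (WARN)"
        else status = "expires in " days " days"
      }
      printf "%s\t%s\t%s\n", keyid, $10, status
    }'
}

# expiring_key_ids LISTING NOW_EPOCH WARN_DAYS -> space-separated IDs that need attention
expiring_key_ids() {
  key_report "$1" "$2" "$3" | awk -F'\t' '$3 ~ /WARN|EXPIRED/ { printf "%s ", $1 }' | sed 's/ $//'
}

# Against the live keyring you would run: key_report "$(gpg --list-keys --with-colons)" "$(date +%s)" 30
key_report "$SAMPLE_LISTING" 1700000000 30
echo "Needs renewal: $(expiring_key_ids "$SAMPLE_LISTING" 1700000000 30)"
```

A key flagged WARN can have its expiry extended with `gpg --quick-set-expire FINGERPRINT 2y` and then be re-published with `gpg --send-keys`, so the window above is the cue to do that before the key goes unusable.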
TODO

- Look into gpgtar and its benefits
- The "moving keys around" part is incomplete/incorrect
- What if keys expire?

Further Reading

- https://manpages.org/pass
- https://www.linuxbabe.com/security/a-practical-guide-to-gpg-part-1-generate-your-keypair
- https://medium.com/@chasinglogic/the-definitive-guide-to-password-store-c337a8f023a1
- https://wiki.archlinux.org/title/Pass
- https://web.archive.org/web/20210803213236/https://habd.as/post/moving-gpg-keys-privately/