gpg
Install gpg on macOS:
brew install gnupg pinentry-mac
If required, restart gpg-agent with:
gpgconf --kill gpg-agent
To create a gpg key in batch mode, create a file named gen-key-script with this content:
Key-Type: EDDSA
Key-Curve: Ed25519
Key-Usage: sign auth
Subkey-Type: ECDH
Subkey-Curve: Cv25519
Subkey-Usage: encrypt
Name-Real: your name
Name-Comment: your comment
Name-Email: your@email
Expire-Date: 2y
Then generate the key with, for example:
$ gpg --homedir /salt/gpgkeys --batch --gen-key gen-key-script
To extend the expiration date of a key:
$ gpg --homedir /salt/gpgkeys --edit-key your@email
gpg> expire
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
For example, to extend by 1 year:
Your selection? 1y
gpg> save
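As an added example (not part of the original notes), the following Python script parses `gpg --with-colons --list-keys` output, flags keys and subkeys that are expired or expire within N days, and prints the `gpg --quick-set-expire` command that extends each one without the interactive `expire`/`save` dialogue. The embedded listing, key IDs, fingerprints and dates are constructed; the homedir `/salt/gpgkeys` is the one used above.

```python
#!/usr/bin/env python3
"""Report keys from `gpg --with-colons --list-keys` that expire soon.

Pipe a real listing in:
  gpg --homedir /salt/gpgkeys --with-colons --list-keys | python3 gpg_expiry.py
Field layout follows GnuPG's doc/DETAILS: field 1 record type, 5 key ID,
7 expiration (Unix epoch seconds), 12 capabilities; an `fpr` record carries
the fingerprint of the preceding pub/sub record in field 10.
"""
import sys
import time

# Constructed sample listing: one Ed25519 signing key with a Cv25519
# encryption subkey. Key IDs, fingerprints and dates are made up.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:1710000000::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::DEADBEEF::Your Name (your comment) <your@email>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000:1763000000:::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""


def parse_keys(listing):
    """Return one dict per pub/sub record, with its fingerprint attached."""
    keys, primary_fpr = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary_fpr = None          # a new primary key starts here
        if f[0] in ("pub", "sub"):
            keys.append({"type": f[0], "keyid": f[4], "fpr": None, "caps": f[11],
                         "expires": int(f[6]) if f[6] else None,
                         "primary_fpr": primary_fpr})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]
            if keys[-1]["type"] == "pub":
                primary_fpr = keys[-1]["primary_fpr"] = f[9]
    return keys


def expiring_within(listing, days, now=None):
    """Keys/subkeys that are expired or expire within `days` days (no date = never)."""
    now = int(time.time()) if now is None else now
    return [k for k in parse_keys(listing)
            if k["expires"] is not None and k["expires"] <= now + days * 86400]


def extend_command(key, homedir="/salt/gpgkeys", period="1y"):
    """Non-interactive equivalent of `--edit-key` + `expire` for one key."""
    cmd = "gpg --homedir %s --quick-set-expire %s %s" % (homedir, key["primary_fpr"], period)
    return cmd if key["type"] == "pub" else cmd + " " + key["fpr"]   # subkeys need their own fpr


if __name__ == "__main__":
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for k in expiring_within(listing, 30):
        print("%s %s expires %s -> %s" % (k["type"], k["keyid"],
              time.strftime("%Y-%m-%d", time.gmtime(k["expires"])), extend_command(k)))
```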
Backup private key
To save the private key to a file:
gpg --homedir /salt/gpgkeys -a --export-secret-keys > private.key
There is no need to export the public key separately: the secret key export also contains the public key material.
To import the pair of keys later just do:
gpg --import private.key
If you cannot paste the passphrase interactively:
printf '%s' password | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --import key
rngd (Linux)
If you don't have a source of entropy, generating the keys may take a while. On a Linux system you can install rngd (from the rng-tools package) and then run:
# rngd -v
Unable to open file: /dev/tpm0
can't open any entropy source
Maybe RNG device modules are not loaded
To start rngd using /dev/urandom, do this:
# cp /usr/lib/systemd/system/rngd.service /etc/systemd/system
Edit /etc/systemd/system/rngd.service and replace the line starting with ExecStart with:
ExecStart=/sbin/rngd -f -r /dev/urandom
Reload systemd:
# systemctl daemon-reload
And restart rngd:
# systemctl restart rngd
Using gpg as ssh
You need to install monkeysphere:
$ brew install monkeysphere
To remove the passphrase from the authentication subkey ("[A]") and convert it later to an ssh id_rsa:
$ gpg --export-secret-subkey F6C7D705867D430! | gpg --homedir /tmp/x --import
$ gpg --homedir /tmp/x --change-passphrase F6C7D705867D430!
$ gpg --homedir /tmp/x --export-secret-subkey F6C7D705867D430! | openpgp2ssh F6C7D705867D430 > /tmp/naked-id_rsa
Then, to protect the key with a passphrase again:
$ ssh-keygen -f /tmp/naked-id_rsa -p