Gpg: Difference between revisions

From Bitpost wiki
 
(2 intermediate revisions by the same user not shown)
Line 9: Line 9:
   Passphrase: ****
   Passphrase: ****
=== PIN entry in emacs ===
=== PIN entry in emacs ===
Details are [[Emacs#GPG|here]].
It is neckbeard-borked out of the gate.  Fix is [[Emacs#GPG|here]].


=== PIN entry over ssh ===
=== PIN entry over ssh ===
You can in theory decrypt a file over ssh without writing it to disk:
You can in theory decrypt a file over ssh to STDOUT without writing it to disk, but PIN entry fails by default:
  ssh prod-cfg-1 gpg -d my_secrets.gpg
  ssh secretbox gpg -d secretfile.gpg
But default PIN entry over tty is totally fucking broken.  Try:
Two fixes are required to get PIN entry to work:
  emacs .gpg
* Use curses for PIN entry on the secretbox:
[secretbox] emacs ~/.gnupg/gpg-agent.conf
  allow-emacs-pinentry
  allow-loopback-pinentry
  pinentry-program /usr/bin/pinentry-curses
* Tell ssh to use tty:
  ssh -tt secretbox gpg -d secretfile.gpg

Latest revision as of 17:19, 22 April 2021

Create strong key

We want an elliptical curve key. It's baked in! But hidden.

gpg --expert --full-generate-key
 Key kind: (9) ECC and ECC
 Elliptical curve: (1) Curve 25519
 Don't expire (0)
 Real name: Michael Behrns-Miller
 email: m@bitpost.com
 Passphrase: ****

PIN entry in emacs

It is neckbeard-borked out of the gate. Fix is here.

PIN entry over ssh

You can in theory decrypt a file over ssh to STDOUT without writing it to disk, but PIN entry fails by default:

ssh secretbox gpg -d secretfile.gpg

Two fixes are required to get PIN entry to work:

  • Use curses for PIN entry on the secretbox:
[secretbox] emacs ~/.gnupg/gpg-agent.conf
  allow-emacs-pinentry
  allow-loopback-pinentry
  pinentry-program /usr/bin/pinentry-curses
  • Tell ssh to use tty:
ssh -tt secretbox gpg -d secretfile.gpg