Difference between revisions of "Gpg"

From Bitpost wiki
Latest revision as of 17:19, 22 April 2021

Create strong key

We want an elliptic curve key. GnuPG supports it, but the ECC choices are hidden unless you pass --expert.

gpg --expert --full-generate-key
 Key kind: (9) ECC and ECC
 Elliptic curve: (1) Curve 25519
 Don't expire (0)
 Real name: Michael Behrns-Miller
 email: m@bitpost.com
 Passphrase: ****

PIN entry in emacs

It is neckbeard-borked out of the gate. The fix is on the Emacs page, GPG section.

PIN entry over ssh

You can in theory decrypt a file over ssh to STDOUT without writing it to disk, but PIN entry fails by default:

ssh secretbox gpg -d secretfile.gpg

Two fixes are required to get PIN entry to work:

  • Use curses for PIN entry on the secretbox, in gpg-agent's config:
[secretbox] emacs ~/.gnupg/gpg-agent.conf
  allow-emacs-pinentry
  allow-loopback-pinentry
  pinentry-program /usr/bin/pinentry-curses
  gpg-agent only reads this file at startup, so restart it afterward (gpgconf --kill gpg-agent; it relaunches on demand).
  • Tell ssh to allocate a tty, so pinentry-curses has a terminal to draw on:
ssh -tt secretbox gpg -d secretfile.gpg

Because -tt gives the remote side a pty, the pinentry screen and the decrypted text both come down the same channel to your terminal: this is for reading a secret on screen, not for piping gpg's output into another command.
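The config step above is easy to get half-right (a directive typed twice, a pinentry path that does not exist, an agent that never re-read the file). The script below is an added example, not from this wiki page or from GnuPG: it writes the three directives the page lists into a gpg-agent.conf idempotently, checks that the configured pinentry binary is actually executable, and restarts the agent with gpgconf --kill so the new settings apply. The conf path is a parameter (assumed, so it can point at a scratch file); the default location ~/.gnupg/gpg-agent.conf is the one the page uses.

```shell
#!/bin/sh
# Added example (not from the wiki page or GnuPG). Makes a gpg-agent.conf
# carry the three directives the page lists, without duplicating them on
# repeated runs, then verifies the pinentry path and reloads the agent.

# The directives the page says are needed for curses/loopback PIN entry.
PINENTRY_DIRECTIVES="allow-emacs-pinentry
allow-loopback-pinentry
pinentry-program /usr/bin/pinentry-curses"

# ensure_pinentry_conf CONF_FILE
# Appends each directive that is not already present as an exact line.
# Safe to run repeatedly; leaves unrelated lines untouched.
ensure_pinentry_conf() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    printf '%s\n' "$PINENTRY_DIRECTIVES" | while IFS= read -r line; do
        if ! grep -Fxq -- "$line" "$conf"; then
            printf '%s\n' "$line" >> "$conf"
        fi
    done
    chmod 600 "$conf"   # gpg-agent config should not be world-readable
}

# check_pinentry_conf CONF_FILE
# Returns 0 when every directive is present exactly once, 1 otherwise.
check_pinentry_conf() {
    conf="$1"
    printf '%s\n' "$PINENTRY_DIRECTIVES" | while IFS= read -r line; do
        # grep -c prints the count but exits 1 when it is 0; keep the count.
        n=$(grep -Fxc -- "$line" "$conf" || true)
        [ "$n" -eq 1 ] || exit 1   # exits the pipeline subshell -> status 1
    done
}

# configured_pinentry CONF_FILE
# Prints the path from the last pinentry-program line (gpg-agent uses the last one).
configured_pinentry() {
    sed -n 's/^pinentry-program[[:space:]]*//p' "$1" | tail -n 1
}

# pinentry_program_ok CONF_FILE
# Returns 0 if a pinentry-program is configured and the binary is executable.
# A missing or non-executable pinentry is a common reason PIN entry "just fails".
pinentry_program_ok() {
    p=$(configured_pinentry "$1")
    [ -n "$p" ] && [ -x "$p" ]
}

# reload_gpg_agent
# gpg-agent reads its conf only at startup; kill it and it is restarted on demand.
reload_gpg_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent
    fi
}

# Typical use on the secretbox (uncomment to run for real):
# ensure_pinentry_conf "$HOME/.gnupg/gpg-agent.conf"
# pinentry_program_ok "$HOME/.gnupg/gpg-agent.conf" || echo "pinentry binary missing" >&2
# reload_gpg_agent
```

Run it once on the secretbox, then decrypt from your workstation with the page's ssh -tt command. If pinentry_program_ok fails, install pinentry-curses or point pinentry-program at the pinentry binary your distribution actually ships.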