The passphrase is now passed to gpg on stdin via the --passphrase-fd 0 option instead of via the --passphrase option. The latter exposes the passphrase to observation by other processes on the system, and the gpg man page includes a disclaimer for it: "Don't use this option if you can avoid it." Although the README recommends a single-user, ephemeral Debian Live environment, users may choose to ignore that recommendation, so it seems best to protect them from themselves where possible.
This commit is contained in:
parent
e218607c1f
commit
32e58e122f
16
README.md
16
README.md
@ -393,7 +393,7 @@ Do not set an expiration date on the Certify key.
|
|||||||
Generate the Certify key:
|
Generate the Certify key:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg --batch --passphrase "$CERTIFY_PASS" \
|
echo "$CERTIFY_PASS" | gpg --batch --passphrase-fd 0 \
|
||||||
--quick-generate-key "$IDENTITY" "$KEY_TYPE" cert never
|
--quick-generate-key "$IDENTITY" "$KEY_TYPE" cert never
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -413,7 +413,7 @@ Use the following command to generate Signature, Encryption and Authentication S
|
|||||||
|
|
||||||
```console
|
```console
|
||||||
for SUBKEY in sign encrypt auth ; do \
|
for SUBKEY in sign encrypt auth ; do \
|
||||||
gpg --batch --pinentry-mode=loopback --passphrase "$CERTIFY_PASS" \
|
echo "$CERTIFY_PASS" | gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
|
||||||
--quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$EXPIRATION"
|
--quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$EXPIRATION"
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
@ -442,12 +442,12 @@ ssb rsa4096/0xAD9E24E1B8CB9600 2024-01-01 [A] [expires: 2026-05-01]
|
|||||||
Save a copy of the Certify key, Subkeys and public key:
|
Save a copy of the Certify key, Subkeys and public key:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg --output $GNUPGHOME/$KEYID-Certify.key \
|
echo "$CERTIFY_PASS" | gpg --output $GNUPGHOME/$KEYID-Certify.key \
|
||||||
--batch --pinentry-mode=loopback --passphrase "$CERTIFY_PASS" \
|
--batch --pinentry-mode=loopback --passphrase-fd 0 \
|
||||||
--armor --export-secret-keys $KEYID
|
--armor --export-secret-keys $KEYID
|
||||||
|
|
||||||
gpg --output $GNUPGHOME/$KEYID-Subkeys.key \
|
echo "$CERTIFY_PASS" | gpg --output $GNUPGHOME/$KEYID-Subkeys.key \
|
||||||
--batch --pinentry-mode=loopback --passphrase "$CERTIFY_PASS" \
|
--batch --pinentry-mode=loopback --passphrase-fd 0 \
|
||||||
--armor --export-secret-subkeys $KEYID
|
--armor --export-secret-subkeys $KEYID
|
||||||
|
|
||||||
gpg --output $GNUPGHOME/$KEYID-$(date +%F).asc \
|
gpg --output $GNUPGHOME/$KEYID-$(date +%F).asc \
|
||||||
@ -1825,8 +1825,8 @@ export EXPIRATION=2y
|
|||||||
Renew the Subkeys:
|
Renew the Subkeys:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg --batch --pinentry-mode=loopback \
|
echo "$CERTIFY_PASS" | gpg --batch --pinentry-mode=loopback \
|
||||||
--passphrase "$CERTIFY_PASS" --quick-set-expire "$KEYFP" "$EXPIRATION" \
|
--passphrase-fd 0 --quick-set-expire "$KEYFP" "$EXPIRATION" \
|
||||||
$(gpg -K --with-colons | awk -F: '/^fpr:/ { print $10 }' | tail -n "+2" | tr "\n" " ")
|
$(gpg -K --with-colons | awk -F: '/^fpr:/ { print $10 }' | tail -n "+2" | tr "\n" " ")
|
||||||
```
|
```
|
||||||
|
|
||||||
|