From c110bb8ec0d4069b7124e9841421fc5910d0c1c3 Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 18 Aug 2024 11:47:11 -0700 Subject: use printf, export keyid, fix link --- README.md | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index b469bb9..4fe4bc3 100644 --- a/README.md +++ b/README.md @@ -348,7 +348,7 @@ This guide recommends a two year expiration for Subkeys to balance security and When Subkeys expire, they may still be used to decrypt with GnuPG and authenticate with SSH, however they can **not** be used to encrypt nor sign new messages. -Subkeys must be renewed or rotated using the Certify key - see [Updating Subkeys](#updating-subkeys). +Subkeys must be renewed or rotated using the Certify key - see [Updating keys](#updating-keys). Set the expiration date to two years: @@ -371,7 +371,7 @@ The following commands will generate a strong passphrase and avoid ambiguous cha ```console export CERTIFY_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \ tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \ - cut -c2- | tr " " "-" | head -1) ; echo "\n$CERTIFY_PASS\n" + cut -c2- | tr " " "-" | head -1) ; printf "\n$CERTIFY_PASS\n\n" ``` Write the passphrase in a secure location, ideally separate from the portable storage device used for key material, or memorize it. @@ -511,7 +511,7 @@ Generate another unique [Passphrase](#passphrase) (ideally different from the on ```console export LUKS_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \ tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \ - cut -c2- | tr " " "-" | head -1) ; echo "\n$LUKS_PASS\n" + cut -c2- | tr " " "-" | head -1) ; printf "\n$LUKS_PASS\n\n" ``` This passphrase will also be used infrequently to access the Certify key and should be very strong. 
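Review bot: In the @@ -371 hunk the generated passphrase is interpolated into the printf format string (`printf "\n$CERTIFY_PASS\n\n"`), so any `%` or backslash in the value would be interpreted rather than printed; the same pattern appears in the @@ -511 hunk for `LUKS_PASS`. With the current generator (`tr -dc 'A-Z1-9'`, `tr -d "1IOS5U"`, `tr " " "-"`) the output cannot contain such characters, but readers who change the character set, or paste their own passphrase, will get a silently altered value. Passing the value as an argument avoids this: `cut -c2- | tr " " "-" | head -1) ; printf '\n%s\n\n' "$CERTIFY_PASS"`, and likewise `printf '\n%s\n\n' "$LUKS_PASS"` in the second hunk.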
@@ -912,8 +912,7 @@ Install the required packages: ```console sudo apt update -sudo apt install -y \ - gnupg gnupg-agent gnupg-curl scdaemon pcscd +sudo apt install -y gnupg gnupg-agent scdaemon pcscd ``` **OpenBSD** @@ -969,7 +968,7 @@ Determine the key ID: ```console gpg -k -KEYID=0xF0F2CFEB04341FB5 +export KEYID=0xF0F2CFEB04341FB5 ``` Assign ultimate trust by typing `trust` and selecting option `5` then `quit`: @@ -1351,14 +1350,6 @@ To launch `gpg-agent` for use by SSH, use the `gpg-connect-agent /bye` or `gpgco Add the following to the shell rc file: -```console -export GPG_TTY="$(tty)" -export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" -gpg-connect-agent updatestartuptty /bye > /dev/null -``` - -On modern systems, `gpgconf --list-dirs agent-ssh-socket` will automatically set `SSH_AUTH_SOCK` to the correct value and is better than hard-coding to `run/user/$UID/gnupg/S.gpg-agent.ssh`, if available: - ```console export GPG_TTY="$(tty)" export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) -- cgit v1.2.3 From d0928bc00798d488f053e49af6896c2ff1d2a60e Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 18 Aug 2024 11:59:50 -0700 Subject: consolidate agent commands --- README.md | 1 + 1 file changed, 1 insertion(+) (limited to 'README.md') diff --git a/README.md b/README.md index 4fe4bc3..596c5fb 100644 --- a/README.md +++ b/README.md @@ -1354,6 +1354,7 @@ Add the following to the shell rc file: export GPG_TTY="$(tty)" export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) gpgconf --launch gpg-agent +gpg-connect-agent updatestartuptty /bye > /dev/null ``` For fish, `config.fish` should look like this (consider putting them into the `is-interactive` block): -- cgit v1.2.3