Vous êtes ici : Accueil / Projets / Projet interne PauLLA / Clé GPG: signature et chiffrement.

Clé GPG: signature et chiffrement.

Par Llew — Dernière modification 12/09/2013 15:34
Comment créer, truster et signer une clef gpg.

Mesdames, messieurs, (bande de moules©) :

PauLLA étant une association respectable et respectée, participant à divers projets et aussi ne serait-ce que pour la communication entre nous, je me permets de vous soumettre l'idée de clé GPG pour chacun d'entre nous.

Les messages (email) dans un premier temps devront-être signés et chiffrés (lorsque le besoin et/ou l'envie se fera).

A savoir:

-> Taille de clef: 4096 (on va pas lésiner dessus).
-> Type de clef: RSA and RSA
-> Validité: 2 ans (cela me semble honnête)
-> Le champs "Comment" peut être votre pseudo.
-> On mets une vraie passphrase, ie. une phrase de plusieurs mots avec ponctuation, majuscule et espace que l'on retiendra.

Création:

 

$ gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sat 12 Sep 2015 03:06:15 PM CEST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Foo Bar
Email address: foo@bar.baz
Comment: Baz
You selected this USER-ID:
    "Foo Bar (Baz) <foo@bar.baz>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)

gpg: key E504A150 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:  18  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 18u
gpg: next trustdb check due at 2013-11-12
pub   4096R/E504A150 2013-09-12 [expires: 2015-09-12]
      Key fingerprint = 5370 62C5 56B8 FADF C868  2129 B953 7918 E504 A150
uid                  Foo Bar (Baz) <foo@bar.baz>
sub   4096R/6AD5D9AB 2013-09-12 [expires: 2015-09-12]

A ce stade nous avons note clef privée valable 2 ans.

Puis nous l'envoyons sur un serveur de clef:

$ gpg  --keyserver pgp.mit.edu --recv-keys E504A150

On oublie pas de stocker sa clef privée quelque part avec son certificat de révocation que l'on fait tout de suite.
Cela permettra entre autres, de pouvoir révoyer notre clef si celle-ci devient compromise.

$ gpg --gen-revoke E504A150

sec  4096R/E504A150 2013-09-12 Foo Bar (Baz) <foo@bar.baz>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Foo Bar (Baz) <foo@bar.baz>"
4096-bit RSA key, ID E504A150, created 2013-09-12

gpg: gpg-agent is not available in this session
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: A revocation certificate should follow

iQIfBCABAgAJBQJSMb8+Ah0CAAoJELlTeRjlBKFQRGAQAJPnbu47FvD+RVRxsVj4
my1r1ggdEtXKCO0ncn2iDF/n2hECbLp2BQRylR54d5OHQU0G8KpDFItBuNtUaCYh
K5kilpgpXO049WFOd68b5yOx3efPa+25WDpMnwbXhj7oV2v1V0i3HMQnjIiWnigw
iWdwd5N/X1ou8T0NyRcrVqXn6nP1Ox+l2MYICrDLFJYbUuqO4Y+R2+00EBUITckM
DhOakCn/NCXpzoEqbR8TU73bl4R72u3HwRn4uh0Dhw6DIWw3IPibjV8wHE0GuYHU
nohpoDrVhlmgLnfcBBRnCAMGesex6RTWcP9gDrHudBC1uT03LA75nnnK7YJySRdt
vg6zUoe34d4t1OImeDftdfUOLkLgVyZk7Vzwn0q6lVenIksP5GBKwmYQqKliqSAz
mErPq1yWE4rlFEyV+mYA32zXaRV/kLpTUyx+5/IB1FiIStR/etuLmdBJ2kvMR2JS
NlPgbYrP2S2e+kiAyU0ual44a5V3uE+C8A1nTSK9hC5XduDRDXmr/fJPt7VCUYsF
dbFUWk/QHTyM5UJIKnKMWhrNTuJ9jSTNJU2Xp8bHTOJZCGh39GYnaqtmSTVY0TBt
x/ikmxANZV2at1rB7ys/QLKHQ2sy5lbUXaSYhCam3aTkMxCO66C42cphdKQKUYr0
tIiLjrpY9n9uPB0dfDdZ686+
=7gSo
-----END PGP PUBLIC KEY BLOCK-----

L'autre le besoin s'en fera sentir, on oubliera pas de l'envoyer sur un serveur de clef.

Signer une clef

On edit la clef:

~$ gpg --edit-key E504A150
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/E504A150  created: 2013-09-12  expires: 2015-09-12  usage: SC 
                     trust: ultimate      validity: ultimate
sub  4096R/6AD5D9AB  created: 2013-09-12  expires: 2015-09-12  usage: E  
[ultimate] (1). Foo Bar (Baz) <foo@bar.baz>

Via le mot clef 'help' , vous aurez accès à tout ce qui est possible de faire.
Ce qui nous intéresse particulièrement:
  - trust
  - sign

Trustons

 

gpg> trust
pub  4096R/E504A150  created: 2013-09-12  expires: 2015-09-12  usage: SC 
                     trust: ultimate      validity: ultimate
sub  4096R/6AD5D9AB  created: 2013-09-12  expires: 2015-09-12  usage: E  
[ultimate] (1). Foo Bar (Baz) <foo@bar.baz>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/E504A150  created: 2013-09-12  expires: 2015-09-12  usage: SC 
                     trust: ultimate      validity: ultimate
sub  4096R/6AD5D9AB  created: 2013-09-12  expires: 2015-09-12  usage: E  
[ultimate] (1). Foo Bar (Baz) <foo@bar.baz>

Signons

 

Plusieurs choix s'offrent à nous, j'en retiendrai 2:

  - lsign afin de signer localement la clef et laisser le choix au proprietaire de celle-ci de publier le fait que l'on est signé sa clef.
  - sign

Dans la plupart des cas, je vous conseille d'employer sign.

gpg> sign

pub  4096R/E504A150  created: 2013-09-12  expires: 2015-09-12  usage: SC 
                     trust: ultimate      validity: ultimate
 Primary key fingerprint: 5370 62C5 56B8 FADF C868  2129 B953 7918 E504 A150

     Guillaume Delpierre (Llew) <gde@llew.in>

This key is due to expire on 2015-09-12.
Are you sure that you want to sign this key with your
key "bla bla bla@bla.bla" (C33F336EA)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "bla bla bla@bla.bla"
4096-bit RSA key, ID C33F336EA, created 2011-10-24

On oublie pas ensuite d'envoyer cette clef nouvellement signé et trusté sur un serveur de clef.

Vous n'avez donc plus aucune excuse pour ne pas chiffrer et signer vos emails !