#+TITLE: GNUPG: Best Practices
#+AUTHOR: bjoernb
#+EMAIL: 4bewersd@informatik.uni-hamburg.de
#+DATE: \date{December 3, 2013}
#+DESCRIPTION: Best practices for using GNUPG
#+KEYWORDS: gpg, configuration, key-rollover
#+LANGUAGE: en
#+LATEX_HEADER: \hypersetup{colorlinks=true}
#+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
#+OPTIONS: TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc toc:nil
#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
#+EXPORT_SELECT_TAGS: export
#+EXPORT_EXCLUDE_TAGS: noexport
#+LINK_UP:
#+LINK_HOME:
#+XSLT:

* Cheat Sheet
** Configuration of gpg
*** Configuration of GNUPG
**** ~/.gnupg/gpg.conf
#+BEGIN_SRC
# when outputting certificates, view user IDs distinctly from keys
# (this is already the default in GnuPG 2.1 and later):
fixed-list-mode
# long (64-bit) key IDs are harder to collide than short (32-bit) ones,
# but they are still not unique: identify a key by its full fingerprint
keyid-format 0xlong
# choose the strongest digest:
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# preferences for new keys (one line; gpg.conf has no line continuation):
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
# use gpg-agent (GnuPG 2.1 and later always use the agent and ignore this option)
use-agent
# show which User IDs gpg thinks are bound to keys in the keyring:
verify-options show-uid-validity
list-options show-uid-validity
# for OpenPGP certification, use a strong digest:
cert-digest-algo SHA256
#+END_SRC
** Generation of keys and key rollover
*** Generate key
**** gpg =--gen-key=:
- Choose RSA and RSA (an RSA primary key for signing and certification plus an RSA encryption subkey)
- Keysize 4096
- Expires 1y (the expiry can be extended later with =expire= in =--edit-key=; it limits the damage if the revocation certificate is ever lost)
- Real Name: Alice Mustermann
- Email address: 1musterm@inf
- Comment: leave empty
- Passphrase: type in a strong passphrase
*** Add another uid and set primary uid
**** gpg =--edit-key 0x12345678=:
- adduid
- Real name: Alice Mustermann
- Email address: 01musterm@jabber.mafiasi.de
- Comment: XMPP / DO NOT USE FOR EMAIL
- save
**** gpg =--edit-key 0x12345678=:
- uid 3 (select the user ID that should become primary, by the number shown in the listing)
- primary
- save
*** Generate revocation certificate
**** gpg =--output revoke-0x12345678.asc --gen-revoke 0x12345678=
- generate the revocation certificate, so that you can revoke a compromised or lost key
- keep it in a safe place: anyone who holds the certificate can revoke the key, so protect it like the private key itself
- GnuPG 2.1 and later additionally write a revocation certificate to =~/.gnupg/openpgp-revocs.d/= whenever a key is generated
*** Key rollover: Sign my new key with my old key
**** Sign key:
- gpg =--default-key 0x01d12345 --sign-key 0x12345678=
- this certification is what lets people who already trust the old key accept the new one
- keep the old key usable until your contacts have the new key, then revoke it or let it expire
**** Upload key (so the certification reaches the web of trust):
- gpg =--send-key 0x12345678= (sends the key to the =keyserver= configured in gpg.conf)
** Keep your private key secure
*** Storage of private key and revocation certificate
**** GFshare
- store the private key (e.g. the output of =gpg --export-secret-keys=) as shares in separate places instead of as one copy
- split the key in 5 parts with gfsplit (Shamir's secret sharing: any 3 parts reconstruct it, fewer reveal nothing)
- use 1 pen drive for 2 parts of the key
- use 3 other locations for each 1 part of the key
- you need 3 parts to reconstruct the key with gfcombine: losing the pen drive still leaves the 3 parts needed, while whoever finds it holds only 2 and learns nothing
* Sources & Documentation
** Weblinks
1. [[https://we.riseup.net/riseuplabs\%2Bpaow/openpgp-best-practices][OpenPGP Best Practices]]
2. [[http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/][Key-Rollover]]
3. [[http://www.digital-scurf.org/software/libgfshare][libgfshare]]
4. [[http://orgmode.org/worg/exporters/beamer/tutorial.html][Writing beamer presentations in org-mode]]
5. [[http://orgmode.org/manual/Beamer-export.html][Org-mode: Beamer Export]]
* License
\footnotesize{}
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0:
- [[http://creativecommons.org/licenses/by-sa/4.0/][http://creativecommons.org/licenses/by-sa/4.0/]]
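* Added example: unattended key generation and rollover
The "Generation of keys and key rollover" procedure above, run end to end as one script. This is an added example and not the cheat sheet's own commands: instead of the interactive =--gen-key=, =--edit-key= and =--gen-revoke= dialogs it uses the GnuPG 2.2 batch equivalents (a parameter file on stdin, =--quick-add-uid=, =--quick-set-primary-uid=, =--quick-sign-key= and the revocation certificate that GnuPG 2.1+ writes to =openpgp-revocs.d/= on its own), and =--export= stands in for =--send-key= so nothing leaves the machine. The names, addresses, the throwaway key directory and the missing passphrase (=%no-protection=) are assumptions made so that it can run without anyone at the keyboard; a real key gets a strong passphrase, which gpg-agent asks for when that line is dropped.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): generate an old and a new key,
# add an XMPP user ID to the new key and make it primary, pick up the
# revocation certificate, certify the new key with the old one and check
# that the certification is there.  Assumes GnuPG 2.2 or later.
# Constructed for the demo: names, addresses, KEYSIZE (4096 as in the
# cheat sheet; KEYSIZE=2048 for a quicker run) and %no-protection.
set -eu

KEYSIZE="${KEYSIZE:-4096}"

# gen_key HOMEDIR NAME EMAIL: RSA/RSA key pair expiring in one year; prints
# the new primary key's fingerprint, taken from the KEY_CREATED status line.
gen_key() {
    local home name email
    home=$1; name=$2; email=$3
    printf '%s\n' '%no-protection' 'Key-Type: RSA' "Key-Length: $KEYSIZE" \
        'Subkey-Type: RSA' "Subkey-Length: $KEYSIZE" "Name-Real: $name" \
        "Name-Email: $email" 'Expire-Date: 1y' '%commit' |
    gpg --batch --homedir "$home" --status-fd 1 --gen-key |
    awk '$1 == "[GNUPG:]" && $2 == "KEY_CREATED" { print $4 }'
}

# add_uid HOMEDIR FPR "Name (Comment) <addr>": the adduid step
add_uid() {
    gpg --batch --homedir "$1" --quick-add-uid "$2" "$3"
}

# set_primary_uid HOMEDIR FPR "Name (Comment) <addr>": the "uid N / primary" step
set_primary_uid() {
    gpg --batch --homedir "$1" --quick-set-primary-uid "$2" "$3"
}

# revocation_certificate HOMEDIR FPR OUT: GnuPG 2.1+ already wrote one at
# key generation; copy it out.  Note the leading ':' GnuPG puts before the
# armor header so the file cannot be imported by accident.
revocation_certificate() {
    cp "$1/openpgp-revocs.d/$2.rev" "$3"
}

# sign_with_old HOMEDIR OLDFPR NEWFPR: the rollover certification
sign_with_old() {
    gpg --batch --yes --homedir "$1" --default-key "$2" --quick-sign-key "$3"
}

# certs_from HOMEDIR KEYFPR SIGNERFPR: number of good certifications on
# KEYFPR's user IDs made by SIGNERFPR (one per user ID after a rollover)
certs_from() {
    local signer_id
    signer_id=$(printf '%s' "$3" | cut -c 25-40)   # long key ID = last 16 hex digits of a v4 fingerprint
    gpg --batch --homedir "$1" --check-sigs --with-colons "$2" |
    awk -F: -v id="$signer_id" '$1 == "sig" && $2 == "!" && $5 == id { n++ } END { print n + 0 }'
}

# export_public HOMEDIR FPR OUT: what --send-key would push to a keyserver
export_public() {
    gpg --batch --yes --homedir "$1" --armor --output "$3" --export "$2"
}

# rollover_demo DIR: the whole procedure in a fresh key directory
rollover_demo() {
    local home old new xmpp
    home=$1
    mkdir -p "$home" && chmod 700 "$home"
    old=$(gen_key "$home" "Alice Mustermann" "alice-old@example.org")
    new=$(gen_key "$home" "Alice Mustermann" "alice@example.org")
    xmpp="Alice Mustermann (XMPP / DO NOT USE FOR EMAIL) <alice@xmpp.example.org>"
    add_uid "$home" "$new" "$xmpp"
    set_primary_uid "$home" "$new" "$xmpp"
    revocation_certificate "$home" "$new" "$home/revoke-$new.asc"
    sign_with_old "$home" "$old" "$new"
    export_public "$home" "$new" "$home/$new.pub.asc"
    echo "old key $old certified the new key $new on $(certs_from "$home" "$new" "$old") user ID(s)"
    echo "publish $home/$new.pub.asc; keep $home/revoke-$new.asc with the private key"
    GNUPGHOME=$home gpgconf --kill gpg-agent || true
}

# Usage: sh rollover.sh /path/to/new/directory
if [ $# -gt 0 ]; then
    rollover_demo "$1"
fi
```

Run it with a directory argument; it prints the two fingerprints and how many of the new key's user IDs the old key certified (both, after the XMPP UID was added). The only network step of the original procedure, =--send-key=, is intentionally left out.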
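* Added example: the 3-of-5 share layout with gfshare
The "GFshare" storage layout above, run end to end. This is an added example and not part of the cheat sheet: it assumes libgfshare's =gfsplit= and =gfcombine= are installed, uses a constructed stand-in file in place of the real =gpg --export-secret-keys= output, and models the pen drive and the three other locations as plain directories. It reconstructs the secret from the pen drive plus one location and from the three locations alone, and shows that the two shares on the pen drive by themselves give back something else.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): split a secret-key file into
# 5 shares of which any 3 suffice, distribute them as the cheat sheet
# suggests, and recombine.  Assumes gfsplit/gfcombine from libgfshare.
set -eu

# make_shares FILE STEM: write 5 shares STEM.NNN (NNN is the share's
# random x coordinate, 001-255); any 3 reconstruct FILE.  -n 3 -m 5 are
# gfsplit's defaults and the cheat sheet's layout, spelled out here.
make_shares() {
    gfsplit -n 3 -m 5 "$1" "$2"
}

# recover OUT SHARE...: rebuild the secret from the given share files
recover() {
    local out
    out=$1; shift
    gfcombine -o "$out" "$@"
}

# distribute STEM DEST: two shares on the pen drive, one in each of three
# other locations.  Losing the pen drive leaves 3 shares (enough); whoever
# finds it holds 2 (not enough).
distribute() {
    local stem dest
    stem=$1; dest=$2
    mkdir -p "$dest/pendrive" "$dest/location1" "$dest/location2" "$dest/location3"
    set -- "$stem".[0-9][0-9][0-9]
    [ $# -eq 5 ]
    cp "$1" "$2" "$dest/pendrive/"
    cp "$3" "$dest/location1/"
    cp "$4" "$dest/location2/"
    cp "$5" "$dest/location3/"
}

# below_threshold SECRET SHARE1 SHARE2: gfcombine has no record of the
# threshold, so with too few shares it just interpolates the wrong
# polynomial; succeed only if the result differs from SECRET.
below_threshold() {
    local tmp
    tmp=$(mktemp)
    gfcombine -o "$tmp" "$2" "$3" 2>/dev/null || true
    if cmp -s "$tmp" "$1"; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# demo: the whole layout in a temporary directory
demo() {
    local work
    work=$(mktemp -d)
    # constructed stand-in for the armored output of gpg --export-secret-keys
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' \
        'constructed stand-in; a real export goes here' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$work/secret.asc"
    make_shares "$work/secret.asc" "$work/secret.asc"
    distribute "$work/secret.asc" "$work/storage"
    rm "$work/secret.asc".[0-9][0-9][0-9]   # only the distributed copies remain
    recover "$work/from-pendrive.asc" "$work"/storage/pendrive/* "$work"/storage/location1/*
    recover "$work/from-locations.asc" "$work"/storage/location[123]/*
    cmp "$work/from-pendrive.asc" "$work/secret.asc"
    cmp "$work/from-locations.asc" "$work/secret.asc"
    below_threshold "$work/secret.asc" "$work"/storage/pendrive/*
    echo "both 3-share sets reproduce the secret; the pen drive alone does not ($work)"
}

# Usage: sh gfshare-demo.sh run
if [ "${1:-}" = run ]; then
    demo
fi
```

After the split, delete the unsplit export (and the working copies of the shares) so that the threshold is real; the revocation certificate can be split the same way.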