blob42/trezor-agent
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
0b829636e1
trezor-agent/README-GPG.md
Roman Zolotarev af3f669780 Update README-GPG.md
2017-08-15 19:20:31 +03:00

3.6 KiB
Raw Blame History

Note: the GPG-related code is still under development, so please try the current implementation and please let me know if something doesn't work well for you. If possible:

  • record the session (e.g. using asciinema)
  • attach the GPG agent log from ~/.gnupg/{trezor,ledger}/gpg-agent.log

Thanks!

Installation

First, verify that you have GPG 2.1.11+ installed (Debian, macOS):

$ gpg2 --version | head -n1
gpg (GnuPG) 2.1.15

This GPG version is included in Ubuntu 16.04 and Linux Mint 18.

Update you device firmware to the latest version and install your specific agent package:

$ pip install --user (trezor|keepkey|ledger)_agent

Quickstart

Identity creation

asciicast

In order to use specific device type for GPG indentity creation, use either command:

$ DEVICE=(trezor,ledger) ./scripts/gpg-init "John Doe <john@doe.bit>"

Sample usage (signature and decryption)

asciicast

In order to use specific device type for GPG operations, set the following environment variable to either:

$ export GNUPGHOME=~/.gnupg/{trezor,ledger}

You can use GNU Privacy Assistant (GPA) in order to inspect the created keys and perform signature and decryption operations using:

$ sudo apt install gpa
$ GNUPGHOME=~/.gnupg/trezor gpa

GPA

Git commit & tag signatures:

Git can use GPG to sign and verify commits and tags (see here):

$ git config --local commit.gpgsign 1
$ git config --local gpg.program $(which gpg2)
$ git commit --gpg-sign                      # create GPG-signed commit
$ git log --show-signature -1                # verify commit signature
$ git tag v1.2.3 --sign                      # create GPG-signed tag
$ git tag v1.2.3 --verify                    # verify tag signature

Password manager

First install pass from passwordstore.org and initialize it to use your TREZOR-based GPG identity:

$ export GNUPGHOME=~/.gnupg/trezor
$ pass init "Roman Zeyde <roman.zeyde@gmail.com>"
Password store initialized for Roman Zeyde <roman.zeyde@gmail.com>

Then, you can generate truly random passwords and save them encrypted using your public key (as separate .gpg files under ~/.password-store/):

$ pass generate Dev/github 32
$ pass generate Social/hackernews 32
$ pass generate Social/twitter 32
$ pass generate VPS/linode 32
$ pass
Password Store
├── Dev
│   └── github
├── Social
│   ├── hackernews
│   └── twitter
└── VPS
    └── linode

In order to paste them into the browser, you'd need to decrypt the password using your hardware device:

$ pass --clip VPS/linode
Copied VPS/linode to clipboard. Will clear in 45 seconds.

You can also use the following Qt-based UI for pass:

$ sudo apt install qtpass
$ GNUPGHOME=~/.gnupg/trezor qtpass

Re-generation of an existing GPG identity

asciicast