3.9 KiB
Note: the GPG-related code is still under development, so please try the current implementation and please let me know if something doesn't work well for you. If possible:
- record the session (e.g. using asciinema)
- attach the GPG agent log from
~/.gnupg/{trezor,ledger}/gpg-agent.log
Thanks!
Installation
First, verify that you have GPG 2.1.11+ installed (Debian, macOS):
$ gpg2 --version | head -n1
gpg (GnuPG) 2.1.15
This GPG version is included in Ubuntu 16.04 and Linux Mint 18.
Update you device firmware to the latest version and install your specific agent
package:
$ pip install --user (trezor|keepkey|ledger)_agent
Quickstart
Identity creation
In order to use specific device type for GPG indentity creation, use either command:
$ DEVICE=(trezor,ledger) ./scripts/gpg-init "John Doe <john@doe.bit>"
Sample usage (signature and decryption)
In order to use specific device type for GPG operations, set the following environment variable to either:
$ export GNUPGHOME=~/.gnupg/{trezor,ledger}
You can use GNU Privacy Assistant (GPA) in order to inspect the created keys and perform signature and decryption operations using:
$ sudo apt install gpa
$ GNUPGHOME=~/.gnupg/trezor gpa
Git commit & tag signatures:
Git can use GPG to sign and verify commits and tags (see here):
$ git config --local commit.gpgsign 1
$ git config --local gpg.program $(which gpg2)
$ git commit --gpg-sign # create GPG-signed commit
$ git log --show-signature -1 # verify commit signature
$ git tag v1.2.3 --sign # create GPG-signed tag
$ git tag v1.2.3 --verify # verify tag signature
Password manager
First install pass
from passwordstore.org and initialize it to use your TREZOR-based GPG identity:
$ export GNUPGHOME=~/.gnupg/trezor
$ pass init "Roman Zeyde <roman.zeyde@gmail.com>"
Password store initialized for Roman Zeyde <roman.zeyde@gmail.com>
Then, you can generate truly random passwords and save them encrypted using your public key (as separate .gpg
files under ~/.password-store/
):
$ pass generate Dev/github 32
$ pass generate Social/hackernews 32
$ pass generate Social/twitter 32
$ pass generate VPS/linode 32
$ pass
Password Store
├── Dev
│ └── github
├── Social
│ ├── hackernews
│ └── twitter
└── VPS
└── linode
In order to paste them into the browser, you'd need to decrypt the password using your hardware device:
$ pass --clip VPS/linode
Copied VPS/linode to clipboard. Will clear in 45 seconds.
You can also use the following Qt-based UI for pass
:
$ sudo apt install qtpass
$ GNUPGHOME=~/.gnupg/trezor qtpass
Re-generation of an existing GPG identity
If you've forgotten the timestamp value, but still have access to the public key, then you can retrieve the timestamp with the following command (substitute "john@doe.bit" for the key's address or id):
$ gpg2 --export 'john@doe.bit'|gpg2 --list-packets|grep created|head -n1