@auriza
Last active August 28, 2023 12:57
# GnuPG: an implementation of OpenPGP standard (RFC 4880)
# ==============================================================================
# Configuration
# ------------------------------------------------------------------------------
mkdir --parents ~/.gnupg
chmod 700 ~/.gnupg   # gpg warns about a world-readable homedir
# note: the sks-keyservers.net pool below was shut down in 2021; hkps://keys.openpgp.org is the usual replacement
cat > ~/.gnupg/gpg.conf << EOF
no-greeting
no-emit-version
list-options show-uid-validity
verify-options show-uid-validity
keyserver hkp://pool.sks-keyservers.net
personal-cipher-preferences AES256
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
# Verify Signature
# ------------------------------------------------------------------------------
# download example file + signature
wget 'http://releases.ubuntu.com/18.04/SHA256SUMS'
wget 'http://releases.ubuntu.com/18.04/SHA256SUMS.gpg'
# verify -> error: public key not found
gpg --verify SHA256SUMS.gpg SHA256SUMS
# import those public keys [1]
# (these are 32-bit short IDs; prefer the full 40-hex fingerprint, since short IDs can collide)
gpg --recv-keys FBB75451
gpg --recv-keys EFE21092
# list public keys
gpg --list-keys
# verify -> good
gpg --verify SHA256SUMS.gpg SHA256SUMS
# task: check this file signature 'http://repo.apps.cs.ipb.ac.id/~auriza/BadRAM'
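Added example, not part of the original gist: a POSIX sh helper that runs the verification above non-interactively and pins the signer's full fingerprint instead of a 32-bit short ID. The fingerprint and `[GNUPG:]` status lines embedded below are constructed sample values, not real Ubuntu key data.

```shell
#!/bin/sh
# Added example (not from the original gist). `gpg --status-fd 1 --verify SIG DATA`
# prints machine-readable "[GNUPG:] ..." lines; check_status reads such lines from
# stdin and returns 0 only if a VALIDSIG line names the expected primary-key
# fingerprint (its last field) and no BADSIG/ERRSIG/NO_PUBKEY/EXPKEYSIG/REVKEYSIG
# status appeared. A plain "exit 0 from gpg" is not enough: an expired or revoked
# signing key still yields a mathematically valid signature.

check_status() {
    expected=$1
    result=1                         # 1 = no acceptable VALIDSIG seen yet
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                set -- $line                            # split fields on whitespace
                for f in "$@"; do primary=$f; done      # last field = primary key fpr
                [ "$primary" = "$expected" ] && result=0 ;;
        esac
    done
    return $result
}

# Real run with the fingerprint pinned (needs gpg and the imported key).
# usage: verify_pinned FINGERPRINT SHA256SUMS.gpg SHA256SUMS
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed sample status output for an offline demonstration (NOT real key data).
PINNED=0011223344556677889900AABBCCDDEEFF001122
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBCCDDEEFF001122 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0011223344556677889900AABBCCDDEEFF001122 2018-04-26 1524700000 0 4 0 1 10 00 0011223344556677889900AABBCCDDEEFF001122
[GNUPG:] TRUST_UNDEFINED 0 pgp'
EXPIRED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG BBCCDDEEFF001122 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0011223344556677889900AABBCCDDEEFF001122 2018-04-26 1524700000 0 4 0 1 10 00 0011223344556677889900AABBCCDDEEFF001122'

printf '%s\n' "$GOOD_STATUS"    | check_status "$PINNED" && echo "good signature, pinned key: accepted"
printf '%s\n' "$EXPIRED_STATUS" | check_status "$PINNED" || echo "expired signing key: rejected"
```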
# Create Keypair
# ------------------------------------------------------------------------------
# create key (RSA4096) [2]
# (--full-generate-key asks for key type and size; in GnuPG >= 2.1 plain --gen-key uses the defaults)
gpg --full-generate-key
# list key
gpg --list-secret-keys
gpg --list-keys
# upload public key (it cannot be deleted from the keyserver, only revoked)
gpg --send-keys KEYID
# create revocation certificate
gpg --gen-revoke KEYID > KEYID.rev.asc
# export secret key
gpg --armor --export-secret-keys KEYID > KEYID.sec.asc
# create encrypted backup (-mhe=on also encrypts the file names inside the archive)
7z a -p -mhe=on KEYID.7z KEYID*.asc
# note: shred is unreliable on journaling filesystems and SSDs; write the plaintext export to an encrypted volume where possible
shred --remove KEYID*.asc
# task: create keypair and upload the public key to keyserver
# Sign File
# ------------------------------------------------------------------------------
# sign attached (text file) -> FILE.asc
gpg --clearsign FILE
# sign detached (binary file) -> FILE.sig
gpg --detach-sign FILE
# verify signature (for a detached signature pass the signature file first, then the data)
gpg --verify FILE.asc
gpg --verify FILE.sig FILE
# task: send your clear-signed email message to <[email protected]>
# Encrypt File
# ------------------------------------------------------------------------------
# import receiver key
gpg --search-keys EMAIL
# encrypt
gpg --encrypt --recipient EMAIL FILE
# sign and encrypt
gpg --sign --encrypt --recipient EMAIL FILE
# decrypt
gpg --decrypt FILE.gpg
# task: send your signed and encrypted email message to <[email protected]>
# Certify Others Key
# ------------------------------------------------------------------------------
# import their key
gpg --recv-keys KEYIDX
# check the fingerprint (ask the owner directly)
gpg --fingerprint KEYIDX
# sign their key
gpg --sign-key KEYIDX
# check your added signature
gpg --list-sigs KEYIDX
# send the signed key to them
gpg --export KEYIDX | gpg --sign --encrypt --recipient EMAILX > KEYIDX.sig.gpg
# ---
# X: they import the signed key and upload it
gpg --decrypt KEYIDX.sig.gpg | gpg --import
gpg --send-keys KEYIDX
# task: sign <[email protected]> key and send it to him
# Mailvelope (Firefox/Chrome extension)
# ------------------------------------------------------------------------------
# Key Management
# ------------------------------------------------------------------------------
# search public keys
gpg --search-keys [EMAIL|NAME|KEYID]
# refresh public keys
gpg --refresh-keys
# delete public key
gpg --delete-keys KEYID
# delete secret key
gpg --delete-secret-keys KEYID
# restore secret key and its trust (ultimate)
7z e KEYID.7z
gpg --import KEYID.sec.asc
gpg --edit-key KEYID trust   # choose 5 = ultimate
# revoke public key [!]
gpg --import KEYID.rev.asc
gpg --send-keys KEYID
# task: delete your secret key and restore it from backup
# Subkey Management
# ------------------------------------------------------------------------------
# add shorter signing subkey
gpg --edit-key KEYID addkey # RSA (sign only), 2048 bit
gpg --send-keys KEYID
# remove primary secret key (keep only the subkeys; a stub for the primary remains, shown as sec# in --list-secret-keys)
gpg --armor --export-secret-subkeys KEYID > KEYID.ssb.asc
gpg --delete-secret-keys KEYID
gpg --import KEYID.ssb.asc
# ------------------------------------------------------------------------------
# [1] Keyserver: <https://sks-keyservers.net/status/>
# - public key -> encrypt, verify
# - private key -> decrypt, sign, certify
# [2] Keysize strength: <https://csrc.nist.gov/publications/detail/sp/800-131a/rev-1/final>
#
# RSA        Strength  Lifetime
# --------   --------  --------
# 1024 bit   80 bit    ~2010
# 2048 bit   112 bit   ~2030
# 3072 bit   128 bit   ...
#
# rsa2048 -> faster performance : X.509 certificate for server
# rsa4096 -> longer key lifetime: OpenPGP and SSH for personal use
#
# speed comparison O(n^3):
# $ openssl speed rsa2048 rsa4096
#                       Asymmetric
#                       ------------------------
# Strength   Symmetric  RSA        ECC            Hash
# --------   ---------  ---------  -------------  --------
# 56-bit     DES
# 64-bit                                          MD5
# 80-bit                RSA-1024                  SHA1
# 112-bit    3DES       RSA-2048                  SHA2-224
# 128-bit    AES-128    RSA-3072   P-256, X25519  SHA2-256
# 192-bit    AES-192    RSA-7680   P-384          SHA2-384
# 256-bit    AES-256    RSA-15360  P-521          SHA2-512
# Pass: password store, encrypted by GPG key
# ==============================================================================
# init password store
pass init KEYID
# insert password
pass insert PASSNAME
# generate password
pass generate PASSNAME LENGTH
# list password
pass
# print password
pass PASSNAME
# print password to clipboard
pass --clip PASSNAME
# edit password
pass edit PASSNAME
# remove password
pass rm PASSNAME
# ------------------------------------------------------------------------------
# TODO:
# pass insert google/auriza.akbar
# pass insert google/komdatjarkom2
# pass insert github/auriza
# pass insert bni/auriza
# pass insert mandiri/aur1za
# pass insert ipb/login
# pass insert ipb/mail
# pass insert csipb/ds
# pass insert csipb/lx
# pass insert csipb/csadmin
# pass insert csipb/appsadmin
# pass insert csipb/himalkom