@jrwarwick
Last active October 22, 2021 15:27
GPG (PGP) Supplemental Tools: keyset generator SOP script and SecretServer secret template for PGP Keys
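#!/usr/bin/bash
# Keyset generator SOP: interactively create a GnuPG keypair for one User ID,
# then export the ASCII-armored public key, secret key and an ex-ante
# revocation certificate into the current directory so they can be deposited
# in the corporate secrets repository (e.g. the "PGP Key" Secret Server
# template that accompanies this script).
#
# Usage: keyset-generator.sh [GPG_USER_ID]   (defaults to $USER)
# Assumes GnuPG 2.1 or later (--full-gen-key, --with-keygrip).
#
# Abort on the first failing command (e.g. the operator cancels key
# generation) instead of exporting whatever happens to be in the keyring.
set -euo pipefail

DOMAIN="abc.tld"
GPG_USER_ID=${1:-$USER}
# The User ID is addressed by e-mail form throughout; build it once.
UID_ADDR="${GPG_USER_ID}@${DOMAIN}"

# The secret-key export and the revocation certificate land in plain files in
# the working directory; make sure they are created owner-readable only.
umask 077

echo "RSA, RSA, 4096-bit $(date +%Y.%m.%d)"
echo "Building a keypair for User ID: ${GPG_USER_ID}"
echo "Supply Legal incorporated chartered corporation/company name OR personal legal name, "
echo "with department name in Comment or blank (for personal legal names)."
# --full-gen-key is the variant that offers the key type/size and Comment
# prompts the banner above refers to; plain --gen-key only asks name and e-mail.
gpg --full-gen-key
gpg --list-keys
echo "Standard notice, when prompted: Key is either compromised or abandoned, this revocation was created ex ante. Be advised."
# Output paths are quoted so a User ID containing spaces cannot be word-split.
gpg --output "REVOKE.${GPG_USER_ID}.${DOMAIN}.pgp.asc" --gen-revoke "$UID_ADDR"
gpg --output "${GPG_USER_ID}.${DOMAIN}.secret.pgp.asc" --armor --export-secret-key "$UID_ADDR"
gpg --output "${GPG_USER_ID}.${DOMAIN}.public.pgp.asc" --armor --export "$UID_ADDR"
gpg --list-keys --fingerprint "$UID_ADDR"

# The keygrip (not the fingerprint) is what ancillary utilities such as
#   gpg-preset-passphrase --preset $KEYGRIP
# expect. --with-keygrip prints one "Keygrip = ..." line per primary key and
# subkey; the first is the primary key's, subkey keygrips follow. The old
# fingerprint-based extraction yielded a fingerprint, which those tools reject.
KEYGRIPS=$(gpg --with-keygrip --list-keys "$UID_ADDR" | grep -i 'keygrip' | sed -e 's/.*= *//' -e 's/ //g' || true)
KEYGRIP=$(printf '%s\n' "$KEYGRIPS" | head -1)
echo "KeyGrip(s) for primary key and subkeys, in listing order:"
printf '%s\n' "$KEYGRIPS"
echo "KeyGrip: $KEYGRIP"
ls -lFth
echo "Save it all up to secure corporate secrets repository."
echo "Delete loose copies of REVOKE certificate."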
<?xml version="1.0" encoding="utf-8"?>
<!-- https://docs.thycotic.com/ss/10.9.0/secret-templates/list-of-built-in-secret-templates
is conspicuously missing PGP/GPG keys. Here is a reasonable supplement to provide that.
-->
<!-- Secret Server secret template for one PGP/GPG key set: the three parts of an
     OpenPGP User ID (Real Name, Email Address, Comment), the armored public and
     private keys, the private-key passphrase and the pre-generated revocation
     certificate, plus free-form notes. Every field sets mustencrypt=true; the
     three file fields (isfile=true) and the passphrase are not indexable.
     The xsd prefix is declared but unused; xsi is needed for xsi:nil below. -->
<secrettype xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<name>PGP Key</name>
<active>true</active>
<fields>
<!-- Identity fields: plain text, indexable. Their name/description text is
     application data and is shown to operators as written here. -->
<field isexpirationfield="false">
<displayname>Real Name</displayname>
<description>Full, real name of authorized identity. Often a person's legal name, possibly a limited membership privileged department.</description>
<name>Real Name</name>
<mustencrypt>true</mustencrypt>
<isurl>false</isurl>
<ispassword>false</ispassword>
<isnotes>false</isnotes>
<listtype />
<isfile>false</isfile>
<passwordcharacterset />
<passwordlength>10</passwordlength>
<historylength>2147483647</historylength>
<isindexable>true</isindexable>
<editablepermission>2</editablepermission>
<required>false</required>
<fieldslugname>real-name</fieldslugname>
<hideonview>false</hideonview>
</field>
<field isexpirationfield="false">
<displayname>Email Address</displayname>
<description>Primary email address associated with the private key.</description>
<name>Email Address</name>
<mustencrypt>true</mustencrypt>
<isurl>false</isurl>
<ispassword>false</ispassword>
<isnotes>false</isnotes>
<listtype />
<isfile>false</isfile>
<passwordcharacterset />
<passwordlength>10</passwordlength>
<historylength>2147483647</historylength>
<isindexable>true</isindexable>
<editablepermission>2</editablepermission>
<required>false</required>
<fieldslugname>email-address</fieldslugname>
<hideonview>false</hideonview>
</field>
<!-- displayname "Identity Comment" differs from the field name/slug "Comment";
     API consumers address the field by the slug. -->
<field isexpirationfield="false">
<displayname>Identity Comment</displayname>
<description>Supplemental detail in key or key-holder identity. Perhaps a nickname, callsign, or title, or if not held by a person, a department, project, agency, or process name.</description>
<name>Comment</name>
<mustencrypt>true</mustencrypt>
<isurl>false</isurl>
<ispassword>false</ispassword>
<isnotes>false</isnotes>
<listtype />
<isfile>false</isfile>
<passwordcharacterset />
<passwordlength>10</passwordlength>
<historylength>2147483647</historylength>
<isindexable>true</isindexable>
<editablepermission>2</editablepermission>
<required>false</required>
<fieldslugname>comment</fieldslugname>
<hideonview>false</hideonview>
</field>
<!-- Key material: stored as uploaded files (isfile=true), encrypted, not indexable. -->
<field isexpirationfield="false">
<displayname>Public Key</displayname>
<description>The PGP public key in an ASCII-armored file.</description>
<name>Public Key</name>
<mustencrypt>true</mustencrypt>
<isurl>false</isurl>
<ispassword>false</ispassword>
<isnotes>false</isnotes>
<listtype />
<isfile>true</isfile>
<passwordcharacterset />
<passwordlength>10</passwordlength>
<historylength>2147483647</historylength>
<isindexable>false</isindexable>
<editablepermission>2</editablepermission>
<required>false</required>
<fieldslugname>public-key</fieldslugname>
<hideonview>false</hideonview>
</field>
<field isexpirationfield="false">
<displayname>Private Key</displayname>
<description>The PGP private key in an ASCII-armored file.</description>
<name>Private Key</name>
<mustencrypt>true</mustencrypt>
<isurl>false</isurl>
<ispassword>false</ispassword>
<isnotes>false</isnotes>
<listtype />
<isfile>true</isfile>
<passwordcharacterset />
<passwordlength>10</passwordlength>
<historylength>2147483647</historylength>
<isindexable>false</isindexable>
<editablepermission>2</editablepermission>
<required>false</required>
<fieldslugname>private-key</fieldslugname>
<hideonview>false</hideonview>
</field>
<!-- The only field with ispassword=true.
     NOTE(review): passwordlength is 10 here, the same value as the text fields,
     and passwordcharacterset is empty. If these drive the built-in password
     generator for this field, confirm 10 characters is acceptable for a
     passphrase guarding long-lived private key material. -->
<field isexpirationfield="false">
<displayname>Private Key Passphrase</displayname>
<description>The passphrase for decrypting the PGP private key.</description>
<name>Private Key Passphrase</name>
<mustencrypt>true</mustencrypt>
<isurl>false</isurl>
<ispassword>true</ispassword>
<isnotes>false</isnotes>
<listtype />
<isfile>false</isfile>
<passwordcharacterset />
<passwordlength>10</passwordlength>
<historylength>2147483647</historylength>
<isindexable>false</isindexable>
<editablepermission>2</editablepermission>
<required>false</required>
<fieldslugname>private-key-passphrase</fieldslugname>
<hideonview>false</hideonview>
</field>
<!-- Revocation Certificate and Notes carry passwordlength -1 where the other
     fields carry 10; presumably "not applicable" for non-password fields.
     Confirm against the template schema before relying on it. -->
<field isexpirationfield="false">
<displayname>Revocation Certificate</displayname>
<description>Upload this certificate to a public key server in the event of key or passphrase compromise. Having a secure record of the passphrase somewhat obviates the necessity of this certificate.</description>
<name>Revocation Certificate</name>
<mustencrypt>true</mustencrypt>
<isurl>false</isurl>
<ispassword>false</ispassword>
<isnotes>false</isnotes>
<listtype />
<isfile>true</isfile>
<passwordcharacterset />
<passwordlength>-1</passwordlength>
<historylength>2147483647</historylength>
<isindexable>false</isindexable>
<editablepermission>2</editablepermission>
<required>false</required>
<fieldslugname>revocation-certificate</fieldslugname>
<hideonview>false</hideonview>
</field>
<field isexpirationfield="false">
<displayname>Notes</displayname>
<description>Any additional notes.</description>
<name>Notes</name>
<mustencrypt>true</mustencrypt>
<isurl>false</isurl>
<ispassword>false</ispassword>
<isnotes>true</isnotes>
<listtype />
<isfile>false</isfile>
<passwordcharacterset />
<passwordlength>-1</passwordlength>
<historylength>2147483647</historylength>
<isindexable>true</isindexable>
<editablepermission>2</editablepermission>
<required>false</required>
<fieldslugname>notes</fieldslugname>
<hideonview>false</hideonview>
</field>
</fields>
<descriptions>PGP, per RFC 4880. Probably provided by GnuPG software distribution, is an asymmetric cryptographic scheme providing encryption, signing, and verification.</descriptions>
<!-- expirationdays is 0 and no field is flagged isexpirationfield="true", so this
     template presumably carries no expiry tracking of its own. OpenPGP keys are
     commonly issued with an expiration date; if that matters operationally,
     track it in Notes or flag a field for expiration. -->
<expirationdays>0</expirationdays>
<secretnamehistorylength>0</secretnamehistorylength>
<imageclass>fa-check-circle-o</imageclass>
<!-- One-time-password features are disabled; the dependent settings are
     explicitly null via xsi:nil rather than omitted or left empty. -->
<onetimepasswordenabled>false</onetimepasswordenabled>
<onetimepasswordcodelength xsi:nil="true" />
<onetimepassworddurationseconds xsi:nil="true" />
<onetimepasswordhashmode xsi:nil="true" />
<validatepasswordrequirementsoncreate>false</validatepasswordrequirementsoncreate>
<validatepasswordrequirementsonedit>false</validatepasswordrequirementsonedit>
<permissions />
</secrettype>