Gist woods/8970150: gen-key-script
Contents of the parameter file gen-key-script (GnuPG's unattended key-generation format; full-line # comments are ignored by gpg):

```
# Primary key: algorithm 1 = RSA
Key-Type: 1
Key-Length: 2048
# Subkey: algorithm 1 = RSA
Subkey-Type: 1
Subkey-Length: 2048
Name-Real: Root Superuser
Name-Email: [email protected]
# 0 = the key never expires
Expire-Date: 0
```

```sh
# Generate the key
gpg --batch --gen-key gen-key-script
```
Originally I had a couple extra steps to use rng-tools to seed entropy from /dev/urandom. Apparently this is a bad idea because it will just feed bytes regardless of whether there's enough entropy. Here's where I got the original idea, and the subsequent discussion of why it's bad.
For new machines, we should generate the keys on our laptops where there's much more entropy to draw from, and then transfer them to the new server, just like we're currently doing with the encrypted data bag secret.
This is awesome, thank you.
I configured libvirt to use /dev/urandom of the host: https://libvirt.org/formatdomain.html#elementsRng
That way keys generated within the VM should be ok.
Thanks, that was really helpful.
I got what I needed from: https://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html
without creating an actual file:

```sh
gpg --batch --gen-key <<EOF
Key-Type: 1
Key-Length: 2048
Subkey-Type: 1
Subkey-Length: 2048
Name-Real: Root Superuser
Name-Email: [email protected]
Expire-Date: 0
EOF
```
I am getting the following error when running the script:
gpg: agent_genkey failed: No pinentry
gpg: key generation failed: No pinentry
@guillaume130679 https://www.google.com/search?q=gpg%3A+agent_genkey+failed%3A+No+pinentry
On Wed, Nov 11, 2020 at 7:07 AM Bluzz44 wrote: I am getting the following error when running the script: gpg: agent_genkey failed: No pinentry gpg: key generation failed: No pinentry
This was more of an FYI note, I found how to resolve the issue https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
Not sure what is different, but the code given on that page worked :)
Add %no-protection if you need to generate passwordless keys. This also prevents pinentry from popping up.
Using process substitution can also support indentation:

```sh
gpg --full-gen-key --batch <(echo "Key-Type: 1"; \
                             echo "Key-Length: 4096"; \
                             echo "Subkey-Type: 1"; \
                             echo "Subkey-Length: 4096"; \
                             echo "Expire-Date: 0"; \
                             echo "Name-Real: Root Superuser"; \
                             echo "Name-Email: [email protected]"; \
                             echo "%no-protection"; )
```
Quick question for you: do you know if it's possible to use --batch to create a master key and subsequent subkeys (3 to 4 at a time)?
I want to follow this guide: https://github.com/drduh/YubiKey-Guide and create a script that would create the master key and subkeys at the same time. After some research, I'm left with "it can only generate 1 subkey", so I'm stuck right now.
If you have an idea, could you share it?
Here's a page that describes the options for the gen-key script: http://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html