Security

GPG

GPG keys are used to sign packages and repositories. For example, yum and apt repositories are signed with GPG keys, and the package managers import those keys and verify the signatures before installing packages.

The KWallet Manager and GNOME Keyring (Seahorse) applications can also be used to manage GPG keys.

PAM

Pluggable authentication modules form an authentication framework that can be used by "PAM-aware applications". These applications have config files found in /etc/pam.d. The various PAM modules have man pages prefixed with pam_, e.g. "pam_wheel".

Commands

gpg

Generate a public and private ("secret") key pair ("keyring") after displaying interactive prompts to the user, who must enter a real name and email address and specify parameters such as key length and encryption algorithm.

gpg --full-generate-key
gpg --generate-key # (1)

  1. Generate a new keyring using current default parameters.

The rngd daemon found in the rng-tools package can be enabled for additional entropy if needed by the system.

pacman -S community/rng-tools

This generates a public and private key in ~/.gnupg. The public key, which can be distributed so that other people can encrypt messages to the user, is stored in pubring.kbx. More than one master key pair can be generated in this manner, even for the same email address.

Decrypt file

gpg file.txt

Export GPG public key

gpg --export --output ~/jdoe.pub

Import another person's public key

gpg --import jdoe.pub

List available GPG keys

gpg --list-key

Encrypt a file

gpg --encrypt -r jdoe@dplaptop.lab.itpro.tv $FILE

Sign $FILE without encrypting it (produces file.asc)

gpg --clearsign $FILE

Send keys to $SERVER

gpg --keyserver $SERVER --send-keys keyIDs

pass

pass, "the standard unix password manager", is a command-line password manager backed by GPG that can also handle OTP generation for MFA.

The first step in using pass is generating a new key pair, as described under gpg above (gpg --full-generate-key, or gpg --generate-key for the current default parameters). The resulting public and private keys are stored in ~/.gnupg.

Display public keys

gpg -k # --list-keys

Unwanted keys can be deleted by specifying the key ID (or fingerprint) of the public key:

gpg --delete-secret-and-public-keys KEYID

Now a password store can be initialized by providing that same email address. This email is stored at ~/.password-store/.gpg-id.

pass init email@example.com

Add password

pass insert email

This produces a binary, encrypted file at ~/.password-store/email.gpg. The password can be retrieved, after authenticating with the GPG key's passphrase, with the following:

pass email # (1)

  1. Because this is simply a GPG-encrypted file, GPG can be used equivalently; this appears to be the command executed by the pass shell script.
    gpg -dq ~/.password-store/email.gpg

Display names of passwords

pass ls # (1)

  1. This command is equivalent to running tree on the password store directory.
    tree ~/.password-store


pass can also handle OTP generation for MFA, as long as you can retrieve the OTP URI (beginning with otpauth://). QR code images can be decoded with zbarimg to retrieve these URIs.

pass otp insert mimecast # (1)

  1. Note that otpauth URIs usually contain an embedded email address, which must match that of the initialized password store. If this identity does not match, an error reading "There is no assurance this key belongs to the named user" is produced.
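What pass does with such a URI, as an added example rather than code from pass or this page: parse the otpauth:// URI (the string zbarimg returns) into its label, issuer, secret and parameters, pull out the account identity embedded in the label, and compute the RFC 6238 TOTP code from it. The URI below is constructed for illustration and uses the RFC 6238 reference secret, so the codes it yields are the published test-vector values.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth:// URI (as read from a QR code with zbarimg) into its parts."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not a TOTP/HOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))        # "Issuer:account" or just "account"
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "type": u.netloc,
        "account": account.strip(),             # identity embedded in the URI (often an email)
        "issuer": q.get("issuer", issuer_from_label.strip()),
        "secret": q["secret"],                  # base32; case and '=' padding vary by issuer
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp_code(params, now=None):
    """RFC 6238 TOTP for the parsed parameters at Unix time `now` (default: current time)."""
    secret = params["secret"].upper().rstrip("=")
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))   # restore padding
    counter = int((time.time() if now is None else now) // params["period"])
    digestmod = getattr(hashlib, params["algorithm"].lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])


# Constructed sample URI; the secret is "12345678901234567890" (RFC 6238 reference key) in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["account"], totp_code(p, now=59))   # alice@example.com 287082
```

The account field is the identity the note above says must match the password store's .gpg-id; the secret itself is what pass stores GPG-encrypted under ~/.password-store.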

Resources

Luke Smith video