Table des matières
0 billet(s) pour février 2026
GPG - Plan
GPG - Générer une paire de clefs
GPG - Utilisation basique - exemples
GPG - Limites et réserves à avoir
GPG - Signer une clef - Key signing party
GPG - Publier sa clef sur un serveur
GPG - Toile de confiance - Web of Trust
PGP ou GPG ?
PGP can refer to two things:
- The Pretty Good Privacy software originally written by Phil Zimmermann, and now owned by Symantec.
- The formats for keys, encrypted messages and message signatures defined by that software. These have now been formalised as the OpenPGP standard.
The GNU Privacy Guard (GPG) software is an independent implementation of the OpenPGP standards, so you can use it to exchange encrypted messages with people using other OpenPGP implementations (e.g. Symantec's PGP).
Due to its popularity on Linux systems, it is also fairly common for people to incorrectly use the term “GPG” to refer to the whole OpenPGP cryptography system (e.g. “GPG keys” or “GPG signatures”). It is usually pretty clear what they mean from the context though.
Source : https://askubuntu.com/a/186814
GPG - limites et réserves à avoir
Alternatives
Alternative pour signer :
Alternative pour chiffrer :
Une implémentation moderne de PGP
Limites et problème de GPG
Voir aussi :
| Problème | Solution |
| Surreptitious forwarding attack | Une clef pour signer différente de la clef pour chiffrer |
| PGP Certificate Flooding attacks | (p) Utiliser les clefs en local sans jamais passer par des serveurs de clefs |
| Perte d'anonymat dans l'échange de clefs | Utiliser tor/i2p ou échange de clefs en local |
| Complexe a utiliser | (p) Fournir une documentation ou un outil clef en main |
| Code complexe et donc surface d'attaque trop large | - |
| No forward secrecy | (p) Changer régulièrement les clefs/sous-clefs |
| Metadata - Destinataire du message | Utiliser l'option --hidden-recipient ou --throw-keyids. Ne pas publier cette clef publique |
| Metadata - Version clef et autre | Changer la conf par défaut |
| AFAIL Attack | Ne pas mettre sa clef privée dans un client mail ou alors désactiver HTML |
(p) : Solution partielle
GPG - Générer une paire de clefs
Création des clefs
apt-get install rng-tools
Voir : https://github.com/drduh/YubiKey-Guide - OneRNG Voir aussi clrngd
/etc/default/rng-tools
HRNGDEVICE=/dev/urandom
Trouver une autre solution Voir https://lwn.net/Articles/525459/
service rng-tools restart
gpg2 --expert --gen-key gpg2 --expert --edit-key 86E4065450014 addkey save change-usage save
OU
cat >key-input <<EOF %echo Generating a standard key Key-Type: RSA Key-Length: 4096 Name-Real: ${USER} Name-Email: ${USER}@${HOSTNAME} Expire-Date: 0 %commit %echo Finished creating standard key EOF gpg2 --batch --gen-key key-input
Sauvegarde
Exporter sa clef
Voir :
Voir aussi :
- Paperkey
Clef publique
gpg -a --export 0x50D12DE07663C664 > ~/.gnupg/jean@acme.fr.pub.asc
Clef privée
gpg -a --export-secret-keys 0x50D12DE07663C664 > ~/.gnupg/jean@acme.fr.sec.asc
Uniquement les sous-clefs privées
gpg -a --export-secret-subkeys 0x50D12DE07663C664 > ~/.gnupg/jean@acme.fr.sub.sec.asc
Exporter uniquement une sous-clef spécifique
gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg
Warning: If you forget to add the !, all of your subkeys will be exported.
GPG - connexes
Autres fonctionnalités
Inclure une photo :
Git - Signer ses commits
git config --global commit.gpgsign true
GPG - Config
Voir :
Voir faille de sécu des anciennes versions :
Fichier de conf GPG
Voir :
~/.gnupg/gpg.conf
### DISPLAY # Suppress the initial copyright message no-greeting # Les identifiants de clés courts sont triviaux à usurper ; il est facile de # créer une collision sur les identifiants de clé longs (16 caractères) ; si vous voulez des # identifiants de clé forts, vous voudrez toujours voir l empreinte # both short and long key IDs are insecure # keyid-format 0xlong keyid-format none # use full fingerprint instead with-subkey-fingerprint with-fingerprint # when outputting certificates, view user IDs distinctly from keys: #fixed-list-mode # Display validity of UIDs when verifying signatures. list-options show-uid-validity verify-options show-uid-validity ### EXPORT # N'inclut pas la version de votre GPG en commentaire de vos fichiers # prevent version string from appearing in your signatures/public keys no-emit-version # Lors de l'export d'une clef, exclut les signatures par défaut export-options export-minimal ### PREFER & CYPHERS # http://www.gnupg.org/faq/gnupg-faq.html # remove 3DES and prefer AES256 personal-cipher-preferences AES256 AES192 AES CAST5 # personal-cipher-preferences TWOFISH CAMELLIA256 AES256 # not for creating keys, but signing and encrypting. The most preferred algorithm supported by the recipient. # remove SHA-1 and prefer SHA-512 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 # Prefer better compression methods. personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed # remove SHA-1 and 3DES from cipher preferences of newly created key default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed # use SHA-512 when signing a key cert-digest-algo SHA512 # override recipient key digest preferences # remove SHA-1 and prefer SHA-512 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 # reject SHA-1 signature weak-digest SHA1 # never allow use 3DES disable-cipher-algo 3DES ### KEYSERVERS # Utilisation de hkps ou en passant par Tor #keyserver hkp://keys.gnupg.net #keyserver hkps://hkps.pool.sks-keyservers.net #keyserver hkp://jirk5u4osbsr34t5.onion # Don't use the preferred keyserver of the key, but our keyserver pool # instead. This way we won't use any broken keyservers like pgp.mit.edu # specified by the key. keyserver-options no-honor-keyserver-url ### SYMETRIC ENCRYPTION # use AES256 when symmetric encryption s2k-cipher-algo AES256 # use SHA-512 when symmetric encryption s2k-digest-algo SHA512 # Mangle passphrases for private keys and symmetric encryption by applying a # hash function (s2k-digest-algo) with a salt s2k-count times (default). s2k-mode 3 # mangle password many times as possible when symmetric encryption s2k-count 65011712 ### OTHERS # If you have more than 1 secret key in your keyring, you may want to # uncomment the following option and set your preferred keyid. #default-key 621CC013 # Encrypted file whithout recipient. Prevent data analyse throw-keyids # When verifying a signature made from a subkey, ensure that the cross # certification "back signature" on the subkey is present and valid. # This protects against a subtle attack against subkeys that can sign. # Defaults to --no-require-cross-certification. However for new # installations it should be enabled. require-cross-certification # vim: ft=gpg
Valider la syntaxe du ficher de conf
echo | gpg gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: [don't know]: invalid packet (ctb=0a)
Config de l'agent GPG
Change the pinentry
~/.gnupg/gpg-agent.conf
# pinentry-program /usr/bin/pinentry-tty pinentry-program /usr/bin/pinentry-curses
Reload configuration
gpg-connect-agent reloadagent /bye