Note: the GPG-related code is still under development, so please try the current implementation and let me know if something doesn't work well for you. If possible:
- record the session (e.g. using asciinema)
- attach the GPG agent log from ~/.gnupg/{trezor,ledger}/gpg-agent.log
Thanks!
First, verify that you have GPG 2.1.11+ installed (Debian, macOS):
$ gpg2 --version | head -n1
gpg (GnuPG) 2.1.15
This GPG version is included in Ubuntu 16.04 and Linux Mint 18.
Update your device firmware to the latest version and install the agent package for your specific device:
$ pip install --user (trezor|keepkey|ledger)_agent
To create a GPG identity with a specific device type, use one of the following commands:
$ trezor-gpg init "Roman Zeyde <[email protected]>"
$ ledger-gpg init "Roman Zeyde <[email protected]>"
To use a specific device type for GPG operations, set GNUPGHOME to the matching directory:
$ export GNUPGHOME=~/.gnupg/{trezor,ledger}
You can use GNU Privacy Assistant (GPA) in order to inspect the created keys and perform signature and decryption operations using:
$ sudo apt install gpa
$ GNUPGHOME=~/.gnupg/trezor gpa
Git can use GPG to sign and verify commits and tags (see here):
$ git config --local commit.gpgsign 1
$ git config --local gpg.program $(which gpg2)
$ git commit --gpg-sign # create GPG-signed commit
$ git log --show-signature -1 # verify commit signature
$ git tag v1.2.3 --sign # create GPG-signed tag
$ git tag v1.2.3 --verify # verify tag signature
First, install pass from passwordstore.org and initialize it to use your TREZOR-based GPG identity:
$ export GNUPGHOME=~/.gnupg/trezor
$ pass init "Roman Zeyde <[email protected]>"
Password store initialized for Roman Zeyde <[email protected]>
Then, you can generate truly random passwords and save them encrypted using your public key (as separate .gpg files under ~/.password-store/):
$ pass generate Dev/github 32
$ pass generate Social/hackernews 32
$ pass generate Social/twitter 32
$ pass generate VPS/linode 32
$ pass
Password Store
├── Dev
│ └── github
├── Social
│ ├── hackernews
│ └── twitter
└── VPS
└── linode
In order to paste them into the browser, you'd need to decrypt the password using your hardware device:
$ pass --clip VPS/linode
Copied VPS/linode to clipboard. Will clear in 45 seconds.
You can also use the following Qt-based UI for pass:
$ sudo apt install qtpass
$ GNUPGHOME=~/.gnupg/trezor qtpass
If you've forgotten the timestamp value but still have access to the public key, you can retrieve the timestamp with the following command (replace "[email protected]" with the key's e-mail address or key ID):
$ gpg2 --export '[email protected]' | gpg2 --list-packets | grep created | head -n1
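The grep pipeline above works because GnuPG lists the primary public key packet first. As an added example (not part of trezor-agent), the shell function below reads the `created` field from the `:public key packet:` section explicitly, so a `created` value from a signature or subkey packet is never picked up by mistake. The packet listing fed to it here is a constructed sample, not output from a real key.

```shell
#!/bin/sh
# Added example, not trezor-agent code. Reads a `gpg2 --list-packets` listing
# on stdin and prints the creation timestamp of the primary public key only.
# Usage: gpg2 --export '<uid or key id>' | gpg2 --list-packets | primary_created
primary_created() {
    awk '
        /^:public key packet:/ { in_pub = 1; next }   # primary key packet header
        /^:/                   { in_pub = 0 }         # any other packet header ends it
        in_pub && match($0, /created [0-9]+/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            print f[2]                                # the epoch seconds after "created "
            exit
        }
    '
}

# Constructed sample listing: key IDs and timestamps are made up for the demo.
# Note the signature and subkey packets also carry "created" fields.
SAMPLE_PACKETS=':public key packet:
    version 4, algo 19, created 1512432000, expires 0
    pkey[0]: [264 bits] nistp256 (1.2.840.10045.3.1.7)
    keyid: 0123456789ABCDEF
:user ID packet: "Foobar"
:signature packet: algo 19, keyid 0123456789ABCDEF
    version 4, created 1512432001, md5len 0, sigclass 0x13
:public sub key packet:
    version 4, algo 18, created 1512432005, expires 0
    keyid: FEDCBA9876543210'

# Wrapper returning the primary key timestamp found in the constructed sample.
sample_primary_created() {
    printf '%s\n' "$SAMPLE_PACKETS" | primary_created
}
```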
After your main identity is created, you can add new user IDs using the regular GnuPG commands:
$ trezor-gpg init "Foobar" -vv
$ export GNUPGHOME=${HOME}/.gnupg/trezor
$ gpg2 -K
------------------------------------------
sec nistp256/6275E7DA 2017-12-05 [SC]
uid [ultimate] Foobar
ssb nistp256/35F58F26 2017-12-05 [E]
$ gpg2 --edit Foobar
gpg> adduid
Real name: Xyzzy
Email address:
Comment:
You selected this USER-ID:
"Xyzzy"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg> save
$ gpg2 -K
------------------------------------------
sec nistp256/6275E7DA 2017-12-05 [SC]
uid [ultimate] Xyzzy
uid [ultimate] Foobar
ssb nistp256/35F58F26 2017-12-05 [E]
In order to add a TREZOR-based subkey to an existing GnuPG identity, use the --subkey flag:
$ gpg2 -k foobar
pub rsa2048/90C4064B 2017-10-10 [SC]
uid [ultimate] foobar
sub rsa2048/4DD05FF0 2017-10-10 [E]
$ trezor-gpg init "foobar" --subkey
To enter an existing GPG passphrase, I recommend installing and using a graphical Pinentry:
$ sudo apt install pinentry-gnome3
$ sudo update-alternatives --config pinentry
There are 4 choices for the alternative pinentry (providing /usr/bin/pinentry).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/bin/pinentry-gnome3 90 auto mode
1 /usr/bin/pinentry-curses 50 manual mode
2 /usr/bin/pinentry-gnome3 90 manual mode
3 /usr/bin/pinentry-qt 80 manual mode
4 /usr/bin/pinentry-tty 30 manual mode
Press <enter> to keep the current choice[*], or type selection number: 0