Diffstat (limited to 'doc')
-rw-r--r-- doc/DETAILS | 9
-rw-r--r-- doc/FAQ | 27
-rw-r--r-- doc/OpenPGP | 9
-rw-r--r-- doc/gpg.sgml | 10
4 files changed, 53 insertions, 2 deletions
diff --git a/doc/DETAILS b/doc/DETAILS index 3007ab3de..0ab83ecdf 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -494,6 +494,15 @@ There is one enhancement used with the old style packet headers: + that this is the last packet. +GNU extensions to the S2K algorithm +=================================== +S2K mode 101 is used to identify these extensions. +After the hash algorithm the 3 bytes "GNU" are used to make +clear that these are extensions for GNU, the next bytes gives the +GNU protection mode - 1000. Defined modes are: + 1001 - do not store the secret part at all + + Usage of gdbm files for keyrings ================================ The key to store the keyblock is it's fingerprint, other records 
@@ -372,3 +372,30 @@ message and encrypt it again without this option. The option will be removed in 1.1, so better re-encrypt your message now. + Q: How can I used GnuPG in an automated environment? + A: You should use the option --batch and don't use passphrases as + there is usually no way to store it more secure than the secret + keyring itself. The suggested way to create the keys for the + automated envirionment ist: + On a secure machine: + 1. If you want to do automatic signing, create a signing subkey + for your key (edit menu, choose "addkey" and the DSA). + 2. Make sure that you use a passphrase (Needed by the current + implementation) + 3. gpg --export-secret-subkeys --no-comment foo >secring.auto + 4. Copy secring.auto and the public keyring to a test directory. + 5. Cd to this diectory + 6. gpg --homedir . --edit foo + and use "passwd" to remove the passphrase from the subkeys. + You may also want to remove all unused subkeys. + 7. copy secring.auto to a floppy and carry it to the + target box + On the target machine: + 8. Install secring.auto as secret keyring. + 9. Now you can start your new service. It is a good idea to + install some intrusion detection system so that you hopefully + get a notice of an successful intrusion, so that you in turn can + revoke all the subkeys installed on that machine and install new + subkeys. + + diff --git a/doc/OpenPGP b/doc/OpenPGP index c73eee4f8..ba44d87fb 100644 --- a/doc/OpenPGP +++ b/doc/OpenPGP 
@@ -33,6 +33,15 @@ which can be considered to be in compliance with RFC1991; this format is only created if a special option is active. + GnuPG uses a S2K mode of 101 for GNU extensions to the secret key + protection algorithms. This number is not defined in OpenPGP, but + given the fact that this number is in a range which used at many + other places in OpenPGP for private/experimenat algorithm identifiers, + this should be not a so bad choice. The 3 bytes "GNU" are used + to identify this as a GNU extension - see the file DETAILS for a + definition of the used data formats. + + Some Notes on OpenPGP / PGP Compatibility: ========================================== diff --git a/doc/gpg.sgml b/doc/gpg.sgml index 76f0415bf..ec160679b 100644 --- a/doc/gpg.sgml +++ b/doc/gpg.sgml @@ -27,7 +27,7 @@ --> -<!DOCTYPE RefEntry PUBLIC "-//Davenport//DTD DocBook V3.0//EN" [ +<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN" [ <!entity ParmDir "<parameter>directory</parameter>"> <!entity ParmFile "<parameter>file</parameter>"> <!entity OptParmFile "<optional>&ParmFile;</optional>"> @@ -157,7 +157,7 @@ and the remaining files are the signed stuff. </para></listitem></varlistentry> <varlistentry> -<term>--verify-files <optional><optional><parameter/files/</optional> +<term>--verify-files <optional><parameter/files/</optional></term> <listitem><para> This is a special version of the --verify command which does not work with detached signatures. The command expects the files to bee verified either 
@@ -431,9 +431,14 @@ are not compatible to OpenPGP. <varlistentry> <term>--export-secret-keys &OptParmNames;</term> +<term>--export-secret-subkeys &OptParmNames;</term> <listitem><para> Same as --export, but does export the secret keys. This is normally not very useful and a security risk. +the second form of the command has the special property to +render the secret part of the primary key useless; this is +a GNU extension to OpenPGP and other implementations can +not be expected to successful import such a key. </para></listitem></varlistentry> @@ -1418,6 +1423,7 @@ constructed by cutting off the extension (".asc" or ".sig") of <term>GNUPGHOME</term> <listitem><para>If set directory used instead of "~/.gnupg".</para></listitem> </varlistentry> +<varlistentry> <term>http_proxy</term> <listitem><para>Only honored when the option --honor-http-proxy is set.</para></listitem> </varlistentry> |
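Review bot: In the doc/DETAILS hunk (@@ -494,6 +494,15 @@) the sentence "the next bytes gives the GNU protection mode - 1000" leaves the width of the mode field unspecified, so a parser author cannot tell how many octets follow "GNU" or how mode 1001 is encoded (as the value 1?). State the field width and encoding explicitly, e.g. "the next byte gives the GNU protection mode minus 1000, so mode 1001 is stored as 1", and fix the number agreement in "bytes gives". The whole extension would be easier to implement from an octet-by-octet layout: S2K mode octet (101), hash algorithm octet, the three octets "GNU", then the mode octet.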
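Review bot: In the doc/FAQ hunk (@@ -372,3 +372,30 @@) the answer never says why only subkeys are exported: the primary secret key stays on the secure machine, which is exactly what allows the subkeys installed on a compromised host to be revoked and replaced in step 9. One sentence tying steps 1, 3 and 9 together would make that security model explicit. Step 6 uses "gpg --homedir . --edit foo"; write the command out as --edit-key so the FAQ does not depend on option abbreviation. Spelling: "How can I used" should be "How can I use", "envirionment ist" should be "environment is", "Cd to this diectory" should be "cd to this directory", and "an successful intrusion" should be "a successful intrusion".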
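Review bot: In the doc/OpenPGP hunk (@@ -33,6 +33,15 @@) the justification "this should be not a so bad choice" is too vague for a compatibility document; name the OpenPGP rule being relied on (the private/experimental S2K specifier range) and state the consequence that matters to users: a secret key protected with S2K mode 101 will not be importable by other OpenPGP implementations, as the --export-secret-subkeys text in doc/gpg.sgml already says. Grammar and spelling: "a S2K mode" should be "an S2K mode", "which used at many" should be "which is used at many", and "experimenat" should be "experimental".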
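Review bot: In the doc/gpg.sgml hunk at @@ -157,7 +157,7 @@ the context line "The command expects the files to bee verified" still carries a typo ("to be verified") that could be fixed in the same entry now that its <term> markup is being repaired.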
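Review bot: In the doc/gpg.sgml hunk at @@ -431,9 +431,14 @@ the added paragraph starts in lower case directly after "a security risk." ("the second form of the command") and ends with "can not be expected to successful import", which should read "successfully import". It should also say what the second form is for: because the primary secret key is rendered useless, the exported keyring can be installed on an automated host while the real primary key stays offline, the use case the FAQ entry added in this same commit describes; a one-line cross-reference to that FAQ entry would spare readers from guessing why the option exists.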