cryptography cheatsheet

ssh

specify keyfile if custom name is provided

ssh-keygen -f <KEYFILE>

remove passphrase

this will prompt you to enter the keyfile location, the old passphrase, and the new passphrase which can be left blank to have no passphrase

ssh-keygen -p

ssh-keygen -p -P <OLD> -N <NEW> -f <KEYFILE>

Danger

there is also the option to do it in one command, but this is not recommended because ~/.bash_history logs the passphrase

generate a key pair (ed25519)

ssh-keygen -t ed25519 -C "your_email@example.com"

add the public key to the server

cat ~/.ssh/<KEY>.pub
nano ~/.ssh/authorized_keys

disabling password authentication

nano /etc/ssh/sshd_config
PasswordAuthentication no
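
A check worth running after this edit, as an added example that is not part of the original cheatsheet: sshd uses the first value it reads for each keyword, so a PasswordAuthentication no line added below an existing yes line changes nothing. The helper name first_value and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. sshd keeps the FIRST value it
# reads for a keyword, so appending "PasswordAuthentication no" to the end of
# sshd_config has no effect when an earlier line already says "yes".

# first_value KEYWORD FILE (hypothetical helper): print the first global value
# of KEYWORD in FILE, lowercased. "unset" means the global section never sets
# it, so sshd's built-in default applies (yes for PasswordAuthentication).
first_value() {
  awk -v kw="$1" '
    NF == 0 || $1 ~ /^#/ { next }            # blank line or comment
    { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value" too
    tolower($1) == "match" { exit }          # Match blocks are conditional
    tolower($1) == tolower(kw) { v = tolower($2); exit }
    END { print (v == "" ? "unset" : v) }
  ' "$2"
}

# Constructed sample files, for illustration only.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/appended.conf" <<'EOF'
# constructed: default line left in place, hardening line appended
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

cat > "$tmp/edited.conf" <<'EOF'
# constructed: the existing line was changed instead
PasswordAuthentication no
PubkeyAuthentication yes
EOF

cat > "$tmp/matchonly.conf" <<'EOF'
# constructed: only set inside a Match block, global value stays default
Match User deploy
    PasswordAuthentication no
EOF

for f in "$tmp"/*.conf; do
  printf '%s: PasswordAuthentication=%s\n' "${f##*/}" \
    "$(first_value PasswordAuthentication "$f")"
done
```

On a real host, sshd -t checks the file for syntax errors and sshd -T prints the effective configuration, which also covers Include files that this sketch does not follow.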

connection to a server with ssh

ssh user@host

passphrase

a passphrase is an additional security feature for private keys in GPG or SSH. It is entered when the key is created and protects it from unauthorized access.

tls

generate a TLS key pair (ed25519)

using openssl

openssl genpkey -algorithm ed25519 -out privatekey.pem
openssl req -new -x509 -key privatekey.pem -out certificate.pem -days 365

verify a tls certificate

openssl x509 -noout -text -in certificate.pem

mtls (with own ca for reverse proxy)

# create root ca
openssl genrsa -out ca.key 4096
openssl req -new -x509 -key ca.key -out ca.crt -days 7 -subj "/CN=<CHOOSE YOUR FANCY NAME (1)>"

# create server cert
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj "/CN=<DOMAIN.TLD>"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 7

# create client cert
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj "/CN=Client"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 7

# create browser cert
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt

fingerprint

create a fingerprint (GPG, SSH, TLS):

ssh-keygen -lf ~/.ssh/id_ed25519.pub
gpg --fingerprint <Key-ID>
openssl x509 -noout -fingerprint -sha256 -in certificate.pem

password generation with hash

password hashing with bcrypt

sudo apt update
sudo apt install bcrypt
bcrypt -l 10

bcrypt -r
Enter password:
Re-type password:

generate a random password with openssl and hash with bcrypt

openssl rand -base64 18 | bcrypt

generate a random password

openssl rand -base64 18

generate a random secret (token)

openssl rand -hex 64

gpg

generate a key pair (default parameters)

gpg --gen-key

generate a key pair (full dialog with all options)

gpg --full-generate-key

encrypt a file

gpg -e -r recipient@example.com file.txt

decrypt a file

gpg -d file.gpg

export a public key

gpg --export -o public_key.gpg <key ID>

signing a file (detached signature in a separate file)

gpg --detach-sign file.txt

signing a file (signature and content in one output file)

gpg --sign file.txt

verify the signature of a file

gpg --verify file.txt.sig