Difference between revisions of "GnuPG"

From YobiWiki
Jump to navigation Jump to search
m
Line 315: Line 315:
   
 
Stealing and adapting key transition text from https://we.riseup.net/assets/176898/key%20transition
  
Stealing and adapting key transition text from https://we.riseup.net/assets/176898/key%20transition
  +
  +
Mass mailing to those who've signed the old one:
  +
$ gpg --list-sigs 9ad7e3db|grep ^sig|sed 's/.*<//;s/>.*//;/^sig/d'|sort|uniq|tr '\n' ','
   
 
==OpenSSH==
  
==OpenSSH==

Revision as of 01:04, 5 February 2016

Those are personal notes when I decided in 2016 to generate a new key as transition from my previous one (from 2002!).
Daily subkeys are stored on a Yubikey NEO-n and master key is stored offline.

Resources

The steps I followed and which I describe only very briefly here, more to remind how I combined them, came from those excellent resources:

gpg.conf

First step was to refresh a little bit my gpg.conf.
See https://github.com/ioerror/duraconf/raw/master/configs/gnupg/gpg.conf for commented gpg.conf and https://help.riseup.net/en/security/message-security/openpgp/best-practices for the reasons behind. 

no-emit-version
no-comments
keyid-format 0xlong
with-fingerprint
list-options show-uid-validity
verify-options show-uid-validity
use-agent
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/phil/.gnupg/keyservers/sks-keyservers.netCA.pem
keyserver-options no-try-dns-srv
keyserver-options no-honor-keyserver-url
keyserver-options include-revoked
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Some more of my own: 

no-greeting
keyserver-options auto-key-retrieve honor-http-proxy
list-options show-policy-urls show-notations show-keyserver-urls show-uid-validity show-unusable-uids show-unusable-subkeys show-sig-expire
verify-options show-photos show-policy-urls show-notations show-keyserver-urls show-uid-validity show-unusable-uids
utf8-strings
ask-cert-level

Offline storage

Digressing a little bit...

I chose an old SDCard to store the master key offline, but it required a little bit of maintenance because it wasn't mounting automatically:

Making sude partition table was ok: 

$ sudo fdisk /dev/mmcblk0

Checking FS signatures: 

$ sudo wipefs /dev/mmcblk0p1

There was still a mix of FAT and ext2 signatures, so deleting the ext2 signature based on the returned offset: 

$ sudo wipefs -o 0x438 /dev/mmcblk0p1

Formatting 

$ sudo mkfs.vfat /dev/mmcblk0p1
$ sudo fatlabel /dev/mmcblk0p1 GNUPG

Reinserting it to get it mounted automatically, then 

$ cp ~/.gnupg/gpg.conf /media/phil/GNUPG
$ sudo mount --bind /media/phil/GNUPG ~/.gnupg

Entropy

Creating large keys require large entropy.
I like haveged for that: 

$ sudo apt-get install haveged

Creating main key

Idea following https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ is to keep the main key completely offline so if yubikey is lost, there is still some hope. 

$ gpg --expert --gen-key
Please select what kind of key you want:
  (8) RSA (set your own capabilities)
Your selection? 8
Current allowed actions: Sign Certify Encrypt 
Your selection? s
Your selection? e
Current allowed actions: Certify 
Your selection? q
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Key is valid for? (0) 2y
Is this correct? (y/N) y
Real name: Philippe Teuwen
Email address: phil@teuwen.org
Comment: 
You selected this USER-ID:
   "Philippe Teuwen <phil@teuwen.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key 0x9B554C36544C89BC marked as ultimately trusted
public and secret key created and signed.

Creating revokation certificate

$ gpg --gen-revoke 9B554C36544C89BC > /media/phil/GNUPG/rev-phil_teuwen.org_2016
sec  4096R/0x9B554C36544C89BC 2016-02-04 Philippe Teuwen <phil@teuwen.org>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  3 = Key is no longer used
Your decision? 3
Enter an optional description; end it with an empty line:
>Using revocation certificate that was generated when key was created.
>It is very likely that I have lost access to the private key.
> 
Reason for revocation: Key is no longer used
Using revocation certificate that was generated when key was created. It is very likely that I have lost access to the private key.
Is this okay? (y/N) y

Then printing it on paper

Creating Encryption subkey

Idea following https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ is to create the encryption key out of yubikey and importing it so it can be imported on several yubikey's. 

$ gpg --edit-key 9B554C36544C89BC
gpg> addkey
Please select what kind of key you want:
  (6) RSA (encrypt only)
Your selection? 6
What keysize do you want? (2048) 2048
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub  4096R/0x9B554C36544C89BC  created: 2016-02-04  expires: 2018-02-03  usage: C   
                               trust: ultimate      validity: ultimate
sub  2048R/0x47B68B62B62C8F88  created: 2016-02-04  expires: 2018-02-03  usage: E   
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>
gpg> save

Just to be sure

$ gpg --export-secret-key 9B554C36544C89BC > /media/phil/GNUPG/9B554C36544C89BC-2016-02-04-47B68B62B62C8F88-secret.pgp
$ gpg --delete-secret-key 9B554C36544C89BC
$ gpg --import < /media/phil/GNUPG/9B554C36544C89BC-2016-02-04-47B68B62B62C8F88-secret.pgp

Yubikey

$ sudo apt-get install yubikey-personalization ykneomgr
$ wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/69-yubikey.rules 
$ wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/70-yubikey.rules 
$ sudo mv *rules /etc/udev/rules.d/
$ sudo chown root.root /etc/udev/rules.d/*yubikey.rules

Insert yubikey NEO-n 

$ ykinfo -a

To keep possibility to use all modes simultaneously: 

$ ykpersonalize -m86
Firmware version 3.3.0 Touch level 1285 Program sequence 1
The USB mode will be set to: 0x86
Commit? (y/n) [n]: y

Creating Signature and Authentication subkeys

Yes default admin PIN is 12345678 and default user PIN is 123456.
We'll change them later. 

$ gpg --edit-key 9B554C36544C89BC
gpg> addcardkey
Please select the type of key to generate:
   (1) Signature key
Your selection? 1
Enter Admin PIN: 12345678
Enter PIN: 123456
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub  4096R/0x9B554C36544C89BC  created: 2016-02-04  expires: 2018-02-03  usage: C   
                               trust: ultimate      validity: ultimate
sub  2048R/0x47B68B62B62C8F88  created: 2016-02-04  expires: 2018-02-03  usage: E   
sub  2048R/0xAEBAADBEE208E2DD  created: 2016-02-04  expires: 2018-02-03  usage: S   
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>

gpg> addcardkey
Please select the type of key to generate:
   (3) Authentication key
Your selection? 3
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub  4096R/0x9B554C36544C89BC  created: 2016-02-04  expires: 2018-02-03  usage: C   
                               trust: ultimate      validity: ultimate
sub  2048R/0x47B68B62B62C8F88  created: 2016-02-04  expires: 2018-02-03  usage: E   
sub  2048R/0xAEBAADBEE208E2DD  created: 2016-02-04  expires: 2018-02-03  usage: S   
sub  2048R/0xE5151B7FDCA95A14  created: 2016-02-04  expires: 2018-02-03  usage: A   
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>

Ready to import Encryption subkey?

At this point we should import the encryption key to the yubikey but I got some error: 

gpg: error writing key to card: not supported

Some say to use keyParser.py but I found out gpg2 works. Gpg could work directly with the card (except for the keytocard obviously) but Gpg2 needs sdaemon for that: 

$ sudo apt-get install gnupg2 scdaemon

Yet another quirk: gnupg gave some warnings about locking from FAT but gnupg2 just refuses using FAT, so I add to the gpg.conf of the SD-Card: 

# allow linux to write to FAT disks
lock-never

Encryption key to Yubikey

$ gpg2 --edit-key 9B554C36544C89BC
gpg> toggle
gpg> key 1
sec  4096R/0x9B554C36544C89BC  created: 2016-02-04  expires: 2018-02-03
ssb* 2048R/0x47B68B62B62C8F88  created: 2016-02-04  expires: never     
ssb  2048R/0xAEBAADBEE208E2DD  created: 2016-02-04  expires: never     
                     card-no: 0006 03037217
ssb  2048R/0xE5151B7FDCA95A14  created: 2016-02-04  expires: never     
                     card-no: 0006 03037217
(1)  Philippe Teuwen <phil@teuwen.org>
gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
gpg> save

Adding UID and photo

Choose a 240x288 picture strongly compressed (I chose jpeg quality 20) to obtain a size < 5kb. 

$ gpg2 --edit-key 9B554C36544C89BC
gpg> adduid
Real name: Philippe Teuwen
Email address: pteuwen@quarkslab.com
Comment: 
You selected this USER-ID:
    "Philippe Teuwen <pteuwen@quarkslab.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

gpg> addphoto
Enter JPEG filename for photo ID: ~/phil20.jpg
pub  4096R/0x9B554C36544C89BC  created: 2016-02-04  expires: 2018-02-03  usage: C   
                               trust: ultimate      validity: ultimate
sub  2048R/0x47B68B62B62C8F88  created: 2016-02-04  expires: 2018-02-03  usage: E   
sub  2048R/0xAEBAADBEE208E2DD  created: 2016-02-04  expires: 2018-02-03  usage: S   
sub  2048R/0xE5151B7FDCA95A14  created: 2016-02-04  expires: 2018-02-03  usage: A   
[ultimate] (1)  Philippe Teuwen <phil@teuwen.org>
[ unknown] (2). Philippe Teuwen <pteuwen@quarkslab.com>
[ unknown] (3)  [jpeg image of size 4266]

gpg> uid 1
gpg> primary
gpg> save

Almost there

Exporting key 

$ gpg --armor --export 9B554C36544C89BC > /media/phil/GNUPG/9B554C36544C89BC.asc

And pushing it to http://www.yobi.be/files/9B554C36544C89BC.asc

Back to the daily .gnupg 

$ sudo umount ~/.gnupg

Changing default PINs 

$ gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000006030372170000 detected
1 - change PIN
Your selection? 1
Please enter the PIN
   123456
New PIN
   ...              
New PIN
   ...
PIN changed.     

3 - change Admin PIN
Your selection? 3
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN
   12345678                
New Admin PIN
   ...                    
New Admin PIN
   ...
PIN changed.     

Q - quit
Your selection? q

gpg/card> forcesig
gpg/card> url
URL to retrieve public key: http://www.yobi.be/files/9B554C36544C89BC.asc

gpg/card> fetch
gpg: requesting key 0xAEBAADBEE208E2DD from http server www.yobi.be

gpg/card> quit

$ gpg --card-status
Application ID ...: D2760001240102000006030372170000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: xxxxxxxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : http://www.yobi.be/files/9B554C36544C89BC.asc
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 2
Signature key ....: 67E1 AAA2 46D7 9037 7671  BAD5 AEBA ADBE E208 E2DD
      created ....: 2016-02-04 10:56:03
Encryption key....: 55A5 1FF1 F45A A846 EC12  A5D4 47B6 8B62 B62C 8F88
      created ....: 2016-02-04 10:26:52
Authentication key: 93FE E3BA 0F4D 4461 19E8  1CBE E515 1B7F DCA9 5A14
      created ....: 2016-02-04 10:57:35
General key info..: 
pub  2048R/0xAEBAADBEE208E2DD 2016-02-04 Philippe Teuwen <phil@teuwen.org>
sec#  4096R/0x9B554C36544C89BC  created: 2016-02-04  expires: 2018-02-03
ssb>  2048R/0x47B68B62B62C8F88  created: 2016-02-04  expires: 2018-02-03
                      card-no: 0006 03037217
ssb>  2048R/0xAEBAADBEE208E2DD  created: 2016-02-04  expires: 2018-02-03
                      card-no: 0006 03037217
ssb>  2048R/0xE5151B7FDCA95A14  created: 2016-02-04  expires: 2018-02-03
                      card-no: 0006 03037217

Changing default key in gpg.conf 

default-key  0xF14883379E8DD09F03280E1B9B554C36544C89BC

Last check

$ sudo apt-get install hopenpgp-tools
$ hkt export-pubkeys 'AEBAADBEE208E2DD' | hokey lint

All green \o/

Signing new key with the old one

$ gpg --default-key 9ad7e3db --sign-key 9B554C36544C89BC
Really sign all user IDs? (y/N) y
   (3) I have done very careful checking.
Your selection? (enter `?' for more information): 3
Really sign? (y/N) y

$ gpg --send-key 9B554C36544C89BC

As it's a pool I sent it 10x, rather than waiting them to all sync...

And also for those still using pgp.mit.edu: 

$ gpg --keyserver pgp.mit.edu --send-key 9B554C36544C89BC

Transition

Now let's ask some helpful souls who signed my old key.

Stealing and adapting key transition text from https://we.riseup.net/assets/176898/key%20transition

Mass mailing to those who've signed the old one: 

$ gpg --list-sigs 9ad7e3db|grep ^sig|sed 's/.*<//;s/>.*//;/^sig/d'|sort|uniq|tr '\n' ','

OpenSSH

Using the OpenPGP key and the Yubikey for OpenSSH 

$ sudo apt-get install monkeysphere

We need to specifying the authentication subkey here! 

$ gpgkey2ssh E5151B7FDCA95A14
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeNXjx+2M1F7CuYRMkoHv6iUnXe93JatAjhmh1ciXIrTk/Agc4JEgb9uTxYA3pNe/qXVSrSdAqJu0cUENj30rLvKOliL0MH1TxGDnZ0JSxv0UA/skwapRwiTKgsHHng7gbq1/07eBl0luywLT1E/4sbeZ6cAK9e8JAO9GahiyYnrzt2nXzoVxGYl2AHkHFuCqHEMH/KQuQ8Tba+ZjqpRbjnreuI9tJQ8eWpMjLr2AYuWgAU5GtbWFHJi0WJI/2kYybT7co7Kldoxg8PRvBE/QQPdP811jc06pf4CVgfCGvCWZaslqG5pLy8LneqYciuQuXDCQMlAWniThTPjf5VLhx COMMENT


Paper backup of the secret keys

If you don't trust SD-Card longevity... 

apt-get install paperkey
gpg --export-secret-key key_id | paperkey

GnuPG signing parties

Short GnuPG reference card

GnuPG old notes

Retrieved from "https://wiki.yobi.be/index.php?title=GnuPG&oldid=9912"