Difference between revisions of "GnuPG"
Jump to navigation
Jump to search
m (→Almost there) |
m |
||
| Line 323: | Line 323: | ||
$ gpgkey2ssh E5151B7FDCA95A14 |
$ gpgkey2ssh E5151B7FDCA95A14 |
||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeNXjx+2M1F7CuYRMkoHv6iUnXe93JatAjhmh1ciXIrTk/Agc4JEgb9uTxYA3pNe/qXVSrSdAqJu0cUENj30rLvKOliL0MH1TxGDnZ0JSxv0UA/skwapRwiTKgsHHng7gbq1/07eBl0luywLT1E/4sbeZ6cAK9e8JAO9GahiyYnrzt2nXzoVxGYl2AHkHFuCqHEMH/KQuQ8Tba+ZjqpRbjnreuI9tJQ8eWpMjLr2AYuWgAU5GtbWFHJi0WJI/2kYybT7co7Kldoxg8PRvBE/QQPdP811jc06pf4CVgfCGvCWZaslqG5pLy8LneqYciuQuXDCQMlAWniThTPjf5VLhx COMMENT |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeNXjx+2M1F7CuYRMkoHv6iUnXe93JatAjhmh1ciXIrTk/Agc4JEgb9uTxYA3pNe/qXVSrSdAqJu0cUENj30rLvKOliL0MH1TxGDnZ0JSxv0UA/skwapRwiTKgsHHng7gbq1/07eBl0luywLT1E/4sbeZ6cAK9e8JAO9GahiyYnrzt2nXzoVxGYl2AHkHFuCqHEMH/KQuQ8Tba+ZjqpRbjnreuI9tJQ8eWpMjLr2AYuWgAU5GtbWFHJi0WJI/2kYybT7co7Kldoxg8PRvBE/QQPdP811jc06pf4CVgfCGvCWZaslqG5pLy8LneqYciuQuXDCQMlAWniThTPjf5VLhx COMMENT |
||
| + | |||
| + | |||
| + | == Paper backup of the secret keys == |
||
| + | If you don't trust SD-Card longevity... |
||
| + | apt-get install paperkey |
||
| + | gpg --export-secret-key key_id | paperkey |
||
| + | ==[[GnuPG signing parties]]== |
||
| + | |||
| + | ==[[Short GnuPG reference card]]== |
||
| + | |||
| + | ==[[GnuPG old notes]]== |
||
Revision as of 23:55, 4 February 2016
Those are personal notes when I decided in 2016 to generate a new key as transition from my previous one (from 2002!).
Daily subkeys are stored on a Yubikey NEO-n and master key is stored offline.
Resources
The steps I followed and which I describe only very briefly here, more to remind how I combined them, came from those excellent resources:
- https://help.riseup.net/en/security/message-security/openpgp/best-practices
- http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
- https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
gpg.conf
First step was to refresh a little bit my gpg.conf.
See https://github.com/ioerror/duraconf/raw/master/configs/gnupg/gpg.conf for commented gpg.conf and https://help.riseup.net/en/security/message-security/openpgp/best-practices for the reasons behind.
no-emit-version no-comments keyid-format 0xlong with-fingerprint list-options show-uid-validity verify-options show-uid-validity use-agent keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options ca-cert-file=/home/phil/.gnupg/keyservers/sks-keyservers.netCA.pem keyserver-options no-try-dns-srv keyserver-options no-honor-keyserver-url keyserver-options include-revoked personal-cipher-preferences AES256 AES192 AES CAST5 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 cert-digest-algo SHA512 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Some more of my own:
no-greeting keyserver-options auto-key-retrieve honor-http-proxy list-options show-policy-urls show-notations show-keyserver-urls show-uid-validity show-unusable-uids show-unusable-subkeys show-sig-expire verify-options show-photos show-policy-urls show-notations show-keyserver-urls show-uid-validity show-unusable-uids utf8-strings ask-cert-level
Offline storage
Digressing a little bit...
I chose an old SDCard to store the master key offline, but it required a little bit of maintenance because it wasn't mounting automatically:
Making sude partition table was ok:
$ sudo fdisk /dev/mmcblk0
Checking FS signatures:
$ sudo wipefs /dev/mmcblk0p1
There was still a mix of FAT and ext2 signatures, so deleting the ext2 signature based on the returned offset:
$ sudo wipefs -o 0x438 /dev/mmcblk0p1
Formatting
$ sudo mkfs.vfat /dev/mmcblk0p1 $ sudo fatlabel /dev/mmcblk0p1 GNUPG
Reinserting it to get it mounted automatically, then
$ cp ~/.gnupg/gpg.conf /media/phil/GNUPG $ sudo mount --bind /media/phil/GNUPG ~/.gnupg
Entropy
Creating large keys require large entropy.
I like haveged for that:
$ sudo apt-get install haveged
Creating main key
Idea following https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ is to keep the main key completely offline so if yubikey is lost, there is still some hope.
$ gpg --expert --gen-key Please select what kind of key you want: (8) RSA (set your own capabilities) Your selection? 8 Current allowed actions: Sign Certify Encrypt Your selection? s Your selection? e Current allowed actions: Certify Your selection? q What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Key is valid for? (0) 2y Is this correct? (y/N) y Real name: Philippe Teuwen Email address: phil@teuwen.org Comment: You selected this USER-ID: "Philippe Teuwen <phil@teuwen.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o gpg: key 0x9B554C36544C89BC marked as ultimately trusted public and secret key created and signed.
Creating revokation certificate
$ gpg --gen-revoke 9B554C36544C89BC > /media/phil/GNUPG/rev-phil_teuwen.org_2016 sec 4096R/0x9B554C36544C89BC 2016-02-04 Philippe Teuwen <phil@teuwen.org> Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 3 = Key is no longer used Your decision? 3 Enter an optional description; end it with an empty line: >Using revocation certificate that was generated when key was created. >It is very likely that I have lost access to the private key. > Reason for revocation: Key is no longer used Using revocation certificate that was generated when key was created. It is very likely that I have lost access to the private key. Is this okay? (y/N) y
Then printing it on paper
Creating Encryption subkey
Idea following https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ is to create the encryption key out of yubikey and importing it so it can be imported on several yubikey's.
$ gpg --edit-key 9B554C36544C89BC
gpg> addkey
Please select what kind of key you want:
(6) RSA (encrypt only)
Your selection? 6
What keysize do you want? (2048) 2048
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>
gpg> save
Just to be sure
$ gpg --export-secret-key 9B554C36544C89BC > /media/phil/GNUPG/9B554C36544C89BC-2016-02-04-47B68B62B62C8F88-secret.pgp $ gpg --delete-secret-key 9B554C36544C89BC $ gpg --import < /media/phil/GNUPG/9B554C36544C89BC-2016-02-04-47B68B62B62C8F88-secret.pgp
Yubikey
$ sudo apt-get install yubikey-personalization ykneomgr $ wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/69-yubikey.rules $ wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/70-yubikey.rules $ sudo mv *rules /etc/udev/rules.d/ $ sudo chown root.root /etc/udev/rules.d/*yubikey.rules
Insert yubikey NEO-n
$ ykinfo -a
To keep possibility to use all modes simultaneously:
$ ykpersonalize -m86 Firmware version 3.3.0 Touch level 1285 Program sequence 1 The USB mode will be set to: 0x86 Commit? (y/n) [n]: y
Creating Signature and Authentication subkeys
Yes default admin PIN is 12345678 and default user PIN is 123456.
We'll change them later.
$ gpg --edit-key 9B554C36544C89BC
gpg> addcardkey
Please select the type of key to generate:
(1) Signature key
Your selection? 1
Enter Admin PIN: 12345678
Enter PIN: 123456
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
sub 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 usage: S
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>
gpg> addcardkey
Please select the type of key to generate:
(3) Authentication key
Your selection? 3
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
sub 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 usage: S
sub 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03 usage: A
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>
Ready to import Encryption subkey?
At this point we should import the encryption key to the yubikey but I got some error:
gpg: error writing key to card: not supported
Some say to use keyParser.py but I found out gpg2 works. Gpg could work directly with the card (except for the keytocard obviously) but Gpg2 needs sdaemon for that:
$ sudo apt-get install gnupg2 scdaemon
Yet another quirk: gnupg gave some warnings about locking from FAT but gnupg2 just refuses using FAT, so I add to the gpg.conf of the SD-Card:
# allow linux to write to FAT disks lock-never
Encryption key to Yubikey
$ gpg2 --edit-key 9B554C36544C89BC
gpg> toggle
gpg> key 1
sec 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03
ssb* 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: never
ssb 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: never
card-no: 0006 03037217
ssb 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: never
card-no: 0006 03037217
(1) Philippe Teuwen <phil@teuwen.org>
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
gpg> save
Adding UID and photo
Choose a 240x288 picture strongly compressed (I chose jpeg quality 20) to obtain a size < 5kb.
$ gpg2 --edit-key 9B554C36544C89BC
gpg> adduid
Real name: Philippe Teuwen
Email address: pteuwen@quarkslab.com
Comment:
You selected this USER-ID:
"Philippe Teuwen <pteuwen@quarkslab.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg> addphoto
Enter JPEG filename for photo ID: ~/phil20.jpg
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
sub 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 usage: S
sub 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03 usage: A
[ultimate] (1) Philippe Teuwen <phil@teuwen.org>
[ unknown] (2). Philippe Teuwen <pteuwen@quarkslab.com>
[ unknown] (3) [jpeg image of size 4266]
gpg> uid 1
gpg> primary
gpg> save
Almost there
Exporting key
$ gpg --armor --export 9B554C36544C89BC > /media/phil/GNUPG/9B554C36544C89BC.asc
And pushing it to http://www.yobi.be/files/9B554C36544C89BC.asc
Back to the daily .gnupg
$ sudo umount ~/.gnupg
Changing default PINs
$ gpg --card-edit gpg/card> admin Admin commands are allowed gpg/card> passwd gpg: OpenPGP card no. D2760001240102000006030372170000 detected 1 - change PIN Your selection? 1 Please enter the PIN 123456 New PIN ... New PIN ... PIN changed. 3 - change Admin PIN Your selection? 3 gpg: 3 Admin PIN attempts remaining before card is permanently locked Please enter the Admin PIN 12345678 New Admin PIN ... New Admin PIN ... PIN changed. Q - quit Your selection? q gpg/card> forcesig gpg/card> url URL to retrieve public key: http://www.yobi.be/files/9B554C36544C89BC.asc gpg/card> fetch gpg: requesting key 0xAEBAADBEE208E2DD from http server www.yobi.be gpg/card> quit
$ gpg --card-status Application ID ...: D2760001240102000006030372170000 Version ..........: 2.0 Manufacturer .....: unknown Serial number ....: xxxxxxxxx Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : http://www.yobi.be/files/9B554C36544C89BC.asc Login data .......: [not set] Signature PIN ....: not forced Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 2 Signature key ....: 67E1 AAA2 46D7 9037 7671 BAD5 AEBA ADBE E208 E2DD created ....: 2016-02-04 10:56:03 Encryption key....: 55A5 1FF1 F45A A846 EC12 A5D4 47B6 8B62 B62C 8F88 created ....: 2016-02-04 10:26:52 Authentication key: 93FE E3BA 0F4D 4461 19E8 1CBE E515 1B7F DCA9 5A14 created ....: 2016-02-04 10:57:35 General key info..: pub 2048R/0xAEBAADBEE208E2DD 2016-02-04 Philippe Teuwen <phil@teuwen.org> sec# 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 ssb> 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 card-no: 0006 03037217 ssb> 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 card-no: 0006 03037217 ssb> 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03 card-no: 0006 03037217
Changing default key in gpg.conf
default-key 0xF14883379E8DD09F03280E1B9B554C36544C89BC
Last check
$ sudo apt-get install hopenpgp-tools $ hkt export-pubkeys 'AEBAADBEE208E2DD' | hokey lint
All green \o/
Signing new key with the old one
$ gpg --default-key 9ad7e3db --sign-key 9B554C36544C89BC Really sign all user IDs? (y/N) y (3) I have done very careful checking. Your selection? (enter `?' for more information): 3 Really sign? (y/N) y
$ gpg --send-key 9B554C36544C89BC
As it's a pool I sent it 10x, rather than waiting them to all sync...
And also for those still using pgp.mit.edu:
$ gpg --keyserver pgp.mit.edu --send-key 9B554C36544C89BC
Transition
Now let's ask some helpful souls who signed my old key.
Stealing and adapting key transition text from https://we.riseup.net/assets/176898/key%20transition
OpenSSH
Using the OpenPGP key and the Yubikey for OpenSSH
$ sudo apt-get install monkeysphere
We need to specifying the authentication subkey here!
$ gpgkey2ssh E5151B7FDCA95A14 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeNXjx+2M1F7CuYRMkoHv6iUnXe93JatAjhmh1ciXIrTk/Agc4JEgb9uTxYA3pNe/qXVSrSdAqJu0cUENj30rLvKOliL0MH1TxGDnZ0JSxv0UA/skwapRwiTKgsHHng7gbq1/07eBl0luywLT1E/4sbeZ6cAK9e8JAO9GahiyYnrzt2nXzoVxGYl2AHkHFuCqHEMH/KQuQ8Tba+ZjqpRbjnreuI9tJQ8eWpMjLr2AYuWgAU5GtbWFHJi0WJI/2kYybT7co7Kldoxg8PRvBE/QQPdP811jc06pf4CVgfCGvCWZaslqG5pLy8LneqYciuQuXDCQMlAWniThTPjf5VLhx COMMENT
Paper backup of the secret keys
If you don't trust SD-Card longevity...
apt-get install paperkey gpg --export-secret-key key_id | paperkey