August 8, 2015 security gpg

GPG Howto

Audience: anyone

Keywords: gpg security privacy encryption

❧❧❧

At one point I thought changing my name might help with privacy, but that was before the Internet. — Olivia Wilde

Have you ever told a secret to a friend? Made a transaction at your bank? Wrote an entry in your diary? Invented a secret handshake? Been to the doctor? Got a "steal" sign from your baseball coach? All of these should be private — between you and the person or thing you’re communicating with. There are two main technical standards for privacy: TLS/SSL and OpenPGP. TLS/SSL are what’s used to secure the forms you fill out on web pages, and handle secure "connections". In this episode we’ll learn all about OpenPGP, AKA Pretty Good Privacy. This is what’s used to encrypt, sign, and verify (prove who the person is) any message or file you write or read. It uses a pair of "keys" to do these jobs.

GPG is the tool we’ll focus on that implements the OpenPGP standard. It’s been around for 20+ years and is the industry standard for encrypting, signing, and verifying the contents and senders of messages and files. It’s also pretty fun to use.

The users of OpenPGP form a club of folks who want to build a "Web Of Trust" (WOT). Anyone can get in; all you need is:

  1. A little knowledge of the gpg tool (which you’ll get here)

  2. Some official identification for yourself

  3. A willingness to meet people to verify their identity and sign their keys

(I hope you’re already using Zsh. If not, see previous episodes to get up to speed.)

Zsh has great command completion for gpg. Make sure you’re tab-ing all the time to auto-complete options and arguments.

Is it worth the effort/trouble?

In order to join certain mailing lists and development groups (fedora), the first thing you may be asked for is your GPG public key.

Some people you work with are going to require that your emails to them be signed.

If you develop and distribute a software package, many of your users may expect to be able to download your public key in order to verify that the software comes from you. (pacman -Qi coreutils). (https://wiki.archlinux.org/index.php/pacman-key) Though it’s more typically just a hash (MD5/SHA1).

Go get some official identification

To make any of this OpenPGP stuff legit, you’re going to need some real ID. Many kids don’t have ready access to a common ID card. But they should.

You absolutely need some sort of official ID. This could be a driver’s licence, identification card (get this from your local DMV; no age requirement), school student-body card, birth certificate/card, social security card. ([ID cards in California](http://www.dmv.ca.gov/dl/dl_info.htm#idcard))

If you don’t think you have a need for a passport, just pick up a state ID card from your DMV. It’s easy and cheap. Too many kids don’t have ID that they can readily show. So go get one.

Commands (not options)

GPG has several commands. They come near the end of the invocation. The ones we’ll care about are:

--gen-key
--gen-revoke
--list-keys    -k
--verify
--encrypt      -e
--decrypt      -d
--sign         -s
--cl(earsign)
--fin(gerprint)

Some later uses:

--fingerprint
--recv-keys
--send-keys
--edit-key

Options alter the way commands behave. Most of the options we can set permanently in our config file. We’ll get to that later. But here are some important ones:

--armor
--recipient   -r

Creating your own key

When creating your keys, you’ll want to ensure that your name is identical to what’s on your ID cards. If you use your middle name or initial on them, type it exactly as it shows on them.

% gpg --gen-key
> 1
> 4096
> 1y
> Your Full Real Name
> you@yourmail.com
> student and hacker
> confirm

Now you need to generate some entropy! Moving your mouse around as instructed might not be enough. Here’s something to run which will speed things up.

% haveged -n 0 | dieharder -g 200 -a

Take a look at your new key!

gpg --list-keys
gpg --list-keys you«tab»

Revocation key

Adding a picture

Your pic should be a JPEG of dimensions 240 wide by 288 tall. Aim for 4 KB in size. If you don’t have a good headshot, use your webcam with a solid background. Capture part of your shoulderblades, and all of your head. Crop it down, and export to a fairly low resolution/quality. I like gimp for this. Tune the size until you get down to ~4KB. (show vid of how to do this)

Now let’s add it.

gpg --edit-key <your-key-ID> addphoto
> /full/path/to/you.jpg
> save

GnuPG will then ask you for the filename of your JPEG image. Specify the complete path.

Configuration

There’s a file in your ~/.gnupg directory called gpg.conf. This contains several settings that affect the way gpg behaves. Here are the settings you’ll want to enable:

% vim ~/.gnupg/gpg.conf
---
keyserver hkp://keys.gnupg.net
no-greeting
keyserver-options auto-key-retrieve
armor
list-options show-photos
photo-viewer "feh --title 'GPG: KeyID 0x%k' %i"
keyid-format long

Upload your key to a key server

Upload your key after once you’re absolutely certain you’ve done this as described. Once a key gets posted, the only way to remove it is with a revocation key.

Getting others' keys

gpg --recv-keys
gpg --import

Get a [well trusted GPG guru’s key](http://pgp.mit.edu/pks/lookup?op=vindex&search=0x9CDD9A214EBA9723). Take a look at that page and note that his keyID is 4EBA9723. Grab it.

gpg --recv-keys 4EBA9723

Now let’s search for someone else’s key. Visit [the GPG search tool](http://pgp.mit.edu/).

Actually, we can do it from the command line:

gpg --sea(rch-keys)

Search for "Richard Stallman". Notice that there are several of them. How do you know which to trust? Head over to his site and note his message:

"to be really sure which key is mine, you need to get my key fingerprint
from me or follow a chain of signatures."

Here’s a security legend: Bruce Schneier

Some people post their pubkeys on their websites. Here are a couple examples:

How to make sense of gpg output

Bruce Schneier no longer keeps his current valid key on a key server. You have to go to his site to download it. Actually, select and copy it from that page and paste it into pubkey.schneier.com.asc.

Now let’s import it. This is essentially the same thing as a --recv-keys does.

gpg --import pubkey.schneier.com.asc

Let’s look at Bruce Schneier’s GPG info:

9A98966F

Notice that both of these luminaries are now using 4096-bit keys. That’s why we bumped ours up, too.

Testing dummy keys

Generate a new user on your system, or partner up with a friend.

Exchanging keys with people you meet

You should only sign keys for persons you meet face-to-face. The goal is to verify their identity, not how good of a person she is. Here’s what you need from them.

Inspecting someone’s key

Check their fingerprint

View their picture. gpg --list-keys --list-options show-photo mde

Key-signing parties

Other tools

Entropy generation (haveged, dieharder): haveged -n 0 | dieharder -g 200 -a

Seahorse key manager GUI

Other cool uses for GPG

  • bitcoin privacy

Terminology

  • Web Of Trust (WOT) — a network of folks who have signed each others' keys

  • subkey — same as a pubkey (public key); pub and priv are each "sub"-keys since it takes them both together to make the "full" key.

  • key server — keys.gnupg.net, pgp.mit.edu

  • PKI — Public Key Infrastructure (the systems, people, and keys that service the WOT)

  • gpg — CLI interface with a lot of options

  • .asc — a plain ASCII file encoding; basically plain readable (not binary) text

  • .sig

  • fingerprint — a long hex string identifying they person/key; view with:

  • keyID — a short version of the fingerprint; these are shown everywhere! eg, 299C28F0

  • signature — the signings of a given key, the more the better

  • signing

  • hkp — Horowitz Key Protocol, eg: hkp://pgp.mit.edu

  • certificate

  • non-repudiation

  • rsa — the only algorithm you’ll want to use

  • base64 — the encoding of ascii you can read