GPG Guide

Guide on creating and using GPG keys

WIP (Ctrl-S's job)

Guide for securely creating a PGP keyset. Currently most available smartcards support a maximum of 2048 bit RSA keys. Some smartcards support longer keys. This guide will use 2048 bit RSA keys for as much security as is currently practical.

Preparation
e.g.
 * Determine where you want to store your secret keys.
 * I suggest in a subfolder on each USB drive.
 * Decide how long you want the keys to remain valid.
 * It is supposed to be possible to increase this time at a later time, but I don't know how this shit works yet.


 * Command notation quickref:

Buy stuff
You will need:
 * 1X Computer.
 * 1X (boot)USB flash drive 16GB+ (32GB+ USB3+ preferred).
 * 3X (keystore) USB flash drive.
 * 1X Pen/pencil.
 * 3X Pieces of paper.
 * 1+ Smartcard(s) that support PGP/GPG. (e.g. Yubico YubiKey 5 USB authenticator)

Create Ubuntu LiveUSB Environment
Find out what storage devices are connected: e.g.
 * Have a USB flash drive (32GB+ USB3+ preferred).
 * Download the latest Ubuntu desktop ISO. Available from: https://ubuntu.com/download/desktop
 * Have an Ubuntu Linux environment to create the LiveUSB from.
 * Install the drive creation tools:
 * Figure out which device is your flash drive.

Write a persistent Ubuntu LiveUSB Environment to the flash drive

 * 1) Press the Windows key on your keyboard to bring up the Ubuntu app search screen.
 * 2) type
 * 3) Run the mkusb tool by clicking on it.


 * 1) Choose: i - "Install (make a boot device)".
 * 2) Choose: p - "Persistent live – only Debian and Ubuntu".
 * 3) Select the ubuntu ISO file on your machine.
 * 4) Select the device that matches your USB drive to install onto.
 * 5) Choose just: "usb-pack-efi (default grub from ISO file)"
 * 6) Tell the program how much space to give to the LiveUSB Ubuntu install for its own storage; about half of the disk should do (4GB+).
 * 7) Confirm everything is correct, as continuing with incorrect settings may destroy your data.
 * 8) If everything is correct, select "go" and click "go".
 * 9) Wait for the program to write to the USB drive.
 * 10) Choose: "Quit"
 * 11) Choose: "Quit"
 * 12) Press return in the console windows to exit it.

Your USB drive should now be ready to boot from.

Boot liveUSB

 * 1) Have machine powered off.
 * 2) Insert bootable USB drive.
 * 3) Hold F2 while powering on the machine until the BIOS menu shows up.
 * 4) Choose to boot from the USB drive.
 * 5) The Ubuntu bootloader should autoselect the persistent LiveUSB.
 * 6) Let the machine boot into the persistent LiveUSB.
 * 7) Ubuntu desktop environment should be displayed on your computer.

Update liveUSB software
Open a terminal window by pressing the three keys simultaneously: Ctrl-Alt-T
Run the following commands:
 * Check how much free space you have:
 * You should see a line containing, and it should have at least 1GB of space free. If this is not the case, you probably did not succeed with the previous steps.
 * This alternative command should show only the disk partition we are interested in:

Enable extra apt repositories: (You will need an internet connection for this part.)

Enable smartcard support. (generic)
(You will need an internet connection for this part.)

This is an example of expected output with a YubiKey 5, with values removed for confidentiality:

Remove machine from network

 * Remove all network cables from the machine.
 * Turn off all wifi devices on the machine.
 * Test by running:
 * You should fail to connect.

Generate keys

 * !!! BE OFFLINE !!!

Smartcard PIN codes
 * You need to set two PIN codes for your smartcard: a user PIN and an admin PIN.

(apg is a Linux tool to generate random passwords: https://linux.die.net/man/1/apg ) The user PIN is required to use the stored keys.
 * Generate a random number to use as a PIN for your smartcard
 * Write down the user PIN code on your paper.

The admin PIN is used to edit the card.
 * Write down the admin PIN code on your paper.


 * Store copies of these codes in safe places where you will not lose them and nobody can read them.
 * You will not be able to use the smartcard without the correct code.


 * Change the smartcard's user PIN.


 * Change the smartcard's admin PIN
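
The PIN steps above, as an added example that is not part of the guide: random numeric PINs drawn from /dev/urandom stand in for apg, and a check rejects PINs that are too short for the card or still the factory default. The minimum lengths (6 digits user, 8 digits admin) and defaults (123456 / 12345678) are the OpenPGP card values assumed here.

```shell
#!/bin/sh
# Added example (not from the guide): random numeric PINs from /dev/urandom,
# standing in for apg, checked against OpenPGP card limits before use.
# Assumed: the OpenPGP card spec minimums of 6 digits (user PIN) and
# 8 digits (admin PIN), and the factory defaults 123456 / 12345678.
set -u

# gen_pin LEN: print LEN random decimal digits.
gen_pin() {
  LC_ALL=C tr -dc '0-9' </dev/urandom | head -c "$1"
  echo
}

# check_pin ROLE PIN: returns 0 when PIN is digits only, long enough for
# ROLE (user|admin) and not the factory default; 1 otherwise.
check_pin() {
  role="$1"; pin="$2"
  case "$role" in
    user)  min=6; default=123456 ;;
    admin) min=8; default=12345678 ;;
    *)     echo "unknown role: $role" >&2; return 1 ;;
  esac
  case "$pin" in ""|*[!0-9]*) return 1 ;; esac   # digits only
  [ "${#pin}" -ge "$min" ] || return 1            # long enough
  [ "$pin" != "$default" ] || return 1            # default still set
  return 0
}

# After both PINs are written on paper, set them on the card. gpg asks for
# the current PIN first (the factory default on a new card). Kept in a
# function so nothing touches a card until you call it.
change_card_pins() {
  gpg --change-pin   # menu: 1 = change PIN, 3 = change Admin PIN, Q = quit
}
```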

GPG Secret keys

 * Create the master key as demonstrated in the following example:
 * This master key should be 4096 bits in size.


 * When asked: "Please select what kind of key you want:"
 * Choose: "(1) RSA and RSA (default)"


 * When asked: What keysize do you want?
 * Choose: 4096


 * When asked: "Please specify how long the key should be valid."
 * Choose: 0 = key does not expire

Select it, and copy the text to the clipboard by right-clicking the highlighted text and choosing "copy".
 * A hexadecimal 'name' for the key you just generated should be displayed in the console.
 * In the example this keyname was

Create subkeys for actual use

 * One subkey for each of: Encrypt, Authenticate, Sign
 * These subkeys should each be 2048 bits in size so they can fit onto all common smartcards.
 * (To create subkeys as shown you must use the  command-line argument)


 * Example of creating subkeys:

Store keys to backup drives

 * !!! BE OFFLINE !!!
 * Create a folder to store our secret keys:


 * Change to the folder where we want to save the keys to:


 * Secret keys:


 * Public keys:


 * Revocation certificate:
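
The key generation (GPG Secret keys, Create subkeys) and backup (Store keys to backup drives) steps above, as one added scripted example that is not part of the guide: a certify-only 4096-bit RSA master key with no expiry, 2048-bit RSA subkeys for sign/encrypt/auth, and an armored export of secret keys, public key and revocation certificate. It assumes GnuPG 2.1 or later; the identity, passphrase and one-year subkey lifetime are constructed placeholders, and everything runs in a throwaway GNUPGHOME so your real keyring is untouched.

```shell
#!/bin/sh
# Added example (not from the guide): scripted equivalent of the interactive
# steps, in a throwaway GNUPGHOME. Master: RSA 4096, certify only, never
# expires. Subkeys: RSA 2048 for sign/encrypt/auth so they fit smartcards.
# Then an armored backup. Assumes GnuPG >= 2.1; identity, passphrase and
# the 1y subkey lifetime are constructed placeholders.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }

UID_STRING="Example User <user@example.invalid>"
PASS="example-passphrase-change-me"
GNUPGHOME=$(mktemp -d); export GNUPGHOME
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT
g() { gpg --batch --pinentry-mode loopback --passphrase "$PASS" "$@"; }

# Generate the master key and print its fingerprint (the hexadecimal 'name').
generate_master() {
  g --quick-generate-key "$UID_STRING" rsa4096 cert never >/dev/null
  gpg --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }'
}

# One 2048-bit subkey per capability, added to the master key FPR.
add_subkeys() {
  for usage in sign encr auth; do
    g --quick-add-key "$1" rsa2048 "$usage" 1y >/dev/null
  done
}

# Subkey capability letters in creation order, expected "sea".
subkey_capabilities() {
  gpg --list-secret-keys --with-colons | awk -F: '/^ssb:/ { printf "%s", $12 } END { print "" }'
}

# Key sizes, master first, expected "4096 2048 2048 2048".
key_sizes() {
  gpg --list-secret-keys --with-colons | awk -F: '/^(sec|ssb):/ { printf "%s ", $3 }' | sed 's/ $//'
}

# Backup into DIR: full secret key, subkeys only, public key, revocation
# certificate gpg wrote at generation time. Prints the file count (4).
export_backup() {
  fpr="$1"; dir="$2"; mkdir -p "$dir"
  g --armor --export-secret-keys "$fpr" > "$dir/$fpr.secret.asc"
  g --armor --export-secret-subkeys "$fpr" > "$dir/$fpr.subkeys.asc"
  gpg --armor --export "$fpr" > "$dir/$fpr.public.asc"
  cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$dir/"
  ls "$dir" | wc -l
}
```

Copy the backup directory to each keystore USB drive while offline; the subkeys-only file is the one to keep near the card for loading it onto another smartcard.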

Move the key to smartcard

 * !!! BE OFFLINE !!!
 * Insert your smartcard device.
 * Transfer each of the three subkeys to the smartcard (Sign, Encrypt, Authenticate)


 * To add the key to another smartcard, you must import it from the backup.

Erase keys from liveusb

 * !!! BE OFFLINE !!!