GPG Guide

Guide on creating and using GPG keys

WIP (Ctrl-S's job)

Guide for securely creating a PGP keyset. Currently most available smartcards support a maximum of 2048 bit RSA keys. Some smartcards support longer keys. This guide will use 2048 bit RSA keys for as much security as is currently practical.

Preparation
e.g.
 * Determine where you want to store your secret keys.
 * I suggest in a subfolder on each USB drive.
 * Decide how long you want the keys to remain valid.
 * It is supposed to be possible to increase this time at a later time, but I don't know how this shit works yet.


 * Command notation quickref:

Buy stuff
You will need:
 * 1X Computer.
 * 1X (boot)USB flash drive 16GB+ (32GB+ USB3+ preferred).
 * 3X (keystore) USB flash drive.
 * 1X Pen/pencil.
 * 3X Pieces of paper.
 * 1+ Smartcard(s) that support PGP/GPG. (e.g. Yubico Yubikey 5 USB authenticator)

Create Ubuntu LiveUSB Environment
Find out what storage devices are connected: e.g.
 * Have a USB flash drive (32GB+ USB3+ preferred).
 * Download the latest Ubuntu desktop ISO. Available from: https://ubuntu.com/download/desktop
 * Have an Ubuntu Linux environment to install the liveusb from.
 * Install the drive creation tools:
 * Figure out which device is your flash drive.

Write a persistent Ubuntu LiveUSB Environment to the flash drive

 * 1) Press the Windows key on your keyboard to bring up the Ubuntu app search screen.
 * 2) type
 * 3) Run the mkusb tool by clicking on it.


 * 1) Choose: i - "Install (make a boot device)".
 * 2) Choose: p - "Persistent live – only Debian and Ubuntu".
 * 3) Select the ubuntu ISO file on your machine.
 * 4) Select the device that matches your USB drive to install onto.
 * 5) Choose just: "usb-pack-efi (default grub from ISO file)"
 * 6) Tell the program how much space to give to the liveUSB Ubuntu install for its own storage; about half of the disk should do (4GB+).
 * 7) Confirm everything is correct, as continuing with incorrect settings may destroy your data.
 * 8) If everything is correct, select "go" and click "go".
 * 9) Wait for the program to write to the USB drive.
 * 10) Choose: "Quit"
 * 11) Choose: "Quit"
 * 12) Press return in the console windows to exit it.

Your USB drive should now be ready to boot from.

Boot liveUSB

 * 1) Have machine powered off.
 * 2) Insert bootable USB drive.
 * 3) Hold F2 while powering on the machine until the BIOS menu shows up.
 * 4) Choose to boot from the USB drive.
 * 5) The Ubuntu bootloader should autoselect the persistent liveusb.
 * 6) Let the machine boot into the persistent liveusb.
 * 7) Ubuntu desktop environment should be displayed on your computer.

Update liveUSB software
Open a terminal window by pressing the three keys simultaneously: Ctrl-Alt-T
Run the following commands:
Check how much free space you have:
You should see a line containing, and it should have at least 1GB of space free. If this is not the case, you probably did not succeed with the previous steps.
This alternative command should show only the disk partition we are interested in:

Enable extra apt repositories: (You will need an internet connection for this part.)

Enable smartcard support. (generic)
(You will need an internet connection for this part.)

This is an example of expected output with a yubikey 5 with values removed for confidentiality:

Remove machine from network

 * Remove all network cables from the machine.
 * Turn off all wifi devices on the machine.
 * Test by running:
 * You should fail to connect.
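An added example, not part of this guide, of an "am I really offline?" check to run before each of the !!! BE OFFLINE !!! steps below. It assumes a Linux live USB with iproute2, the kernel's rfkill state under /sys/class/rfkill, and wget; the host used for the outbound test is an arbitrary assumption.

```shell
#!/bin/sh
# Added example (not from the guide): verify that the key-generation machine has
# no route out, all radios are off, and an outbound connection really fails.
set -eu

# Return 0 if the "ip route" listing read on stdin contains a default route.
has_default_route() { grep -q '^default ' ; }

# Return 0 if every radio under the given rfkill sysfs directory is blocked.
# rfkill "state": 0 = soft blocked, 1 = unblocked, 2 = hard blocked.
radios_blocked() {
  for f in "$1"/*/state; do
    [ -e "$f" ] || continue
    [ "$(cat "$f")" != 1 ] || return 1
  done
  return 0
}

# Combine the checks; any single failure means you are NOT offline.
assert_offline() {
  bad=0
  if ip route 2>/dev/null | has_default_route; then echo "default route present"; bad=1; fi
  if ! radios_blocked /sys/class/rfkill; then echo "a wifi/bluetooth radio is on"; bad=1; fi
  if wget -q --spider --timeout=3 https://ubuntu.com 2>/dev/null; then echo "outbound connection succeeded"; bad=1; fi
  [ "$bad" -eq 0 ] && echo "offline: OK"
  return "$bad"
}
```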

Generate keys

 * !!! BE OFFLINE !!!

GPG Secret keys

 * Create the master key as demonstrated in the following example:
 * This master key should be 4096 bits in size.


 * When asked: "Please select what kind of key you want:"
 * Choose: "(1) RSA and RSA (default)"


 * When asked: What keysize do you want?
 * Choose: 4096


 * When asked: "Please specify how long the key should be valid."
 * Choose: 0 = key does not expire

 * A hexadecimal 'name' for the key you just generated should be displayed in the console.
 * In the example this keyname was
 * Select it, and copy the text to the clipboard by right-clicking the highlighted text and choosing "copy".

Create subkeys for actual use

 * One subkey for each of: Encrypt, Authenticate, Sign
 * These subkeys should each be 2048 bits in size so they can fit onto all common smartcards.
 * (To create subkeys as shown you must use the  command-line argument)


 * Example of creating subkeys:
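An added example, not part of this guide, that builds the same key layout (a 4096-bit RSA master key that never expires plus 2048-bit RSA sign, encrypt and authenticate subkeys) without the interactive prompts, and checks the sizes afterwards. It assumes GnuPG 2.1 or newer, GNUPGHOME already pointing at the keystore, and a caller-supplied name, e-mail and passphrase (placeholders); unlike the interactive "(1) RSA and RSA" choice, the batch master key is certify-only.

```shell
#!/bin/sh
# Added example (not from the guide): unattended version of the key generation
# steps above. Assumes GnuPG 2.1+; name/email/passphrase are caller-supplied.
set -eu

# Parameter file for "gpg --batch --generate-key": 4096-bit RSA master, no expiry.
gen_key_params() {            # gen_key_params NAME EMAIL PASSPHRASE
  cat <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $1
Name-Email: $2
Expire-Date: 0
Passphrase: $3
%commit
EOF
}

# Read "gpg --list-secret-keys --with-colons" output on stdin and succeed only
# if the master (sec) is 4096 bits and every subkey (ssb) is 2048 bits, the
# largest size the guide says fits common smartcards. Field 3 is the bit length.
check_sizes() {
  awk -F: 'BEGIN {bad=0}
           $1=="sec" && $3!=4096 {bad=1}
           $1=="ssb" && $3!=2048 {bad=1}
           END {exit bad}'
}

generate_keyset() {           # generate_keyset NAME EMAIL PASSPHRASE -> prints fingerprint
  gen_key_params "$1" "$2" "$3" | gpg --batch --generate-key
  fpr=$(gpg --list-secret-keys --with-colons "$2" | awk -F: '$1=="fpr" {print $10; exit}')
  # One 2048-bit subkey per role; expiry 0 = never, matching the guide's choices.
  for usage in sign encr auth; do
    gpg --batch --pinentry-mode loopback --passphrase "$3" \
        --quick-add-key "$fpr" rsa2048 "$usage" 0
  done
  gpg --list-secret-keys --with-colons "$fpr" | check_sizes
  echo "$fpr"
}

# Usage (placeholders): generate_keyset "Your Name" "you@example.org" "$GPG_PASS"
```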

Store keys to backup drives

 * !!! BE OFFLINE !!!
 * Create a folder to store our secret keys:


 * Change to the folder where we want to save the keys to:


 * Secret keys:


 * Public keys:


 * Revocation certificate:


 * SSH public key
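An added example, not part of this guide, that exports the five items listed above into a folder on a backup drive using the guide's KEYID-DATE file naming (as in FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key) and writes a checksum manifest so each of the three copies can be verified later. It assumes GnuPG 2.1 or newer (which writes the revocation certificate to openpgp-revocs.d when the key is created) and GNU/BusyBox coreutils.

```shell
#!/bin/sh
# Added example (not from the guide): export master key, subkeys, public key,
# revocation certificate and SSH public key, then record SHA-256 checksums.
set -eu

# Name prefix KEYID-YYYYMONDD (UTC); an optional second argument overrides the date.
backup_basename() {
  echo "$1-${2:-$(date -u +%Y%b%d | tr '[:lower:]' '[:upper:]')}"
}

write_manifest() {           # sha256 of every *.key / *.asc file in the folder
  ( cd "$1" && sha256sum ./*.key ./*.asc > SHA256SUMS )
}

check_manifest() {           # 0 only if every file still matches SHA256SUMS
  ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}

export_keyset() {            # export_keyset FINGERPRINT DESTDIR
  fpr=$1; dest=$2
  keyid=$(printf '%s' "$fpr" | tail -c 16)     # long key id = last 16 hex digits
  base=$dest/$(backup_basename "$keyid")
  mkdir -p "$dest"
  gpg --armor --export-secret-keys    "$fpr" > "$base.secret-master.key"
  gpg --armor --export-secret-subkeys "$fpr" > "$base.secret-subkeys.key"
  gpg --armor --export                "$fpr" > "$base.public.key"
  cp "${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d/$fpr.rev" "$base.revoke.asc"
  gpg --export-ssh-key "$fpr" > "$base.ssh-remote.key"
  write_manifest "$dest"
  check_manifest "$dest" && echo "backup written and verified in $dest"
}
```

Run check_manifest against the folder on each drive before trusting that copy.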

Exporting SSH key
How to generate the ssh public key to put onto a remote server.

Reset smartcard to factory settings and erase stored GPG keys

 * ! ONLY TESTED ON Yubikey 5 !
 * ! USE AT OWN RISK !
 * I don't know if doing a factory reset will affect other functions of your smartcard, such as FIDO, FIDO2, PIV, OTP, etc.

Set the smartcard PIN, adminPIN, & reset code
 * The PIN, Admin PIN, and Reset Code can be alphanumerical passphrases (a-z, A-Z, 0-9, space, etc.).
 * "PIN" - Day-to-day use.
 * "Admin PIN" - Load new key onto card.
 * "Reset Code" - Reset PIN attempts counter.
 * The default Yubikey "PIN" is "123456"
 * The default Yubikey "Admin PIN" is "12345678"
 * Begin editing the smartcard.


 * Set PIN


 * Set admin PIN (used for installing secret key to card)


 * Set the Recovery Code (Used for resetting retry counter for PIN)

Smartcard PIN codes
You need to set two PIN codes for your smartcard: a user PIN and an admin PIN.

The user PIN is required to use the stored keys.
 * Generate a random number to use as a PIN for your smartcard (apg is a Linux tool to generate random passwords: https://linux.die.net/man/1/apg ).
 * Write down the user PIN code on your paper.

The admin PIN is used to edit the card.
 * Write down the admin PIN code on your paper.


 * Store copies of these codes in safe places where you will not lose them and nobody can read them.
 * You will not be able to use the smartcard without the correct code.


 * Change the smartcard's user PIN.


 * Change the smartcard's admin PIN

Reload the secret key and subkeys from the backup file
This is required if you want to prepare more than one smartcard.

Delete GPG keystore

 * Do not do this unless you are sure you have successfully backed up your keys.
 * To install the same key to additional smartcards, it must be reloaded from the file again.
 * It MAY be needed to delete the key from GPG's keystore for reimport?

Set imported secretkey to maximum trust level

 * It is required to set the trust level to ultimate to put it on a smartcard.

Move the key to smartcard

 * !!! BE OFFLINE !!!
 * Insert your smartcard device.
 * Transfer each of the three subkeys to the smartcard (Sign, Encrypt, Authenticate)


 * To add the key to another smartcard, you must import it from the backup.

Erase keys from liveusb

 * !!! BE OFFLINE !!!
 * Remove the GPG keystore as an added precaution.

Setup public key side
Copy and paste the text in the ssh-remote.key file from the earlier steps into the `~/.ssh/authorized_keys` file on the machine you intend to connect to.

Set up key on machine we want to SSH to
Open the authorized_keys for your user account and paste in the SSH key (Created earlier in this guide as "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key")

Using multiple cards
This command tells GPG to associate keys it has with copies of those keys on a connected smartcard. The same command works on both Linux and Windows. https://github.com/drduh/YubiKey-Guide#using-multiple-keys

WSL (Windows Subsystem for Linux)
Getting SSH to work in WSL.
https://github.com/drduh/YubiKey-Guide#using-multiple-keys
https://github.com/vuori/weasel-pageant
https://github.com/vuori/weasel-pageant/releases
 * ! WIP !
 * Download and extract weasel-pageant to somewhere convenient on the Windows side.
 * Place this line in your .bashrc file:
 * Reload the config from the updated file:
 * Add an entry to the ~/.ssh/config file:
 * Test if it works: if it is working it will show your key in the list it gives.

If you get the error : fix the permissions with chmod 600 ~/.ssh/config

Automating on Windows
Save the following script to a .bat file. (e.g. `C:\scripts\gpg_refresh.bat`)


 * Press the start button on your keyboard to open the start menu.
 * Type "schedule", "Task Scheduler" should appear as a search result in the start menu.
 * Open Task Scheduler.
 * In the section on the right of the window (Under the heading "Actions") select "Create Task".
 * Set the Name to `Check and Update GPG smartcards`
 * Set the description to `Tell GPG to compare its keys against smartcards, and link any that match.`
 * "Name" : "1 hour"
 * "Description" : "1 hour"
 * "Security options" -> "Run whether user is logged on or not" : Selected. (Hides command window when task runs)
 * "Security options" -> "Do not store password. The task will only have access to local computer resources." : Selected. (Prevents requiring user's password to be entered to set up task.)
 * This task must be running using your user account, so that the instance of GPG associated with your account is acted on.
 * "Configure for:": "Windows 10"


 * Click on the "Triggers" tab at the top of the window then click the "New" button
 * In the "New Trigger" window that opens:
 * "Begin the task": `On a schedule`
 * Settings -> "Daily" selected.
 * Settings -> "Start": Set a value in the next hour or so.
 * Settings -> "Recur every" [ ] days: "1"
 * "Advanced settings" -> "Repeat task every": Box checked.
 * "Advanced settings" -> "Repeat task every" : "1 hour"
 * "Advanced settings" -> "for a duration of" : "1 day"
 * "Advanced settings" -> "Expire": Box unchecked. (Never expire)
 * "Advanced settings" -> "Enabled": Box checked.
 * Click "OK" once these settings are set.


 * Click on the "Actions" tab at the top of the window then click the "New" button
 * In the "New Action" window that opens:
 * "Settings" -> "Action": "Start a program"
 * "Settings" -> "Program/script" : The path to the .bat file.
 * Click "OK" once these settings are set.


 * Click "OK" in the "Create Task" window.

https://stackoverflow.com/questions/4249542/run-a-task-every-x-minutes-with-windows-task-scheduler

https://www.howtogeek.com/tips/how-to-run-a-scheduled-task-without-a-command-window-appearing/

Troubleshooting
To kill running background GPG:

To start background GPG:

To inspect connected card(s?):