Revision as of 12:03, 12 February 2020
Guide on creating and using GPG keys
WIP (Ctrl-S's job)
Guide for securely creating a PGP keyset.
Currently most available smartcards support a maximum of 2048 bit RSA keys.
Some smartcards support longer keys.
This guide will use 2048 bit RSA keys for as much security as is currently practical.
Preparation
- Determine where you want to store your secret keys.
- I suggest in a subfolder on each USB drive.
e.g.
'/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-12'
'/media/ubuntu/keystore02/gpg.ctrl-s.2020-02-12'
'/media/ubuntu/keystore03/gpg.ctrl-s.2020-02-12'
- Decide how long you want the keys to remain valid.
- It is supposed to be possible to extend the validity period later, but I don't know how that works yet.
- Command notation quickref:
## Double hash symbol (##): this is a comment, just for you to read.
$ nano somefile.txt ## <- Dollar sign ($): that was a command in BASH running as a normal user.
$ sudo nano somefile.txt ## <- That was a regular user using sudo to run a command as root.
# nano somefile.txt ## <- Single hash sign (#): that was a command run as root.
## (The root account is a superuser with complete authority over the system.)
gpg> help ## <- That was a command inside the gpg program's subshell.
Buy stuff
You will need:
- 1X Computer.
- 1X (boot)USB flash drive 16GB+ (32GB+ USB3+ preferred).
- 3X (keystore) USB flash drive.
- 1X Pen/pencil.
- 3X Pieces of paper.
- 1+ Smartcard(s) that support PGP/GPG. (e.g. Yubico Yubikey 5 USB authenticator)
Create Ubuntu LiveUSB Environment
- Have a USB flash drive (32GB+ USB3+ preferred).
- Download latest ubuntu desktop ISO. Available from: https://ubuntu.com/download/desktop
- Have an Ubuntu Linux environment to create the liveusb from.
- Install the drive creation tools:
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:mkusb/ppa
$ sudo apt-get update
$ sudo apt install --install-recommends mkusb mkusb-nox usb-pack-efi
Find out what storage devices are connected:
$ lsblk
- Figure out which device is your flash drive.
e.g. /dev/sdh
Write a persistent Ubuntu LiveUSB Environment to the flash drive
- Press the windows key on your keyboard to bring up the ubuntu app search screen.
- type
mkusb
- Run the mkusb tool by clicking on it.
- Choose: i - "Install (make a boot device)".
- Choose: p - "Persistent live – only Debian and Ubuntu".
- Select the ubuntu ISO file on your machine.
- Select the device that matches your USB drive to install onto.
- Choose just: "usb-pack-efi (default grub from ISO file)"
- Tell the program how much space to give to the liveUSB Ubuntu install for its own storage; about half of the disk should do (4GB+).
- Confirm everything is correct, as continuing with incorrect settings may destroy your data.
- If everything is correct, select "go" and click "go".
- Wait for the program to write to the USB drive.
- Choose: "Quit"
- Choose: "Quit"
- Press return in the console windows to exit it.
Your USB drive should now be ready to boot from.
Boot liveUSB
- Have machine powered off.
- Insert bootable USB drive.
- Hold F2 while powering on the machine until the BIOS menu shows up.
- Choose to boot from the USB drive.
- The Ubuntu bootloader should autoselect the persistent liveusb.
- Let the machine boot into the persistent liveusb.
- Ubuntu desktop environment should be displayed on your computer.
Update liveUSB software
Open a terminal window by pressing the three keys simultaneously: Ctrl-Alt-T
Run the following commands.
Check how much free space you have:
$ df -h
You should see a line containing /media/ubuntu/casper-rw, and it should have at least 1GB of space free.
If this is not the case, you probably did not succeed with the previous steps.
This alternative command should show only the disk partition we are interested in:
$ df -h | grep casper-rw
Enable extra apt repositories: (You will need an internet connection for this part.)
$ sudo add-apt-repository universe
$ sudo add-apt-repository multiverse
## Update installed software:
$ sudo apt update # Update information about what software packages are available.
$ sudo apt upgrade -y # Upgrade to the latest available version of installed packages.
Enable smartcard support. (generic)
(You will need an internet connection for this part.)
$ sudo apt-get install scdaemon # This package does all the smartcard communication!
$ sudo systemctl start pcscd
$ sudo systemctl enable pcscd
$ gpg --card-edit list # Test by looking for connected cards
Remove machine from network
- Remove all network cables from the machine.
- Turn off all wifi devices on the machine.
- Test by running:
$ ping 8.8.8.8
- You should fail to connect.
Generate keys
- !!! BE OFFLINE !!!
Smartcard PIN codes
- You need to set two PIN codes for your smartcard.
A user PIN and an admin PIN
- Generate a random number for each of the two PINs for your smartcard (run the command once per PIN).
(apg is a linux tool to generate random passwords https://linux.die.net/man/1/apg )
## apg (Password generator program)
## -M N (Use numerals only)
## -m 8 (Minimum 8 characters long)
## -x 8 (Maximum 8 characters long)
$ apg -M N -m 8 -x 8
- Write down the user PIN code on your paper.
User PIN: USER-PIN-HERE
The user PIN is required to use the stored keys.
- Write down the admin PIN code on your paper.
admin PIN: ADMIN-PIN-HERE
The admin pin is used to edit the card.
- Store copies of these codes in safe places where you will not lose them and nobody can read them.
- You will not be able to use the smartcard without the correct code. Three wrong entries in a row block the user PIN; the admin PIN is then needed to unblock it, and if the admin PIN itself is blocked the card has to be factory reset, which wipes the keys on it.
- Change the smartcard's user PIN.
$ gpg --card-edit
gpg> admin ## Enable the admin commands.
gpg> passwd ## Open the PIN menu.
1 ## "change PIN": enter the current user PIN (the factory default on OpenPGP cards such as the Yubikey is 123456), then the new user PIN twice.
Q ## Leave the PIN menu.
gpg> quit
- Change the smartcard's admin PIN
$ gpg --card-edit
gpg> admin ## Enable the admin commands.
gpg> passwd ## Open the PIN menu.
3 ## "change Admin PIN": enter the current admin PIN (factory default 12345678), then the new admin PIN twice.
Q ## Leave the PIN menu.
gpg> quit
GPG Secret keys
- Create master key:
$ gpg --full-gen-key
- This master key should be 4096 bits in size
- When asked: "Please select what kind of key you want:"
Choose: "(1) RSA and RSA (default)"
- When asked: What keysize do you want?
- Choose: 4096
- When asked: "Please specify how long the key should be valid."
Choose: 0 = key does not expire
The ID of the key you just generated (a hexadecimal string) is displayed in the console. Select it, and copy the text to the clipboard by right-clicking the highlighted text and choosing "copy". It is referred to as KEYNAME below.
$ gpg --edit-key KEYNAME
Create subkeys for actual use
One subkey for each of: Encrypt, Authenticate, Sign.
These subkeys should each be 2048 bits in size so they can fit onto all common smartcards.
gpg> addkey ## Signing subkey: choose "(4) RSA (sign only)", keysize 2048, then the validity period.
gpg> addkey ## Encryption subkey: choose "(6) RSA (encrypt only)", keysize 2048, then the validity period.
gpg> addkey ## Authentication subkey: choose "(8) RSA (set your own capabilities)", toggle S and E off and A on, press Q, then keysize 2048 and the validity period.
gpg> list ## The three subkeys should now be listed as ssb with usage S, E and A.
gpg> save ## Write the new subkeys to the keyring and leave the editor.
Store keys to backup drives
- !!! BE OFFLINE !!!
- Create a folder to store our secret keys:
$ mkdir -vp '/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
- Change to the folder where we want to save the keys to:
$ cd '/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
- Secret keys:
$ gpg --output KEYNAME-DATE.masterkeys.txt --export-secret-keys --armor KEYNAME
$ gpg --output KEYNAME-DATE.subkeys.txt --export-secret-subkeys --armor KEYNAME
- Public keys:
$ gpg --export --armor KEYNAME > KEYNAME-DATE.public.key
- Revocation certificate:
$ gpg --output KEYNAME-DATE.revocation-certificate.asc --gen-revoke KEYNAME
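As an added example that is not part of the original guide, a POSIX shell script to verify the keystore copies before the keyring is erased from the liveusb: it checks that one keystore folder holds all four exported files with the expected PGP armor headers, then compares every file across the other keystore drives by SHA-256. It assumes the guide's KEYNAME-DATE file naming, that sha256sum is installed, and the keystore paths shown are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm that each keystore
# drive holds a complete, well-formed export and that all copies are
# byte-identical before erasing the liveusb keyring.  Paths are assumptions.

# Check one keystore folder: every exported file must exist, be non-empty and
# start with the PGP armor header its type should carry.  Returns 0 on success.
check_keystore() {
    dir="$1"; keyname="$2"; kdate="$3"; status=0
    for spec in \
        "$keyname-$kdate.masterkeys.txt:PRIVATE KEY BLOCK" \
        "$keyname-$kdate.subkeys.txt:PRIVATE KEY BLOCK" \
        "$keyname-$kdate.public.key:PUBLIC KEY BLOCK" \
        "$keyname-$kdate.revocation-certificate.asc:PUBLIC KEY BLOCK"
    do
        file="$dir/${spec%%:*}"
        want="-----BEGIN PGP ${spec#*:}-----"
        if [ ! -s "$file" ]; then
            echo "MISSING or empty: $file"; status=1; continue
        fi
        if [ "$(head -n 1 "$file")" != "$want" ]; then
            echo "BAD HEADER: $file (expected '$want')"; status=1
        fi
    done
    return $status
}

# Compare every file in the reference keystore against the same file on each
# other keystore by SHA-256; a mismatch means that copy is stale or damaged.
compare_keystores() {
    ref="$1"; shift; status=0
    for f in "$ref"/*; do
        name=$(basename "$f")
        refsum=$(sha256sum "$f" | cut -d' ' -f1)
        for other in "$@"; do
            sum=$(sha256sum "$other/$name" 2>/dev/null | cut -d' ' -f1)
            if [ "$sum" != "$refsum" ]; then
                echo "MISMATCH: $other/$name"; status=1
            fi
        done
    done
    return $status
}

# Usage: sh check-keystores.sh KEYNAME DATE /media/ubuntu/keystore01/DIR /media/ubuntu/keystore02/DIR ...
if [ "$#" -ge 3 ]; then
    keyname="$1"; kdate="$2"; shift 2
    check_keystore "$1" "$keyname" "$kdate" && compare_keystores "$@"
fi
```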
Move the key to smartcard
- !!! BE OFFLINE !!!
- Insert your smartcard device.
- Transfer each of the three subkeys to the smartcard (Sign, Encrypt, Authenticate). The key and keytocard commands belong to --edit-key, not --card-edit, and the local keyring is only updated when the session is saved:
$ gpg --edit-key KEYNAME
gpg> key 1 ## Toggle select for the subkey at position 1 in the list (a * marks it as selected).
gpg> keytocard ## Send the selected subkey to the smartcard; pick the slot that matches its capability (Signature, Encryption or Authentication).
gpg> key 1 ## Toggle select off again, so only one subkey is selected at a time.
gpg> key 2 ## Toggle select for the subkey at position 2 in the list.
gpg> keytocard ## Send the selected subkey to the smartcard.
gpg> key 2 ## Toggle select off again.
gpg> key 3 ## Toggle select for the subkey at position 3 in the list.
gpg> keytocard ## Send the selected subkey to the smartcard.
gpg> key 3 ## Toggle select off again.
gpg> save ## Write the changes: the secret subkeys in the local keyring are replaced by stubs pointing at the card.
- To add the key to another smartcard, you must import it from the backup.
$ gpg --import KEYNAME-DATE.masterkeys.txt
$ gpg --import KEYNAME-DATE.subkeys.txt
$ gpg --edit-key KEYNAME
gpg> trust ## Edit the trust level for this key.
gpg> 5 ## Assign ultimate trust to our own key.
gpg> y ## Confirm the trust setting.
gpg> quit ## The trust setting is stored immediately; leave the editor.
Erase keys from liveusb
- !!! BE OFFLINE !!!
$ rm -rf ~/.gnupg ## The keyring lives in the user's home directory (/home/ubuntu/.gnupg on the liveusb), not under /.
## TODO
Setup public key side
## TODO
Set up key on machine we want to SSH to
## TODO
Sources
Guide to set up Ubuntu on a USB flash drive (Full persistent install to USB drive): https://www.howtogeek.com/howto/14912/create-a-persistent-bootable-ubuntu-usb-flash-drive/
Guide to write Ubuntu installer to USB drive (Does not support software install without modifications, see other guide): https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started
Ubuntu download page: https://ubuntu.com/download/desktop
Guides to set up a Yubikey device: https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp https://withinboredom.info/blog/2017/11/18/signing-commits-ssh-with-yubikey-and-windows/
Yubikey troubleshooting pages: https://support.yubico.com/support/solutions/articles/15000014892-troubleshooting-gpg-no-such-device-
GPG key import/export: https://unix.stackexchange.com/questions/184947/how-to-import-secret-gpg-key-copied-from-one-machine-to-another https://msol.io/blog/tech/back-up-your-pgp-keys-with-gpg/