GPG Guide: Difference between revisions

From Bibliotheca Anonoma
m (Added an example of generating a key and subkeys)
m (Add example)
Line 121: Line 121:
</syntaxhighlight>
</syntaxhighlight>


This is an example of expected output with a yubikey 5 with values removed for confidentiality:
<syntaxhighlight lang="bash">
$ gpg --card-edit list


Reader ...........: [REMOVED]
Application ID ...: [REMOVED]
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: [REMOVED]
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card>
</syntaxhighlight>





Revision as of 13:48, 27 February 2020

Guide on creating and using GPG keys

WIP (Ctrl-S's job)


Guide for securely creating a PGP keyset. Currently most available smartcards support a maximum of 2048 bit RSA keys. Some smartcards support longer keys. This guide will use 2048 bit RSA keys for as much security as is currently practical.


Preparation

  • Determine where you want to store your secret keys.
  • I suggest in a subfolder on each USB drive.

e.g.
'/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-12'
'/media/ubuntu/keystore02/gpg.ctrl-s.2020-02-12'
'/media/ubuntu/keystore03/gpg.ctrl-s.2020-02-12'

  • Decide how long you want the keys to remain valid.
  • It is supposed to be possible to increase this time at a later time, bot I don't know how this shit works yet.
  • Command notation quickref:
## Double hash symbol(##) This is a comment, just for you to read.
$ nano somefile.txt ## <- Dollar sign ($) That was a command in BASH running as a normal user.
$ sudo nano somefile.txt ## <- That was a regular user using sudo to run a command as root.
# nano somefile.txt ## <- Single hash (#) sign -That was running a command a root.
## (The root account is a superuser with complete authority over the system.)
gpg> help ## <- That was a command inside the gpg program's subshell.


Buy stuff

You will need:

  • 1X Computer.
  • 1X (boot)USB flash drive 16GB+ (32GB+ USB3+ preferred).
  • 3X (keystore) USB flash drive.
  • 1X Pen/pencil.
  • 3X Pieces of paper.
  • 1+ Smartcard(s) that support PGP/GPG. (e.g. Yubico Yubikey 5 USB authenticator)


Create Ubuntu LiveUSB Environment

  • Have a USB flash drive (32GB+ USB3+ preferred).
  • Download latest ubuntu desktop ISO. Available from: https://ubuntu.com/download/desktop
  • Have a ubuntu linux environment to install the liveusb from.
  • Install the drive creation tools:
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:mkusb/ppa
$ sudo apt-get update
$ sudo apt install --install-recommends mkusb mkusb-nox usb-pack-efi

Find out what storage devices are connected:

$ lsblk
  • Figure out which device is your flash drive.

e.g. /dev/sdh


Write a persistant Ubuntu LiveUSB Environment to the flash drive

  1. Press the windows key on your keyboard to bring up the ubuntu app search screen.
  2. type mkusb
  3. Run the mkusb tool by clicking on it.
  1. Choose: i - "Install (make a boot device)".
  2. Choose: p - "Persistent live – only Debian and Ubuntu".
  3. Select the ubuntu ISO file on your machine.
  4. Select the device that matches your USB drive to install onto.
  5. Choose just: "usb-pack-efi (default grub from ISO file)"
  6. Tell the program how much space to give to the liveUSB ubuntu install for it's own storage, about half of the disk should do (4GB+).
  7. Confirm everything is correct, as continuing with incorrect settings may destroy your data.
  8. If everything is correct, select "go" and click "go".
  9. Wait for the program to write to the USB drive.
  10. Choose: "Quit"
  11. Choose: "Quit"
  12. Press return in the console windows to exit it.

Your USB drive should now be ready to boot from.


Boot liveUSB

  1. Have machine powered off.
  2. Insert bootable USB drive.
  3. Hold F2 while powering on machine until BIOS menun shows up.
  4. Choose to boot from the USB drive.
  5. Ubuntu bootloader should autoselect persistant liveusb
  6. Let machine boot into persistant liveusb
  7. Ubuntu desktop environment should be displayed on your computer.


Update liveUSB software

Open a terminal window by pressing the three keys simultaneously: Ctrl-Alt-T Run the following commands: Check how much free space you have:

 $ df -h

You should see a line containting /media/ubuntu/casper-rw, and it should have at least 1GB of space free. If this is not the case, you probably did not succeed with the previous steps. This alternative command should show only the disk partition we are interested in:

 $ df -h | grep casper-rw

Enable extra apt repositories: (You will need an internet connection for this part.)

$ sudo add-apt-repository universe
$ sudo add-apt-repository multiverse
## Update installed software:
$ sudo apt update # Update information about what software packages are available.
$ sudo apt upgrade -y # Upgrade to the latest available version of installed packages.


Enable smartcard support. (generic)

(You will need an internet connection for this part.)

$ sudo apt-get install scdaemon # This package does all the smartcard communication!
$ sudo systemctl start pcscd 
$ sudo systemctl enable pcscd
$ gpg --card-edit list # Test by looking for connected cards

This is an example of expected output with a yubikey 5 with values removed for confidentiality:

$ gpg --card-edit list

Reader ...........: [REMOVED]
Application ID ...: [REMOVED]
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: [REMOVED]
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>


Remove machine from network

  • Remove all network cables from the machine.
  • Turn off all wifi devices on the machine.
  • Test by running:
$ ping 8.8.8.8
  • You should fail to connect.


Generate keys

  • !!! BE OFFLINE !!!

Smartcard PIN codes

  • You need to set two PIN codes for your smartcard.


A user PIN and an admin PIN

  • Generate a random number to use as a PIN for your smartcard

(apg is a linux tool to generate random passwords https://linux.die.net/man/1/apg )

## apg (Password generator program)
## -a 1 (Use supplied parameters)
## -M N (Use numerals only)
## -m 10 (Minimum 8 characters long)
## -x 10 (Maximum 8 characters long)
$ apg -a 1 -M N -m 8 -x 8
86187171
65856553
45100116
18826756
02283057
10274420
  • Write down the user PIN code on your paper.

User PIN: USER-PIN-HERE
The user PIN is required to use the stored keys.

  • Write down the admin PIN code on your paper.

admin PIN: ADMIN-PIN-HERE
The admin pin is used to edit the card.

  • Store copies of these codes in safe places where you will not lose them and nobody can read them.
  • You will not be able to use the smartcard without the correct code.
  • Change the smartcard's user PIN.
$ gpg --card-edit
gpg/card> admin ## Card admin menu.
gpg/card> passwd ## Change card password(s).
gpg/card> 1 ## 1 - change PIN.
gpg/card> q ## Exit PIN edit submenu.
gpg/card> list ## Display card information.
gpg/card> quit ## Exit GPG.
  • Change the smartcard's admin PIN
$ gpg --card-edit
gpg/card> admin ## Card admin menu.
gpg/card> passwd ## Change card password(s).
gpg/card> 3 ## 3 - change Admin PIN.
gpg/card> q ## Exit PIN edit submenu.
gpg/card> list ## Display card information.
gpg/card> quit ## Exit GPG.


GPG Secret keys

  • Create master as demonstrated in the following example:
$  gpg --full-gen-key
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: fakename
Email address: [email protected]
Comment: fake person comment
You selected this USER-ID:
    "fakename (fake person comment) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key BEBEAAF16847B703 marked as ultimately trusted
gpg: directory '/home/pi/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/pi/.gnupg/openpgp-revocs.d/196CBE3A87E329179CC27B5CBEBEAAF16847B703.rev'
public and secret key created and signed.

pub   rsa4096 2020-02-12 [SC]
      196CBE3A87E329179CC27B5CBEBEAAF16847B703
uid                      fakename (fake person comment) <[email protected]>
sub   rsa4096 2020-02-12 [E]
  • This master key should be 4096 bits in size.
  • When asked: "Please select what kind of key you want:"
    • Choose: "(1) RSA and RSA (default)"
  • When asked: What keysize do you want?
    • Choose: 4096
  • When asked: "Please specify how long the key should be valid."
    • Choose: 0 = key does not expire
  • A hexadecimal 'name' for the key you just generated should be displayed in the console.

Select it, and copy the text to the clipboard by right-clicking the highlighted text and choosing "copy".

    • In the example this keyname was 196CBE3A87E329179CC27B5CBEBEAAF16847B703


Create subkeys for actual use

  • One subkey for each of: Encrypt, Authenticate, Sign
  • These subkeys should each be 2048 bits in size so they can fit onto all common smartcards.
  • (To create subkeys as shown you must use the --expert command-line argument)
$ gpg --expert --edit-key KEYNAME
  • Example of creating subkeys:
$ gpg --expert --edit-key 196CBE3A87E329179CC27B5CBEBEAAF16847B703
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec  rsa4096/BEBEAAF16847B703
     created: 2020-02-12  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/2975948F8F5E65F7
     created: 2020-02-12  expires: never       usage: E
[ultimate] (1). fakename (fake person comment) <[email protected]>

gpg> key 1 ## Selecting the automatically-generated subkey to delete it.

sec  rsa4096/BEBEAAF16847B703
     created: 2020-02-12  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa4096/2975948F8F5E65F7
     created: 2020-02-12  expires: never       usage: E
[ultimate] (1). fakename (fake person comment) <[email protected]>

gpg> delkey ## Deleting the automatically-generated subkey.
Do you really want to delete this key? (y/N) y

sec  rsa4096/BEBEAAF16847B703
     created: 2020-02-12  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). fakename (fake person comment) <[email protected]>

gpg> addkey ## Adding a subkey to "Sign" (1/3)...
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/BEBEAAF16847B703
     created: 2020-02-12  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/203E068632D2C436
     created: 2020-02-12  expires: never       usage: S
[ultimate] (1). fakename (fake person comment) <[email protected]>

gpg> addkey ## Adding a subkey to "Encrypt" (2/3)...
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/BEBEAAF16847B703
     created: 2020-02-12  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/203E068632D2C436
     created: 2020-02-12  expires: never       usage: S
ssb  rsa4096/96F8E1C255A68B9D
     created: 2020-02-12  expires: never       usage: E
[ultimate] (1). fakename (fake person comment) <[email protected]>

gpg> addkey ## Adding a subkey to "Authenticate" (3/3)...
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/BEBEAAF16847B703
     created: 2020-02-12  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/203E068632D2C436
     created: 2020-02-12  expires: never       usage: S
ssb  rsa4096/96F8E1C255A68B9D
     created: 2020-02-12  expires: never       usage: E
ssb  rsa4096/43685156C4472A6B
     created: 2020-02-12  expires: never       usage: A
[ultimate] (1). fakename (fake person comment) <[email protected]>

gpg>save ## You MUST enter the save command for the keys to be kept!
$ ## Finished creating the subkeys.


Store keys to backup drives

  • !!! BE OFFLINE !!!
  • Create a folder to store our secret keys:
$ mkdir -vp '/medua/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
  • Change to the folder where we want to save the keys to:
$ cd '/medua/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'


  • Secret keys:
$ gpg --output KEYNAME-DATE.masterkeys.txt --export-secret-keys --armor KEYNAME
$ gpg --output KEYNAME-DATE.subkeys.txt --export-secret-subkeys --armor KEYNAME
  • Public keys:
$ gpg --export --armor KEYNAME > KEYNAME-DATE.public.key
  • Revocation certificate:
$ gpg --output KEYNAME-DATE.revocation-certificate.asc --gen-revoke KEYNAME


Move the key to smartcard

  • !!! BE OFFLINE !!!
  • Insert your smartcard device.
  • Transfer each of the three subkeys to the smartcard (Sign, Encrypt, Authenticate)
$ gpg --card-edit
gpg>key 1 ## Toggle select for the key at position 1 in the list.
gpg> keytocard # Send the key to the smartcard.
gpg>key 1 ## Toggle select for the key at position 1 in the list.
$ gpg --card-edit
gpg>key 2 ## Toggle select for the key at position 2 in the list.
gpg> keytocard # Send the key to the smartcard.
gpg>key 2 ## Toggle select for the key at position 2 in the list.
$ gpg --card-edit
gpg>key 3 ## Toggle select for the key at position 3 in the list.
gpg> keytocard # Send the key to the smartcard.
gpg>key 3 ## Toggle select for the key at position 3 in the list.
  • To add the key to another smartcard, you must import it from the backup.
$ gpg --import KEYNAME-DATE.masterkeys.txt
$ gpg --import KEYNAME-DATE.subkeys.txt
$ gpg --edit-key KEYNAME
gpg> trust ## Edit the trust level for this key.
gpg> 5 ## Assign ultimate trust to our own key.
gpg> y ## Confirm the trust setting.


Erase keys from liveusb

  • !!! BE OFFLINE !!!
$ rm -rf /.gnupg*
## TODO



Setup public key side

## TODO

Set up key on machine we want to SSH to

## TODO


Sources

Guide to set up Ubuntu on a USB flash drive (Full persistant install to USB drive):

https://www.howtogeek.com/howto/14912/create-a-persistent-bootable-ubuntu-usb-flash-drive/

  • Guide to write Ubuntu installer to USB drive (Does not support software install wituout modifications, see other guide):

https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started

  • Ubuntu download page:

https://ubuntu.com/download/desktop

  • Guides to set up a Yubikey device:

https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp

https://withinboredom.info/blog/2017/11/18/signing-commits-ssh-with-yubikey-and-windows/

https://zeos.ca/post/2018/gpg-yubikey5/

  • Yubikey troubleshooting pages:

https://support.yubico.com/support/solutions/articles/15000014892-troubleshooting-gpg-no-such-device-

  • GPG key import/export:

https://unix.stackexchange.com/questions/184947/how-to-import-secret-gpg-key-copied-from-one-machine-to-another

https://msol.io/blog/tech/back-up-your-pgp-keys-with-gpg/