GPG Guide: Difference between revisions
Revision summaries: (Boot, update and install packages); (Copypaste notes, add formatting)
Revision as of 03:42, 12 February 2020
Guide on creating and using GPG keys
WIP (Ctrl-S's job)
Create Ubuntu LiveUSB Environment
- Have a USB flash drive (32GB+, USB 3+ preferred).
- Download the latest Ubuntu desktop ISO. Available from: https://ubuntu.com/download/desktop
- Have an Ubuntu Linux environment to install the liveusb from.
- Install the drive creation tools:
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:mkusb/ppa
$ sudo apt-get update
$ sudo apt install --install-recommends mkusb mkusb-nox usb-pack-efi
- Find out what storage devices are connected:
$ lsblk
- Figure out which device is your flash drive, e.g. /dev/sdh
Write a persistent Ubuntu LiveUSB Environment to the flash drive
- Press the Windows key on your keyboard to bring up the Ubuntu app search screen.
- Type: mkusb
- Run the mkusb tool by clicking on it.
- Choose: i - "Install (make a boot device)".
- Choose: p - "Persistent live – only Debian and Ubuntu".
- Select the Ubuntu ISO file on your machine.
- Select the device that matches your USB drive to install onto.
- Choose just: "usb-pack-efi (default grub from ISO file)"
- Tell the program how much space to give to the liveUSB Ubuntu install for its own storage; about half of the disk should do (4GB+).
- Confirm everything is correct, as continuing with incorrect settings may destroy your data.
- If everything is correct, select "go" and click "go".
- Wait for the program to write to the USB drive.
- Choose: "Quit"
- Choose: "Quit"
- Press return in the console window to exit it.
Your USB drive should now be ready to boot from.
Boot liveUSB
- Have the machine powered off.
- Insert the bootable USB drive.
- Hold F2 while powering on the machine until the BIOS menu shows up.
- Choose to boot from the USB drive.
- The Ubuntu bootloader should autoselect the persistent liveusb.
- Let the machine boot into the persistent liveusb.
- The Ubuntu desktop environment should be displayed on your computer.
Update liveUSB software
Open a terminal window by pressing the three keys simultaneously: Ctrl-Alt-T
Run the following commands:
Check how much free space you have:
$ df -h
You should see a line containing /media/ubuntu/casper-rw, and it should have at least 1GB of space free.
If this is not the case, you probably did not succeed with the previous steps.
This alternative command should show only the disk partition we are interested in:
$ df -h | grep casper-rw
Enable extra apt repositories: (You will need an internet connection for this part.)
$ sudo add-apt-repository universe
$ sudo add-apt-repository multiverse
## Update installed software:
$ sudo apt update # Update information about what software packages are available.
$ sudo apt upgrade -y # Upgrade to the latest available version of installed packages.
Enable smartcard support. (generic)
(You will need an internet connection for this part.)
$ sudo apt-get install scdaemon # This package does all the smartcard communication!
$ sudo systemctl start pcscd
$ sudo systemctl enable pcscd
$ gpg --card-status # Test by looking for connected cards (--card-edit is an interactive menu; --card-status just prints what it finds)
Remove machine from network
Remove all network cables from the machine.
Turn off all wifi devices on the machine.
Test by running:
$ ping 8.8.8.8
You should fail to connect.
Generate keys
- !!! BE OFFLINE !!!
- Create master key:
$ gpg --full-gen-key
- This master key should be 4096 bits in size.
- When asked: "Please select what kind of key you want:"
  Choose: "(1) RSA and RSA (default)"
- When asked: "What keysize do you want?"
  Choose: 4096
- When asked: "Please specify how long the key should be valid."
  Choose: 0 = key does not expire
A hexadecimal 'name' for the key you just generated (its fingerprint) should be displayed in the console.
Select it, and copy the text to the clipboard by right-clicking the highlighted text and choosing "copy".
$ gpg --edit-key KEYNAME
Create subkeys for actual use
One subkey for each of: Encrypt, Authenticate, Sign.
These subkeys should each be 2048 bits in size so they can fit onto all common smartcards.
Store keys to backup drives
- !!! BE OFFLINE !!!
- Create a folder to store our secret keys:
$ mkdir -vp '/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
- Change to the folder where we want to save the keys to:
$ cd '/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
- Secret keys:
$ gpg --output KEYNAME-20191129.masterkeys.txt --export-secret-keys --armor KEYNAME
$ gpg --output KEYNAME-20191129.subkeys.txt --export-secret-subkeys --armor KEYNAME
- Public keys:
## TODO
- Revocation certs:
## TODO
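The "Generate keys", "Create subkeys for actual use" and "Store keys to backup drives" steps above, scripted end to end as shell functions with a restore check at the end. This is an added example, not part of the wiki page or the Ctrl-S notes. It assumes GnuPG 2.1 or newer (for --quick-add-key and the revocation certificate gpg writes into openpgp-revocs.d/ at key creation), an unprotected demo key (the page's interactive flow sets a passphrase; drop %no-protection and the --passphrase '' flags for real use), subkeys that expire after one year (the page does not say), and placeholder names such as demo@example.org.

```shell
#!/bin/sh
# Added example, not from the wiki page: the "Generate keys", "Create subkeys
# for actual use" and "Store keys to backup drives" steps as shell functions,
# plus a restore check.  Assumptions (mine): GnuPG >= 2.1, an unprotected key
# (the page's interactive flow sets a passphrase instead), subkeys that expire
# after one year, and example names like demo@example.org.
set -eu

# Create a certify-only RSA master key in HOMEDIR and print its fingerprint.
# Usage: gpg_make_master HOMEDIR "Real Name" user@example.org [BITS]
gpg_make_master() {
    home=$1; name=$2; email=$3; bits=${4:-4096}
    mkdir -p "$home" && chmod 700 "$home"
    # Key-Usage: cert keeps sign/encrypt/auth off the master (those go on
    # subkeys).  Expire-Date: 0 = key does not expire, as the page chooses.
    gpg --homedir "$home" --batch --quiet --generate-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: $bits
Key-Usage: cert
Name-Real: $name
Name-Email: $email
Expire-Date: 0
%commit
EOF
    gpg --homedir "$home" --with-colons --list-keys "$email" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Add one subkey per role (sign, encrypt, authenticate), sized to fit
# common smartcards.  Usage: gpg_add_subkeys HOMEDIR FPR [BITS] [EXPIRE]
gpg_add_subkeys() {
    home=$1; fpr=$2; bits=${3:-2048}; expire=${4:-1y}
    for usage in sign encr auth; do
        gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
            --passphrase '' --quick-add-key "$fpr" "rsa$bits" "$usage" "$expire"
    done
}

# Print the subkey capability letters, sorted and space-separated ("a e s"
# when all three roles are present).  Usage: gpg_subkey_caps HOMEDIR EMAIL
gpg_subkey_caps() {
    gpg --homedir "$1" --with-colons --list-keys "$2" \
        | awk -F: '$1 == "sub" { print $12 }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Write the backup set the page lists into DESTDIR: armored public key,
# full secret keys, secret subkeys only, and the revocation certificate
# GnuPG >= 2.1 writes at key creation (it carries a leading ':' on its
# armor header so it cannot be imported by accident; remove that before use).
# Usage: gpg_export_backup HOMEDIR FPR DESTDIR YYYYMMDD
gpg_export_backup() {
    home=$1; fpr=$2; dest=$3; stamp=$4
    mkdir -p "$dest"
    gpg --homedir "$home" --batch --armor \
        --output "$dest/$fpr-$stamp.public.txt" --export "$fpr"
    gpg --homedir "$home" --batch --armor --pinentry-mode loopback --passphrase '' \
        --output "$dest/$fpr-$stamp.masterkeys.txt" --export-secret-keys "$fpr"
    gpg --homedir "$home" --batch --armor --pinentry-mode loopback --passphrase '' \
        --output "$dest/$fpr-$stamp.subkeys.txt" --export-secret-subkeys "$fpr"
    if [ -f "$home/openpgp-revocs.d/$fpr.rev" ]; then
        cp "$home/openpgp-revocs.d/$fpr.rev" "$dest/$fpr-$stamp.revoke.txt"
    else
        echo "warning: no auto-generated revocation certificate found" >&2
    fi
    # Checksums let the backup be verified later without a working gpg.
    ( cd "$dest" && sha256sum ./*.txt > SHA256SUMS )
}

# Restore check: import the backup into a scratch homedir and print the
# fingerprint that comes back; it must equal the original.
# Usage: gpg_restore_check BACKUPDIR EMAIL
gpg_restore_check() {
    tmp=$(mktemp -d /tmp/gpgrestore.XXXXXX)
    gpg --homedir "$tmp" --batch --quiet --import "$1"/*.masterkeys.txt
    gpg --homedir "$tmp" --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
    gpgconf --homedir "$tmp" --kill gpg-agent
    rm -rf "$tmp"
}

# Demo run (sh thisfile.sh demo): the whole flow in a scratch homedir.
if [ "${1:-}" = "demo" ]; then
    H=$(mktemp -d /tmp/gpgdemo.XXXXXX)
    FPR=$(gpg_make_master "$H" "Demo User" demo@example.org)
    gpg_add_subkeys "$H" "$FPR"
    echo "master $FPR, subkey caps: $(gpg_subkey_caps "$H" demo@example.org)"
    gpg_export_backup "$H" "$FPR" "$H/backup" "$(date +%Y%m%d)"
    echo "restored fingerprint: $(gpg_restore_check "$H/backup" demo@example.org)"
    gpgconf --homedir "$H" --kill gpg-agent
fi
```

The restore check is the part worth keeping even if you do everything else by hand: a backup that has never been imported into a clean keyring is an untested backup, and the fingerprint comparison plus the subkey capability string ("a e s") is a cheap way to confirm that both the master key and all three subkeys survived the export.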
Move the key to smartcard
- !!! BE OFFLINE !!!
## TODO
Erase keys from liveusb
- !!! BE OFFLINE !!!
$ rm -rf ~/.gnupg # GnuPG's home directory lives under the user's home, not at /
## TODO
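A slightly stronger version of the erase step above, as an added example that is not part of the wiki page: rm only unlinks the files, so this function overwrites each file with shred before removing the directory, and reports whether anything was left behind. The directory argument and the gpgconf agent shutdown are my choices; the caveat in the comments (overwrites are not guaranteed to reach the old blocks on flash media or on the casper-rw overlay) is the reason the page's approach of using a throwaway live USB is still the real control.

```shell
#!/bin/sh
# Added example, not from the wiki page: a safer "Erase keys from liveusb".
# rm only unlinks; shred overwrites each file before unlinking it.  Caveat
# (mine): on flash media and on the casper-rw overlay, overwriting is not
# guaranteed to reach the old blocks, so destroying the live USB's persistent
# partition afterwards is still the real control.
set -eu

# Overwrite and delete every file under DIR, then remove DIR itself.
# Returns 0 when DIR no longer exists, 1 if something is left behind.
# Usage: gpg_wipe_home [DIR]   (DIR defaults to ~/.gnupg)
gpg_wipe_home() {
    dir=${1:-"$HOME/.gnupg"}
    [ -d "$dir" ] || { echo "nothing to wipe: $dir" >&2; return 0; }
    # Stop any agent still holding key material in memory for this homedir.
    gpgconf --homedir "$dir" --kill gpg-agent 2>/dev/null || true
    # shred -u: overwrite (3 passes by default), then truncate and unlink.
    find "$dir" -type f -exec shred -u -- {} +
    rm -rf -- "$dir"
    [ ! -e "$dir" ]
}

# Demo run (sh thisfile.sh demo): wipe a scratch directory, never the real one.
if [ "${1:-}" = "demo" ]; then
    D=$(mktemp -d /tmp/gpgwipe.XXXXXX)
    mkdir -p "$D/private-keys-v1.d"
    printf 'constructed sample key material\n' > "$D/private-keys-v1.d/demo.key"
    gpg_wipe_home "$D" && echo "wiped $D"
fi
```

Run it with no arguments to load the function, or with `demo` to see it act on a constructed scratch directory; call it as `gpg_wipe_home` with no argument to target ~/.gnupg on the live USB.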
Setup public key side
## TODO
Set up key on machine we want to SSH to
## TODO
Sources
Guide to set up Ubuntu on a USB flash drive (full persistent install to USB drive): https://www.howtogeek.com/howto/14912/create-a-persistent-bootable-ubuntu-usb-flash-drive/
Guide to write Ubuntu installer to USB drive (does not support software install without modifications, see other guide): https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started
Ubuntu download page: https://ubuntu.com/download/desktop
Guides to set up a Yubikey device:
https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp
https://withinboredom.info/blog/2017/11/18/signing-commits-ssh-with-yubikey-and-windows/
Yubikey troubleshooting pages: https://support.yubico.com/support/solutions/articles/15000014892-troubleshooting-gpg-no-such-device-