GPG Guide

From Bibliotheca Anonoma
Revision as of 03:48, 12 February 2020 by Ctrl-s (talk | contribs) (Shopping list added)

Guide on creating and using GPG keys

WIP (Ctrl-S's job)


Guide for securely creating a PGP keyset. Currently most available smartcards support a maximum of 2048 bit RSA keys. Some smartcards support longer keys. This guide will use 2048 bit RSA keys for as much security as is currently practical.


Preparation

  • Determine where you want to store your secret keys.
  • I suggest a subfolder on each USB drive.

e.g.
'/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-12'
'/media/ubuntu/keystore02/gpg.ctrl-s.2020-02-12'
'/media/ubuntu/keystore03/gpg.ctrl-s.2020-02-12'

  • Decide how long you want the keys to remain valid.
  • It is supposed to be possible to increase this time at a later time, but I don't know how this shit works yet.


Buy stuff

You will need:

  • 1X Computer.
  • 1X (boot) USB flash drive 16GB+ (32GB+ USB3+ preferred).
  • 3X (keystore) USB flash drive.
  • 1X Pen/pencil.
  • 3X Pieces of paper.
  • 1+ Smartcard(s) that support OpenPGP (PGP/GPG), e.g. Yubico YubiKey 5 USB authenticator.


Create Ubuntu LiveUSB Environment

  • Have a USB flash drive (32GB+ USB3+ preferred).
  • Download the latest Ubuntu desktop ISO. Available from: https://ubuntu.com/download/desktop
  • Have an Ubuntu Linux environment to create the LiveUSB from.
  • Install the drive creation tools:
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:mkusb/ppa
$ sudo apt-get update
$ sudo apt install --install-recommends mkusb mkusb-nox usb-pack-efi

Find out what storage devices are connected:

$ lsblk
  • Figure out which device is your flash drive.

e.g. /dev/sdh


Write a persistent Ubuntu LiveUSB Environment to the flash drive

  1. Press the Windows key on your keyboard to bring up the Ubuntu app search screen.
  2. Type mkusb.
  3. Run the mkusb tool by clicking on it.
  4. Choose: i - "Install (make a boot device)".
  5. Choose: p - "Persistent live – only Debian and Ubuntu".
  6. Select the Ubuntu ISO file on your machine.
  7. Select the device that matches your USB drive to install onto.
  8. Choose just: "usb-pack-efi (default grub from ISO file)".
  9. Tell the program how much space to give the LiveUSB Ubuntu install for its own storage; about half of the disk should do (4GB+).
  10. Confirm everything is correct, as continuing with incorrect settings may destroy your data.
  11. If everything is correct, select "go" and click "go".
  12. Wait for the program to write to the USB drive.
  13. Choose: "Quit".
  14. Choose: "Quit".
  15. Press return in the console window to exit it.

Your USB drive should now be ready to boot from.


Boot liveUSB

  1. Have machine powered off.
  2. Insert bootable USB drive.
  3. Hold F2 while powering on the machine until the BIOS menu shows up.
  4. Choose to boot from the USB drive.
  5. The Ubuntu bootloader should autoselect the persistent LiveUSB.
  6. Let the machine boot into the persistent LiveUSB.
  7. The Ubuntu desktop environment should be displayed on your computer.


Update liveUSB software

Open a terminal window by pressing the three keys Ctrl-Alt-T simultaneously, then run the following commands. First, check how much free space you have:

 $ df -h

You should see a line containing /media/ubuntu/casper-rw, and it should have at least 1GB of space free. If this is not the case, you probably did not succeed with the previous steps. This alternative command should show only the disk partition we are interested in:

 $ df -h | grep casper-rw

Enable extra apt repositories: (You will need an internet connection for this part.)

$ sudo add-apt-repository universe
$ sudo add-apt-repository multiverse
## Update installed software:
$ sudo apt update # Update information about what software packages are available.
$ sudo apt upgrade -y # Upgrade to the latest available version of installed packages.


Enable smartcard support. (generic)

(You will need an internet connection for this part.)

$ sudo apt-get install scdaemon # This package does all the smartcard communication!
$ sudo systemctl start pcscd 
$ sudo systemctl enable pcscd
$ gpg --card-edit list # Test by looking for connected cards



Remove machine from network

Remove all network cables from the machine. Turn off all wifi devices on the machine. Test by running:

$ ping 8.8.8.8

You should fail to connect.


Generate keys

  • !!! BE OFFLINE !!!
  • Create master key:
$ gpg --full-gen-key
  1. This master key should be 4096 bits in size.
  2. When asked: "Please select what kind of key you want:"
Choose: "(1) RSA and RSA (default)"
  3. When asked: "What keysize do you want?"
Choose: 4096
  4. When asked: "Please specify how long the key should be valid."
Choose: 0 = key does not expire

A hexadecimal 'name' for the key you just generated should be displayed in the console. Select it, and copy the text to the clipboard by right-clicking the highlighted text and choosing "copy".

$ gpg --edit-key KEYNAME

Create subkeys for actual use

One subkey for each of: Encrypt, Authenticate, Sign. These subkeys should each be 2048 bits in size so they can fit onto all common smartcards.


Store keys to backup drives

  • !!! BE OFFLINE !!!
  • Create a folder to store our secret keys:
$ mkdir -vp '/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
  • Change to the folder where we want to save the keys to:
$ cd '/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'


  • Secret keys:
$ gpg --output KEYNAME-20191129.masterkeys.txt --export-secret-keys --armor KEYNAME
$ gpg --output KEYNAME-20191129.subkeys.txt --export-secret-subkeys --armor KEYNAME
  • Public keys:
## TODO
  • Revocation certs:
## TODO
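The key generation and backup steps above (one certify-only master key that never expires, then one sign, one encrypt and one authenticate subkey, then the exports) as a single added script; it is not part of the original guide and does not cover the smartcard transfer that is still TODO. It assumes GnuPG 2.1+ (for --quick-generate-key / --quick-add-key), runs in a throwaway GNUPGHOME you pass in, and the user ID and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide. Builds the keyset described
# above non-interactively in a throwaway GNUPGHOME, then writes the backups.
# Requires GnuPG 2.1+ (--quick-generate-key / --quick-add-key).
set -eu

# gpgb <gnupghome> ARGS...: gpg in batch mode with an empty loopback
# passphrase so the demo needs no pinentry. For the real offline run, drop
# --pinentry-mode/--passphrase so gpg prompts you for a passphrase.
gpgb() {
  h=$1; shift
  gpg --homedir "$h" --batch --pinentry-mode loopback --passphrase '' "$@"
}

# make_keyset <gnupghome> <user-id> <subkey-expiry> [master-algo] [sub-algo]
# Certify-only master key, no expiry (default rsa4096 as the guide says), plus
# sign, encrypt and authenticate subkeys (default rsa2048, the size common
# smartcards accept). Prints the master key fingerprint.
make_keyset() {
  home=$1; uid=$2; expire=$3
  master_algo=${4:-rsa4096}; sub_algo=${5:-rsa2048}
  mkdir -p "$home"; chmod 700 "$home"
  gpgb "$home" --quick-generate-key "$uid" "$master_algo" cert never
  fpr=$(gpg --homedir "$home" --list-secret-keys --with-colons "$uid" |
        awk -F: '$1 == "fpr" { print $10; exit }')
  for usage in sign encr auth; do
    gpgb "$home" --quick-add-key "$fpr" "$sub_algo" "$usage" "$expire"
  done
  printf '%s\n' "$fpr"
}

# count_subkeys <gnupghome> <fingerprint>: number of secret subkeys ("ssb").
count_subkeys() {
  gpg --homedir "$1" --list-secret-keys --with-colons "$2" | grep -c '^ssb:'
}

# export_keyset <gnupghome> <fingerprint> <outdir>: the files the backup
# step lists. The revocation certificate is the one gpg 2.1+ writes to
# openpgp-revocs.d/ at key creation, so no interactive --gen-revoke needed.
export_keyset() {
  home=$1; fpr=$2; out=$3
  mkdir -p "$out"
  gpgb "$home" --armor --output "$out/$fpr.masterkeys.txt" --export-secret-keys "$fpr"
  gpgb "$home" --armor --output "$out/$fpr.subkeys.txt" --export-secret-subkeys "$fpr"
  gpgb "$home" --armor --output "$out/$fpr.public.txt" --export "$fpr"
  cp "$home/openpgp-revocs.d/$fpr.rev" "$out/$fpr.revoke.txt"
}

# stop_agent <gnupghome>: stop the gpg-agent started for this homedir.
stop_agent() { gpgconf --homedir "$1" --kill gpg-agent; }
```

Point the outdir at the keystore folder created above to get the same four files there; the subkeys.txt export is the one you later load onto the smartcard.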


Move the key to smartcard

  • !!! BE OFFLINE !!!
## TODO



Erase keys from liveusb

  • !!! BE OFFLINE !!!
$ rm -rf ~/.gnupg
## TODO



Setup public key side

## TODO

Set up key on machine we want to SSH to

## TODO


Sources

Guide to set up Ubuntu on a USB flash drive (Full persistent install to USB drive): https://www.howtogeek.com/howto/14912/create-a-persistent-bootable-ubuntu-usb-flash-drive/

Guide to write Ubuntu installer to USB drive (Does not support software install without modifications, see other guide): https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started

Ubuntu download page: https://ubuntu.com/download/desktop

Guides to set up a Yubikey device:
https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp
https://withinboredom.info/blog/2017/11/18/signing-commits-ssh-with-yubikey-and-windows/

Yubikey troubleshooting pages: https://support.yubico.com/support/solutions/articles/15000014892-troubleshooting-gpg-no-such-device-