'(GPG Howto)
Audience: anyone
Keywords: gpg security privacy encryption
❧❧❧
At one point I thought changing my name might help with privacy, but that was before the Internet. — Olivia Wilde
Have you ever told a secret to a friend? Made a transaction at your bank? Wrote an entry in your diary? Invented a secret handshake? Been to the doctor? Got a "steal" sign from your baseball coach? All of these should be private — between you and the person or thing you’re communicating with. There are two main technical standards for privacy: TLS/SSL and OpenPGP. TLS/SSL are what’s used to secure the forms you fill out on web pages, and handle secure "connections". In this episode we’ll learn all about OpenPGP, AKA Pretty Good Privacy. This is what’s used to encrypt, sign, and verify (prove who the person is) any message or file you write or read. It uses a pair of "keys" to do these jobs.
GPG is the tool we’ll focus on that implements the OpenPGP standard. It’s been around for 20+ years and is the industry standard for encrypting, signing, and verifying the contents and senders of messages and files. It’s also pretty fun to use.
The users of OpenPGP form a club of folks who want to build a "Web Of Trust" (WOT). Anyone can get in; all you need is:
-
A little knowledge of the
gpg
tool (which you’ll get here) -
Some official identification for yourself
-
A willingness to meet people to verify their identity and sign their keys
(I hope you’re already using Zsh. If not, see previous episodes to get up to speed.)
Zsh has great command completion for gpg
. Make sure you’re tab
-ing all the
time to auto-complete options and arguments.
Is it worth the effort/trouble?
In order to join certain mailing lists and development groups (fedora), the first thing you may be asked for is your GPG public key.
Some people you work with are going to require that your emails to them be signed.
If you develop and distribute a software package, many of your users may
expect to be able to download your public key in order to verify that the
software comes from you. (pacman -Qi coreutils
).
(https://wiki.archlinux.org/index.php/pacman-key) Though it’s more typically
just a hash (MD5/SHA1).
Go get some official identification
To make any of this OpenPGP stuff legit, you’re going to need some real ID. Many kids don’t have ready access to a common ID card. But they should.
You absolutely need some sort of official ID. This could be a driver’s licence, identification card (get this from your local DMV; no age requirement), school student-body card, birth certificate/card, social security card. ([ID cards in California](http://www.dmv.ca.gov/dl/dl_info.htm#idcard))
If you don’t think you have a need for a passport, just pick up a state ID card from your DMV. It’s easy and cheap. Too many kids don’t have ID that they can readily show. So go get one.
Commands (not options)
GPG has several commands. They come near the end of the invocation. The ones we’ll care about are:
--gen-key --gen-revoke --list-keys -k --verify --encrypt -e --decrypt -d --sign -s --cl(earsign) --fin(gerprint)
Some later uses:
--fingerprint --recv-keys --send-keys --edit-key
Options alter the way commands behave. Most of the options we can set permanently in our config file. We’ll get to that later. But here are some important ones:
--armor --recipient -r
Creating your own key
When creating your keys, you’ll want to ensure that your name is identical to what’s on your ID cards. If you use your middle name or initial on them, type it exactly as it shows on them.
% gpg --gen-key > 1 > 4096 > 1y > Your Full Real Name > [email protected] > student and hacker > confirm
Now you need to generate some entropy! Moving your mouse around as instructed might not be enough. Here’s something to run which will speed things up.
% haveged -n 0 | dieharder -g 200 -a
Take a look at your new key!
gpg --list-keys
gpg --list-keys you«tab»
Revocation key
Adding a picture
Your pic should be a JPEG of dimensions 240 wide by 288 tall. Aim for 4 KB in
size. If you don’t have a good headshot, use your webcam with a solid
background. Capture part of your shoulderblades, and all of your head. Crop it
down, and export to a fairly low resolution/quality. I like gimp
for this.
Tune the size until you get down to ~4KB. (show vid of how to do this)
Now let’s add it.
gpg --edit-key <your-key-ID> addphoto > /full/path/to/you.jpg > save
GnuPG will then ask you for the filename of your JPEG image. Specify the complete path.
Configuration
There’s a file in your ~/.gnupg
directory called gpg.conf
. This contains
several settings that affect the way gpg
behaves. Here are the settings
you’ll want to enable:
% vim ~/.gnupg/gpg.conf --- keyserver hkp://keys.gnupg.net no-greeting keyserver-options auto-key-retrieve armor list-options show-photos photo-viewer "feh --title 'GPG: KeyID 0x%k' %i" keyid-format long
Upload your key to a key server
Upload your key after once you’re absolutely certain you’ve done this as described. Once a key gets posted, the only way to remove it is with a revocation key.
Getting others' keys
gpg --recv-keys
gpg --import
Get a [well trusted GPG guru’s key](http://pgp.mit.edu/pks/lookup?op=vindex&search=0x9CDD9A214EBA9723). Take a look at that page and note that his keyID is 4EBA9723
. Grab it.
gpg --recv-keys 4EBA9723
Now let’s search for someone else’s key. Visit [the GPG search tool](http://pgp.mit.edu/).
Actually, we can do it from the command line:
gpg --sea(rch-keys)
Search for "Richard Stallman". Notice that there are several of them. How do you know which to trust? Head over to his site and note his message:
"to be really sure which key is mine, you need to get my key fingerprint from me or follow a chain of signatures."
Here’s a security legend: Bruce Schneier
Some people post their pubkeys on their websites. Here are a couple examples:
-
Bruce Schneier: https://www.schneier.com/contact.html
-
Postmodern: http://postmodern.github.io/contact.html
How to make sense of gpg output
Bruce Schneier no longer keeps his current valid key on a key server. You have
to go to his site to download it. Actually, select and copy it from that page
and paste it into pubkey.schneier.com.asc
.
Now let’s import it. This is essentially the same thing as a --recv-keys
does.
gpg --import pubkey.schneier.com.asc
Let’s look at Bruce Schneier’s GPG info:
9A98966F
Notice that both of these luminaries are now using 4096-bit keys. That’s why we bumped ours up, too.
Testing dummy keys
Generate a new user on your system, or partner up with a friend.
Exchanging keys with people you meet
You should only sign keys for persons you meet face-to-face. The goal is to verify their identity, not how good of a person she is. Here’s what you need from them.
Inspecting someone’s key
Check their fingerprint
View their picture. gpg --list-keys --list-options show-photo mde
Key-signing parties
Other tools
Entropy generation (haveged, dieharder): haveged -n 0 | dieharder -g 200 -a
Seahorse key manager GUI
Other cool uses for GPG
-
bitcoin privacy
Terminology
-
Web Of Trust (WOT) — a network of folks who have signed each others' keys
-
subkey — same as a pubkey (public key); pub and priv are each "sub"-keys since it takes them both together to make the "full" key.
-
key server — keys.gnupg.net, pgp.mit.edu
-
PKI — Public Key Infrastructure (the systems, people, and keys that service the WOT)
-
gpg
— CLI interface with a lot of options -
.asc
— a plain ASCII file encoding; basically plain readable (not binary) text -
.sig
-
fingerprint — a long hex string identifying they person/key; view with:
-
keyID — a short version of the fingerprint; these are shown everywhere! eg,
299C28F0
-
signature — the signings of a given key, the more the better
-
signing
-
hkp — Horowitz Key Protocol, eg: hkp://pgp.mit.edu
-
certificate
-
non-repudiation
-
rsa — the only algorithm you’ll want to use
-
base64 — the encoding of ascii you can read