www.bundesbrandschatzamt.de
Babblings about Systems Administration.

Gpg

GNU Privacy Guard (GnuPG or GPG) was first released in 1999. Over the years it found a wide usage not only limited to exchanging encrypted emails. I want to give here a brief introduction how to configure it and where it could be used.

Just to name a few examples:

In this article I try to explain a few scenarios while researching gpg for myself. For example as of this writing you can store gpg keys on a Nitrokey or a Yubikey for a more secure setup.

If you have an older gpg key which was generated with gpg 2.0 you should retire it and replace it with a newer one. Especially if you have a DES key. ECC keys are still pretty new. If you use them for emails people might not be able to verify them as they have to use ECC as well. Plus the USB key cards like Nitrokey and Yubikey are using RSA. So I would recommend using RSA currently.

Some links you might want to follow are at the end of this page. If you want to know more about the history and read some examples on using gpg you might want to search on eBay for “PGP Pretty Good Privacy” by Simson Garfinkel published by OReilly. Yes. It is dated. But it gives a very good introduction for encryption and asymmetric encryption.

You always create a private and a public key. The private one is for you and you send the public key to anybody who wishes to send you something encrypted. Then you can use your private key to decrypt it. Aside from encryption you can as well sign files and messages. Then somebody can use your public key to verify that nobody modified it.

If you start learning about gpg you will read the term subkey. To prove authenticity people around you might sign your public key. That means if you loose your primary key you would have to start over. Here comes the subkey: You use your primary key to create them thus the signatures are inherited by the subkey. So everybody can see that this subkey belongs to you. If you wish to expire a subkey or switch to a new one your chain of verification is still valid. Everybody can see that the new subkey is indeed yours and authentic.

Even though they are called subkeys in fact they are keys on their own. You might think if something is encrypted for you that you could decrypt it with all your subkeys. Sorry but that’s not the case. Only the newest subkey in your public key will get used to encrypt the files. So if you create a new subkey you are not able to open older files you received with them. And you have to publish a new version of your public key. To summarize every one of your keys and subkeys are important if you want to open mails and files in a year or two. Make copies of them and store them somewhere only you can reach them. Like USB keys in a vault. And I am not talking about Yubikey or Nitrokey here. You might even want to print them out as well. But keep in mind that you have to get them back into the computer again. Maybe you trust OCR to scan them. In the 80s we used to have computer magazines with printed computer programs. To make life easier and verify that there are no typos there was a hashsum for every row of that listing. I am in the process of creating a Type-in program for Emacs. You can print your private key and if necessary enter it again and check the hashes for verification. Without that you just have the CRC of the complete key. I don’t know about you but I prefer to proofread only one row.

gpg has a parameter --homedir. Use it to play around with gpg and answer your open questions for yourself. As long as you don’t publish a public key you can do what you want. Create multiple keys in separate directories. Encrypt files. Try to decrypt them. Exchange public keys between the different home folders. This helps a lot to get used to gpg and understand how it is working. And maybe use something like Org Mode and take notes.

Normally if you encrypt something for somebody you are not able to decrypt the message again. This is very useful in countries without democracy. If they capture you and the encrypted message you are unable to decrypt it and you are on your own. All others might want to switch default-recipient-self to on in the ~/.gnupg/gpg.conf file.

creating keys

Before you start get 2 separate USB Keys. Not from the same manufacturer and definitely not from the same batch. That way you avoid having 2 keys going bad at the same time.

More details can be found in the GNU Privacy Handbook.

To create keys you just have to install gpg and run

gpg --homedir ~/.gnupg_private/ --full-generate-key

use “RSA and RSA”, 4096 bits and no expiration.

Find the just created key id by running:

gpg --homedir ~/.gnupg_private/ --list-keys --keyid-format short

Now we have to edit the key and add a subkey:

gpg --homedir ~/.gnupg_private/ --edit-key C88D8822
# addkey
# 6 RSA (encrypt only)
# 3072
# 2y

if you want to add a photo:

convert -resize 240x240 -quality 55 -strip -sampling-factor 4:2:0 -define jpeg:extent=6kb orig.jpeg gpg.jpeg
gpg --homedir ~/.gnupg_private/ --edit-key C88D8822
# addphoto

Now is a good time to do a backup:

gpg --homedir ~/.gnupg_private/ --export-secret-keys --armor yourNOSPAMemail.com >sec-key.asc

These commands transfer the key to the Keycard (eg Yubikey or Nitrokey) and remove them from your homedir:

gpg --homedir ~/.gnupg_private/ --edit-key C88D8822
# list
# select your sub key
# key keyid
# keytocard

Yes. You can generate keys on those keycards. But then they cannot be transfered to a second keycard. You might think it’s more secure that way. But if that keycard stops working you loose access to data. That’s why I prefer to generate them on a computer and transfer them.

With your usb smartcard you want to set the owner:

gpg --edit-card
# admin
# name

If you run your own webserver and domain for your email you can publish the public key on that system without using public key servers:

From this command you get the hash for the filename on the webserver:

gpg --with-wkd-hash --fingerprint fooNOSPAMbar.com

export your public key via

gpg --home-dir ~/.gnupg_private/ --output pubkey --export baronNOSPAMbundesbrandschatzamt.de

On the webserver we have to create a directory structure:

mkdir -p /var/www/html/.well-known/openpgpkey/hu
mkdir /var/www/html/.well-known/openpgpkey/yourdomain
cd /var/www/html/.well-known/openpgpkey/yourdomain/
touch policy
cd /var/www/html/.well-known/openpgpkey/hu/
# take your wkd-hash as a filename and save your exported pubkey file.

This works in smaller setups where keys are seldomly updated. In a company setup you want to look into running your own keyserver like Hockeypuck or OpenPGP-CA. Especially if you are inside the European Union where laws apply with whom to share company data and public key servers are not an option.

And you want to store the url to get the public key for your new key on that NitroKey:

gpg --edit-card
# admin
# url

After inserting the NitroKey to a different computer check that your webserver is configured properly:

gpg --edit-card
# fetch

If you have 2 Nitrokeys with the same gpg keys installed and want to switch to your second Nitrokey:

gpg --list-secret-keys --with-keygrip

Find the keygrip for your key and delete the file:

rm ~/.gnupg/private-keys-v1.d/keygripfile

Now kill your gpg-agent and reread the card status of the 2nd card:

gpgconf --kill gpg-agent
gpg --card-status

After creating the key you should as well generate a revocation file:

gpg --output revoke.asc --gen-revoke mykey

Store everything on those 2 keys as well. Print the private key and the revocation certificate file.

handling uids

With gpgkeys you can have one or more ids. Like email addresses. Especially if you use a Nitrokey you might consider using the same gpg key for private and work related encryption. It’s up to you but I don’t see a problem with it. At first you shouldn’t encrypt anything for your employer without another recipient. On the other hand they can still reach out to you and you re-encrypt it to another recipient. So IMHO there is no reason for your employer to request handing out your private key from you. Nowadays everybody is using Linkedin. So your employer isn’t private anyway. If you want to hide your private account there is an option. The uids are stored in the public key. You can export different public keys. Like one copy with only your private address and one copy with your work address. Of course they still use the same private key fingerprint. But if somebody traces down the fingerprint i am pretty sure he is able to connect the dots anyway.

Just export them and hand them over separately:

gpg --export-options filter-export  --export-filter keep-uid='mbox=foo.barNOSPAMhome.net' --export foo.barNOSPAMhome.net >publickey_home.pub
gpg --export-options filter-export  --export-filter keep-uid='mbox=foo.barNOSPAMwork.com' --export foo.barNOSPAMwork.com >publickey_work.pub

gpg4win

On Windows you might want to install Gpg4win.

After installation of Gpg4Win we have

C:\Program Files (x86)\GnuPG\bin

here we can run

./gpg.exe --edit-card
# fetch

In my setup I run Cygwin. Yes. It has been around for a long time. On smaller devices with less power it is still a better option compared to the Windows Subsystem for Linux (WSL). Cygwin comes with an older version of gpg but we can incorporate the gpg4win version:

mkdir ~/bin
ln -s /cygdrive/c/Program\ Files\ \(x86\)/GnuPG/bin/gpg.exe ~/bin/gpg
export PATH=~/bin/:PATH

GPGTools

On Apple we can use the GPG Suite. As typical for OSX it is self-explanatory.

encrypted files

You got an encrypted file and want to know which key was used?

gpg --pinentry-mode cancel --list-packets file.gpg

This comes especially handy if you retire keys and want to know if you have to re-encrypt a file with your new key.

rpm

In the Linux world you might have seen gpg for signing rpm packages.

If you build rpm packages it might be as easy as having these lines in your ~/.rpmmacros:

# %_topdir    /usr/local/src/debug
%_signature gpg
%_gpg_path /home/baron/.gnupg
%_gpg_name Your Name <fooNOSPAMbarf.com>
%_gpgbin /usr/bin/gpg
%packager Your Name <fooNOSPAMbarf.com>
%_topdir      %(echo $HOME)/rpmbuild
%_smp_mflags  -j3
%__arch_install_post   /usr/lib/rpm/check-rpaths   /usr/lib/rpm/check-buildroot

Emacs

If you live in the Emacs world you can integrate gpg and open gpg encrypted files seamless. Have a look into the EasyPG Assistant manual as well! One use case might be storing secrets in an orgmode file. For that you have to configure a few things in your Emacs configuration file:

(let ((path (shell-command-to-string ". ~/.bashrc >/dev/null; echo -n $GPG_AGENT_INFO")))
              (setenv "GPG_AGENT_INFO" path)
              )

;; Do not use gpg agent when runing in terminal
(if (>= emacs-major-version 25)
(defadvice epg--start (around advice-epg-disable-agent activate)
  (let ((agent (getenv "GPG_AGENT_INFO")))
    (when (not (display-graphic-p))
      (setenv "GPG_AGENT_INFO" nil))
    ad-do-it
    (when (not (display-graphic-p))
      (setenv "GPG_AGENT_INFO" agent)))))

(defun bba-epa-list-packets ()
  "List who can decrypt the current file"
  (interactive)
  (let ((bba-epa-filename (buffer-file-name))
    (bba-epa-packets-buffer (generate-new-buffer "*Packets*")))
    (set-buffer bba-epa-packets-buffer)
    (insert (shell-command-to-string (concat "gpg --list-packets " bba-epa-filename))
    )
 ))

git

Even if you are not a programmer I highly recommend using git source control systems. They are very useful for handling configuration files for your own user and writing documentation as you can always roll back in time. With the right frontend they are easy to use. My preferred one is Magit. In addition you can then use git-secret for storing encrypted files.

With git-secret you are able to not only encrypt files for yourself but share secret files with your team mates or even in an programmatic setup.

Aside from storing gpg encrypted files in git with git-secret you can sign your commits as well.

Anybody could fake your name and email and modify your commit. right? Well. You can sign your commits. Just add a few lines to your ~/.gitconfig:

[user]
        name = Foo Bar
        signingKey = 494958F
[commit]
        gpgSign = true

As you can see if you have different keys you can define which one gets used for your commits if you use the key instead of the email. Of course you can do that as well on a per git repository level instead of globally.

To see the gpg informartion use a special parameter for git log:

git log --show-signature -1

For more details check the git book.

On git servers like github or bitbucket there might be options to allow only gpg signed commits.

Frontends

As a general purpose frontend you can use Gpg4win, GPG Tools Suite. For Linux i can’t give a recommendation as i haven’t used Linux on the Desktop in the last 6 years. You might want to have a look into GnuPG Shell, GPA, KGpg or Seahorse. On iOS IPGMAIL is available.

If you want to decouple your gpg keys from your computer you can use something like YubiKey or Nitrokey.

https://gnupg.org/ftp/blurbs/kernel-recipes-2017-modern-key-management.pdf

Openvpn

for openvpn you could use this:

gpg -d -a < client.openvpn.gpg | sudo openvpn --config /dev/stdin

Have a look into https://acksyn.org/docs/smart-cards-openvpn.html as well.

ssh

requires a subkey with Authentication feature

https://gist.github.com/btcdrak/73f7b54eafbed2a3f10f41375a04cb6d https://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ssh-agent-setup/

to use gpg for ssh:

add

echo 'enable-ssh-support' >>~/.gnupg/sshcontrol
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpg2 -K --with-keygrip

pick the Keygrip for your key and add it to your ~/.gnupg/sshcontrol.

echo '7AB307BD643959946F188258CFB1D58D2FB09E42' >> ~/.gnupg/sshcontrol

as usual you can now run

ssh-add -L

and add your public key to your authorized_keys files as usual.

summary

As you can see there are a ton of use cases.

If you are into Puppet automation you might want to look into hiera-eyaml-gpg.

For Mail on Mobile i have to try IPGMAIL. Learning is an ongoing process. This applies to GPG as well. So there might be an update coming in the future on this blog.

Links