Tyler Cipriani: pages tagged pgp
Tyler Cipriani
https://tylercipriani.com/tags/pgp/
Tyler Cipriani
ikiwiki
2017-02-14T15:11:05Z
GPG Security things
https://tylercipriani.com/blog/2016/09/02/gpg-subkeys/
Tyler Cipriani
Creative Commons Attribution-ShareAlike License
Copyright © 2017 Tyler Cipriani
2017-02-14T15:11:05Z
2016-09-02T23:29:05Z
<section id="revocation-cert" class="level2">
<h2>Revocation Cert <a href="https://tylercipriani.com/tags/pgp/#revocation-cert">¶</a></h2>
<p>Needed to revoke your key should the master signing/certifying key ever be compromised</p>
<div class="sourceCode" id="cb1" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb1-1" title="1"><span class="ex">gpg</span> --output <span class="dt">\<</span>tyler@tylercipriani.com<span class="dt">\></span>.gpg-revocation-certificate --gen-revoke tyler@tylercipriani.com</a>
<a class="sourceLine" id="cb1-2" title="2"><span class="fu">lpr</span> <span class="dt">\<</span>tyler@tylercipriani.com<span class="dt">\></span>.gpg-revocation-certificate</a>
<a class="sourceLine" id="cb1-3" title="3"><span class="fu">shred</span> --remove <span class="dt">\<</span>tyler@tylercipriani.com<span class="dt">\></span>.gpg-revocation-certificate</a></code></pre></div>
<p>store printed revocation cert in file or safe-deposit box</p>
</section>
<section id="key-backup" class="level2">
<h2>Key backup <a href="https://tylercipriani.com/tags/pgp/#key-backup">¶</a></h2>
<p><a href="http://www.jabberwocky.com/software/paperkey/">Paperkey</a></p>
<p>Download paperkey and its gpg signature</p>
<div class="sourceCode" id="cb2" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb2-1" title="1"><span class="fu">wget</span> -c http://www.jabberwocky.com/software/paperkey/paperkey-1.3.tar.gz</a>
<a class="sourceLine" id="cb2-2" title="2"><span class="fu">wget</span> -c http://www.jabberwocky.com/software/paperkey/paperkey-1.3.tar.gz.sig</a></code></pre></div>
<p>Get David Shaw's public key (0x99242560) from your keyserver of choice</p>
<div class="sourceCode" id="cb3" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb3-1" title="1"><span class="ex">gpg</span> --search-keys <span class="st">'dshaw@jabberwocky.com'</span></a></code></pre></div>
<p>Verify you have downloaded the right paper key and that the level of trust is sufficient for your purposes</p>
<div class="sourceCode" id="cb4" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb4-1" title="1"><span class="ex">gpg</span> --verify Downloads/paperkey-1.3.tar.gz.sig paperkey-1.3.tar.gz</a>
<a class="sourceLine" id="cb4-2" title="2"><span class="ex">gpg</span>: Signature made Thu 03 Jan 2013 09:18:32 PM MST using RSA key ID FEA78A7AA1BC4FA4</a>
<a class="sourceLine" id="cb4-3" title="3"><span class="ex">gpg</span>: Good signature from <span class="st">"David M. Shaw <dshaw@jabberwocky.com>"</span> [unknown]</a>
<a class="sourceLine" id="cb4-4" title="4"><span class="ex">gpg</span>: WARNING: This key is not certified with a trusted signature!</a>
<a class="sourceLine" id="cb4-5" title="5"><span class="ex">gpg</span>: There is no indication that the signature belongs to the owner.</a>
<a class="sourceLine" id="cb4-6" title="6"><span class="ex">Primary</span> key fingerprint: 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560</a>
<a class="sourceLine" id="cb4-7" title="7"> <span class="ex">Subkey</span> fingerprint: A154 3829 812C 9EA9 87F1 4526 FEA7 8A7A A1BC 4FA4</a></code></pre></div>
<p>If you have a good signature from davidExtract and install</p>
<div class="sourceCode" id="cb5" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb5-1" title="1"><span class="fu">tar</span> xvzf paperkey-1.3.tar.gz</a>
<a class="sourceLine" id="cb5-2" title="2"><span class="fu">rm</span> paperkey-1.3.tar.gz</a>
<a class="sourceLine" id="cb5-3" title="3"><span class="bu">cd</span> paperkey-1.3</a>
<a class="sourceLine" id="cb5-4" title="4"><span class="ex">./configure</span></a>
<a class="sourceLine" id="cb5-5" title="5"><span class="fu">make</span></a>
<a class="sourceLine" id="cb5-6" title="6"><span class="fu">sudo</span> make install</a></code></pre></div>
<p>Print you secret key</p>
<div class="sourceCode" id="cb6" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb6-1" title="1"><span class="ex">gpg</span> --export-secret-key tyler@tylercipriani.com <span class="kw">|</span> <span class="ex">paperkey</span> <span class="kw">|</span> <span class="fu">lpr</span></a></code></pre></div>
<p>Store it in your file or safe-deposit-box</p>
</section>
<section id="subkeys" class="level2">
<h2>Subkeys <a href="https://tylercipriani.com/tags/pgp/#subkeys">¶</a></h2>
<p><a href="https://alexcabal.com/creating-the-perfect-gpg-keypair/">Good Resource</a></p>
<p>By default, GnuPG creates a key for signing and an encryption subkey:</p>
<div class="sourceCode" id="cb7" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb7-1" title="1"><span class="ex">gpg</span> --list-keys tyler</a></code></pre></div>
<table>
<tbody>
<tr class="odd">
<td>pub</td>
<td>rsa4096</td>
<td>2014-02-19</td>
<td>[SC]</td>
<td></td>
</tr>
<tr class="even">
<td>6237D8D3ECC1AE918729296FF6DAD285018FAC02</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr class="odd">
<td>uid</td>
<td>[ultimate]</td>
<td>Tyler</td>
<td>Cipriani</td>
<td><tyler@tylercipriani.com></td>
</tr>
<tr class="even">
<td>sub</td>
<td>rsa4096</td>
<td>2014-02-19</td>
<td>[E]</td>
<td></td>
</tr>
<tr class="odd">
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>
<p>You can add a new subkey with the command</p>
<div class="sourceCode" id="cb8" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb8-1" title="1"><span class="ex">gpg</span> --edit-key tyler</a>
<a class="sourceLine" id="cb8-2" title="2"><span class="ex">gpg</span><span class="op">></span> addkey</a></code></pre></div>
<p>And then you should see</p>
<div class="sourceCode" id="cb9" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb9-1" title="1"><span class="ex">gpg</span> --list-keys tyler</a></code></pre></div>
<table>
<tbody>
<tr class="odd">
<td>pub</td>
<td>rsa4096</td>
<td>2014-02-19</td>
<td>[SC]</td>
<td></td>
<td></td>
</tr>
<tr class="even">
<td>6237D8D3ECC1AE918729296FF6DAD285018FAC02</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr class="odd">
<td>uid</td>
<td>[ultimate]</td>
<td>Tyler</td>
<td>Cipriani</td>
<td><tyler@tylercipriani.com></td>
<td></td>
</tr>
<tr class="even">
<td>sub</td>
<td>rsa4096</td>
<td>2014-02-19</td>
<td>[E]</td>
<td></td>
<td></td>
</tr>
<tr class="odd">
<td>sub</td>
<td>rsa4096</td>
<td>2016-09-02</td>
<td>[S]</td>
<td>[expires:</td>
<td>2018-09-02]</td>
</tr>
<tr class="even">
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>
<p>You can then remove your certification master key (make sure you've gone through the <a href="https://tylercipriani.com/tags/pgp/#key-backup">key backup</a> process before you do this!)</p>
<ol>
<li>Export all your secret subkeys</li>
<li>Remove all your secret keys from your keyring</li>
<li>Reimport only your subkeys</li>
</ol>
<div class="sourceCode" id="cb10" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb10-1" title="1"><span class="ex">gpg</span> --export-secret-subkeys tyler <span class="op">></span> subkeys</a>
<a class="sourceLine" id="cb10-2" title="2"><span class="ex">gpg</span> --delete-secret-key tyler</a>
<a class="sourceLine" id="cb10-3" title="3"><span class="ex">gpg</span> --import subkeys</a>
<a class="sourceLine" id="cb10-4" title="4"><span class="fu">shred</span> --remove subkeys</a></code></pre></div>
<p>Now <code>gpg --list-keys</code> shows a <code>#</code> next to <code>sec#</code> next to my <code>[SC]</code> key. This indicates that the key is no longer accessible.</p>
</section>
GPG Things
https://tylercipriani.com/blog/2015/12/02/gpg/
Tyler Cipriani
Creative Commons Attribution-ShareAlike License
Copyright © 2017 Tyler Cipriani
2017-02-14T15:11:05Z
2015-12-03T00:27:40Z
<section id="get-your-fingerprint" class="level2">
<h2>Get your fingerprint: <a href="https://tylercipriani.com/tags/pgp/#get-your-fingerprint">¶</a></h2>
<div class="sourceCode" id="cb1" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb1-1" title="1"><span class="ex">gpg</span> --list-secret-keys --fingerprint</a></code></pre></div>
</section>
<section id="get-someone-elses-key" class="level2">
<h2>Get someone elses key <a href="https://tylercipriani.com/tags/pgp/#get-someone-elses-key">¶</a></h2>
</section>
<section id="using-email" class="level2">
<h2>Using email <a href="https://tylercipriani.com/tags/pgp/#using-email">¶</a></h2>
<div class="sourceCode" id="cb2" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb2-1" title="1"><span class="ex">gpg2</span> --search-keys EMAIL</a></code></pre></div>
</section>
<section id="using-keyid" class="level2">
<h2>Using keyid <a href="https://tylercipriani.com/tags/pgp/#using-keyid">¶</a></h2>
<div class="sourceCode" id="cb3" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb3-1" title="1"><span class="ex">gpg2</span> --recv-key KEYID</a></code></pre></div>
</section>
<section id="sign-keys" class="level2">
<h2>Sign keys <a href="https://tylercipriani.com/tags/pgp/#sign-keys">¶</a></h2>
<div class="sourceCode" id="cb4" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb4-1" title="1"><span class="ex">gpg2</span> --recv-key KEYID</a>
<a class="sourceLine" id="cb4-2" title="2"><span class="ex">gpg2</span> --sign-key KEYID</a>
<a class="sourceLine" id="cb4-3" title="3"><span class="ex">gpg2</span> --send-key KEYID</a></code></pre></div>
</section>
<section id="photos" class="level2">
<h2>Photos <a href="https://tylercipriani.com/tags/pgp/#photos">¶</a></h2>
</section>
<section id="view-someones-photo" class="level2">
<h2>View someone's photo <a href="https://tylercipriani.com/tags/pgp/#view-someones-photo">¶</a></h2>
<div class="sourceCode" id="cb5" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb5-1" title="1"><span class="ex">gpg</span> --edit-key KEYID showphoto</a></code></pre></div>
</section>
<section id="add-a-photo" class="level2">
<h2>Add a photo <a href="https://tylercipriani.com/tags/pgp/#add-a-photo">¶</a></h2>
<p>Suggested image sizes are 240x288 pixels (GnuPG) or 120x144 pixels (PGP) to make a JPEG of 4K-6K in size. A 1.2 h:w ratio <code>w = h / (144 / 120)</code></p>
<div class="sourceCode" id="cb6" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb6-1" title="1"><span class="ex">gpg</span> --edit-key KEYID addphoto</a></code></pre></div>
</section>
<section id="keysigning-party-etherpad" class="level2">
<h2>Keysigning party etherpad <a href="https://tylercipriani.com/tags/pgp/#keysigning-party-etherpad">¶</a></h2>
</section>
<section id="to-sign-keys" class="level2">
<h2>To Sign keys <a href="https://tylercipriani.com/tags/pgp/#to-sign-keys">¶</a></h2>
<div class="sourceCode" id="cb7" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb7-1" title="1"><span class="ex">gpg2</span> --recv-key KEYID</a>
<a class="sourceLine" id="cb7-2" title="2"><span class="ex">gpg2</span> --sign-key KEYID</a>
<a class="sourceLine" id="cb7-3" title="3"><span class="ex">gpg2</span> --send-key KEYID</a></code></pre></div>
</section>
<section id="script-to-quickly-sign-all-keys" class="level2">
<h2>Script to quickly sign all keys <a href="https://tylercipriani.com/tags/pgp/#script-to-quickly-sign-all-keys">¶</a></h2>
<div class="sourceCode" id="cb8" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb8-1" title="1"> <span class="kw">for</span> <span class="ex">k</span> in <span class="va">$(</span><span class="fu">grep</span> pub ksp-wmf-20160108.txt <span class="kw">|</span> <span class="fu">awk</span> <span class="st">'{print $2}'</span> <span class="kw">|</span> <span class="fu">awk</span> -F <span class="st">'/'</span> <span class="st">'{print $2}'</span><span class="va">)</span><span class="kw">;</span> <span class="kw">do</span></a>
<a class="sourceLine" id="cb8-2" title="2"> <span class="bu">echo</span> <span class="st">"Receiving </span><span class="va">$k</span><span class="st">"</span></a>
<a class="sourceLine" id="cb8-3" title="3"> <span class="ex">gpg2</span> --recv-key <span class="va">$k</span></a>
<a class="sourceLine" id="cb8-4" title="4"> <span class="bu">echo</span> <span class="st">"Signing key </span><span class="va">$k</span><span class="st">"</span></a>
<a class="sourceLine" id="cb8-5" title="5"> <span class="ex">gpg2</span> --sign-key <span class="va">$k</span></a>
<a class="sourceLine" id="cb8-6" title="6"> <span class="bu">echo</span> <span class="st">"Sending key </span><span class="va">$k</span><span class="st">"</span></a>
<a class="sourceLine" id="cb8-7" title="7"> <span class="ex">gpg2</span> --send-key <span class="va">$k</span></a>
<a class="sourceLine" id="cb8-8" title="8"><span class="kw">done</span></a></code></pre></div>
</section>
<section id="if-you-need-a-key-get-help" class="level2">
<h2>IF YOU NEED A KEY, GET HELP!! <a href="https://tylercipriani.com/tags/pgp/#if-you-need-a-key-get-help">¶</a></h2>
</section>
<section id="resources" class="level2">
<h2>Resources <a href="https://tylercipriani.com/tags/pgp/#resources">¶</a></h2>
<p>PGP/GPG Intro</p>
<ul>
<li><a href="https://ssd.eff.org/en/module/introduction-public-key-cryptography-and-pgp">https://ssd.eff.org/en/module/introduction-public-key-cryptography-and-pgp</a></li>
<li><a href="https://ssd.eff.org/en/module/how-use-pgp-mac-os-x">https://ssd.eff.org/en/module/how-use-pgp-mac-os-x</a></li>
</ul>
<p>OpenPGP Best practices</p>
<ul>
<li><a href="https://help.riseup.net/en/gpg-best-practices">https://help.riseup.net/en/gpg-best-practices</a></li>
<li><a href="https://help.riseup.net/en/security/message-security/openpgp/gpg-keys">https://help.riseup.net/en/security/message-security/openpgp/gpg-keys</a></li>
</ul>
<ul>
<li><a href="http://web.monkeysphere.info/monkeysign/">http://web.monkeysphere.info/monkeysign/</a></li>
</ul>
</section>
<section id="wmf-keysigning" class="level2">
<h2>WMF Keysigning <a href="https://tylercipriani.com/tags/pgp/#wmf-keysigning">¶</a></h2>
<p><a href="https://people.wikimedia.org/~faidon/ksp-wmf-20160108.txt">https://people.wikimedia.org/~faidon/ksp-wmf-20160108.txt</a></p>
<div class="sourceCode" id="cb9"><pre class="sourceCode txt"><code class="sourceCode default"><a class="sourceLine" id="cb9-1" title="1">SHA256 Checksum: 52F2 CF39 6A54 6D56 7F55 7138 7264 11BA</a>
<a class="sourceLine" id="cb9-2" title="2"> AEE3 F34E 8880 681C 9A67 75D1 3BBC 74DC [ ]</a>
<a class="sourceLine" id="cb9-3" title="3"> 52F2CF39 6A546D56 7F557138 726411BA AEE3F34E 8880681C 9A6775D1 3BBC74DC</a>
<a class="sourceLine" id="cb9-4" title="4"></a>
<a class="sourceLine" id="cb9-5" title="5"> RIPEMD160 Checksum: BB44 91B6 0A4D 5865 2105 2A4C 19FB 11AD 8BCC C3C3 [ ]</a>
<a class="sourceLine" id="cb9-6" title="6"> BB44 91B6 0A4D 5865 2105 2A4C 19FB 11AD 8BCC C3C3</a></code></pre></div>
</section>
<section id="mutt-problems" class="level2">
<h2>Mutt problems <a href="https://tylercipriani.com/tags/pgp/#mutt-problems">¶</a></h2>
</section>
<section id="cant-query-passphrase-in-batch-mode" class="level2">
<h2>"can't query passphrase in batch mode" <a href="https://tylercipriani.com/tags/pgp/#cant-query-passphrase-in-batch-mode">¶</a></h2>
<p>Uncomment, <code>use agent</code> in <code>~/.gnupg/gpg.conf</code></p>
</section>
<section id="pass-problems" class="level2">
<h2>Pass problems <a href="https://tylercipriani.com/tags/pgp/#pass-problems">¶</a></h2>
</section>
<section id="no-secret-key" class="level2">
<h2>No Secret Key <a href="https://tylercipriani.com/tags/pgp/#no-secret-key">¶</a></h2>
</section>
<section id="problem" class="level2">
<h2>Problem <a href="https://tylercipriani.com/tags/pgp/#problem">¶</a></h2>
<div class="sourceCode" id="cb10" data-org-language="sh"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb10-1" title="1"><span class="ex">gpg</span>: decryption failed: No secret key</a></code></pre></div>
</section>
<section id="solution" class="level2">
<h2>Solution <a href="https://tylercipriani.com/tags/pgp/#solution">¶</a></h2>
<ol>
<li>install <code>pinentry-curses</code></li>
<li><code>~/.gnupg/gpg-agent.conf</code></li>
</ol>
<pre><code>pinentry-program /usr/bin/pinentry
</code></pre>
<ol>
<li><code>gpg-connect-agent reloadagent /bye</code></li>
</ol>
</section>