Difference between revisions of "2013 Project Week:PGP Keysigning"

From NAMIC Wiki
Jump to: navigation, search
Line 37: Line 37:
  
 
* On ''''Linux'''' install '''gnupg''' with you package manager.
 
* On ''''Linux'''' install '''gnupg''' with you package manager.
* On Mac, use the version that comes with Git, or install [The mac link ].
+
* On Mac, use the version that comes with Git, or install [https://www.gpgtools.org/ Mac GPG].
* On Windows , use the version that comes with Git, or install [Gpg4win http://gpg4win.org/download.html].
+
* On Windows , use the version that comes with Git, or install [http://gpg4win.org/download.html Gpg4win].
  
 
====Create an Encrypted USB Drive====
 
====Create an Encrypted USB Drive====
  
Install [Truecrypt link].  Encrypt a USB drive.  This will be used to store the
+
Install [http://www.truecrypt.org/downloads Truecrypt].  Encrypt a USB drive.  This will be used to store the
 
master key, which will not be key on your workstation for everyday use.  For
 
master key, which will not be key on your workstation for everyday use.  For
 
everyday signing and encryption, subkeys will be created from the master
 
everyday signing and encryption, subkeys will be created from the master
Line 65: Line 65:
 
   lock-never
 
   lock-never
  
(Windows):
+
on Windows, the file C:\Users\alice\.gnupg\gpg.conf, for example:
  
 
   use-agent
 
   use-agent

Revision as of 14:15, 7 January 2013

Home < 2013 Project Week:PGP Keysigning

Key Investigators

  • Matt McCormick, Kitware
  • Luis Ibanez, Kitware

Project Description

Objective

  • Hold a PGP Keysigning Party to create a web of trust for signed (trusted) code commits, signed (trusted) email communications, and encrypted data exchange.

Approach, Plan

  • Individuals gather to create their PGP key and sign other's keys
  • Instructions can be found below that follow The Keysigning Party HOWTO.

Progress

Session 1: Install GPG, Create an Encrypted USB Drive, Create Your Keys

Install GPG

The open source implementation of PGP (Pretty Good Encryption) is Gnu Privace Guard (GPG). It can be built from source, or binaries are available across platforms.

  • On 'Linux' install gnupg with you package manager.
  • On Mac, use the version that comes with Git, or install Mac GPG.
  • On Windows , use the version that comes with Git, or install Gpg4win.

Create an Encrypted USB Drive

Install Truecrypt. Encrypt a USB drive. This will be used to store the master key, which will not be key on your workstation for everyday use. For everyday signing and encryption, subkeys will be created from the master key. These keys can be retired and replaced if lost or compromised.

Create Your PGP Keys

Create gpg.conf

In a shell:

 mkdir -p ~/.gnupg

Edit the file ~/.gnupg/gpg.conf (Unix):

 use-agent
 no-default-keyring
 keyring ~/.gnupg/pubring.gpg
 secret-keyring /encrypted_usb/secring.gpg
 #secret-keyring ~/.gnupg/secring.gpg
 # allow linux to write to FAT disks
 lock-never

on Windows, the file C:\Users\alice\.gnupg\gpg.conf, for example:

 use-agent
 no-default-keyring
 keyring C:\Users\alice\.gnupg\pubring.gpg
 secret-keyring M:\secring.gpg
 #secret-keyring C:\Users\alice\.gnupg\secring.gpg
 # allow to write to FAT disks
 lock-never

In a shell (note: depending on the installation, the executable may be gpg instead of gpg2):

 gpg2 --gen-key
 (1) DSA and Elgamal (default)
 ? 1
 keysize? 4096
 0 = key does not expire
 > 0
 Real name: Alice Smith
 Email address: alice.smith@namic.org
 Comment:
 ? O
 (passphrase)

After generating the key, a message will be printed contaning text like:

 gpg: key BF71A174 marked as ultimately trusted

The identifier for the key is then BF71A174. This identifier will be used to edit the key. Next, an identifier with only your name is created.

 $ gpg2 --edit-key BF71A174
 > adduid
 Real name: Alice Smith
 Email address:
 Comment:
 ? O
 > quit
 save? y

Now, we create add signing subkey that expires.

 $ gpg2 --edit-key BF71A174
 > addkey
 (5) RSA (sign only)
 ? 5
 keysize? 4096
 valid for? 1y
 (add Google Calendar reminder to renew the key before it expires)
 > quit
 save? y

We also want to set encryption subkey to expire.

 $ gpg2 --edit-key BF71A174
 > key 1
 > expire
 valid for? 1y
 > quit
 save? y

Generate a revocation certificate, and store it on the encrypted media.

 $ gpg2 -a --gen-revoke BF71A174 > /encrypted_usb/gnupg_revoke_BF71A174.asc
 create for this key? y
 0 = No reason specified
 ? 0
 > Preemptive revocation generated during creation.

Optionally add additional user IDs with the commands adduid, uid, and primary. For more information, type help at the gpg prompt.

Backup public key to encrypted media for convenience.

 $ gpg2 --export BF71A174 > /encrypted_usb/publickey.gpg

Save secret subkeys on local machine.

 $ gpg2 --export-secret-subkeys > .gnupg/secring.gpg

Update gpg.conf with second secret keyring. Uncomment the secret-kring line specifying the local machine and comment the line that specifies the path on the encrypted usb.

 #secret-keyring /encrypted_usb/secring.gpg
 secret-keyring ~/.gnupg/secring.gpg

Share your public key and fingerprint with the Keysigning party organizer (Matt McCormick). Create the fingerprint with

 gpg2 --fingerprint > alice.smith.fingerprint.txt

Send this file to matt _dot_ mccormick _a_ kitware _dot_ com.

Session 2: Verify Others Keys