2013 Project Week:PGP Keysigning
Key Investigators
- Matt McCormick, Kitware
- Luis Ibanez, Kitware
Project Description
Objective
- Hold a PGP Keysigning Party to create a web of trust for signed (trusted) code commits, signed (trusted) email communications, and encrypted data exchange.
Approach, Plan
- Individuals gather to create their PGP key and sign other's keys
- Instructions can be found below that follow The Keysigning Party HOWTO.
Progress
Session 1: Install GPG, Create an Encrypted USB Drive, Create Your Keys
Install GPG
The open source implementation of PGP (Pretty Good Encryption) is Gnu Privace Guard (GPG). It can be built from source, or binaries are available across platforms.
- On 'Linux' install gnupg with you package manager.
- On Mac, use the version that comes with Git, or install [The mac link ].
- On Windows , use the version that comes with Git, or install [Gpg4win http://gpg4win.org/download.html].
Create an Encrypted USB Drive
Install [Truecrypt link]. Encrypt a USB drive. This will be used to store the master key, which will not be key on your workstation for everyday use. For everyday signing and encryption, subkeys will be created from the master key. These keys can be retired and replaced if lost or compromised.
Create Your PGP Keys
Create gpg.conf
In a shell:
mkdir -p ~/.gnupg
Edit the file ~/.gnupg/gpg.conf (Unix):
use-agent no-default-keyring keyring ~/.gnupg/pubring.gpg secret-keyring /encrypted_usb/secring.gpg #secret-keyring ~/.gnupg/secring.gpg # allow linux to write to FAT disks lock-never
(Windows):
use-agent no-default-keyring keyring C:\Users\alice\.gnupg\pubring.gpg secret-keyring M:\secring.gpg #secret-keyring C:\Users\alice\.gnupg\secring.gpg # allow to write to FAT disks lock-never
In a shell (note: depending on the installation, the executable may be gpg instead of gpg2):
gpg2 --gen-key (1) DSA and Elgamal (default) ? 1 keysize? 4096 0 = key does not expire > 0 Real name: Alice Smith Email address: alice.smith@namic.org Comment: ? O (passphrase)
After generating the key, a message will be printed contaning text like:
gpg: key BF71A174 marked as ultimately trusted
The identifier for the key is then BF71A174. This identifier will be used to edit the key. Next, an identifier with only your name is created.
$ gpg2 --edit-key BF71A174 > adduid Real name: Alice Smith Email address: Comment: ? O > quit save? y
Now, we create add signing subkey that expires.
$ gpg2 --edit-key BF71A174 > addkey (5) RSA (sign only) ? 5 keysize? 4096 valid for? 1y (add Google Calendar reminder to renew the key before it expires) > quit save? y
We also want to set encryption subkey to expire.
$ gpg2 --edit-key BF71A174 > key 1 > expire valid for? 1y > quit save? y
Generate a revocation certificate, and store it on the encrypted media.
$ gpg2 -a --gen-revoke BF71A174 > /encrypted_usb/gnupg_revoke_BF71A174.asc create for this key? y 0 = No reason specified ? 0 > Preemptive revocation generated during creation.
Optionally add additional user IDs with the commands adduid, uid, and primary. For more information, type help at the gpg prompt.
Backup public key to encrypted media for convenience.
$ gpg2 --export BF71A174 > /encrypted_usb/publickey.gpg
Save secret subkeys on local machine.
$ gpg2 --export-secret-subkeys > .gnupg/secring.gpg
Update gpg.conf with second secret keyring. Uncomment the secret-kring line specifying the local machine and comment the line that specifies the path on the encrypted usb.
#secret-keyring /encrypted_usb/secring.gpg secret-keyring ~/.gnupg/secring.gpg
Share your public key and fingerprint with the Keysigning party organizer (Matt McCormick). Create the fingerprint with
gpg2 --fingerprint > alice.smith.fingerprint.txt
Send this file to matt _dot_ mccormick _a_ kitware _dot_ com.