Difference between revisions of "2013 Project Week:PGP Keysigning"

From NAMIC Wiki

Revision as of 14:11, 7 January 2013


Key Investigators

  • Matt McCormick, Kitware
  • Luis Ibanez, Kitware

Project Description

Objective

  • Hold a PGP Keysigning Party to create a web of trust for signed (trusted) code commits, signed (trusted) email communications, and encrypted data exchange.

Approach, Plan

  • Individuals gather to create their PGP keys and sign each other's keys.
  • Instructions that follow The Keysigning Party HOWTO can be found below.

Progress

Session 1: Install GPG, Create an Encrypted USB Drive, Create Your Keys

Install GPG

The open source implementation of the OpenPGP standard (PGP stands for Pretty Good Privacy) is GNU Privacy Guard (GnuPG, invoked as gpg or gpg2). It can be built from source, or binaries are available across platforms.

  • On Linux, install gnupg with your package manager.
  • On Mac, use the version that comes with Git, or install [The mac link ].
  • On Windows, use the version that comes with Git, or install Gpg4win (http://gpg4win.org/download.html).

Create an Encrypted USB Drive

Install [Truecrypt link]. Encrypt a USB drive. This will be used to store the master (primary) key, which will not be kept on your workstation for everyday use. For everyday signing and encryption, subkeys will be created from the master key and stored on the workstation. If a workstation is lost or compromised, those subkeys can be revoked and replaced with new ones issued from the master key, without losing the signatures other people have made on the master key; the USB drive is needed only for such occasional key-management operations.

Create Your PGP Keys

Create gpg.conf

In a shell:

 mkdir -p ~/.gnupg

Edit the file ~/.gnupg/gpg.conf (Unix):

 use-agent
 no-default-keyring
 keyring ~/.gnupg/pubring.gpg
 secret-keyring /encrypted_usb/secring.gpg
 #secret-keyring ~/.gnupg/secring.gpg
 # disable keyring lock files, which cannot be created on a FAT-formatted USB drive
 lock-never

(Windows):

 use-agent
 no-default-keyring
 keyring C:\Users\alice\.gnupg\pubring.gpg
 secret-keyring M:\secring.gpg
 #secret-keyring C:\Users\alice\.gnupg\secring.gpg
 # disable keyring lock files, which cannot be created on a FAT-formatted USB drive
 lock-never

Here /encrypted_usb (M:\ on Windows) is the mount point of the encrypted drive. The secret keyring is placed on the encrypted drive, so the master key never touches the workstation's disk, while the public keyring stays local. lock-never turns off GnuPG's lock files entirely, so do not run two gpg processes against the same keyring at the same time. (The secret-keyring option is honoured by GnuPG 1.4 and 2.0; GnuPG 2.1 and later ignore it and keep secret keys in ~/.gnupg/private-keys-v1.d, so with those versions the same split is achieved by importing only the exported subkeys on the workstation.)

In a shell (note: depending on the installation, the executable may be gpg instead of gpg2):

 gpg2 --gen-key
 (1) RSA and RSA (default)
 ? 1
 keysize? 4096
 0 = key does not expire
 > 0
 Real name: Alice Smith
 Email address: alice.smith@namic.org
 Comment:
 ? O
 (passphrase)

Choose RSA and RSA, the default in current GnuPG releases. (Older releases default to DSA and Elgamal; a DSA key is limited to 3072 bits, so a 4096-bit request would not be honoured.) This creates the master key, which can certify and sign, together with an RSA encryption subkey. The master key is set to never expire; the subkeys are given expiration dates below. Pick a strong passphrase, since anyone who obtains the encrypted USB drive and guesses it has your master key.

After generating the key, a message will be printed containing text like:

 gpg: key BF71A174 marked as ultimately trusted

The identifier for the key is then BF71A174. This is the short (32-bit) key ID, convenient for the --edit-key commands below. It is not unique, however, so when you identify your key to other people give them the full 40-hex-digit fingerprint rather than the short ID. Next, a second user ID containing only your name, with no email address, is added.

 $ gpg2 --edit-key BF71A174
 > adduid
 Real name: Alice Smith
 Email address:
 Comment:
 ? O
 > quit
 save? y

Now add a signing subkey that expires. The --gen-key step created only an encryption subkey; everyday signatures (commits, email) will be made with this new subkey rather than with the master key. The addkey menu numbering differs between GnuPG versions; pick the RSA (sign only) entry, which is (4) in gpg2 2.0.

 $ gpg2 --edit-key BF71A174
 > addkey
 (4) RSA (sign only)
 ? 4
 keysize? 4096
 valid for? 1y
 (add a calendar reminder to extend or replace the subkey before it expires)
 > quit
 save? y

We also want the encryption subkey created by --gen-key to expire. In --edit-key, key 1 selects the first subkey (the master key is key 0), and expire then acts on the selected subkey only.

 $ gpg2 --edit-key BF71A174
 > key 1
 > expire
 valid for? 1y
 > quit
 save? y

Generate a revocation certificate, and store it on the encrypted media. It is what lets you retire the key if the master key is ever lost or compromised, and anyone holding this file can revoke your key (uploading it to a keyserver is enough), so it belongs only on the encrypted drive.

 $ gpg2 -a --gen-revoke BF71A174 > /encrypted_usb/gnupg_revoke_BF71A174.asc
 create for this key? y
 0 = No reason specified
 ? 0
 > Preemptive revocation generated during creation.

Optionally add additional user IDs with the commands adduid, uid, and primary. For more information, type help at the gpg prompt.

Back up the public key to the encrypted media for convenience.

 $ gpg2 --export BF71A174 > /encrypted_usb/publickey.gpg

Save the secret subkeys, but not the master key, on the local machine. With gpg.conf still pointing at the encrypted drive, --export-secret-subkeys reads the secret keyring there and writes a keyring that holds the subkeys plus a stub in place of the master key:

 $ gpg2 --export-secret-subkeys BF71A174 > ~/.gnupg/secring.gpg

Update gpg.conf to use the second secret keyring. Uncomment the secret-keyring line that points at the local machine and comment out the line that points at the encrypted USB drive.

 #secret-keyring /encrypted_usb/secring.gpg
 secret-keyring ~/.gnupg/secring.gpg

Check the result with gpg2 --list-secret-keys: the master key should now be listed as sec# (the # marks a stub whose secret material is absent) while the subkeys are listed as ssb. From now on, mount the USB drive and swap the two gpg.conf lines back only for operations that need the master key: signing other people's keys, adding or revoking subkeys, and extending expiration dates.

Share your public key and fingerprint with the Keysigning party organizer (Matt McCormick). Create the fingerprint file with

 gpg2 --fingerprint BF71A174 > alice.smith.fingerprint.txt

(without a key ID, --fingerprint lists every key in your public keyring). Send this file to matt _dot_ mccormick _a_ kitware _dot_ com.
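The fingerprint exchanged above is a fixed function of the public key, and the eight-character key ID is just its tail. The following is an added example, not code from this wiki page or from GnuPG, that shows this concretely: it parses a binary gpg2 --export file, recomputes the primary key's version 4 fingerprint as RFC 4880 defines it (SHA-1 over 0x99, a two-byte length and the key packet body), derives the long and short key IDs, and checks a fingerprint that a participant wrote down against the key file they sent, which is the check an organizer wants to run on each submission. The sample key material (SAMPLE_N, SAMPLE_E, SAMPLE_CREATED, SAMPLE_UID) is constructed for the demo and is not a real key, and all function names are assumptions of this example.

```python
"""OpenPGP v4 fingerprints and key IDs from a binary `gpg --export` file.

Added example for this page, not code from the NAMIC wiki or from GnuPG.  It
locates the primary public-key packet in the kind of file `gpg2 --export KEYID`
writes and recomputes the fingerprint as RFC 4880 section 12.2 defines it:
SHA-1 over 0x99, a two-byte body length and the packet body.
"""
import hashlib
import struct

PUBLIC_KEY_TAG = 6   # primary public key packet, RFC 4880 section 5.5.1.1
USER_ID_TAG = 13     # user ID packet, RFC 4880 section 5.11
RSA_ALGORITHM = 1    # public-key algorithm ID for RSA, RFC 4880 section 9.1

# Constructed sample values (assumptions for the demo, not a real key): a
# 2048-bit number standing in for the modulus, e = 65537, and a creation time.
SAMPLE_N = (1 << 2047) | (0xA11CE5 << 64) | 1
SAMPLE_E = 65537
SAMPLE_CREATED = 1357567860  # 7 January 2013 14:11 UTC, the page's revision date
SAMPLE_UID = b"Alice Smith <alice.smith@namic.org>"

def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(n, e, created):
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([RSA_ALGORITHM]) + mpi(n) + mpi(e)

def old_format_packet(tag, body):
    """Wrap a body in an old-format packet header, the form gpg --export writes."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    if len(body) < 65536:
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    return bytes([0x80 | (tag << 2) | 2]) + struct.pack(">I", len(body)) + body

def iter_packets(data):
    """Yield (tag, body) for each packet in an OpenPGP binary stream."""
    pos = 0
    while pos < len(data):
        header = data[pos]
        if not header & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if header & 0x40:  # new-format header (RFC 4880 section 4.2.2)
            tag, first = header & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:              # old-format header (RFC 4880 section 4.2.1)
            tag, length_type = (header >> 2) & 0x0F, header & 0x03
            if length_type == 0:
                length, pos = data[pos + 1], pos + 2
            elif length_type == 1:
                length, pos = struct.unpack(">H", data[pos + 1:pos + 3])[0], pos + 3
            elif length_type == 2:
                length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            else:
                raise ValueError("indeterminate packet length is not supported")
        yield tag, data[pos:pos + length]
        pos += length

def v4_fingerprint(key_body):
    """SHA-1(0x99 || 2-byte length || body) as 40 upper-case hex digits."""
    if key_body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def key_ids(fingerprint):
    """(long 64-bit key ID, short 32-bit key ID): the low bytes of the fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]

def primary_fingerprint(export):
    """Fingerprint of the first primary public key in a gpg --export stream."""
    for tag, body in iter_packets(export):
        if tag == PUBLIC_KEY_TAG:
            return v4_fingerprint(body)
    raise ValueError("no primary public-key packet found")

def format_fingerprint(fingerprint):
    """Ten groups of four hex digits, the layout gpg --fingerprint prints."""
    groups = [fingerprint[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])

def matches_claimed(export, claimed_text):
    """True if the fingerprint a participant wrote down matches their key file."""
    return "".join(claimed_text.split()).upper() == primary_fingerprint(export)

# Sample export: primary key packet then user ID packet.  A real gpg --export
# also carries self-signature packets, which iter_packets simply passes over.
SAMPLE_EXPORT = old_format_packet(PUBLIC_KEY_TAG, rsa_public_key_body(
    SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)) + old_format_packet(USER_ID_TAG, SAMPLE_UID)

if __name__ == "__main__":
    fp = primary_fingerprint(SAMPLE_EXPORT)
    print("fingerprint:", format_fingerprint(fp), " key IDs:", key_ids(fp))
```

Run it as a script to print the fingerprint and key IDs of the constructed key; pass the bytes of a real publickey.gpg to primary_fingerprint or matches_claimed to check a submission. Because the short key ID is only the last 32 bits of the SHA-1 fingerprint, two different keys can share one, so the organizer's list and the values read aloud at the party should be full fingerprints.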

Session 2: Verify Others' Keys