2013 Project Week:PGP Keysigning

From NAMIC Wiki
Revision as of 16:19, 7 January 2013 by Matt.mccormick

Key Investigators

  • Matt McCormick, Kitware
  • Luis Ibanez, Kitware

Project Description

Objective

  • Hold a PGP Keysigning Party to create a web of trust for signed (trusted) code commits, signed (trusted) email communications, and encrypted data exchange.

Approach, Plan

  • Individuals gather to create their PGP keys and sign each others' keys
  • Instructions can be found below that follow The Keysigning Party HOWTO.

Progress

Session 1: Install GPG, Create an Encrypted USB Drive, Create Your Keys

Install GPG

The open source implementation of PGP (Pretty Good Privacy) is GNU Privacy Guard (GPG). It can be built from source, or binaries are available across platforms.

  • On Linux, install gnupg with your package manager.
  • On Mac, install Mac GPG.
  • On Windows, install Gpg4win.

Create an Encrypted USB Drive

Install Truecrypt. Encrypt a USB drive. This will be used to store the master key, which will not be kept on your workstation for everyday use. For everyday signing and encryption, subkeys will be created from the master key. These subkeys can be retired and replaced if lost or compromised, without replacing the master key.

Create Your PGP Keys

Create gpg.conf

In a shell:

 mkdir -p ~/.gnupg

Edit the file ~/.gnupg/gpg.conf (Unix):

 use-agent
 no-default-keyring
 keyserver keyserver.ubuntu.com
 keyring ~/.gnupg/pubring.gpg
 secret-keyring /encrypted_usb/secring.gpg
 #secret-keyring ~/.gnupg/secring.gpg
 # allow linux to write to FAT disks
 lock-never

On Windows, edit the file C:\Users\alice\.gnupg\gpg.conf (for example):

 use-agent
 no-default-keyring
 keyserver keyserver.ubuntu.com
 keyring C:\Users\alice\.gnupg\pubring.gpg
 secret-keyring M:\secring.gpg
 #secret-keyring C:\Users\alice\.gnupg\secring.gpg
 # allow to write to FAT disks
 lock-never

In a shell (note: depending on the installation, the executable may be gpg instead of gpg2):

 gpg2 --gen-key
 (1) DSA and Elgamal (default)
 ? 1
 keysize? 4096
 0 = key does not expire
 > 0
 Real name: Alice Smith
 Email address: alice.smith@namic.org
 Comment:
 ? O
 (passphrase)

After generating the key, a message will be printed containing text like:

 gpg: key BF71A174 marked as ultimately trusted

The identifier for the key is then BF71A174. This identifier will be used to edit the key. Next, a user ID with only your name (no email address) is added.

 $ gpg2 --edit-key BF71A174
 > adduid
 Real name: Alice Smith
 Email address:
 Comment:
 ? O
 > quit
 save? y

Now, we add a signing subkey that expires.

 $ gpg2 --edit-key BF71A174
 > addkey
 (5) RSA (sign only)
 ? 5
 keysize? 4096
 valid for? 1y
 (add Google Calendar reminder to renew the key before it expires)
 > quit
 save? y

We also want to set the encryption subkey to expire.

 $ gpg2 --edit-key BF71A174
 > key 1
 > expire
 valid for? 1y
 > quit
 save? y

Generate a revocation certificate, and store it on the encrypted media.

 $ gpg2 -a --gen-revoke BF71A174 > /encrypted_usb/gnupg_revoke_BF71A174.asc
 create for this key? y
 0 = No reason specified
 ? 0
 > Preemptive revocation generated during creation.

Optionally add additional user IDs with the commands adduid, uid, and primary. For more information, type help at the gpg prompt.

Back up the public key to the encrypted media for convenience.

 $ gpg2 --export BF71A174 > /encrypted_usb/publickey.gpg

Save the secret subkeys (not the master key) on the local machine, in the keyring path named in gpg.conf.

 $ gpg2 --export-secret-subkeys > ~/.gnupg/secring.gpg

Update gpg.conf to use the local secret keyring. Uncomment the secret-keyring line that specifies the local machine and comment out the line that specifies the path on the encrypted USB drive.

 #secret-keyring /encrypted_usb/secring.gpg
 secret-keyring ~/.gnupg/secring.gpg

Share your public key and fingerprint with the keysigning party organizer (Matt McCormick). Create the fingerprint file with

 gpg2 --fingerprint > alice.smith.fingerprint.txt

Send this file to matt _dot_ mccormick _a_ kitware _dot_ com.

Upload your key to the keyserver with:

 gpg2 --send-key BF71A174 

Session 2: Verify Others' Keys

Come to the key signing party with a pen. Sheets will be handed out with key fingerprints. Verify your own fingerprint on the sheet. After verifying the identity of another person and their fingerprint, have them sign their name next to their fingerprint on the sheet.

Session 3: Digitally Sign Others' Keys

First, download their key from the keyserver:

 gpg2 --keyserver keyserver.ubuntu.com --recv-keys <Key_ID>

Display the fingerprint and verify that it matches the fingerprint on the sheet you checked in person:

 gpg2 --fingerprint <Key_ID>

Sign the key:

 gpg2 --sign-key <Key_ID>
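
The download, fingerprint check and signing steps above, as an added example script that is not part of the original wiki page: it only signs when the fingerprint copied from the paper sheet matches the full 40-digit fingerprint reported by gpg2 --with-colons, so a key fetched from the keyserver under a matching short key ID but a different fingerprint is rejected. The sample --with-colons output at the end is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify a keyserver copy of a key
# against the fingerprint on the keysigning sheet before signing it.

# Strip spaces and upper-case a fingerprint as copied from the paper sheet.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Extract the primary-key fingerprint (field 10 of the "fpr" record) from
# `gpg2 --with-colons --fingerprint <Key_ID>` output read on stdin.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 when the sheet fingerprint matches the fingerprint in the colons
# output, 1 otherwise.  Requires a full 40-hex-digit v4 fingerprint: a short
# key ID such as BF71A174 is not enough to identify a key.
verify_fpr() {
    sheet=$(normalize_fpr "$1")
    actual=$(printf '%s\n' "$2" | fpr_from_colons)
    case "$sheet" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#sheet}" -eq 40 ] && [ "$sheet" = "$actual" ]
}

# Fetch, verify and sign one key from the sheet.  gpg2 --sign-key is
# interactive, exactly as in the steps above; nothing is signed on mismatch.
sign_verified_key() {
    key_id=$1; sheet_fpr=$2
    gpg2 --keyserver keyserver.ubuntu.com --recv-keys "$key_id" || return 1
    colons=$(gpg2 --with-colons --fingerprint "$key_id")
    if verify_fpr "$sheet_fpr" "$colons"; then
        gpg2 --sign-key "$key_id"
    else
        echo "fingerprint mismatch for $key_id; not signing" >&2
        return 1
    fi
}

# Constructed sample of --with-colons output (not a real key) for a dry run.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEFBF71A174:2013-01-07:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFBF71A174:
uid:-::::2013-01-07::0000000000000000000000000000000000000000::Alice Smith <alice.smith@namic.org>:'
```

Usage: sign_verified_key BF71A174 "0123 4567 89AB CDEF 0123 4567 89AB CDEF BF71 A174", with the fingerprint typed from the sheet.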

By convention, we send the signed key to its owner, and they upload it to the keyserver. To export the signed key:

 gpg2 --armor --output <Key_ID>.signed-by.<My_Key_ID>.asc --export <Key_ID>

Email them the file <Key_ID>.signed-by.<My_Key_ID>.asc.

If you received a signed version of your key, it can be imported with:

 gpg2 --import <My_Key_ID>.signed-by.<Key_ID>.asc

The signatures can be listed with:

 gpg2 --list-sigs <My_Key_ID>

Send the new signatures with:

 gpg2 --send-keys <My_Key_ID>