[clue-tech] Some thoughts about GnuPG (making my key).

David L. Anselmi anselmi at anselmi.us
Sun Sep 26 18:02:42 MDT 2010


Here's what I did when I made my key.  Of course it's long, so the executive summary:

  - I used a live CD without network connection to generate and handle the master key.
  - I made a password generator to get random passphrases.
  - I made an additional sub-key for signing, so I don't need the master for that.
  - I stored the master key (and a revocation cert) on an encrypted memory card.
  - I transferred just the sub-keys to my laptop for daily use.

David L. Anselmi wrote:
> Hmm... Maybe I don't want the key to ever hit my hard drive.  Nor any OS that's connected to a
> network.  Normally I wouldn't bother with extra paranoia if it's inconvenient but how hard would it
> be to make the key and archive it using a live CD?  And could the key be stored on the live CD that
> created it?  (Well, OK, that last is just showing off.)

So live helper didn't "just work" and I didn't have time to fool with it.  But I did get a key made 
that I'm happy to use to make certs.

I turned off my laptop's wireless and booted the Ubuntu 10.04 live CD.  It had everything I needed 
except a password generator (see below).

I had to configure gpg for the correct signing settings and check the version: [1],[2]  Then I 
generated a key (RSA/RSA, 4096 bits).

I decided to expire the key in 5 years.  It seems reasonable that I should re-evaluate the key, how 
I use it, and the state of gpg by then.

I usually use apg to make "random" passwords.  Debian also has makepasswd and some OTP stuff, and 
I've heard there are others.  But I didn't find any of that on Ubuntu so I wrote my own [3](ain't 
shell great?)  These aren't so easy to remember but they should be more random.

Now gpg needed lots of entropy.  Typing 4 or 5 lines of text seemed to do it for each part of the 
generation but others had more difficulty (running in a VM maybe?)

The current gpg default creates a master RSA key pair that will be used for signing, and a 
subordinate RSA key pair that will be used for encryption.  It looks like this (gpg --list-keys):

   pub   4096R/6D2BDBBB 2010-09-17 [expires: 2015-09-16]
   uid                  David L. Anselmi (Dave) <anselmi at anselmi.us>
   sub   4096R/96FA0E53 2010-09-17 [expires: 2015-09-16]

I don't want to use my master key for anything but certificates (signatures on keys).  This is like 
the X.509 crowd (Verisign, etc) who sign certs with a CA key (certificate authority).  They also use 
a hierarchy, so the root CA only signs other CAs, which sign other certs.  So I had to add a 
"routine" signing key with gpg --edit-keys -> addkey.  The process is the same as gen-key, you just 
select RSA (sign only).  Now I also have this line in list-keys:

   sub   4096R/2B55B320 2010-09-17 [expires: 2015-09-16]

To store my key I got a memory card and used cryptsetup to encrypt it.  Now I have two passwords to 
remember: one for my private keys and one for the memory card.  I made a FAT file system on the 
encrypted card and copied the keyrings to it (public and secret), as well as the gpg.conf and 
trustdb.gpg.  Then I locked it in a "safe" place.

In case my private key gets compromised (or more likely I forget the password), I created a 
revocation certificate for it and stored that (only) on the memory card.  I have some keys that I 
don't use anymore, but I'm not sure I can revoke them.  I should also print the cert and store that 
securely, in case I can't get it off the memory card.

Finally, after unmounting the memory card, I put the public keys and my secret sub-keys 
(--export-secret-subkeys) on a flash drive to import them to my laptop's keyrings.

And that's all there is to it.

Notes:
  1) http://www.apache.org/dev/openpgp.html#sha1
  2) http://www.apache.org/dev/openpgp.html#key-gen-install-latest-gnupg
  3) mkpass ()
     {
       # pass in the desired length
       for i in `seq $1` ; do
         # get random bytes, convert to hex, add 0x since it's hex
         x=$( dd if=/dev/random bs=1 count=1 2>/dev/null | xxd -p )
         x=0x$x
         # there are 93 printable ASCII characters, starting with decimal 33
         x=$(( $x % 93 + 33 ))
         # converting to ASCII is a pain
         printf $(printf \\%03o $x)
       done
       echo
     }

Dave


More information about the clue-tech mailing list