[clue-tech] Some thoughts about GnuPG (making my key).
David L. Anselmi
anselmi at anselmi.us
Sun Sep 26 18:02:42 MDT 2010
Here's what I did when I made my key. Of course it's long, so the executive summary:
- I used a live CD without network connection to generate and handle the master key.
- I made a password generator to get random passphrases.
- I made an additional sub-key for signing, so I don't need the master for that.
- I stored the master key (and a revocation cert) on an encrypted memory card.
- I transferred just the sub-keys to my laptop for daily use.
David L. Anselmi wrote:
> Hmm... Maybe I don't want the key to ever hit my hard drive. Nor any OS that's connected to a
> network. Normally I wouldn't bother with extra paranoia if it's inconvenient but how hard would it
> be to make the key and archive it using a live CD? And could the key be stored on the live CD that
> created it? (Well, OK, that last is just showing off.)
So live helper didn't "just work" and I didn't have time to fool with it. But I did get a key made
that I'm happy to use to make certs.
I turned off my laptop's wireless and booted the Ubuntu 10.04 live CD. It had everything I needed
except a password generator (see below).
I had to configure gpg for the correct signing settings and check the version [1],[2]. Then I
generated a key (RSA/RSA, 4096 bits).
I decided to expire the key in 5 years. It seems reasonable that I should re-evaluate the key, how
I use it, and the state of gpg by then.
I usually use apg to make "random" passwords. Debian also has makepasswd and some OTP stuff, and
I've heard there are others. But I didn't find any of that on Ubuntu so I wrote my own [3] (ain't
shell great?). These aren't so easy to remember but they should be more random.
Now gpg needed lots of entropy. Typing 4 or 5 lines of text seemed to do it for each part of the
generation but others had more difficulty (running in a VM maybe?)
The current gpg default creates a master RSA key pair that will be used for signing, and a
subordinate RSA key pair that will be used for encryption. It looks like this (gpg --list-keys):
    pub   4096R/6D2BDBBB 2010-09-17 [expires: 2015-09-16]
    uid                  David L. Anselmi (Dave) <anselmi at anselmi.us>
    sub   4096R/96FA0E53 2010-09-17 [expires: 2015-09-16]
I don't want to use my master key for anything but certificates (signatures on keys). This is like
the X.509 crowd (Verisign, etc) who sign certs with a CA key (certificate authority). They also use
a hierarchy, so the root CA only signs other CAs, which sign other certs. So I had to add a
"routine" signing key with gpg --edit-key -> addkey. The process is the same as gen-key, you just
select RSA (sign only). Now I also have this line in list-keys:
    sub   4096R/2B55B320 2010-09-17 [expires: 2015-09-16]
To store my key I got a memory card and used cryptsetup to encrypt it. Now I have two passwords to
remember: one for my private keys and one for the memory card. I made a FAT file system on the
encrypted card and copied the keyrings to it (public and secret), as well as the gpg.conf and
trustdb.gpg. Then I locked it in a "safe" place.
In case my private key gets compromised (or more likely I forget the password), I created a
revocation certificate for it and stored that (only) on the memory card. I have some keys that I
don't use anymore, but I'm not sure I can revoke them. I should also print the cert and store that
securely, in case I can't get it off the memory card.
Finally, after unmounting the memory card, I put the public keys and my secret sub-keys
(--export-secret-subkeys) on a flash drive to import them to my laptop's keyrings.
And that's all there is to it.
Notes:
1) http://www.apache.org/dev/openpgp.html#sha1
2) http://www.apache.org/dev/openpgp.html#key-gen-install-latest-gnupg
3) mkpass ()
   {
       # pass in the desired length
       n=0
       while [ "$n" -lt "$1" ] ; do
           # get one random byte, convert to hex, add 0x since it's hex
           x=0x$( dd if=/dev/random bs=1 count=1 2>/dev/null | xxd -p )
           # skip bytes of 186 and up (186 = 2 * 93) so the modulo below has no bias
           [ $(( $x )) -lt 186 ] || continue
           # map onto 93 printable ASCII characters, starting with decimal 33
           x=$(( $x % 93 + 33 ))
           # converting to ASCII is a pain
           printf "$(printf '\\%03o' "$x")"
           n=$(( n + 1 ))
       done
       echo
   }
Dave
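
A check for the last step of the message (only the sub-keys imported on the laptop), as an added example that is not part of the original post. It assumes the GnuPG 2.1+ `--with-colons` format and a keyring holding one key; the function names are hypothetical and the sample listing is constructed.

```shell
# Reads `gpg --list-secret-keys --with-colons` output on stdin.
# Assumes the GnuPG 2.1+ colon format (doc/DETAILS); names are hypothetical.
# Returns 0 when the master secret key is only a stub and usable signing
# and encryption sub-keys are present, 1 otherwise.
check_daily_keyring() {
    awk -F: '
        $1 == "sec" {
            master = $5
            # field 15 is "#" when the secret part is a stub (not stored here)
            stub = ($15 == "#")
        }
        $1 == "ssb" && $15 != "#" {
            # field 12 lists capabilities: s = sign, e = encrypt
            if ($12 ~ /s/) sign = $5
            if ($12 ~ /e/) encr = $5
            # field 7 is the expiry time; empty means no expiry date
            if ($7 == "") noexp = noexp " " $5
        }
        END {
            ok = 1
            if (master == "") { print "FAIL no master key listed"; ok = 0 }
            else if (!stub) { print "FAIL master secret key " master " is present"; ok = 0 }
            else print "ok   master " master " is a stub"
            if (sign == "") { print "FAIL no usable signing sub-key"; ok = 0 }
            else print "ok   signing sub-key " sign
            if (encr == "") { print "FAIL no usable encryption sub-key"; ok = 0 }
            else print "ok   encryption sub-key " encr
            if (noexp != "") print "note sub-keys without expiry:" noexp
            exit !ok
        }'
}

# Constructed sample: key IDs and timestamps are made up.
sample_subkeys_only() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1284681600:1442361600::u:::scESC:::#:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1284681600:1442361600:::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1284681600:1442361600:::::s:::+:::23:
EOF
}

# The same listing as the offline machine would show it: master secret present.
sample_full_key() {
    sample_subkeys_only | sed '/^sec:/s/:#:/:+:/'
}

sample_subkeys_only | check_daily_keyring
```

On a real machine the input would come from `gpg --list-secret-keys --with-colons` piped into `check_daily_keyring`.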