Timely link, as I have been reading about Gnupg that last couple of days. I will say that I feel its use is a bit complicated, but I did find a nice guide at Riseup:
This 1999 article makes me feel old fashioned: I still use GnuPG from the command line, as detailed in this privacy manual. I also use encrypted file systems on my laptops, but when I need to communicate with customers and maintain the privacy of their materials, I still use ZIP and GnuPG.
first page: "You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits". Definitely do not follow this guide nowadays :D
For a much more gentle (and illustrated) introduction do public-key encryption, GnuPG and how to use it with email (Thunderbird + Enigmail), see FSF's Email Self-Defense:
The DSA key recommendation is terrible, either go 4096 RSA or Ed25519/Curve25519.
Secondly, use whatever keyring manager your distro has available and that supports your keys and is nice to use. GPA is okay-ish and offers most options.
But there were some important differences. Newer GnuPG versions have simplified how gpg-agent takes the place of ssh-agent. Nowadays, it's enough to create an SSH_AUTH_SOCK environment variable that points to ~/.gnupg/S.gpg-agent.ssh
Also, I found the air-gapped system setup described there and elsewhere to be excessively difficult. Far and away the easiest way to create an air-gapped key generating machine was to install OpenBSD to a USB key (you can boot the mini install image and overwrite the same device). Installing the gpg2 package gives you a complete gnupg environment for interacting with OpenPGP smart cards. By contrast, there were a bunch of packages to install with Ubuntu / Debian.
It was a little hairy to set up in total, but I really love my Yubikey-mediated GPG setup. I also now use password-store for passwords, complete with dmenu integration.
I'm not super happy that the Yubikey 4 isn't 100% open hardware though. If someone has a recommendation for something that is, and supports 4096 bit keys, I'd gladly hear it.
There is NitroKey[0], which seemed to me like a good alternative to Yubikey, but I haven't ordered either yet so I can't say I have first-hand experience. But much luck if you decide to go with it, something I'm looking more and more into, especially since I too use password-store and it would be good having an easier to use setup that is still secure.
Nitrokey claims on their homepage that the firmware of the Storage version of NitroKey can be updated by software. This seems to mean that there's someone out there with a key that can sign arbitrary code that can be loaded as an update and gains access to the crypto material on the device.
I had a look through their instructions and I'm not sure if there is a signing process that happens. You have to enable firmware access from the app, and then it's a bog standard DFU flash to load the new firmware.
Does it require you to perform any physical actions on the dongle? If not, why can't I straightforwardly extract keys if I own the machine the dongle is attached to?
16 comments
[ 3.8 ms ] story [ 75.6 ms ] threadhttps://riseup.net/en/gpg-best-practices
Interesting as a historic artefact, but please don't follow this guide, search for something more recent.
https://emailselfdefense.fsf.org/
Tactical Tech's Security in-a-Box has more detailed, step-by-step, multiple platform guides for the same tools:
https://securityinabox.org/en/guide/thunderbird/windows
https://securityinabox.org/en/guide/thunderbird/linux
https://securityinabox.org/en/guide/thunderbird/os-x
The DSA key recommendation is terrible, either go 4096 RSA or Ed25519/Curve25519.
Secondly, use whatever keyring manager your distro has available and that supports your keys and is nice to use. GPA is okay-ish and offers most options.
But there were some important differences. Newer GnuPG versions have simplified how gpg-agent takes the place of ssh-agent. Nowadays, it's enough to create an SSH_AUTH_SOCK environment variable that points to ~/.gnupg/S.gpg-agent.ssh
Also, I found the air-gapped system setup described there and elsewhere to be excessively difficult. Far and away the easiest way to create an air-gapped key generating machine was to install OpenBSD to a USB key (you can boot the mini install image and overwrite the same device). Installing the gpg2 package gives you a complete gnupg environment for interacting with OpenPGP smart cards. By contrast, there were a bunch of packages to install with Ubuntu / Debian.
It was a little hairy to set up in total, but I really love my Yubikey-mediated GPG setup. I also now use password-store for passwords, complete with dmenu integration.
I'm not super happy that the Yubikey 4 isn't 100% open hardware though. If someone has a recommendation for something that is, and supports 4096 bit keys, I'd gladly hear it.
[0] https://www.nitrokey.com/