16 comments

[ 3.8 ms ] story [ 75.6 ms ] thread
This 1999 article makes me feel old fashioned: I still use GnuPG from the command line, as detailed in this privacy manual. I also use encrypted file systems on my laptops, but when I need to communicate with customers and maintain the privacy of their materials, I still use ZIP and GnuPG.
first page: "You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits". Definitely do not follow this guide nowadays :D
Good ol' times. Wonder if one can make a Google query to get old keys, ripe for cracking
Wow, this is so old (1999) it's terrible. It recommends generating DSA keys.

Interesting as a historic artefact, but please don't follow this guide, search for something more recent.

For a much more gentle (and illustrated) introduction do public-key encryption, GnuPG and how to use it with email (Thunderbird + Enigmail), see FSF's Email Self-Defense:

https://emailselfdefense.fsf.org/

Tactical Tech's Security in-a-Box has more detailed, step-by-step, multiple platform guides for the same tools:

https://securityinabox.org/en/guide/thunderbird/windows

https://securityinabox.org/en/guide/thunderbird/linux

https://securityinabox.org/en/guide/thunderbird/os-x

I'd advise against using this guide.

The DSA key recommendation is terrible, either go 4096 RSA or Ed25519/Curve25519.

Secondly, use whatever keyring manager your distro has available and that supports your keys and is nice to use. GPA is okay-ish and offers most options.

I've been meaning to write up the adventure I had setting up my Yubikey 4 together with GnuPG. Most of my work was cribbed off of this guide: https://www.jfry.me/articles/2015/gpg-smartcard/

But there were some important differences. Newer GnuPG versions have simplified how gpg-agent takes the place of ssh-agent. Nowadays, it's enough to create an SSH_AUTH_SOCK environment variable that points to ~/.gnupg/S.gpg-agent.ssh

Also, I found the air-gapped system setup described there and elsewhere to be excessively difficult. Far and away the easiest way to create an air-gapped key generating machine was to install OpenBSD to a USB key (you can boot the mini install image and overwrite the same device). Installing the gpg2 package gives you a complete gnupg environment for interacting with OpenPGP smart cards. By contrast, there were a bunch of packages to install with Ubuntu / Debian.

It was a little hairy to set up in total, but I really love my Yubikey-mediated GPG setup. I also now use password-store for passwords, complete with dmenu integration.

I'm not super happy that the Yubikey 4 isn't 100% open hardware though. If someone has a recommendation for something that is, and supports 4096 bit keys, I'd gladly hear it.

There is NitroKey[0], which seemed to me like a good alternative to Yubikey, but I haven't ordered either yet so I can't say I have first-hand experience. But much luck if you decide to go with it, something I'm looking more and more into, especially since I too use password-store and it would be good having an easier to use setup that is still secure.

[0] https://www.nitrokey.com/

Nitrokey claims on their homepage that the firmware of the Storage version of NitroKey can be updated by software. This seems to mean that there's someone out there with a key that can sign arbitrary code that can be loaded as an update and gains access to the crypto material on the device.
I had a look through their instructions and I'm not sure if there is a signing process that happens. You have to enable firmware access from the app, and then it's a bog standard DFU flash to load the new firmware.
Does it require you to perform any physical actions on the dongle? If not, why can't I straightforwardly extract keys if I own the machine the dongle is attached to?