Creating strong security habits - Part 2 - PGP
5 min read
This post is continuation of part 1. We will talk about the creation of a PGP key to sign files, encrypt, and use as git commit validation.
Your goal is to create a master PGP key and use only subkeys on your devices. This master key will be kept offline and is only used to generate or revoke new subkeys. This makes more convenient to revoke stolen, lost or compromised devices.
Creating the master key
Is a good practice to use a Linux live cd to create the keys and keep on memory. But if you want you could file shredder GnuPG folder at the final of this tutorial.
Start by creating the master key with the command:
(1) RSA and RSA (default)
What keysize do you want?: 4096
Key is valid for? (0) 5y
Add your full name and email address.
Do not add any comment.
GPG create a default subkey for encryption (E), with the same expiration of the master key.
Now, we will make sure all subkeys have a 2 years expiration. Edit the key expiration date with the command:
gpg --expert --edit-key KEYID
Select the subkey with key command and alter the expiration to 2 years with the expire command.
Now add a sign only subkey:
Select (4) RSA (sign only)
put a 2 year expiration.
You can add new user ids (names and emails) if you wish. Use the command adduid. Select your primary uid.
Add a new authentication only subkey (only appears in the --expert mode):
Select (8) RSA (set your own capabilities).
Enter S to toggle Sign off.
Enter E to toggle Encript off.
Enter A to toggle _Authenticate__ on.
Enter q to continue.
Check the keys:
pub rsa4096 2018-08-05 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx uid sub rsa4096 2018-08-05 sub rsa4096 2018-08-05
We create a master key, with 5-year expiration and subkeys for encryption, sign, and authentication with 2 years expiration.
Generate a revocation certificate
This step is very important. If GPG has generated one. Copy it, if not:
gpg --output KEYID.rev --gen-revoke KEYID
Saving the master key
Now, we will save master and subkeys. Make sure you are on a trusted file system. Like encrypted or offline pendrive. Just remember, any filesystem where this key is saved will be subject to attack, the only thing protecting it is the password you choose.
gpg --export-secret-key --armor --output KEYID.priv.key KEYID gpg --export --armor --output KEYID.pub.key KEYID gpg --export-secret-subkeys --armor --output KEYID.sub.key KEYID
You have 4 files: revocation, public master, private master and private subkeys.
Optional: Save a second copy of the revocation file and public key. I did save an online encrypted (password manager) copy of the revocation file, that way, if compromised or lost I can still revoke the public key from anywhere.
I recommend you make a second offline copy, that way you minimize the chance of key lost. I'm thinking on Blu-ray as good media for cold storage but is a controversy if can last. Looks like m-disc is the best choice for archiving. I plan to buy m-disc and a compatible drive in the near future, for the archiving of all kinds of important digital things.
A pen drive has an estimated life of 10 years, you will need to swap storage before that. Your certificate is valid for 5 years, but we can extend this and re-upload the key.
Importing the subkeys
If you did that on your computer, delete the master key:
gpg --delete-secret-key KEYID
Or better file shredder the GnuPG folder.
Import the subkeys:
gpg --import KEYID.sub.key
Check the result:
gpg --list-secret-keys ---------------------------- sec# 4096R/xxxx 2020-08-04 uid xxxxxxxxxxxx ssb 4096R/xxxx 2020-08-04 ssb 4096R/xxxx 2020-08-04
The # in sec indicates the master key is not present.
Bonus add to Keybase
To share your identity, add it to Keybase
keybase pgp select
This will upload your public key to your profile on keybase.
My profile is https://keybase.io/gcsilva. Best part? There is proof that this domain site is mine, and my twitter account is real, that way you can trust this site and the keybase profile, twitter, and the gpg key are from the same person.
If you need the check or use the public key of any user a simple command as
keybase pgp pull username, or just
keybase pgp pull to update all keys of people you follow.
Keybase is awesome check it out and don't be shy to follow me (adds even more security to the system). I appreciate, thank you.
Finally, the main reason I create a PGP key: Git codesign.
git config --global commit.gpgsign true git config --global user.signingkey KEYID
If you are on Windows:
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
Make a test commit and check the sign:
git log --show-signature -1
To improve your security and convenience even further, we could add to your workflow two Yubikey or similar, and move the sub-keys to it.
Unfortunately, this key is expensive and the import of goods in my country more than double the price (you hear me right), as a result I'm not sure if I going to purchase one.