Creating strong security habits - Part 2 - PGP

This post is continuation of part 1. We will talk about the creation of a PGP key to sign files, encrypt, and use as git commit validation.

Your goal is to create a master PGP key and use only subkeys on your devices. This master key will be kept offline and is only used to generate or revoke new subkeys. This makes more convenient to revoke stolen, lost or compromised devices.

Creating the master key

Is a good practice to use a Linux live cd to create the keys and keep on memory. But if you want you could file shredder GnuPG folder at the final of this tutorial.

Start by creating the master key with the command:

 gpg --full-generate-key

Select:

(1) RSA and RSA (default)

What keysize do you want?: 4096

Key is valid for? (0) 5y

Add your full name and email address.

Do not add any comment.

GPG create a default subkey for encryption (E), with the same expiration of the master key.

Now, we will make sure all subkeys have a 2 years expiration. Edit the key expiration date with the command:

gpg --expert --edit-key KEYID

Select the subkey with key command and alter the expiration to 2 years with the expire command.

Now add a sign only subkey:

addkey

Select (4) RSA (sign only)

4096 bit

put a 2 year expiration.

You can add new user ids (names and emails) if you wish. Use the command adduid. Select your primary uid.

Add a new authentication only subkey (only appears in the --expert mode):

Select (8) RSA (set your own capabilities).

Enter S to toggle Sign off.

Enter E to toggle Encript off.

Enter A to toggle _Authenticate__ on.

Enter q to continue.

Save.

Check the keys: gpg --list-keys

pub   rsa4096 2018-08-05 [SC] [expires: 2023-08-04]
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uid           [ultimate] Giovanni Candido da Silva <xxx@xxxx>
uid           [ultimate] Giovanni Candido da Silva <xxx@xxxx>
sub   rsa4096 2018-08-05 [E] [expires: 2020-08-04]
sub   rsa4096 2018-08-05 [A] [expires: 2020-08-04]
sub   rsa4096 2018-08-05 [S] [expires: 2020-08-04]

We create a master key, with 5-year expiration and subkeys for encryption, sign, and authentication with 2 years expiration.

Generate a revocation certificate

This step is very important. If GPG has generated one. Copy it, if not:

gpg --output KEYID.rev --gen-revoke KEYID

Saving the master key

Now, we will save master and subkeys. Make sure you are on a trusted file system. Like encrypted or offline pendrive. Just remember, any filesystem where this key is saved will be subject to attack, the only thing protecting it is the password you choose.

gpg --export-secret-key --armor --output KEYID.priv.key KEYID
gpg --export --armor --output KEYID.pub.key KEYID
gpg --export-secret-subkeys --armor --output KEYID.sub.key KEYID

You have 4 files: revocation, public master, private master and private subkeys.

Optional: Save a second copy of the revocation file and public key. I did save an online encrypted (password manager) copy of the revocation file, that way, if compromised or lost I can still revoke the public key from anywhere.

I recommend you make a second offline copy, that way you minimize the chance of key lost. I'm thinking on Blu-ray as good media for cold storage but is a controversy if can last. Looks like m-disc is the best choice for archiving. I plan to buy m-disc and a compatible drive in the near future, for the archiving of all kinds of important digital things.

A pen drive has an estimated life of 10 years, you will need to swap storage before that. Your certificate is valid for 5 years, but we can extend this and re-upload the key.

Importing the subkeys

If you did that on your computer, delete the master key:

gpg --delete-secret-key KEYID

Or better file shredder the GnuPG folder.

Import the subkeys:

gpg --import KEYID.sub.key

Check the result:

gpg --list-secret-keys

----------------------------
sec#  4096R/xxxx 2020-08-04
uid                  xxxxxxxxxxxx
ssb   4096R/xxxx 2020-08-04
ssb   4096R/xxxx 2020-08-04

The # in sec indicates the master key is not present.

Bonus add to Keybase

To share your identity, add it to Keybase

keybase pgp select

This will upload your public key to your profile on keybase.

My profile is https://keybase.io/gcsilva. Best part? There is proof that this domain site is mine, and my twitter account is real, that way you can trust this site and the keybase profile, twitter, and the gpg key are from the same person.

If you need the check or use the public key of any user a simple command as keybase pgp pull username, or just keybase pgp pull to update all keys of people you follow.

Keybase is awesome check it out and don't be shy to follow me (adds even more security to the system). I appreciate, thank you.

Git signing

Finally, the main reason I create a PGP key: Git codesign.

git config --global commit.gpgsign true
git config --global user.signingkey KEYID

If you are on Windows:

git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"

Make a test commit and check the sign:

git log --show-signature -1

DONE.

Future

To improve your security and convenience even further, we could add to your workflow two Yubikey or similar, and move the sub-keys to it.

Unfortunately, this key is expensive and the import of goods in my country more than double the price (you hear me right), as a result I'm not sure if I going to purchase one.

Good References: