June 11th Meeting GPG Encryption


Vincent Brown

Jun 4, 2019, 3:04:00 PM
to NLUG
Just updated the June 11th meeting on Meetup.
Let's explore GPG encryption. Feel free to bring a laptop and we'll have a key-signing party if there are enough people with keys to exchange. If you don't have keys, bring a laptop and we can help you create keys.
As a reminder, we will be in an awesome new location. Vaco's new building is beautiful. There is even more cool AV equipment, and even a bar.
If you are going, please register on Meetup. Vaco uses those registration numbers so they know how much food to buy.
New address is only a block away from the old building and it's posted on Meetup.

Vincent Brown

Jun 11, 2019, 3:44:32 PM
to NLUG
If anyone is interested in the key-signing party part of the evening, feel free to bring your cert fingerprint and ID for verification. Time permitting, we may also be able to help users create keys if you'd like to bring a laptop. 

Vincent Brown

Jun 11, 2019, 7:33:15 PM
to NLUG
If anyone wants to follow along on their laptops, here are the steps I'll be going through:

Combined from:
Leaving out the parts about installing on a live USB and exporting to smartcard/Yubikey. Smartcard export can be done later for those interested.

 $ mkdir ~/Documents/GPG/
 $ cd ~/Documents/GPG/
Create a hardened configuration in the temporary directory with the following options:


 $ gpg --expert --full-gen-key

 Select 8: RSA (set your own capabilities)

 Select E to toggle off the Encrypt capability, which will leave you with only Sign + Certify.

 Set a 4096 bit key size.

 Set the expiration date.

 Set up a UID.

 Set up a passphrase.

 The primary key is generated. Note your new key ID, as you'll be needing it henceforth.


 Export the key ID as a variable (KEYID) for use later:

$ export KEYID=

Add UIDs

 $ gpg --expert --edit-key $KEYID

 Use gpg> adduid to add as many UIDs or e-mail addresses as you need. Once you're done, toggle to gpg> uid <#> and use the gpg> primary command to set the primary UID.

Now we will generate subkeys for each additional capability to be transferred to the main smartcard designated for daily use.

Create the Encrypt key

 gpg> addkey

 Select 6: RSA (encrypt only).

 Set a 4096 bit key size.

 Set the expiration date.

 The first subkey is generated.

Create the Authenticate key

 gpg> addkey

 Select 8: RSA (set your own capabilities)

 Select S and E to toggle off the Sign and Encrypt capabilities.

 Select A to toggle on the Authenticate capability and press Q.

 Set a 4096 bit key size.

 Set the expiration date.

 The second subkey is generated.

Set trust level

By the way, you should probably set the public key to the ultimate trust level.

 gpg> trust

 Select 5 = I trust ultimately.

 gpg> save

Save the key(s) you've been creating.

Add signatures

If you want to sign your new master key with a previous key that you're transitioning from, then the time is now. How else will people know you're not an impostor?

 $ gpg -u <your_old_keyid> --sign-key $KEYID

Generate revocation certificate

It's a good idea to create a revocation certificate, in case the YubiKey is lost or your private key is somehow compromised.

 $ gpg --output revoke.asc --gen-revoke $KEYID

Backup everything

 $ gpg --armor --output privkey.sec --export-secret-key $KEYID
 $ gpg --armor --output subkeys.sec --export-secret-subkeys $KEYID
 $ gpg --armor --output pubkey.asc --export $KEYID

You can move these private keys plus the revocation certificate someplace safe, like an encrypted partition or offline storage media.

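The script below is added here as an illustration; it is not part of Vincent's post or of the guides his steps were combined from. It builds the same key set unattended with the --quick-* commands of GnuPG 2.1+ (assumed to be on PATH as gpg/gpgconf) instead of walking the --expert menus, so the result of the walk-through can be checked rather than trusted: a Certify+Sign-only RSA primary, an Encrypt-only subkey, an Authenticate-only subkey, ultimate ownertrust, the revocation certificate (GnuPG 2.1+ writes one into openpgp-revocs.d/ at key creation, so no separate --gen-revoke is needed), the three armored backups, and the "sign the new key with the old key" step done with --quick-sign-key. Assumptions not in the post: a one-year expiry, an empty passphrase so the script can run without a pinentry (put a real passphrase on real keys), a throwaway GNUPGHOME from mktemp standing in for ~/Documents/GPG/, and the example user IDs.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG 2.1+ (gpg, gpgconf).
# Keys are created with an EMPTY passphrase so this runs unattended; protect real keys.

GPG_EXPIRE=1y   # assumption: the post only says "set the expiration date"

# gpg wrapper: homedir $1, batch mode, loopback pinentry with the empty passphrase.
g() {
  ghd=$1; shift
  gpg --homedir "$ghd" --batch --pinentry-mode loopback --passphrase '' "$@"
}

# Fresh private GNUPGHOME (stands in for the post's ~/Documents/GPG/); prints its path.
new_homedir() {
  d=$(mktemp -d) || return 1
  chmod 700 "$d"
  printf '%s\n' "$d"
}

# make_keys HOMEDIR UID [ALGO]: build the key set, print the primary fingerprint.
make_keys() {
  hd=$1; uid=$2; algo=${3:-rsa4096}
  # Primary limited to cert,sign (the "toggle off E, leaving Sign + Certify" step).
  g "$hd" --quick-generate-key "$uid" "$algo" cert,sign "$GPG_EXPIRE"
  fpr=$(gpg --homedir "$hd" --batch --with-colons --list-keys "$uid" 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}')
  # Subkeys: Encrypt-only ("6: RSA (encrypt only)") and Authenticate-only ("8 ... A").
  g "$hd" --quick-add-key "$fpr" "$algo" encr "$GPG_EXPIRE"
  g "$hd" --quick-add-key "$fpr" "$algo" auth "$GPG_EXPIRE"
  # Ownertrust 6 = ultimate (menu item "5 = I trust ultimately" in gpg> trust).
  printf '%s:6:\n' "$fpr" | gpg --homedir "$hd" --batch --import-ownertrust 2>/dev/null
  printf '%s\n' "$fpr"
}

# key_caps HOMEDIR FPR: one "pub:<caps>" / "sub:<caps>" line per key. Field 12 of the
# --with-colons listing holds this key's own capabilities in lowercase (e s c a) followed
# by the whole key's in uppercase; only the lowercase part is kept.
key_caps() {
  gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null \
    | awk -F: '$1=="pub"||$1=="sub"{c=$12; gsub(/[^a-z]/,"",c); print $1 ":" c}'
}

# revocation_cert HOMEDIR FPR: path of the certificate GnuPG wrote at key creation.
revocation_cert() {
  printf '%s/openpgp-revocs.d/%s.rev\n' "$1" "$2"
}

# cross_sign HOMEDIR OLDFPR NEWFPR: certify the new key with the key you are leaving.
cross_sign() {
  g "$1" --local-user "$2" --quick-sign-key "$3"
}

# key_signers HOMEDIR FPR: long key IDs of every good ("!") certification on the key,
# self-signatures included.
key_signers() {
  gpg --homedir "$1" --batch --with-colons --check-sigs "$2" 2>/dev/null \
    | awk -F: '$1=="sig" && $2=="!" {print $5}' | sort -u
}

# export_backups HOMEDIR FPR OUTDIR: the three armored exports from the post.
export_backups() {
  g "$1" --armor --output "$3/privkey.sec" --export-secret-keys "$2"
  g "$1" --armor --output "$3/subkeys.sec" --export-secret-subkeys "$2"
  g "$1" --armor --output "$3/pubkey.asc" --export "$2"
}

# Usage: sh gen_keys.sh 'Alice Example <alice@example.org>' [rsa4096]
if [ $# -ge 1 ]; then
  HD=$(new_homedir)
  FPR=$(make_keys "$HD" "$1" "${2:-rsa4096}")
  echo "primary fingerprint: $FPR"
  key_caps "$HD" "$FPR"
  echo "revocation certificate: $(revocation_cert "$HD" "$FPR")"
  export_backups "$HD" "$FPR" "$HD"
  echo "backups written to $HD (move them to offline media, then shred the directory)"
  gpgconf --homedir "$HD" --kill gpg-agent
fi
```

Run it with a user ID as the argument and it prints the fingerprint plus one capability line per key: the primary should show only sc, the subkeys e and a respectively. Those lines are the check worth making before anything goes near a smartcard, since an Encrypt bit left on the primary is easy to miss in the interactive menus. The export of the primary secret key is the one file that never belongs on a daily-use machine.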

Vincent Brown

Jun 11, 2019, 11:11:32 PM
to NLUG
We will continue GPG in July. Between now and then feel free to try making a set of keys. If you are interested in the YubiKey USB smartcard I showed at the meeting, here is where you can order one.
If you want the one I have with NFC connectivity with your phone, get the YubiKey 5 NFC.
Here are a couple of keyservers but you can find more on Google: hkps://hkps.pool.sks-keyservers.net & https://pgp.key-server.io.
Kleopatra is the GUI program I was using. It's available for Windows too. Probably Mac also?
OpenKeychain is a great app for Android.
There are a variety of GPG plugins for Outlook, Thunderbird, etc.
Bring keys (or at least ID and fingerprints) next meeting and we'll do a keysigning party again.
