--
- JavaScript Engineer @ Infinum
- Open source fanatic and contributor
- Strong believer in overdoing security
--
- twitter: @andreicek
- site: andrei.im
- PGP (1991), a commercial, closed product, later known as Symantec's suite of encryption tools
- OpenPGP, a standard proposed to the IETF in 1997 and accepted
- GnuPG, an implementation of the OpenPGP standard (the one we'll use today)
- Installing GnuPG
- Encrypting and decrypting
- Signing stuff - what and what not
- GPG keys (sig/enc/auth)
- Hardware (aka. spending a bunch of money)
- Math behind the thing
- Commercial tools and implementations
- SmartCard standard :(
Win/Linux/MacOS/*BSD
- on most systems you might already have it
- install version 2.x.x (a bit safer and easier to use)
sudo apt-get install gnupg2
brew install gnupg2 # Homebrew refuses to run as root, so no sudo here
sudo pkg install gnupg2
on Windows, use a Linux environment on Windows if possible
gpg --full-gen-key # follow the interactive setup; plain --gen-key on GnuPG 2.1+ uses defaults and never asks for the key size
tips 'n' tricks for a safer key:
- use RSA (for now)
- 4096 key size
- set up a passphrase, DO NOT skip this
- you can (and should) add all of your email addresses
- don't sign plaintext on its own; it's better to encrypt, always
- bad guys will be able to verify it's you and see the contents, making you liable
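Added example, not from the talk: a throwaway keyring shows why the slide says to encrypt rather than only sign. A clear-signed message proves who wrote it but anyone holding the public key can read it; a signed and encrypted one can be read only by the recipient's private key. Names, emails and the message are constructed, and the demo key is 2048-bit without a passphrase purely to run quickly.

```shell
#!/bin/sh
# Added example, not from the talk: generate a key, then compare a clear-signed
# message (readable and verifiable by anyone) with a signed+encrypted one.
# Names, emails and message text are constructed for the demo.
set -eu

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"      # two isolated keyrings, never ~/.gnupg
mkdir -m 700 "$ALICE" "$BOB"

# Unattended key generation. The talk's advice for a real key still applies:
# RSA 4096 and a passphrase; 2048 and no passphrase here only to keep the demo fast.
cat >"$WORK/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Alice Example
Name-Email: alice@example.invalid
Expire-Date: 0
%commit
EOF
gpg --homedir "$ALICE" --batch --quiet --gen-key "$WORK/params" 2>/dev/null

# Alice shares only her public key (what a keyserver or website would carry).
gpg --homedir "$ALICE" --armor --export alice@example.invalid >"$WORK/alice.pub"
gpg --homedir "$BOB" --batch --quiet --import "$WORK/alice.pub" 2>/dev/null

echo 'lunch is at noon in room 4' >"$WORK/msg.txt"

# Clear-signing proves authorship but hides nothing: Bob, holding only the
# public key, verifies the signature AND reads the text straight from the file.
clearsign_readable_by_anyone() {
  gpg --homedir "$ALICE" --batch --yes --clearsign -o "$WORK/msg.asc" "$WORK/msg.txt"
  gpg --homedir "$BOB" --batch --verify "$WORK/msg.asc" 2>/dev/null \
    && grep -q 'room 4' "$WORK/msg.asc"
}

# Sign+encrypt to a recipient: the file carries no plaintext, only the holder
# of the matching private key (Alice) can decrypt, and the signature still checks.
encrypt_and_sign_only_recipient_reads() {
  gpg --homedir "$ALICE" --batch --yes --sign --encrypt \
    -r alice@example.invalid -o "$WORK/msg.gpg" "$WORK/msg.txt"
  ! grep -q 'room 4' "$WORK/msg.gpg" \
    && ! gpg --homedir "$BOB" --batch --decrypt "$WORK/msg.gpg" >/dev/null 2>&1 \
    && gpg --homedir "$ALICE" --batch --decrypt "$WORK/msg.gpg" 2>/dev/null | grep -q 'room 4'
}
```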
- git commits
- packages on package managers (apt-get, bundler, etc.)
- verify that the code is yours
- don't forget to upload your public key to a git service provider of your choosing
git config --global commit.gpgsign true
- Encrypting and decrypting key
- Signing key
- Authentication key (think SSH!)
pub rsa4096 2016-10-02 [SC]
11F34CE458A1481802115140F611EAEFA07D5401
uid [ultimate] Andrei Zvonimir Crnkovic (My GPG key) <[email protected]>
uid [ultimate] Andrei Zvonimir Crnkovic (My GPG key) <[email protected]>
uid [ultimate] Andrei Zvonimir Crnkovic <[email protected]>
sub rsa4096 2016-10-02 [E]
sub rsa2112 2017-11-13 [A]
- sharing your keys using your website or using a keyserver
  - pgp.mit.edu
  - Keybase.io (would not recommend)
- upload your keys
- fetch your friends' keys
- sign them, and upload them
- anything from the Yubikey 4 lineup, or the Neo
- prices start from $40 and go up to $60
- you should really buy two (but don't)
- other vendors are fine too, but Yubico's tooling is great
- back up all of the keys, both private and public somewhere you trust
- my method: export, gzip, encrypt with openssl, upload to S3 and Google Drive
- second recommended option: store on an encrypted drive!
- once on the device, always on the device (the private key cannot be exported again)
- Change PINs! DO NOT FORGET THIS
- https://github.com/drduh/YubiKey-Guide#configure-smartcard
- once left unattended you don't trust the device
- once another person touched the device you don't trust the device
- never let bad guys see the device or know that you have one
- Problems with GPG Fingerprints, Defcon https://goo.gl/2AUDvU
- My quick guide https://d.andrei.im/gnugpg.html
- The GNU Privacy Handbook https://www.gnupg.org/gph/en/manual.html
- Official Yubikey site https://www.yubico.com/product/yubikey-4-series/
- Setup SSH Auth with your Yubikey https://git.io/vN46b