GPG Kunk-fu

GPG_replace_old_key.md

Goal: replacing a 13 years old (DSA1024) GPG key with a new longer key (RSA4096)

Using master key to create subkeys, and using subkeys to do real work (signing, encryption,...).

Using GPG subkeys

How

• https://alexcabal.com/creating-the-perfect-gpg-keypair
• https://riseup.net/pt/security/message-security/openpgp/gpg-best-practices
• https://github.com/drduh/YubiKey-Guide
• https://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
• https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4

Why

• https://wiki.debian.org/Subkeys
• https://incenp.org/notes/2015/using-an-offline-gnupg-master-key.html
• https://alexcabal.com/creating-the-perfect-gpg-keypair/

Creating a new key with a long key size

# RSA, 4096, no expiration
# This will create a master key with a subkey for encryption
gpg --full-gen-key

Creating, trusting and changing usage of a new subkey

gpg --edit-key $NEW_KEY
gpg> addkey
4
4096
0
gpg> key 2
gpg> trust
5
gpg> change-usage
E
A
gpg> save

Signing new key with old

gpg --edit-key $NEW_KEY
gpg> sign $OLD_KEY
gpg> save
`

## Signing old key with new key to make a link between keys

```console
gpg --edit-key $OLD_KEY
gpg> sign $NEW_KEY
gpg> save

Setting digest preferences for keys and subkeys to have SHA1 as last resort

gpg --edit-key $NEW_KEY
gpg> showpref
setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> key 2
setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> save

gpg --edit-key $OLD_KEY
gpg> showpref
setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> key 2
setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> save

Configuring default key

In ~/.gnupg/gpg.conf

default-key $NEW_SUBKEY

Adding required identities to new key

gpg --edit-key $NEW_KEY
gpg> uid
gpg> adduid
gpg> uid 2
gpg> trust
5
gpg> save

Backing up new key

# Export public key
gpg --export --armor --output new-pubkey.gpg $NEW_KEY
# Export secret key
gpg --export-secret-keys --armor --output new-secretkey.gpg $NEW_KEY
# Export subkey
gpg --export-secret-subkeys --armor --output new-secret-subkeys.gpg $NEW_KEY
# Export subkey

Save it to secure place.

Generating revocation certificate for new key

gpg --output new-revoke.asc --armor --gen-revoke $NEW_KEY

Save it to secure place.

Publishing all keys

gpg --send-keys $NEW_KEY $OLD_KEY

Additional steps

Removing the masterkey from laptops and keeping the masterkey in a trusted place.

 gpg --delete-secret-keys $NEW_KEY
 gpg --import subkeys.gpg
 # Secret master key should show as sec# (with a #)
 gpg -K $NEW_KEY

In order to sign mails with mutt/neomutt using the subkey, only the subkey should be present in the local store.

gpg --edit-key $NEW_KEY
# List all keys
gpg> key
# Select key to be removed
gpg> key XXXXXXX
gpg> delkey
gpg> save

In mutt/neomutt conf, the $NEW_KEY ID should be documented.

Importing keys

gpg --import $PUB_KEY
gpg --allow-secret-key --import $SECRET_KEY

Signing a keys

gpg --receive-keys $KEY_ID
gpg --edit-key $KEY_ID
gpg> trust
gpg> sign
gpg --send-key $KEY_ID

Links

• https://www.apache.org/dev/openpgp.html
• https://www.apache.org/dev/key-transition.html
• https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/
• https://oguya.ch/posts/2016-04-01-gpg-subkeys/
• http://www.connexer.com/articles/openpgp-subkeys
• https://github.com/pstadler/keybase-gpg-github
• https://wiki.debian.org/Keysigning
• https://wiki.ubuntu.com/KeySigningParty

GPG_singing_party.md

Organising a signing party

This notes are meant to help organising a GPG key signing party.

Overall procedure

• Public keys are sent to the organiser by their owner
• The organiser sends the full list of keys to all attendees
• As different GPG software may use by default a different key server, a list of servers has been agreed to be used to retrieve and push keys (e.g. after signing them) ** https://keys.openpgp.org/ and https://pgp.surfnet.nl/
• All participants print their key details (name, email address, fingerprints, etc) onto small papers (can have quite a few in a single A4 page) using https://keysheet.net/ (or similar)
• During the key signing party, the only thing that people do is exchange these paper slips, verifying every one's passports or ID card as they do.
• After the party, people sign the key (as they see fit, it's not mandatory for everyone to sign everyone) and upload the signed key on the pre-determined servers. See some notes on doing this after this procedure.

Using gpg from the CLI

Export local pub key to a file

gpg --export --armor --output pubkey.gpg <XXXXX>

Downloading and, trusting and signing a remote key and uploading it with the signature ====

• Trust: Usually 4 "I trust fully", obviously depending on the level of trust and verification that was done.
• Only the master key can be used to sign someone else's key, sub keys cannot be used for this.
• While the key is downloaded from one of the servers, the signed key is sent to all the agreed key servers.

gpg --keyserver keys.openpgp.org --receive-keys <YYYYY>
gpg --edit-key <YYYYY>
gpg> trust
gpg> sign
gpg> save
gpg --keyserver keys.openpgp.org --send-keys <YYYYY>
gpg --keyserver pgp.surfnet.nl --send-keys <YYYYY>

Refreshing local keys from key servers

gpg --keyserver keys.openpgp.org --receive-keys <XXXXX>
gpg --keyserver pgp.surfnet.nl --receive-keys <XXXXX>

It's also possible to refresh all keys at once:

gpg --keyserver keys.openpgp.org --refresh-keys 
gpg --keyserver pgp.surfnet.nl --refresh-keys

Links

• https://wiki.debian.org/Keysigning
• https://wiki.ubuntu.com/KeySigningParty