# Key-pair Setup
Jan 5, 2025
#security
We're going to explore the process of creating a secure and versatile PGP key pair. OpenPGP isn't just an encryption tool; it's a decentralized identity system that puts you in control of your digital presence.
## Initial Setup
Begin by installing the appropriate tools for your OS:
- Windows: GPG4Win
- Mac: GPGTools
- Linux: GnuPG.org
This post uses Ubuntu and GnuPG.
## Configuring GPG
Before key creation, add the following to your gpg.conf file:
```conf
# enhance privacy
no-emit-version
no-comments
export-options export-minimal
# improve key information display
keyid-format 0xlong
with-fingerprint
# show key validity
list-options show-uid-validity
verify-options show-uid-validity
# restrict to strong algorithms
personal-cipher-preferences AES256
personal-digest-preferences SHA512
default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed
cipher-algo AES256
digest-algo SHA512
cert-digest-algo SHA512
compress-algo ZLIB
disable-cipher-algo 3DES
weak-digest SHA1
s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712
```
## Leveraging Subkeys
We'll use OpenPGP's subkey feature to create a more secure and flexible key setup. Each subkey takes on one specialized function:
- Signing
- Encrypting
- Authentication
This approach allows an individual subkey to be revoked, if necessary, without compromising the master key.
## Master Key Creation
Let's create the master key for our user, Char. This key will certify all the others:
```bash
char@rack2:~$ gpg --expert --full-gen-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
Your selection? 8
```
Then you have to select the attributes of this key: only the Certify capability.
```bash
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? e
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
```
Follow the prompts, opting for a 4096-bit key size for maximum security. Always set a lifetime for the key: if the key is lost after it has been sent to a key server, a key without an expiry date stays there, valid forever. Choose a duration of up to 2 years.
```bash
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key does not expire at all
Is this correct? (y/N) y
```
Let's add details about Char's identity:
```bash
GnuPG needs to construct a user ID to identify your key.
Real name: Char Blog
Email address: char.blog
Comment:
You selected this USER-ID:
"Char Blog <char.blog>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
```
A window will appear asking for a passphrase to protect the secret keys. Choose a long one that you can still memorise easily.
## Adding Subkeys
With the master key in place, we'll add subkeys for:
- Authentication (A)
- Signing (S)
- Encryption (E)
List your available keys:
```bash
char@rack2:~$ gpg --list-keys
/home/char/.gnupg/pubring.gpg
--------------------------------
pub rsa4096/12345678 2024-10-15 [C] [expires: 2026-10-15]
uid [ultimate] Char Blog <[email protected]>
```
Edit the key to add new subkeys:
```bash
char@rack2:~$ gpg --expert --edit-key 12345678
```
Let's add an encryption key:
```bash
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 8
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
```
Repeat for the authentication and signing keys. The result will look something like this:
```bash
sec rsa4096/12345678 created: 2024-10-15 expires: 2026-10-15 usage: C
trust: ultimate validity: ultimate
ssb rsa4096/12345678 created: 2024-10-15 expires: 2026-10-15 usage: E
ssb rsa4096/12345678 created: 2024-10-15 expires: 2026-10-15 usage: A
ssb rsa4096/12345678 created: 2024-10-15 expires: 2026-10-15 usage: S
[ultimate] (1). Char Blog <[email protected]>
gpg> save
gpg> quit
```
## Export Master Key
Creating a revocation certificate is important in case the master key is stolen:
```bash
char@rack2:~$ gpg --output 12345678.rev --gen-revoke 12345678
```
Make sure to keep this in a safe place (offline storage).
Now let's save all keys, delete all private keys, then import only the private keys for each subkey, so that the master key is left as a stub:
```bash
# export all keys
char@rack2:~$ gpg --export --armor 12345678 > 12345678.pub.asc
char@rack2:~$ gpg --export-secret-keys --armor 12345678 > 12345678.priv.asc
char@rack2:~$ gpg --export-secret-subkeys --armor 12345678 > 12345678.sub_priv.asc
# delete private keys
char@rack2:~$ gpg --delete-secret-key 12345678
# import just the subkeys
char@rack2:~$ gpg --import 12345678.sub_priv.asc
# check this was successful
char@rack2:~$ gpg --list-secret-keys
/home/char/.gnupg/secring.gpg
sec# rsa4096/12345678 2024-10-15 [C] [expires: 2026-10-15]
uid [ultimate] Char Blog <[email protected]>
ssb rsa4096/12345678 2024-10-15 [E] [expires: 2026-10-15]
ssb rsa4096/12345678 2024-10-15 [S] [expires: 2026-10-15]
ssb rsa4096/12345678 2024-10-15 [A] [expires: 2026-10-15]
```
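The `sec#` marker above is the thing to check for before trusting this machine with day-to-day use. The following script, added here as an example and not part of the original post, performs that check from GnuPG's machine-readable `--with-colons` output: the primary key must be certify-only with a stub secret half, and one E, S and A subkey each must have its secret present. The key IDs, dates and records in the samples are constructed.

```bash
#!/bin/sh
# Added example, not from the original post: confirm a keyring has the layout built
# above, i.e. a certify-only primary whose secret half is a stub ("sec#") plus E, S
# and A subkeys with secrets present. Parses gpg --with-colons records; fields used
# (GnuPG doc/DETAILS): 1 = type, 5 = key ID, 12 = capabilities (lowercase = this
# key's own), 15 = '#' when the secret key is only a stub.
# check_layout: reads colon records on stdin, prints each problem, exits 1 if any.
check_layout() {
    awk -F: '
        $1 == "sec" {
            seen_sec++
            own = $12; gsub(/[^a-z]/, "", own)   # drop the aggregated uppercase flags
            if (own != "c") { print "FAIL: primary " $5 " can [" own "], want certify only"; bad = 1 }
            if ($15 != "#") { print "FAIL: primary " $5 " secret key is still on this machine"; bad = 1 }
        }
        $1 == "ssb" {
            own = $12; gsub(/[^a-z]/, "", own)
            if (own !~ /^[esa]$/) { print "FAIL: subkey " $5 " can [" own "], want exactly one of e/s/a"; bad = 1 }
            if ($15 == "#") { print "FAIL: subkey " $5 " secret key is a stub, cannot be used"; bad = 1 }
            seen[own]++
        }
        END {
            if (!seen_sec) { print "FAIL: no secret primary key found"; bad = 1 }
            n = split("e s a", need, " ")
            for (i = 1; i <= n; i++)
                if (!seen[need[i]]) { print "FAIL: no " need[i] " subkey"; bad = 1 }
            if (!bad) print "OK: stub primary, E/S/A subkeys present"
            exit bad + 0
        }'
}
# Constructed sample records (placeholder key IDs, dates 2024-10-15 / 2026-10-15).
sample_good() {
    cat <<'EOF'
sec:u:4096:1:0000000012345678:1728950400:1792022400::u:::cESCA:::#:::23::0:
ssb:u:4096:1:00000000AAAAAAAA:1728950400:1792022400:::::e::::::23:
ssb:u:4096:1:00000000BBBBBBBB:1728950400:1792022400:::::a::::::23:
ssb:u:4096:1:00000000CCCCCCCC:1728950400:1792022400:::::s::::::23:
EOF
}
# The same keyring before the delete/re-import step: primary secret present, no A subkey.
sample_bad() {
    cat <<'EOF'
sec:u:4096:1:0000000012345678:1728950400:1792022400::u:::cESC::::::23::0:
ssb:u:4096:1:00000000AAAAAAAA:1728950400:1792022400:::::e::::::23:
ssb:u:4096:1:00000000CCCCCCCC:1728950400:1792022400:::::s::::::23:
EOF
}
check_sample_good() { sample_good | check_layout; }
check_sample_bad()  { sample_bad | check_layout; }
```

On a real keyring run `gpg --with-colons --list-secret-keys 12345678 | check_layout`; the function exits non-zero whenever the master key's secret half is still present or a subkey is missing.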
You can now authenticate with SSH, sign your GitHub commits, and encrypt your emails without compromising the master key.
**Don't forget to put your key expiry date(s) in the calendar.**