In the second post of my encryption series, I introduced you to Keybase. It is encryption for the masses. With a little bit of extra effort, we can extend Keybase to work in tandem with GPG. After following this guide, you will have a GPG key, secured on a smart card, that can be used to sign git commits and for SSH authentication. Your GPG signatures will be independently verifiable and cryptographically linked to our online identities and devices. Finally, Keybase will make managing PGP keys simple and help you keep all your public PGP keys in sync and up to date.
Online identity is important. When using PGP encryption, your master private key should be a closely guarded secret. Losing control of this can be catastrophic. A nice way to protect oneself is to keep the master key air-gapped and disconnected. Sign main encryption and signing subkeys with this master key and store those on your encryption device for daily use.
Keybase solves a lot of problems with the PGP "web of trust" model that is messy and never scaled well. Instead of relying on signing other people's keys, Keybase lets users create signed statements connecting their public PGP key with their social media accounts. This social proof makes encryption possible for the average web user. With the recent Facebook security scandal, people may find this method user-friendly and less overwhelming.
I do not claim to be a security researcher or cryptographic expert. However, this guide will walk you through a sane approach to handling online privacy and encryption and should prove to be a good starting point for discussion. Don't hesitate to do your own research and send me comments on what you find.
The basic overview of this approach is as follows:
- Install GPGTools for Mac. If you are using Windows, you are on your own.
- Install Tails on a live USB. Disconnect from the internet and use this machine to create your master PGP key.
- Create and store a master GPG key on the live Tails USB. If you need to make changes to this key, you will have a secure system to do so. Once you are done you can place this master key in a bank safe deposit box or perhaps bury it somewhere in your yard ;)
- Add the signing subkeys and remove the starting one. This will effectively create a new key pair for daily use that has some limitations: You will be unable to add user IDs, generate subkeys, or sign other keys. If you need to do this, use your master key. This enhances your security as if your encryption device is lost or stolen you can simply revoke this subkey and generate a new one.
- Install this onto your encryption device. In this case I am using a Yubikey 4.
- Finally, create a Keybase account. Do not create a key on the website. You will be using the PGP key created in GPG. Install the Keybase app. This will also install the Keybase command line tools.
- Import the PGP key into Keybase.
- Finally add some social proofs in Keybase. Without the private key, you will need to use the Keybase CLI. Simply type
Keybase prove twitter usernameand then tweet out the output for verification.
- If you use Git, set up git commits to be signed and upload your public key to GitHub or GitLab so the service can verify your commits against your PGP key.
- Download GPGTools here
- Install GPGTools. Under Custom, disable GPGMail as we don't need it. I prefer Unibox for email but if you do use Apple Mail you can choose to install it but using OpenPGP for email is outside of the scope of this article.
We will use this to manage our GPG keychains. We will not create the key pair on the Mac though.
Tails is a Linux distribution specifically for those that are concerned about security. We will use it to generate our master PGP keys.
Follow these instructions. Installation is a bit convoluted as you must install an intermediate Tails before the final install. Since you already installed GPGTools you can use it to verify the download. I did this in addition to the BitTorrent download verification.
At this point, you should unplug the network cable while booted into Tails.
Enable the encrypted persistent storage on the tails USB drive. This is where we will store the master GPG key. Use a strong password and write it down. Forget this password and you lose control of your master key and you will have to start over with your online identity. Whenever we need to make changes to the master key or issue or revoke subkeys you will need to boot into the Tails live USB, decrypt this volume and then work with GPG on this secure system.
Open terminal and type these commands. You will be prompted for answers. Here I am just showing the text that I entered. Key size is 4096, the master key never expires because it will be locked away somewhere physically secure (consider your threat model) when setting this. You could set an expiration and extend it later but if you forget to do this you will need to start over. In most cases, an expiring master key is more trouble than it is worth.
Here's an overview of the first few commands:
cd ~/Persistent gpg --full-generate-key 1 4096 0 y
When asked for your full name and email address enter them.
Use an email address you are willing to make public. The email will not be available as plain text publicly but will instead be encoded in your public key. This means anyone who downloads your PGP key from the keyserver will have your email once they add it to their GPG keyring. This is more trouble than it is worth for any spammer looking to harvest addresses so I wouldn't worry at all about that. In my case, I used an email address specifically for this purpose. Don't just pick any email address though because this is how contacts will recognize your key. Leave the comment empty.
O to Okay and enter a secure password to encrypt your private key. I would recommend either using a password manager to generate this password or to use a secure password that you will not forget.
After confirming your password, move your mouse and type gibberish frantically on the keyboard. This will ensure there is plenty of entropy when the key is created.
You can now verify your gpg key. Use the
-K flag to verify secret keys:
First edit your master key:
gpg --expert --edit-key firstname.lastname@example.org
Then, follow this guide starting the "Generate the Subkeys" section to finish creating the daily subkey. Ignore the "Configure GnuPG" step as Tails already has an excellent and secure default configuration. Unless you plan to use this for all email communications or several git identities, you can skip the "Add Identities" section.
Follow the guide to the "Verify the created GnuPG key" as that can be skipped.
Once you are done, you should have your master keys and daily keys exported and stored on your persistent encrypted partition. I would recommend rebooting Tails and verifying that everything has been saved and is working order. Since we didn't choose to make GPG persistent, you will need to re-import the exported keys. You can do this to test both the master key and the signing key. You should try adding a key to the daily key. If it fails, your daily key has been set up correctly.
At this point, you can copy the daily use keys over to a separate flash drive to insert into your main machine. While you could transfer the keys to the Yubikey on your Tails machine, I found this to not work consistently. For that reason, I recommend performing that operation on your daily computer. You should scan your Mac for malware beforehand and you can disable WiFi during the operation to be extra cautious. If the daily use key is ever compromised, you can still revoke it on the secure Tails machine and then generate a new key while still keeping your public key.
On your main machine, disconnect from the network and insert the flash drive that contains only the daily use subkeys (not the Tails USB with the master key).
Open GPG Keychain and import the keys. Set trust to ultimate. You also use the command line for this, but the GUI is fast and simple.
Double click the imported key and set trust to ultimate. You could click on the subkeys tab and verify that you have the three subkeys (encryption, signing, and authentication).
Right now these keys are not yet stubs, and thus you could use them as is to perform GPG operations. However, for some extra physical security, we will move these private subkeys to the smart card.
Before moving the PGP keys to the smart card, you should change the PIN and Admin PIN from their defaults. Enter your cardholder name while you are editing the card. The URL should be a direct link to your PGP public key set it to
https://Keybase.io/<username>/pgp_keys.asc. You may find it easier to set this after performing steps 6 and 7.
Stubs will remain on the machine and you will need to insert the smart card to perform GPG operations such as signing a git commit.
$ gpg --edit-key email@example.com gpg> toggle gpg> key 1 gpg> keytocard Please select where to store the key: (1) Signature key (3) Authentication key Your selection? 1 gpg> key 1 gpg> key 2 gpg> keytocard Please select where to store the key: (2) Encryption key Your selection? 2 gpg> key 2 gpg> key 3 gpg> keytocard Please select where to store the key: (3) Authentication key Your selection? 3 gpg> quit
You can now confirm that the private keys have been moved to the Yubikey:
If you see
ssb> the computer now only has a stub for the private key.
You can check the card status:
At this point, you can remove the USB containing your original daily keys and optionally securely erase it. The keys now exist on the Yubikey and thus the intermediate keys no longer serve a purpose. If this were to fall into the wrong hands, you would have to revoke it and generate a new daily key. So for simplicity and peace of mind, securely erasing this USB is the best course of action. You can also reconnect to the network if you took that additional precaution for the key transfer.
Finally, create a Keybase account. Do not create a key on the website. You will be using the PGP key that exists on the smart card. Install the Keybase app. This will also install the Keybase command line tools.
Import the GPG public key into Keybase:
Keybase pgp select
This will import just the public key. When using a smart card it seems that the private key stub cannot be imported to the local Keybase keychain. Therefore, some
Keybase pgp commands will not be available, but this does not really a problem because
gpg can be used instead.
Without the private key, you will need to use the Keybase CLI. Simply type
Keybase prove twitter username and then tweet out the output for verification.
A lot has been accomplished here. You should now have a working PGP private key that exists only on your smart card device and a working Keybase install with your public PGP posted on Keybase.io.
In the fourth and final installment of this encryption series, I will explain:
- How you can now use this new PGP key to sign git commits
- How to import public keys and smart card stubs onto another computer
- Use the smart card for SSH authentication using PIV
If you intend to write the private key to a file on your daily machine, it is best to do so to the RAM. In this way, no traces of the private key will be left on the system hard drive. Doing so is quite simple:
diskutil erasevolume HFS+ 'RAMDisk' `hdiutil attach -nomount ram://2048`
You can now write private keys to the RAMDisk. Once you are done, you can unmount the RAMDisk and shut down the computer (powering off the RAM) to completely erase any trace of the files stored on the RAMDisk volume.