Skip to main content

GPG Keys and Password Management


Preface

GPG has a good encryption algorithm, but terrible key management and no forward security.   If your private key is compromised, then all your old data can be read.  For most people, it is simply unworkable due to the key exchange problems.

I recommend that everyone switch to Signal and WhatsApp for secure messaging and phone calls and when you suspect that something is wrong - your system/keys were compromised, simply create a new account. 

For your passwords, I recommend that you use KeepassX to generate and save unique passwords for all your internet, financial and computer accounts - do not re-use passwords on different services.

Scope

For the real card carrying geek masochists out there, this document briefly explains how to set up GPG with public and private keys, publish your public key to a key server and then configure ‘pass’ the standard Unix password manager.

With 'pass', you can easily generate long passwords, save them using GPG encryption and easily retrieve a password to the clipboard, so that you can paste it into a login dialog.

The advantage of 'pass' over other password managers, is that it is super simple - a Bash script.  Passwords are saved in GPG files, so you can use standard utilities to manage, save and copy your passwords, without being beholden to a 3rd party application.

'Pass' is so simple, that you can run it on any kind of UNIX, including Linux and Apple Mac machines.   The database is encrypted, so it can be safely kept on Dropbox or other free FTP service.  However, it is clunky, so you need to love the command line to like this one!

Another popular alternative is KeepassX, which is compatible with Keepass on Windows. Likewise, you can save the database on Dropbox to make it available on all your devices.  It doesn't need any explanation, since it has a GUI. For those worried about Keepass, see this: http://www.ssi.gouv.fr/fr/produits-et-prestataires/produits-certifies-cspn/certificat_cspn_2010_07.html

That still leaves the initial laptop computer full disk encryption and login passwords which you need before the password manager is running - write those on a piece of paper and keep it in your wallet!

gpg --gen-key

These options are good:
  • RSA and RSA
  • 2048
  • 3y
  • Herman Oosthuysen
  • herman@aeronetworks.ca
  • Don’tForgetYourVeryLongPassPhrase (and save it in KeepassX)

Example:
[herman@f16 ~]$ gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Sun 20 Nov 2016 09:27:47 AM GST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
   "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Herman Oosthuysen
Email address: herman@aeronetworks.ca
Comment:
You selected this USER-ID:
   "Herman Oosthuysen <herman@aeronetworks.ca>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 90 more bytes)
.....+++++
..+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
+++++
gpg: key 6D79E9A8 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2016-11-20
pub   2048R/6D79E9A8 2013-11-21 [expires: 2016-11-20]
     Key fingerprint = 8D3C C541 2E4B E39E 0C59  98AD 8427 2B59 6D79 E9A8
uid                  Herman Oosthuysen <herman@aeronetworks.ca>
sub   2048R/8FDD82DD 2013-11-21 [expires: 2016-11-20]
---

gpg-agent

The agent is usually started on demand by gpg, gpgsm,  gpgconf  or  gpg-
      connect-agent.   Thus there is no reason to start it manually.  In case
      you want to use the included Secure Shell Agent you may start the agent
      using:
        gpg-connect-agent /bye

The usual way to run the agent is from the ~/.xsession file:
        eval $(gpg-agent --daemon)

Example:
$ gpg-agent --daemon
gpg-agent[1543]: a gpg-agent is already running - not starting a new one

Publish your Public key to a key server

First get the public key fingerprint:
$ gpg --fingerprint
/home/herman/.gnupg/pubring.gpg
-------------------------------
pub   2048R/6D79E9A8 2013-11-21 [expires: 2016-11-20]
     Key fingerprint = 8D3C C541 2E4B E39E 0C59  98AD 8427 2B59 6D79 E9A8
uid                  Herman Oosthuysen <herman@aeronetworks.ca>
sub   2048R/8FDD82DD 2013-11-21 [expires: 2016-11-20]

Send the key to a public key server using the fingerprint from above:
$ gpg --keyserver hkp://subkeys.pgp.net --send-key “8D3C C541 2E4B E39E 0C59  98AD 8427 2B59 6D79 E9A8

gpg: sending key 6D79E9A8 to hkp server subkeys.pgp.net

Backup your keys

Save the public key as a text file that you can freely give to other people:
$ gpg --export --armor herman@aeronetworks.ca > herman-publickey.txt

Display the public key for reference:
$ cat  herman-publickey.txt
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)

mQENBFKNmpcBCAC4/AOi1/Fh/6giIb1mNra6XqQdhj5WRuSP39W9QELE4tCZ5Ehu
rRy8vQP9h2AsN6bYGQxCEWPsYzxw71oGcZEyCyo5//+lepidx2DZ9gDp9RzXKN11
EfhJnndvine4nUhDN8SOw3Flhr4Pw52+1XmJLlZHLPHMkWIupOgTnKbhSx6sLtBL
XAhYe19+HAVSXNLkU7XIC6JtV//20/b18pDhmYv5VoKwv9N1rKzRMJfF6uFft1LT
OjNg2D5z4S/955Yy3uJMbUpUz38OlVP2SboIxY8d7YaEMnsZCdj92vYitB9pFr+l
hBWZEvocdrVedoLXXb27NnM/WNtXR3/2o+VDABEBAAG0Kkhlcm1hbiBPb3N0aHV5
c2VuIDxoZXJtYW5AYWVyb25ldHdvcmtzLmNhPokBPgQTAQIAKAUCUo2alwIbAwUJ
BaOagAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQhCcrWW156ag4xwf/dbR5
i9ViYb4AwpdqYAx0WbSwt8geJ+C5TwCrf5wNuHPP7AEUHlhc1ea/7DGm8F3hED34
Q+pR6sLM7NBVLhqwu69z9xCs8uCnqpTF82khkm1dpnUDQc+qTY3rselB6WNUHbeh
B5oUHAzZhUP1E3NBSlvaFS2rtR5xrLX4T0/3YsETR9IkSbPckqAMAiUZv4D2TJoL
Er7XkvvgRBO6HMbl862zTPg3YVxlZBy72e/qMXsE137qBfiOXnUs53zzRaBLrCja
ftGDMKP6DPw1G/EaZpLSGYj3p88h36BSLvyOMIgsAwqgTmvRNXsh5BthgTB3Fm38
OUtI/myQtR3IjqkZC7kBDQRSjZqXAQgA76BdTiFRjJJzcvrV5hE0qsPUVXsWiwbV
eoJ578MJOLAs8X0gWz61DLsMi6r5NdNXa4l5xvbiOSrpPSC/DU2/XCJ43IJcpUTX
ezlVouUh+kpODKa1xRhMpBVdNVajtPMlcKbRBtGF/dFvJ4qcBFvQWeKuomAnaM4r
UXAec0niWKOXWYH5DBFBwVXXRB5GoXDytJVfIhDoiIFz3ljcBp+Vso4GIJGzsUAM
/WmVFVvzQE9eGaib3Pz6008sv7qgq/bIo/7/cP6aKYTE+KMZ2iGYuD1RnQ+yUBFL
eQC+XID8i3OiMRAkRBqDhp6i875/lUBQJDCKL685ZNY8uo5PJlB1jwARAQABiQEl
BBgBAgAPBQJSjZqXAhsMBQkFo5qAAAoJEIQnK1lteemomUEH/RfE6qIuI0hcQStL
wpH+eGM94U/ae/Xq8RVwet0Pz3MxXtnwu2vARIV52NdLDmVY7PwzbumV+XAGLgCz
QYq2H6pab2JRryQrnS4nElR9EOMenp/mYgM9vNdJeD+YK7kSAlnWv9v/I/JO1FLI
KBkArWBCHfDPWTNpLMkCwUz32HIDpbE8I/KKHh5mXpWvGu3XbP5f5iTimEy/1QwP
KorkoEJcdJuAB9ZPgGJ06uXlhlTq3wfiIB2NRteaoNnvTGukXxAl48tcD3jLZR31
6sTJM/TACpu+X7J0kv4sahO92KTd7Otl80yrb8jaXQy1XNvB08Ezgd1Q8pSdRbX3
NdjnwGM=
=hLVh
-----END PGP PUBLIC KEY BLOCK-----

Save your private key in KeepassX, a USB stick or SD card that you always keep in a safe or in your wallet:
$ gpg --export-secret-keys --armor herman@aeronetworks.ca > herman-privatekey.txt

No, I’m not going to display that one...

I keep these files in my ~/.ssh directory and tighten up the permissions:
$ chmod 600 herman-p*

Configure pass

Install dependencies:
# yum install xclip
# yum install xz

Download pass from here:
http://zx2c4.com/projects/password-store/

Untar it:
$ tar -Jxvf pass[tab]

Install it:
# make install

List the keys in the gpg keyring:
$ gpg --list-keys
/home/herman/.gnupg/pubring.gpg
-------------------------------
pub   2048R/6D79E9A8 2013-11-21 [expires: 2016-11-20]
uid                  Herman Oosthuysen <herman@aeronetworks.ca>
sub   2048R/8FDD82DD 2013-11-21 [expires: 2016-11-20]

Initialize the pass store:
$ pass init herman@aeronetworks.ca
mkdir: created directory `/home/herman/.password-store'
Password store initialized for herman@aeronetworks.ca.

Using the password store

Save an existing password:
$ pass insert visa/joe.plumber
supersecretpassword

Retrieve the password to the clipboard:
$ pass -c visa/joe.plumber

Now you can paste the password with Ctrl-V.

Most handily, because Linux has two clip buffers, you can highlight the username above and use middle click to paste it into a dialogue box as well, without having to retype it. So, highlight middle click for the username and ctrl-v for the password.

Multi-line passwords

This feature is not useful, unless you make a little gpg script of your own to retrieve the rest of the data.

Further Examples

From the pass man page:
      Initialize password store
             zx2c4@laptop ~ $ pass init Jason@zx2c4.com
             mkdir: created directory ‘/home/zx2c4/.password-store’
             Password store initialized for Jason@zx2c4.com.

      List existing passwords in store
             zx2c4@laptop ~ $ pass
             Password Store
             ├── Business
             │   ├── some-silly-business-site.com
             │   └── another-business-site.net
             ├── Email
             │   ├── donenfeld.com
             │   └── zx2c4.com
             └── France
                 ├── bank
                 ├── freebox
                 └── mobilephone

             Alternatively, "pass ls".

      Show existing password
             zx2c4@laptop ~ $ pass Email/zx2c4.com
             sup3rh4x3rizmynam3

      Copy existing password to clipboard
             zx2c4@laptop ~ $ pass -c Email/zx2c4.com
             Copied Email/jason@zx2c4.com to clipboard. Will clear in 45 seconds.

      Add password to store
             zx2c4@laptop ~ $ pass insert Business/cheese-whiz-factory
             Enter password for Business/cheese-whiz-factory: omg so much cheese what am i 
             gonna do

      Add multiline password to store
             zx2c4@laptop ~ $ pass insert -m Business/cheese-whiz-factory
             Enter contents of Business/cheese-whiz-factory and press Ctrl+D 

      when finished:
             Hey this is my
             awesome
             multi
             line
             passworrrrrrrrd.
             ^D

      Generate new password
             zx2c4@laptop ~ $ pass generate Email/jasondonenfeld.com 15
             The generated password to Email/jasondonenfeld.com is:
             $(-QF&Q=IN2nFBx

      Generate new alphanumeric password
             zx2c4@laptop ~ $ pass -n generate Email/jasondonenfeld.com 12
             The generated password to Email/jasondonenfeld.com is:
             YqFsMkBeO6di

      Generate new password and copy it to the clipboard
             zx2c4@laptop ~ $ pass -c generate Email/jasondonenfeld.com 19
             Copied Email/jasondonenfeld.com to clipboard. Will clear in 45 seconds.

      Remove password from store
             zx2c4@laptop ~ $ pass remove Business/cheese-whiz-factory
             rm: remove regular file ‘/home/zx2c4/.password-store/Business/cheese- 
             whiz-factory.gpg’? y
             removed ‘/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg’

Comments

Popular posts from this blog

Parasitic Quadrifilar Helical Antenna

This article was reprinted in OSCAR News, March 2018:  http://www.amsat-uk.org If you want to receive Satellite Weather Pictures , then you need a decent antenna, otherwise you will receive more noise than picture. For polar orbit satellites, one needs an antenna with a mushroom shaped radiation pattern .  It needs to have strong gain towards the horizon where the satellites are distant, less gain upwards where they are close and as little as possible downwards, which would be wasted and a source of noise.  Most satellites are spin stabilized and therefore the antenna also needs circular polarization, otherwise the received signal will flutter as the antennas rotate through nulls. The helical antenna, first proposed by Kraus in 1948, is the natural solution to circular polarized satellite communications.  It is a simple twisted wire - there seems to be nothing to it.  Various papers have been published on helix antennas, so the operation is pretty well understood. Therefore,

Patch Antenna Design with NEC2

The older free Numerical Electromagnetic Code version 2 (NEC2) from Lawrence Livermore Lab assumes an air dielectric.  This makes it hard (but not impossible) for a radio amateur to experiment with Printed Circuit Board Patch antennas and micro strip lines. Air Spaced Patch Antenna Radiation Pattern You could use the free ASAP simulation program , which handles thin dielectrics, you could shell out a few hundred Dollars for a copy of NEC4 , You could buy GEMACS if you live in the USA, or you could add distributed capacitors to a NEC2 model with LD cards (hook up one capacitor in the middle of each element.), but that is far too much money/trouble for most. More information on driving an array antenna can be found here: https://www.aeronetworks.ca/2019/03/driving-quad-patch-array-antenna.htm l Air Dielectric Patch   The obvious lazy solution is to accept the limitation and make an air dielectric patch antenna. An advantage of using air dielectric, is that the antenn

Weather Satellite Turnstile Antennas for the 2 meter Band

NEC2, 2 m band, 146 MHz, Yagi Turnstile Simulation and Build This article describes a Turnstile Antenna for the 2 meter band, 146 MHz amateur satcom, 137 MHz NOAA and Russian Meteor weather satellites.  Weather satellite reception is described here .  A quadrifilar helical antenna is described here .   Engineering, is the art of making what you need,  from what you can get. Radiation Pattern of the Three Element Yagi-Uda Antenna Once one combine and cross two Yagis, the pattern becomes distinctly twisted. The right hand polarization actually becomes visible in the radiation pattern plot, which I found really cool. Radiation Pattern of Six Element Turnstile Antenna Only a true RF Geek can appreciate the twisted invisible inner beauty of a herring bone antenna... Six Element Turnstile Antenna Essentially, it is three crosses on a stick.  The driven elements are broken in the middle at the drive points.  The other elements can go straight throug