Skip to content

OpenPGP.md

Latest commit

 

History

History
115 lines (81 loc) · 4.99 KB

OpenPGP.md

File metadata and controls

115 lines (81 loc) · 4.99 KB

OpenPGP

If you don't have an OpenPGP key already then you will need to create one.

This requires some manual steps as we want to reduce the exposure of the master key.

0 - Prerequisites

You will need:

Notes

MacBook Pro

If your MacBook Pro has a touchbar then, at the time of writing this, you will need an external keyboard and/or mouse. Also keep in mind that you need to be able to plug in 2 USB flash drives at the same time as the keyboard or mouse... Good luck!

The reason for this is that Linux does not have a driver for the SPI keyboard and trackpad that is in the later model MacBook Pros. According to Dunedan/mbp-2016-linux this is now supported in Linux kernel version 5.3.

The current kernel version in Tails (4.19.0-5) is not up to 5.3 yet. It has to at least wait for the Debian unstable kernel version (5.2.17-1) to update to 5.3. Even when Debian supports 5.3, the Tails kernel may not support it.

That means currently not a MacBook Pro with a touchbar (see ) as the keyboard does not work

1 - Download and Install Tails

Follow the Tails installation instructions.

Notes

dd

If using dd rather than Etcher then it may appear like progress stalls. It does this for quite a few minutes so just wait it out.

MacBook Pro

The latest MacBook Pro's prevent you booting from an external drive. You will need to temporarily enable booting from external media.

2 - Enable Tails Persistent Volume

We are going to store the master private key on the same USB that has Tails. To do this we need to:

  1. Boot into Tails.
  2. Enable Tails persistent volume.
  3. Make sure to select GnuPG.
  4. Restart Tails.

3 - Generate OpenPGP Key

We are going to follow the Airgapped Master Key instructions but we will use Ed25519 instead of RSA because fuck RSA.

⚠️ WARNING: Make sure that you double check the time zone of Tails. If you don't then you may end up with a key that is generated in the future. This isn't a big deal but you will have to wait until enough time has passed before you can import the key.

You can also edit the key to add extra identities or a photo if you wish.

You should end up with something like this when you are done:

amnesia@amnesia:~$ gpg --list-secret-keys
/home/amnesia/.gnupg/pubring.kbx
--------------------------------
sec   ed25519/0x21DE1CAE59762A0F 2019-09-28 [C] [expires: 2020-09-27]
      Key fingerprint = 2709 1DEC CC42 4635 4299  569C 21DE 1CAE 5976 2A0F
uid           [ultimate] Jason Pickens <jason.pickens@lightbend.com>
uid           [ultimate] Jason Pickens <jasonpickensnz@gmail.com>
ssb   ed25519/0xC4A8C75C7876F1B5 2019-09-28 [S] [expires: 2020-09-27]
ssb   cv25519/0X3D1C7D5C8E2FF8AE 2019-09-28 [E] [expires: 2020-09-27]
ssb   ed25519/0X7D3DD2E3A364DA82 2019-09-28 [A] [expires: 2020-09-27]

4 - Export

If you haven't already then keep following the Airgapped Master Key instructions and export:

  • Revocation Certificate
  • Public Keys
  • Secret Subkeys (only the subkeys!)

5 - Import

Again keep following the Airgapped Master Key instructions and import:

  • Public Keys
  • Secret Subkeys

Don't forget to trust your new key.

YubiKey

If you are forunate enough to have a YubiKey that has firmware version 5.2.3 or later then you can also import your key onto your YubiKey.

You may even disregard everything above and generate the key on your YubiKey. I wouldn't do this since I take my YubiKey with me and am far more likely to loose it so I don't want my master key on here.