Repository for documentation about doing GPG Keysigning Parties and using GPG in general
gpg presentation from Corey Richardson

History

GPG was conceived around 1997, mostly for email encryption.

Asymmetric Cryptography

Generate two values: a public key and a private key.

There are two things we want to ensure:

  • authenticity: are we sure that the person we are talking to is who they claim to be?
    • certificates
    • signing
  • confidentiality: are we sure they are the only ones who can read it?
    • encryption

Keys

  • public key: public to the world.
  • private key: you keep it secret.

Operations

  • signing: signing a message produces a signature. Anyone with the signature and the public key can verify that the message was signed with the matching private key.
    • git supports this for signing commits
      • Say you work for a company. If a commit attributed to a developer isn't signed with their key, that's evidence they may not have been the one who wrote it, e.g. the one responsible for a regression.
  • encryption: encrypt a value
    • encrypt the message with the recipient's public key; the recipient decrypts it with the matching private key.

In a key-signing party, you create a set of key pairs first.

Don't use GPG1. Use GPG2.

Vanilla Key Creation

Non-bullshit mode

gpg --gen-key # generates a new keypair

Asks for a real name and an email address.

Asks for a passphrase that protects the private key at rest.

Uses RSA by default: old, but works. Substantially slower than modern cryptography.

Yubikey

Process: generate a master key (generally used only for signing keys and changing expiration dates).

Can have sub-keys for different purposes.

The YubiKey never releases the private key: you send data into the YubiKey and the signed or decrypted result comes out.

There are good instructions here: https://github.com/drduh/YubiKey-Guide#purchase-yubikey

Usage of GPG directly

Sign a file

gpg --sign <filename>

Creates <filename>.gpg.

Verify a file

gpg --verify <filename>.gpg

Prints who signed it and whether the signature is good.

Encrypt a file

gpg -r <email recipients or keyid> --encrypt <filename>

Creates a <filename>.gpg file; gpg tells us it's encrypted data.

Decrypt the file

gpg --decrypt <filename> > <outputfile>

The decrypted data goes to stdout, so we redirect it into a file.

Sign Key

Fetch someone's key from a keyserver and then sign it:

gpg --recv-keys <keyid>
gpg --sign-key <keyid>

Key Management

Keyservers exist to share GPG keys publicly.

gpg --send-keys <keyid>
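As an added example (not part of these notes or of Corey Richardson's talk) covering the key creation, "Usage of GPG directly" and "Sign Key" sections above: the script below builds two throwaway keyrings, "alice" and "bob", with non-interactive (batch) key generation, then walks through sign/verify, a tampered file that fails verification, the keysigning-party fingerprint check before `--sign-key`, and encrypt/decrypt. The names, e-mails, file contents and the "slip of paper" fingerprint are all constructed for the demo, an exported key file stands in for the keyserver so it runs offline, and the keys are generated without a passphrase, which is only acceptable for throwaway keys.

```shell
#!/bin/sh
# Added example, not from the original notes. Two throwaway keyrings
# ("alice" and "bob") exercise sign/verify, tamper detection, the
# fingerprint check + --sign-key step, and encrypt/decrypt.
# Names, e-mails and file contents are constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }

WORK=$(mktemp -d)
cleanup() {
    for p in alice bob; do GNUPGHOME="$WORK/$p" gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg non-interactively against one person's keyring: g <person> <gpg args...>
g() { p=$1; shift; GNUPGHOME="$WORK/$p" gpg --batch --yes --quiet --no-tty "$@"; }

# Batch key generation: RSA signing primary plus an RSA encryption subkey.
# %no-protection means no passphrase: fine for a demo key, not for a real one.
gen_key() { # gen_key <person> <name> <email>
    mkdir -p "$WORK/$1"; chmod 700 "$WORK/$1"
    g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Primary-key fingerprint / long key ID of <email> as seen from <person>'s keyring.
fingerprint() { g "$1" --with-colons --with-fingerprint --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
keyid()       { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $5; exit}'; }

gen_key alice Alice alice@example.com
gen_key bob   Bob   bob@example.com

# Alice signs a file. Bob imports her public key (the exported file stands in
# for --recv-keys) and verifies: this succeeds even though Bob has not yet
# checked that the key really belongs to Alice.
printf 'release notes v1\n' > "$WORK/notes.txt"
g alice --sign "$WORK/notes.txt"                       # writes notes.txt.gpg
g alice --export --armor alice@example.com > "$WORK/alice.asc"
g bob --import "$WORK/alice.asc"
if g bob --verify "$WORK/notes.txt.gpg" 2>/dev/null; then SIG_OK=yes; else SIG_OK=no; fi

# A detached signature over a file that is modified afterwards must fail.
g alice --detach-sign --output "$WORK/notes.sig" "$WORK/notes.txt"
printf 'release notes v2 (tampered)\n' > "$WORK/notes.txt"
if g bob --verify "$WORK/notes.sig" "$WORK/notes.txt" 2>/dev/null; then TAMPER_DETECTED=no; else TAMPER_DETECTED=yes; fi

# Encrypting to an imported key Bob has not certified is refused in batch mode.
printf 'secret plan\n' > "$WORK/plan.txt"
if g bob -r alice@example.com --encrypt "$WORK/plan.txt" 2>/dev/null; then ENC_BEFORE=ok; else ENC_BEFORE=refused; fi

# Keysigning party: Alice reads the fingerprint off her slip of paper (here
# simulated by her own keyring); Bob compares it with the fingerprint of the
# key he imported and signs only on a match.
FPR_SLIP=$(fingerprint alice alice@example.com)
FPR_SEEN=$(fingerprint bob alice@example.com)
[ -n "$FPR_SLIP" ] && [ "$FPR_SLIP" = "$FPR_SEEN" ] || { echo "fingerprint mismatch, do not sign" >&2; exit 1; }
g bob --quick-sign-key "$FPR_SEEN"                     # batch form of --sign-key

# Bob's certification shows up as a good ("!") signature on Alice's key ...
BOB_ID=$(keyid bob bob@example.com)
BOB_SIGS=$(g bob --with-colons --check-sigs alice@example.com | grep -c "^sig:!:[^:]*:[^:]*:$BOB_ID:" || true)

# ... and because Bob's own key is ultimately trusted, Alice's key is now valid
# for encryption. Alice decrypts with her private key; plaintext goes to stdout.
if g bob -r alice@example.com --encrypt "$WORK/plan.txt" 2>/dev/null; then ENC_AFTER=ok; else ENC_AFTER=refused; fi
DECRYPTED=$(g alice --decrypt "$WORK/plan.txt.gpg" 2>/dev/null)

echo "signature verified: $SIG_OK, tamper detected: $TAMPER_DETECTED"
echo "encrypt before certifying Alice's key: $ENC_BEFORE, after: $ENC_AFTER"
echo "Bob's signatures on Alice's key: $BOB_SIGS, decrypted text: $DECRYPTED"
```

The point of running the encryption twice is the one a keysigning party exists for: gpg will not encrypt to a key whose owner has not been verified, and it is Bob's own signature on Alice's key, made only after the fingerprints matched, that turns the imported key into a valid one.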

Signing Git commits

In ~/.gitconfig:

[user]
    signingkey = <keyid>
[commit]
    gpgSign = true

Use commit.gpgSign to always sign by default.

git commit -S  # sign just this commit (long form --gpg-sign; -s/--signoff is a different thing)

Decent Password Managers

  • 1Password
  • KeePass