[ale] More Key Signing Followup

Jeremy T. Bouse jeremy.bouse at undergrid.net
Thu Dec 15 19:43:05 EST 2011


On 12/15/2011 06:21 PM, Aaron Ruscetta wrote:
[snip]
> ====
> Thoughts on the process of managing PGP keys:
> 
> This my third time around with this gpg key stuff and I continue
> to find everything about this process cryptic (no pun intended),
> confusing, frustrating and a massive time vacuum.
> 
> Admittedly, a lot of my hassles and wasted time this go round
> were errors I introduced by rushing the steps of generating and
> including a new key, but I still ran into lots of problems and
> frustrations outside of trying to fix those broken bits.
> 
[snip]

	Not sure if this would be helpful to others but these are some simple
steps I take in key generation...

KEYTMP=/tmp/gpg-keygen$$
export GNUPGHOME=$KEYTMP
install -d -m 0700 $KEYTMP
cd $KEYTMP
cat >gpg.conf <<EOF
keyserver hkp://pool.sks-keyservers.net
list-options show-policy-urls show-keyserver-urls
import-options import-clean
export-options export-minimal
personal-digest-preferences SHA256
EOF

cat >batch-gpg-key <<EOF
     %echo Generating RSA key
     Key-Type: RSA
     Key-Length: 4096
     Name-Real: John Doe
     Name-Email: user at example.com
     Expire-Date: 0
     Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5
ZLIB BZIP2 ZIP Uncompressed
     Keyserver: hkp://pool.sks-keyservers.net
     # Yes this passphrase is stupidly silly so you'll change it later
     Passphrase: abc
     %pubring newkey.pub
     %secring newkey.sec
     %commit
     %echo done with RSA key
EOF
gpg --batch --gen-key batch-gpg-keys
KEYID=$(gpg --with-colons newkey.sec |cut -d: -f5|cut -c9-16)
gpg --import ./newkey.sec
gpg --armor --output key-${KEYID}.asc --export-secret-key $KEYID
gpg --output revoke-${KEYID}.asc --gen-revoke $KEYID

Now you'll have to answer the questions for the revocation certificate
to be generated. I generate it as "Key has been compromised" with now
description so almost straight defaults.

cp key-${KEYID}.asc revoke-${KEYID}.asc /path/to/secure/storage
unset GNUPGHOME
find $KEYTMP -type f |sort -r |xargs shred -vuz
rm -rf $KEYTMP

	After all that is completed you should have the new secret key exported
and the revocation certifcate in /path/to/secure/storage. You can then
'gpg --import' the new key into your keyring and print-out and store the
revocation certificate off-line in a safe location. I would then do a
'gpg --edit-key' to change the passphrase and once verified the secret
key is in your keyring shred the exported file as well.

	While I do make the directory chmod 0700, I also do this on a laptop
off-line with no active network connectivity and don't re-attach it to
the network until I'm finished and the exported secret key file is
shredded as this is the only time I have my private key on the
computer's harddrive and not store on an encrypted USB disk.

	The only change I'll be making to this process soon will be that after
I've imported the secret key into my off-line I would then generate my
signing and encryption sub-keys and move them to the OpenPGP cards
instead of doing an --export-secret-subkeys and then importing into my
sub-key encrypted USB drive.

	You'll also notice I set my preferences to prefer SHA2 and AES over
SHA1 and 3DES which are the bare minimums dictated by RFC4880.

	Regards,
	Jeremy


More information about the Ale mailing list