💾 Archived View for thebackupbox.net › ~epoch › blog › crypto captured on 2024-12-17 at 10:14:15. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2024-07-09)
-=-=-=-=-=-=-
XMPP OMEMO key: 3A3B795C 07AD3A4D 31790B95 B27F3254 623F3E7A F19BBF25 692872F4 639A7931
use this to generate keys and store encrypted on a flashdrive
follow some of this:
https://gist.github.com/bradfa/e73883a73f3a86e555fc43bf326edaa6
but skip out the parts that require yubikeys
make sure that the terminal you're using is owned by the user you're running gpg as
otherwise it may fuck up when trying to give you a box to ask for a password
make a master key, it only needs Certify capability.
$ gpg --expert --full-generate-key
use type ECC, type 11, curve25519
add a subkey for each of the capabilities (except C probably) I guess
do some of this
$ gpg --output secret-subkeys --export-secret-subkeys YOURPRIMARYKEYID
to put secret parts of only the subkeys into the public partition
make sure to unmount-parts
plug the drive into the places that need keys, mount it
$ gpg --import /mnt/sbhk-public/secret-subkeys
then you can unmount it and put it in a safe or something.
or you might want to make multiple copies of it and store them in separate safe places.
there's not really a point in having separate keys for each machine it seems.
quote from
https://wiki.debian.org/Subkeys
"""
One might be tempted to have one subkey per machine so that you only need to exchange the potentially compromised subkey of that machine. In case of a single subkey used on all machines, it needs to be exchanged on all machines in case of a compromising.
But this only works for signing subkeys. If you have multiple encryption subkeys, gpg is said to encrypt only for the most recent encryption subkey and not for all known and not revoked encryption subkeys.
"""
other references:
https://zeroindexed.com/pgp-encryption-subkeys
https://sammorrowdrums.com/using-pgp-encryption-in-2021
https://emailselfdefense.fsf.org/en/
here's the pgp key I made:
-----BEGIN PGP PUBLIC KEY BLOCK----- mDMEYR9+YxYJKwYBBAHaRw8BAQdAnMBKDKiLvQqChm3GyQ3B1vMAbmthx6j7fNTL u4Sb8Ra0FmVwb2NoQHRoZWJhY2t1cGJveC5uZXSIlQQTFggAPRYhBJ2HksgK0gUL sVa5idN/C5cgoLVbBQJhH35jAhsBBQkSzAMABQsJCAcCBhUKCQgLAgMWAgECHgEC F4AACgkQ038LlyCgtVsEQwD/UMWkw9H3V1Od60cozQwWl6NprRrrASGUqieo/D32 +VAA/2gmd14f7L1nd//mUpiMYQE7ccXyWjXUQiPxvIhO5nwLuDMEYR9+4hYJKwYB BAHaRw8BAQdAWSIO1eZ//SEBtpCoA/E7nemL+fix6bIHxBi7n+qfA9qI9QQYFggA JhYhBJ2HksgK0gULsVa5idN/C5cgoLVbBQJhH37iAhsCBQkSzAMAAIEJENN/C5cg oLVbdiAEGRYIAB0WIQQurelPaMRnd16SQQWynXtQmQ4OtgUCYR9+4gAKCRCynXtQ mQ4OtvvcAQDbJbihXZulg2OqHmRHuH/F49Mk1GGyq/qi70Qo5m3yggEA9PO9lYyW FwSxjcy0BTiCDiYiKDO+ErCu9SwtmOv0swBXKgD+KBKXqVP2HtcfhKwnc2EuFyuO jDBwLvdAszCCVuER+o8BAIYjm/sTKg5OgYtTUCsjKSmyeHfxOyVZfKiSy6mtVIQD uDgEYR9/ARIKKwYBBAGXVQEFAQEHQIa9MKD9aeeGZeMB49OOhxyrCwS6idvwz8BM fZBmxlYGAwEIB4h9BBgWCAAmFiEEnYeSyArSBQuxVrmJ038LlyCgtVsFAmEffwEC GwwFCRLMAwAACgkQ038LlyCgtVu1hwD3Tw35ukbht/pxGnmiJl7TXdV5w+F4Jcpd 6OOvPVuWEwD9EL3zA+Mu5S/StcaiOxm0tjPMLfb+MaDBwVVRprXsPA24MwRhH398 FgkrBgEEAdpHDwEBB0CE1jawOC2sw5tsOriX+dE6e6IYPRzMfcgBxNy6DRiWmoh+ BBgWCAAmFiEEnYeSyArSBQuxVrmJ038LlyCgtVsFAmEff3wCGyAFCRLMAwAACgkQ 038LlyCgtVuq1gEAuKMoKVZb5O7FkCeKYO862zYJjILa4vYFY7YiFqurnvAA/RBE BGuoW5c3o0mvniIyOAOZwcCFlrZs4yR+KQvFRoMJ =Yppk -----END PGP PUBLIC KEY BLOCK-----
here's what it'll look like after you're done:
$ gpg --list-secret-keys
/home/epoch/.gnupg/pubring.kbx
------------------------------
sec# ed25519/0xD37F0B9720A0B55B 2021-08-20 [C] [expires: 2031-08-18]
Key fingerprint = 9D87 92C8 0AD2 050B B156 B989 D37F 0B97 20A0 B55B
uid [ unknown] epoch@thebackupbox.net
ssb ed25519/0xB29D7B50990E0EB6 2021-08-20 [S] [expires: 2031-08-18]
ssb cv25519/0xA21417EA02148649 2021-08-20 [E] [expires: 2031-08-18]
ssb ed25519/0xBFF7C81B266B6EAF 2021-08-20 [A] [expires: 2031-08-18]
I did a small change to my computer so application/pgp-encrypted content-types
are now opened by an appropriate external program. in my case, I'm passing to
mimestart (one of my script) that then checks the config file for a pipeline
to run on the filename passed to it, the pipeline then pops up a terminal
that contains less -f <(gpg -d < %p). to get firefox to recognize this
and launch this when I click on this type of file, I had to use xdg-stuff like:
xdg-mime query default application/pgp-encrypted xdg-mime default ~/.local/share/applications/application_pgp-encrypted.desktop application/pgp-encrypted
where application_pgp-encrypted.desktop (the filename isn't important) was a basic .desktop file like:
[Desktop Entry] Encoding=UTF-8 Version=1.0 Type=Application NoDisplay=true Exec=mimestart %F Name=mimestart Comment=mimestart Mimetype=application/pgp-encrypted
a thing I read while figuring this out
$ git config --global commit.gpgsign true $ git config --global user.signingKey B29D7B50990E0EB6
I pretty much followed these, but, eh.
https://gist.github.com/TimJDFletcher/85fafd023c81aabfad57454111c1564d
https://rabbithole.wwwdotorg.org/2021/03/03/gpg-agent-fwding-over-ssh.html
basic steps are...
have a unix socket created on the remote computer in the place that gnupg expects
it to be.
on the computer with the private keys, there should be a second socket
that a remote gpg could connect to.
$ gpgconf --list-dirs | grep ^agent-extra | cut -d: -f2- /run/user/1000/gnupg/S.gpg-agent.extra
(I'll refer to this value as ${AGENT_EXTRA})
and then on the remote computer do:
$ gpgconf --list-dirs | grep ^agent-socket | cut -d: -f2- /run/user/1000/gnupg/S.gpg-agent
(I'll refer to this value as ${AGENT_SOCKET})
You might as well disable the gpg-agent on the remote hosts with systemd like:
sudo systemctl --global mask gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
um... may need to delete the remote ${AGENT_SOCKET} before trying the next line:
ssh -R "${AGENT_SOCKET}:${AGENT_EXTRA}" remotehost
You'll know if you do because it'll output an error message the top.
I guess that error message could be caused by the dir not already existing.
You're supposed to be able to prevent the socket from hanging out after you
disconnect by adding
StreamLocalBindUnlink yes
to /etc/ssh/sshd_config
I wanted gpg to ask me for my password with an X11 window, so I had to do:
sudo update-alternatives --config pinentry
and set it as something other than pinentry-tty.
If you want to use the tty version, you will probably want to try something like..
Match host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"
in your ~/.ssh/config file as I saw suggested in:
https://wiki.archlinux.org/title/GnuPG#Configure_pinentry_to_use_the_correct_TTY
I dunno. That's most of the brain dump of stuff I did to get it working here...
oh yeah. make sure to import your own public key to the remote host.
$ gpg --export -a D37F0B9720A0B55B | ssh remote-host gpg --import
should probably do that /before/ you do any of this other stuff.
someone sent me a signed message containing their XMPP keys so I could verify it was them. Since that was on my phone, I put the whole signed message into a QR code, then scanned it with my desktop's webcam by running zbarcam in a terminal. Copied that text into gpg --verify and it verified, but gpg complained the key was expired. They said they'd updated the expiration date earlier in the year so I looked up how to download updated keys from keyservers.
gpg --refresh-keys
Simple enough, but I won't remember that, so I'm leaving it here as a not to myself, and maybe I'll be less likely to forget it having written it down. Should probably be doing it more often just in case someone pushes a revocation.