Difference between revisions of "GnuPG"
(→gpg-agent: Use proper [['s for testing, actually add the flag for ssh support and not just try to export a variable that doesn't exist.)
m (→gpg-agent)
Line 85: | Line 85: | ||
== gpg-agent == | == gpg-agent == | ||
− | {{Ic| | + | {{Ic|Gpg-agent}} is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. It can be activated by adding following line in {{ic|~/.gnupg/gpg.conf}}: |
use-agent | use-agent | ||
− | This tells GnuPG to use the agent whenever it needs the password. However, the agent needs to run already. To autostart it, create the following file and make it executable: | + | This tells GnuPG to use the agent whenever it needs the password. However, the agent needs to run already. To autostart it, create the following file and make it executable, and remember to change the envfile path if you changed your $GNUPGHOME: |
{{hc|/etc/profile.d/gpg-agent.sh|2=<nowiki> | {{hc|/etc/profile.d/gpg-agent.sh|2=<nowiki> | ||
− | envfile="$HOME/.gnupg/gpg-agent.env" | + | envfile="$HOME/.gnupg/gpg-agent.env" |
if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then | if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then | ||
eval "$(cat "$envfile")" | eval "$(cat "$envfile")" |
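Review bot: the new advice on line 85 to "change the envfile path if you changed your $GNUPGHOME" asks the reader for a manual edit the script could make unnecessary: its first line still hard-codes `envfile="$HOME/.gnupg/gpg-agent.env"`, so a user with a custom $GNUPGHOME who forgets the edit ends up with the env file in one directory and the agent's home in another. Suggest `envfile="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.env"` so the script follows the variable by itself and the sentence can be dropped.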
Revision as of 10:21, 27 October 2013
GnuPG can be used to sign and encrypt files or mails.
Installation
Install gnupg, available in the official repositories.
Environment Variables
GnuPG uses the directory pointed to by $GNUPGHOME to store all of its configuration files. By default $GNUPGHOME is not set and $HOME is used instead, so you will find a ~/.gnupg directory right after the install. You may change this default by putting this line in one of your regular startup files:
    export GNUPGHOME="/path/to/gnupg/directory"
Basic keys management
Create key
- Generate a private key by typing in a terminal:
    gpg --gen-key
You’ll have to answer a bunch of questions but generally, you can accept the defaults.
While having an expiration date for subkeys isn't technically necessary, it is considered good practice. A period of a year is generally good enough for the average user. This way even if you lose access to your keyring, it will allow others to know that it is no longer valid.
- Set expiration date (repeat for both/all subkeys):
    1. gpg --edit-key 'Your Name'
    2. key [number]
    3. expire
    4. save
- Generate an ASCII version of your public key (e.g. to distribute it by e-mail):
    gpg --armor --output public.key --export 'Your Name'
- Register your key with a public PGP key server, so that others can retrieve your key without having to contact you directly:
    gpg --keyserver hkp://subkeys.pgp.net --send-keys <Key Id>
Rotating subkeys
If you have set your subkeys to expire after a set time, you will have to create new ones. Do this a few weeks in advance to allow others to update their keyring.
- Create a new subkey (repeat for both the signing and the encrypting key):
    1. gpg --edit-key 'Your Name'
    2. addkey
  and answer the questions it asks.
- Save changes:
    save
- Upload it to a keyserver:
    gpg --keyserver hkp://subkeys.pgp.net --send-keys <Key Id>
Import key
- Import a public key to your public key ring:
    gpg --import public.key
- Import a private key to your secret key ring:
    gpg --import private.key
List keys
- Keys in your public key ring:
    gpg --list-keys
- Keys in your secret key ring:
    gpg --list-secret-keys
Basic usage
You can use gnupg to encrypt your sensitive documents, but only individual files at a time.
For example, to decrypt a file, use:
    gpg -d secret.tar.gpg
You'll be prompted to enter your passphrase.
If you want to encrypt directories or a whole file-system you should consider using TrueCrypt, though you can always tarball various files and then encrypt them.
Symmetric Encryption
gpg-agent
Gpg-agent is mostly used as a daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. It can be activated by adding the following line in ~/.gnupg/gpg.conf:
    use-agent
This tells GnuPG to use the agent whenever it needs the password. However, the agent needs to run already. To autostart it, create the following file and make it executable, and remember to change the envfile path if you changed your $GNUPGHOME:
/etc/profile.d/gpg-agent.sh:
    envfile="$HOME/.gnupg/gpg-agent.env"
    if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
        eval "$(cat "$envfile")"
    else
        eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
    fi
    export GPG_AGENT_INFO  # the env file does not contain the export statement
    export SSH_AUTH_SOCK   # enable gpg-agent for ssh
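The autostart script above decides whether to reuse an agent by pulling a pid out of the env file and probing it with kill -0. The following is an added example, not the wiki's script and not part of GnuPG: it performs the same liveness decision with a stricter parse (only a numeric pid in the GPG_AGENT_INFO line is accepted, and the file is never passed to eval before the check succeeds) and derives the env file location from $GNUPGHOME so a custom directory needs no manual edit. The env-file layout it assumes is the one gpg-agent --write-env-file produced on GnuPG 2.0 (GPG_AGENT_INFO=socket:pid:protocol plus SSH_AUTH_SOCK); the function names and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the ArchWiki page's own script and not GnuPG code.
# Assumed env-file layout (as written by GnuPG 2.0's --write-env-file):
#   GPG_AGENT_INFO=/home/user/.gnupg/S.gpg-agent:12345:1
#   SSH_AUTH_SOCK=/home/user/.gnupg/S.gpg-agent.ssh

# Location of the env file, honouring $GNUPGHOME when it is set.
gpg_agent_envfile() {
    printf '%s/gpg-agent.env\n' "${GNUPGHOME:-$HOME/.gnupg}"
}

# Print the pid field of the GPG_AGENT_INFO line; fail if the file is
# unreadable or the line is missing or not of the form socket:pid:protocol.
agent_pid_from_envfile() {
    [ -r "$1" ] || return 1
    pid=$(sed -n 's/^GPG_AGENT_INFO=[^:]*:\([0-9][0-9]*\):.*/\1/p' "$1")
    [ -n "$pid" ] || return 1
    printf '%s\n' "$pid"
}

# Succeed only if the env file names a process that still exists
# (same test as "kill -0" in the profile.d snippet, on a validated pid).
agent_alive() {
    pid=$(agent_pid_from_envfile "$1") || return 1
    kill -0 "$pid" 2>/dev/null
}

# Write a constructed env file (sample data, not real agent output);
# $1 is the file, $2 the pid to record.
write_demo_envfile() {
    printf 'GPG_AGENT_INFO=%s/S.gpg-agent:%s:1\nSSH_AUTH_SOCK=%s/S.gpg-agent.ssh\n' \
        "${GNUPGHOME:-$HOME/.gnupg}" "$2" "${GNUPGHOME:-$HOME/.gnupg}" > "$1"
}

# Demonstration: one file pointing at this shell (alive) and one pointing at
# a pid no process can have (stale). Returns 0 when both cases are classified
# correctly.
demo() {
    f=$(mktemp) || return 1
    write_demo_envfile "$f" "$$"
    agent_alive "$f" && live=yes || live=no
    write_demo_envfile "$f" 2147483647
    agent_alive "$f" && stale=yes || stale=no
    rm -f "$f"
    echo "live agent detected: $live; stale file rejected: $stale"
    [ "$live" = yes ] && [ "$stale" = no ]
}

demo
```

The separation matters for the profile.d use: the original one-liner passes whatever cut extracts straight to kill, whereas agent_pid_from_envfile refuses a damaged or hand-edited file outright, so the else branch starts a fresh agent instead of evaluating a file that no longer describes one.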
If you don't want gpg-agent to autostart for all users, or just want to keep user daemons in the user's own configuration files, you can add the following entry to your ~/.xinitrc:
    eval "$(gpg-agent --daemon)"
Or, if you don't use an X server, you can also put this into your regular startup files. Here is an example using Bash syntax with SSH support:
    gpg-agent --daemon --enable-ssh-support --write-env-file "$HOME/.gnupg/.gpg-agent-info"
Log out of your X session and log back in. Check if gpg-agent is activated:
    pgrep agent
Pinentry
Finally, the agent needs to know how to ask the user for the password. This can be set in ~/.gnupg/gpg-agent.conf. The default uses a GTK dialog. To change it to ncurses or Qt, set the following in the above file:
    pinentry-program /usr/bin/pinentry-curses
or
    pinentry-program /usr/bin/pinentry-qt4
For more options see man gpg-agent and info pinentry.
Keysigning Parties
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses a so-called "Web of Trust". To build this Web of Trust, many hacker events include keysigning parties.
The Zimmermann-Sassaman key-signing protocol is a way of making these very effective. Here you'll find a How-To-article.
Caff
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool 'caff'. It can be installed from the AUR with the package caff-svn (AUR) or bundled together with other useful tools in the package signing-party-svn (AUR). Either way, a lot of dependencies will be installed from the AUR. Alternatively you can install them with:
    cpanm Any::Moose
    cpanm GnuPG::Interface
To send the signatures to their owners you need a working MTA. If you don't have already one, install SSMTP.
Smartcards
GnuPG uses scdaemon as an interface to your smartcard reader; please refer to the scdaemon man page for details.
GnuPG only setups
If you do not plan to use other cards but those based on GnuPG, you should check the reader-port parameter in ~/.gnupg/scdaemon.conf. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.
GnuPG together with OpenSC
If you are using any smartcard with an opensc driver (e.g.: ID cards from some countries) you should pay some attention to GnuPG configuration. Out of the box you might receive a message like this when using gpg --card-status
gpg: selecting openpgp failed: ec=6.108
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process. For example: the pcscd daemon used by OpenSC. To cope with this situation we should use the same underlying driver as opensc so they can work well together.
In order to point scdaemon to pcscd you should remove reader-port from ~/.gnupg/scdaemon.conf, specify the location of the libpcsclite.so library and disable ccid so we make sure that we use pcscd.
~/.gnupg/scdaemon.conf:
    pcsc-driver /usr/lib/libpcsclite.so
    card-timeout 5
    disable-ccid
Please check man scdaemon if you do not use OpenSC.
Troubleshooting
Su
When using pinentry, you must have the proper permissions on the terminal device (e.g. /dev/tty1) in use. However, with su (or sudo), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If running gpg as root, simply change the ownership to root right before using gpg:
    chown root /dev/ttyN   # where N is the current tty
and then change it back after using gpg the first time. The equivalent is likely to be true with /dev/pts/.
tty does not seem to alleviate the issue, at least as root. (Please confirm with non-superusers.)
Agent complains end of file
The default pinentry program is pinentry-gtk-2, which needs a DBus session bus to run properly. See General Troubleshooting#Session permissions for details.
Alternatively you can use the qt pinentry.
# ln -sf /usr/bin/pinentry-qt4 /usr/bin/pinentry