{"id":650,"date":"2018-05-12T08:40:27","date_gmt":"2018-05-12T06:40:27","guid":{"rendered":"https:\/\/blogs.gentoo.org\/mgorny\/?p=650"},"modified":"2018-08-13T18:00:16","modified_gmt":"2018-08-13T16:00:16","slug":"on-openpgp-gnupg-key-management","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/mgorny\/2018\/05\/12\/on-openpgp-gnupg-key-management\/","title":{"rendered":"On\u00a0OpenPGP (GnuPG) key management"},"content":{"rendered":"

Over the\u00a0time, a\u00a0number of\u00a0developers have had problems following the\u00a0Gentoo OpenPGP key policy (GLEP\u00a063<\/a>. In\u00a0particular, the\u00a0key expiration requirements have resulted in\u00a0many developers wanting to replace their key unnecessarily. I’ve been asked to write some instructions on\u00a0managing your OpenPGP key, and\u00a0I’ve decided to go for a\u00a0full blog post with some less-known tips. I\u00a0won’t be getting into detailed explanations how to use GnuPG though \u2014 you may still need to read the\u00a0documentation after all.<\/p>\n

<\/p>\n

Primary key and subkeys<\/h2>\n

An\u00a0OpenPGP key actually consists of\u00a0one or\u00a0more pairs of public and\u00a0private keys \u2014 the\u00a0primary key<\/em> (or\u00a0root key<\/em>, in\u00a0GLEP\u00a063 naming), and\u00a0zero or\u00a0more subkeys<\/em>. Ideally, the\u00a0primary key is only used to create subkeys, UIDs, manipulate them and\u00a0sign other people’s keys. All \u2018non-key\u2019 cryptographic operations are done using subkeys. This reduces the\u00a0wear of the\u00a0primary key, and\u00a0the\u00a0risk of it being compromised.<\/p>\n

If\u00a0you don’t use a\u00a0smartcard, then a\u00a0good idea would be to move the\u00a0private part of\u00a0primary key off-site since you don’t need it for normal operation. However, before doing that please remember to always have a\u00a0revocation certificate<\/em> around. You will need it to\u00a0revoke the\u00a0primary key if\u00a0you lose it. With GnuPG\u00a02.1, removing private keys is trivial. First, list all keys with keygrips<\/em>:<\/p>\n

$ gpg --list-secret --with-keygrip<\/kbd>\n\/home\/you\/.gnupg\/pubring.kbx\n-------------------------------\nsec   rsa2048\/0xBBC7E6E002FE74E8 2018-05-12 [SC] [expires: 2020-05-11]\n      55642983197252C35550375FBBC7E6E002FE74E8\n      Keygrip = B51708C7209017A162BDA515A9803D3089B993F0\nuid                   [ultimate] Example key \nssb   rsa2048\/0xB7BA421CDCD4AF16 2018-05-12 [E] [expires: 2020-05-11]\n      Keygrip = 92230550DA684B506FC277B005CD3296CB70463C<\/samp><\/pre>\n
Note that the\u00a0output may differ depending on\u00a0your settings.  The\u00a0sec<\/samp> entry indicates a\u00a0primary key.  Once you find the\u00a0correct key, just look for a\u00a0file named after its Keygrip<\/samp> in\u00a0~\/.gnupg\/private-keys-v1.d<\/kbd> (e.g. B51708C7209017A162BDA515A9803D3089B993F0.key<\/kbd> here).  Move that file off-site and\u00a0voil\u00e0!<\/p>\n
In\u00a0fact, you can go even further and\u00a0use a\u00a0dedicated off-line system to create and\u00a0manage keys, and\u00a0only transfer appropriate private keys (and\u00a0public keyring updates) to your online hosts.  You can transfer and\u00a0remove any other private key the\u00a0same way, and\u00a0use --export-key<\/kbd> to transfer the\u00a0public keys.<\/p>\n
How many subkeys to use?<\/h2>\n
Create at\u00a0least one signing<\/em> subkey and\u00a0exactly one encryption<\/em> subkey.<\/p>\n
Signing keys<\/em> are used to sign data, i.e. to prove its integrity and\u00a0authenticity.  Using multiple signing subkeys is rather trivial \u2014 you can explicitly specify the\u00a0key to use while creating a\u00a0signature (note that you need to append !<\/kbd> to key-id to force non-default subkey), and\u00a0GnuPG will automatically use the\u00a0correct subkey when verifying the\u00a0signature.  To reduce the\u00a0wear of your main signing subkey, you can create a\u00a0separate signing subkey for Gentoo commits.  Or you can go ever further, and\u00a0have a\u00a0separate signing subkey for each machine you’re using (and\u00a0keep only the\u00a0appropriate key on\u00a0each machine).<\/p>\n
Encryption keys<\/em> are used to encrypt messages.  While technically it is possible to have multiple encryption subkeys, GnuPG does not make that meaningful.  When someone will try to encrypt a\u00a0message to you, it will insist on\u00a0using the\u00a0newest key even if multiple keys are valid.  Therefore, use only one encryption key to avoid confusion.<\/p>\n
There is also a\u00a0third key class: authentication keys<\/em> that can be used in\u00a0place of\u00a0SSH keys.  If you intend to use them, I suggest the\u00a0same rule as\u00a0for SSH keys, that is one key for\u00a0each host holding the\u00a0keyring.  More on\u00a0using GnuPG for SSH below.<\/p>\n
To\u00a0summarize: use one encryption subkey, and\u00a0as\u00a0many signing and\u00a0authentication subkeys as\u00a0you need.  Using more subkeys reduces individual wear of\u00a0each key, and\u00a0makes it easier to assess the\u00a0damage if one of\u00a0them gets compromised.<\/p>\n
When to create a\u00a0new key?<\/h2>\n
One of\u00a0the\u00a0common misconceptions is that you need to create a\u00a0new key when the\u00a0current one expires.  This is not really the\u00a0purpose of\u00a0key expiration \u2014 we use it mostly to automatically rule out dead keys.  There are generally three cases when you want to create a\u00a0new key:<\/p>\n
    \n
  1. if the key is compromised,<\/li>\n
  2. if the\u00a0primary key is irrecoverably lost,<\/li>\n
  3. if the\u00a0key uses really weak algorithm (e.g. short DSA key).<\/li>\n<\/ol>\n
    Most of\u00a0the\u00a0time, you will just decide to prolong the\u00a0primary key and\u00a0subkeys, i.e.\u00a0use the\u00a0--edit-key<\/kbd> option to update their expiration dates.  Note that GnuPG is not very user-friendly there.  To prolong the\u00a0primary key, use expire<\/kbd> command without any\u00a0subkeys selected.  To prolong one or\u00a0more subkeys, select them using key<\/kbd> and\u00a0then use expire<\/kbd>.  Normally, you will want to do this periodically, before<\/em> the\u00a0expiration date to give people some time to\u00a0refresh.  Add it to your calendar as a\u00a0periodic event.<\/p>\n
    $ gpg --edit-key 0xBBC7E6E002FE74E8<\/kbd>\nSecret key is available.\n\nsec  rsa2048\/0xBBC7E6E002FE74E8\n     created: 2018-05-12  expires: 2020-05-11  usage: SC  \n     trust: ultimate      validity: ultimate\nssb  rsa2048\/0xB7BA421CDCD4AF16\n     created: 2018-05-12  expires: 2020-05-11  usage: E   \n[ultimate] (1). Example key <example@example.com>\n\ngpg><\/samp> expire<\/kbd>\nChanging expiration time for the primary key.\nPlease specify how long the key should be valid.\n         0 = key does not expire\n      <n>  = key expires in n days\n      <n>w = key expires in n weeks\n      <n>m = key expires in n months\n      <n>y = key expires in n years\nKey is valid for? (0)<\/samp> 3y<\/kbd>\nKey expires at Tue May 11 12:32:35 2021 CEST\nIs this correct? (y\/N)<\/samp> y<\/kbd>\n\nsec  rsa2048\/0xBBC7E6E002FE74E8\n     created: 2018-05-12  expires: 2021-05-11  usage: SC  \n     trust: ultimate      validity: ultimate\nssb  rsa2048\/0xB7BA421CDCD4AF16\n     created: 2018-05-12  expires: 2020-05-11  usage: E   \n[ultimate] (1). Example key <example@example.com>\n\ngpg><\/samp> key 1<\/kbd>\n\nsec  rsa2048\/0xBBC7E6E002FE74E8\n     created: 2018-05-12  expires: 2021-05-11  usage: SC  \n     trust: ultimate      validity: ultimate\nssb* rsa2048\/0xB7BA421CDCD4AF16\n     created: 2018-05-12  expires: 2020-05-11  usage: E   \n[ultimate] (1). Example key <example@example.com>\n\ngpg><\/samp> expire<\/kbd>\nChanging expiration time for a subkey.\nPlease specify how long the key should be valid.\n         0 = key does not expire\n      <n>  = key expires in n days\n      <n>w = key expires in n weeks\n      <n>m = key expires in n months\n      <n>y = key expires in n years\nKey is valid for? (0)<\/samp> 1y<\/kbd>\nKey expires at Sun May 12 12:32:47 2019 CEST\nIs this correct? (y\/N)<\/samp> y<\/kbd>\n\nsec  rsa2048\/0xBBC7E6E002FE74E8\n     created: 2018-05-12  expires: 2021-05-11  usage: SC  \n     trust: ultimate      validity: ultimate\nssb* rsa2048\/0xB7BA421CDCD4AF16\n     created: 2018-05-12  expires: 2019-05-12  usage: E   \n[ultimate] (1). Example key <example@example.com><\/samp><\/pre>\n
    If\u00a0one of the\u00a0conditions above applies to one of\u00a0your subkeys, or you think that it has reached a\u00a0very high wear, you will want to replace the\u00a0subkey.  While at\u00a0it, make sure that the\u00a0old key is\u00a0either expired or\u00a0revoked (but don’t revoke the\u00a0whole key accidentally!).  If one of\u00a0those conditions applies to your primary key, revoke it and\u00a0start propagating your new key.<\/p>\n
    Please remember to upload your key to key servers after each change (using --send-keys<\/kbd>).<\/p>\n
    To summarize: prolong your keys periodically, rotate subkeys whenever you consider that beneficial but avoid replacing the\u00a0primary key unless really necessary.<\/p>\n
    Using gpg-agent for SSH authentication<\/h2>\n
    If you already have to set up a\u00a0secure store for OpenPGP keys, why not use it for\u00a0SSH keys as\u00a0well?  GnuPG provides ssh-agent emulation which lets you use an\u00a0OpenPGP subkey to authenticate via SSH.<\/p>\n
    Firstly, you need to create a\u00a0new key.  You need to use the\u00a0--expert<\/kbd> option to\u00a0access additional options.  Use addkey<\/kbd> to\u00a0create a\u00a0new key, choose one of\u00a0the\u00a0options with custom capabilities and\u00a0toggle them from the\u00a0default sign<\/em>+<em<encrypt<\/em> to\u00a0authenticate<\/em>:<\/p>\n
    $ gpg --expert --edit-key 0xBBC7E6E002FE74E8<\/kbd>\nSecret key is available.\n\nsec  rsa2048\/0xBBC7E6E002FE74E8\n     created: 2018-05-12  expires: 2020-05-11  usage: SC  \n     trust: ultimate      validity: ultimate\nssb  rsa2048\/0xB7BA421CDCD4AF16\n     created: 2018-05-12  expires: 2020-05-11  usage: E   \n[ultimate] (1). Example key <example@example.com>\n\ngpg><\/samp> addkey<\/kbd>\nPlease select what kind of key you want:\n   (3) DSA (sign only)\n   (4) RSA (sign only)\n   (5) Elgamal (encrypt only)\n   (6) RSA (encrypt only)\n   (7) DSA (set your own capabilities)\n   (8) RSA (set your own capabilities)\n  (10) ECC (sign only)\n  (11) ECC (set your own capabilities)\n  (12) ECC (encrypt only)\n  (13) Existing key\nYour selection?<\/samp> 8<\/kbd>\n\nPossible actions for a RSA key: Sign Encrypt Authenticate \nCurrent allowed actions: Sign Encrypt \n\n   (S) Toggle the sign capability\n   (E) Toggle the encrypt capability\n   (A) Toggle the authenticate capability\n   (Q) Finished\n\nYour selection?<\/samp> s<\/kbd>\n\nPossible actions for a RSA key: Sign Encrypt Authenticate \nCurrent allowed actions: Encrypt \n\n   (S) Toggle the sign capability\n   (E) Toggle the encrypt capability\n   (A) Toggle the authenticate capability\n   (Q) Finished\n\nYour selection?<\/samp> e<\/kbd>\n\nPossible actions for a RSA key: Sign Encrypt Authenticate \nCurrent allowed actions: \n\n   (S) Toggle the sign capability\n   (E) Toggle the encrypt capability\n   (A) Toggle the authenticate capability\n   (Q) Finished\n\nYour selection?<\/samp> a<\/kbd>\n\nPossible actions for a RSA key: Sign Encrypt Authenticate \nCurrent allowed actions: Authenticate \n\n   (S) Toggle the sign capability\n   (E) Toggle the encrypt capability\n   (A) Toggle the authenticate capability\n   (Q) Finished\n\nYour selection?<\/samp> q<\/kbd>\n[...]<\/pre>\n
    Once the key is created, find its keygrip:<\/p>\n
    $ gpg --list-secret --with-keygrip<\/kbd>\n\/home\/mgorny\/.gnupg\/pubring.kbx\n-------------------------------\nsec   rsa2048\/0xBBC7E6E002FE74E8 2018-05-12 [SC] [expires: 2020-05-11]\n      55642983197252C35550375FBBC7E6E002FE74E8\n      Keygrip = B51708C7209017A162BDA515A9803D3089B993F0\nuid                   [ultimate] Example key <example@example.com>\nssb   rsa2048\/0xB7BA421CDCD4AF16 2018-05-12 [E] [expires: 2020-05-11]\n      Keygrip = 92230550DA684B506FC277B005CD3296CB70463C\nssb   rsa2048\/0x2BE2AF20C43617A0 2018-05-12 [A] [expires: 2018-05-13]\n      Keygrip = 569A0C016AB264B0451309775FDCF06A2DE73473<\/samp><\/pre>\n
    This time we’re talking about the\u00a0keygrip of the\u00a0[A]<\/samp> key.  Append that to\u00a0~\/.gnupg\/sshcontrol<\/kbd>:<\/p>\n
    $ echo 569A0C016AB264B0451309775FDCF06A2DE73473 >> ~\/.gnupg\/sshcontrol<\/kbd><\/pre>\n
    The\u00a0final step is to have gpg-agent with --enable-ssh-support<\/kbd> started.  The\u00a0exact procedure here depends on\u00a0the\u00a0environment used.  In\u00a0XFCE, it involves setting a\u00a0hidden configuration option:<\/p>\n
    $ xfconf-query -c xfce4-session -p \/startup\/ssh-agent\/type -n -t string -s gpg-agent<\/kbd><\/pre>\n
    Further reading<\/h2>\n