# encryption keys for epoch XMPP OMEMO key: 3A3B795C 07AD3A4D 31790B95 B27F3254 623F3E7A F19BBF25 692872F4 639A7931 => xmpp:epoch@thebackupbox.net ## my finger daemon => signed-pt ## pgp key plan: * minimize the computers that need a key * desktop and laptop definitely need keys. * mailserver and raspi don't. use this to generate keys and store encrypted on a flashdrive => https://sr.ht/~nytpu/sbhk/ => https://git.thebackupbox.net/sbhk/ (backup stored on my own server) follow some of this: => https://gist.github.com/bradfa/e73883a73f3a86e555fc43bf326edaa6 => backup/pgp-bootable-usb-flash-drive.md (backup stored on my own server) but skip out the parts that require yubikeys ## gpg make sure that the terminal you're using is owned by the user you're running gpg as otherwise it may fuck up when trying to give you a box to ask for a password make a master key, it only needs Certify capability. ``` $ gpg --expert --full-generate-key ``` use type ECC, type 11, curve25519 add a subkey for each of the capabilities (except C probably) I guess do some of this ``` $ gpg --output secret-subkeys --export-secret-subkeys YOURPRIMARYKEYID ``` to put secret parts of only the subkeys into the public partition make sure to unmount-parts plug the drive into the places that need keys, mount it ``` $ gpg --import /mnt/sbhk-public/secret-subkeys ``` then you can unmount it and put it in a safe or something. or you might want to make multiple copies of it and store them in separate safe places. there's not really a point in having separate keys for each machine it seems. quote from => https://wiki.debian.org/Subkeys """ One might be tempted to have one subkey per machine so that you only need to exchange the potentially compromised subkey of that machine. In case of a single subkey used on all machines, it needs to be exchanged on all machines in case of a compromising. But this only works for signing subkeys. If you have multiple encryption subkeys, gpg is said to encrypt only for the most recent encryption subkey and not for all known and not revoked encryption subkeys. """ other references: => https://zeroindexed.com/pgp-encryption-subkeys => https://sammorrowdrums.com/using-pgp-encryption-in-2021 => https://emailselfdefense.fsf.org/en/ here's the pgp key I made: ``` -----BEGIN PGP PUBLIC KEY BLOCK----- mDMEYR9+YxYJKwYBBAHaRw8BAQdAnMBKDKiLvQqChm3GyQ3B1vMAbmthx6j7fNTL u4Sb8Ra0FmVwb2NoQHRoZWJhY2t1cGJveC5uZXSIlQQTFggAPRYhBJ2HksgK0gUL sVa5idN/C5cgoLVbBQJhH35jAhsBBQkSzAMABQsJCAcCBhUKCQgLAgMWAgECHgEC F4AACgkQ038LlyCgtVsEQwD/UMWkw9H3V1Od60cozQwWl6NprRrrASGUqieo/D32 +VAA/2gmd14f7L1nd//mUpiMYQE7ccXyWjXUQiPxvIhO5nwLuDMEYR9+4hYJKwYB BAHaRw8BAQdAWSIO1eZ//SEBtpCoA/E7nemL+fix6bIHxBi7n+qfA9qI9QQYFggA JhYhBJ2HksgK0gULsVa5idN/C5cgoLVbBQJhH37iAhsCBQkSzAMAAIEJENN/C5cg oLVbdiAEGRYIAB0WIQQurelPaMRnd16SQQWynXtQmQ4OtgUCYR9+4gAKCRCynXtQ mQ4OtvvcAQDbJbihXZulg2OqHmRHuH/F49Mk1GGyq/qi70Qo5m3yggEA9PO9lYyW FwSxjcy0BTiCDiYiKDO+ErCu9SwtmOv0swBXKgD+KBKXqVP2HtcfhKwnc2EuFyuO jDBwLvdAszCCVuER+o8BAIYjm/sTKg5OgYtTUCsjKSmyeHfxOyVZfKiSy6mtVIQD uDgEYR9/ARIKKwYBBAGXVQEFAQEHQIa9MKD9aeeGZeMB49OOhxyrCwS6idvwz8BM fZBmxlYGAwEIB4h9BBgWCAAmFiEEnYeSyArSBQuxVrmJ038LlyCgtVsFAmEffwEC GwwFCRLMAwAACgkQ038LlyCgtVu1hwD3Tw35ukbht/pxGnmiJl7TXdV5w+F4Jcpd 6OOvPVuWEwD9EL3zA+Mu5S/StcaiOxm0tjPMLfb+MaDBwVVRprXsPA24MwRhH398 FgkrBgEEAdpHDwEBB0CE1jawOC2sw5tsOriX+dE6e6IYPRzMfcgBxNy6DRiWmoh+ BBgWCAAmFiEEnYeSyArSBQuxVrmJ038LlyCgtVsFAmEff3wCGyAFCRLMAwAACgkQ 038LlyCgtVuq1gEAuKMoKVZb5O7FkCeKYO862zYJjILa4vYFY7YiFqurnvAA/RBE BGuoW5c3o0mvniIyOAOZwcCFlrZs4yR+KQvFRoMJ =Yppk -----END PGP PUBLIC KEY BLOCK----- ``` here's what it'll look like after you're done: ``` $ gpg --list-secret-keys /home/epoch/.gnupg/pubring.kbx ------------------------------ sec# ed25519/0xD37F0B9720A0B55B 2021-08-20 [C] [expires: 2031-08-18] Key fingerprint = 9D87 92C8 0AD2 050B B156 B989 D37F 0B97 20A0 B55B uid [ unknown] epoch@thebackupbox.net ssb ed25519/0xB29D7B50990E0EB6 2021-08-20 [S] [expires: 2031-08-18] ssb cv25519/0xA21417EA02148649 2021-08-20 [E] [expires: 2031-08-18] ssb ed25519/0xBFF7C81B266B6EAF 2021-08-20 [A] [expires: 2031-08-18] ``` ### update, Jan 16th 2023 I did a small change to my computer so application/pgp-encrypted content-types are now opened by an appropriate external program. in my case, I'm passing to mimestart (one of my script) that then checks the config file for a pipeline to run on the filename passed to it, the pipeline then pops up a terminal that contains less -f <(gpg -d < %p). to get firefox to recognize this and launch this when I click on this type of file, I had to use xdg-stuff like: ``` xdg-mime query default application/pgp-encrypted xdg-mime default ~/.local/share/applications/application_pgp-encrypted.desktop application/pgp-encrypted ``` where application_pgp-encrypted.desktop (the filename isn't important) was a basic .desktop file like: ``` [Desktop Entry] Encoding=UTF-8 Version=1.0 Type=Application NoDisplay=true Exec=mimestart %F Name=mimestart Comment=mimestart Mimetype=application/pgp-encrypted ``` => https://unix.stackexchange.com/questions/77136/xdg-open-default-applications-behavior a thing I read while figuring this out ## git commit signing ``` $ git config --global commit.gpgsign true $ git config --global user.signingKey B29D7B50990E0EB6 ``` ## gpg agent forwarding I pretty much followed these, but, eh. => https://gist.github.com/TimJDFletcher/85fafd023c81aabfad57454111c1564d => https://rabbithole.wwwdotorg.org/2021/03/03/gpg-agent-fwding-over-ssh.html basic steps are... have a unix socket created on the remote computer in the place that gnupg expects it to be. on the computer with the private keys, there should be a second socket that a remote gpg could connect to. ``` $ gpgconf --list-dirs | grep ^agent-extra | cut -d: -f2- /run/user/1000/gnupg/S.gpg-agent.extra ``` (I'll refer to this value as ${AGENT_EXTRA}) and then on the remote computer do: ``` $ gpgconf --list-dirs | grep ^agent-socket | cut -d: -f2- /run/user/1000/gnupg/S.gpg-agent ``` (I'll refer to this value as ${AGENT_SOCKET}) You might as well disable the gpg-agent on the remote hosts with systemd like: ``` sudo systemctl --global mask gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket ``` um... may need to delete the remote ${AGENT_SOCKET} before trying the next line: ``` ssh -R "${AGENT_SOCKET}:${AGENT_EXTRA}" remotehost ``` You'll know if you do because it'll output an error message the top. I guess that error message could be caused by the dir not already existing. You're supposed to be able to prevent the socket from hanging out after you disconnect by adding ``` StreamLocalBindUnlink yes ``` to /etc/ssh/sshd_config I wanted gpg to ask me for my password with an X11 window, so I had to do: ``` sudo update-alternatives --config pinentry ``` and set it as something other than pinentry-tty. If you want to use the tty version, you will probably want to try something like.. ``` Match host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye" ``` in your ~/.ssh/config file as I saw suggested in: => https://wiki.archlinux.org/title/GnuPG#Configure_pinentry_to_use_the_correct_TTY I dunno. That's most of the brain dump of stuff I did to get it working here... oh yeah. make sure to import your own public key to the remote host. ``` $ gpg --export -a D37F0B9720A0B55B | ssh remote-host gpg --import ``` should probably do that /before/ you do any of this other stuff. ### gpg refresh keys someone sent me a signed message containing their XMPP keys so I could verify it was them. Since that was on my phone, I put the whole signed message into a QR code, then scanned it with my desktop's webcam by running zbarcam in a terminal. Copied that text into gpg --verify and it verified, but gpg complained the key was expired. They said they'd updated the expiration date earlier in the year so I looked up how to download updated keys from keyservers. ``` gpg --refresh-keys ``` Simple enough, but I won't remember that, so I'm leaving it here as a not to myself, and maybe I'll be less likely to forget it having written it down. Should probably be doing it more often just in case someone pushes a revocation.