Here is the translation of the second part of a series of materials on the protection of the integrity of the code using PGP.
Last time, we sorted out the basics of PGP, and today we will talk about how to create 4096-bit RSA master keys and how to protect them.
RSA keys
â–Ť Checklist
Here are the skills you need to learn after you understand the materials in this section:
- Create a 4096-bit RSA master key (Important).
- Create a backup copy of the master key on paper (Important).
- Selection and addition of suitable identification data to the master key (Important).
Explanations
â–ŤWhat is master key (certification key)
In this and the next sections we will talk about the so-called "master keys" and "subkeys". Considering these kinds of keys, it is important to understand the following:
')
- There is no difference between a master key and subkeys, in the technical sense.
- During the creation of keys, their functional limitations are set, assigning them specific capabilities.
- PGP keys have four possibilities:
- [S] The key can be used to sign data.
- [E] Key can be used for encryption.
- [A] key can be used for authentication.
- The [c] key can be used to certify other keys.
- One key can have several possibilities.
A key that has the ability [C] (certification) is considered a master key, since it is the only key that can be used to work with other keys.
Only the certification key can be used to perform the following actions:
- Adding or withdrawing other keys (plug) with S / E / A capabilities.
- Add, modify, or revoke the identity (UID) associated with a key.
- Setting or changing the expiration date of the key itself or any subkey.
- Signing other people's keys to form a network of trust.
In the free software world, the [C] key is your digital ID. After you have created this key, you need to pay special attention to its protection, and to prevent it from falling into the hands of intruders.
â–Ť Actions performed before creating a master key
Before you create your master key, you need to select your basic identification data and key phrase.
â–ŤBasic Identity
Identification data is a string that uses the same format as the
From
field in emails:
Alice Engineer <alice.engineer@example.org>
You can create new identity sets, revoke old ones and change basic identification data at any time. Since the main identity set is shown when performing all GnuPG operations, you should select and enter your name, and possibly the position, as well as the email address that relates to your professional activity and is most likely to be used to exchange data with using PGP. For example, it can be your work email address, or the one you use to register commits on GitHub.
â–Ť Keyword
The key phrase (also called the phrase-password) is used exclusively for encrypting the private key using a symmetric algorithm while saving this key to disk. If the contents of your
.gnupg
directory ever fall into the hands of an attacker, a good key phrase will be the last line of defense between him and his ability to impersonate you in the network. That is why it is important to use a good key phrase.
A reliable key phrase consists of 3-4 words, and it is desirable that the words from it cannot be found in the dictionary. It should not be a quote from well-known sources (you should not use as the key phrase words from songs, books, advertising slogans of any company). You will use the key phrase quite often, so it must also be such that it is easy for you to remember it and convenient to type from the keyboard.
â–ŤAlgorithm and key durability
GnuPG has been supporting encryption based on elliptic curves for some time, but for now we’ll stick to using RSA keys. Although you can also use the keys of the ED25519, you will probably find software tools and devices that cannot work normally with them.
In addition, you may be asked why the master key is 4096 bits long, if it is widely known that there are enough 2048-bit keys for any needs, and such keys will not lose their relevance for a long time. The reason for using 4096-bit keys mainly relates to the social, and not to the technical sphere. The thing is that other developers may treat you with some distrust if there are fewer bits in your master key than in their master key.
â–ŤCreating a master key
To create a master key, run the following command, placing your data instead of the Alice Engineer conditional user data:
$ gpg --quick-generate-key 'Alice Engineer <alice@example.org>' rsa4096 cert
After executing this command, a dialog box will appear prompting you to enter a password phrase. Then, you may need to move the mouse or press any keys on the keyboard so that the system can accumulate enough entropy to complete the work of the command.
Look at what the command will display. You will see something like the following:
pub rsa4096 2017-12-06 [C] [expires: 2019-12-06] 111122223333444455556666AAAABBBBCCCCDDDD uid Alice Engineer <alice@example.org>
Note the long sequence of characters in the second line. This is the complete imprint of the key just created. Key identifiers can be presented in three different forms:
- A fingerprint is a full 40-character key identifier.
- The long form (long) is the last 16 characters of the fingerprint (AAAABBBBCCCCDDDD).
- Short form (short) - the last 8 characters of the print (CCCCDDDD).
The use of short 8-character key identifiers should be avoided, as they are not unique enough.
At this point, it is recommended to open a text editor, copy the key fingerprint and paste it there. You will need to use it for the next few steps, so it’s convenient to keep it handy.
Backup master key
For emergency key recovery, and especially if you intend to use the trust network and collect key signatures from other developers of the project, you need to create a reliable copy of your private key, transferring it to paper. A paper copy is considered as the last chance to restore the key in case all other backup mechanisms are no longer useful.
The best way to create a copy of a secret key suitable for printing is to use the Paperkey program, which is designed specifically for this purpose. This program is available in all Linux distributions, on a Mac it can be installed using the
brew install paperkey
. Run the following command, replacing
[fpr]
with the full fingerprint of your key:
$ gpg --export-secret-key [fpr] | paperkey -o /tmp/key-backup.txt
The file that is obtained as a result of this command, after printing, is suitable for OCR systems or for manual input, if it becomes necessary to restore the key. This file should be printed, then take a pen and write a key phrase somewhere in the field of a sheet of paper. This is an important step, since the printed key is encrypted with a key phrase, and if you ever change it, then you are guaranteed that you will not be able to remember the original key phrase.
Put the printout with the key phrase written on it in an envelope and put it all in a safe place, preferably - outside your home, for example - in a bank box.
Pay attention to the printer on which you will print a paper backup key. The days when printers were primitive devices connected to parallel ports of computers have passed long ago. Nowadays, printers have full-fledged operating systems, hard drives, integration with cloud services. Since the key data that we send to print is encrypted using a key phrase, the printout can be considered quite a safe operation, however, it’s better to be safe than to overlook it.
â–ŤAdd Identity
If you have several e-mail addresses that you actively use (personal and work addresses, the address used in some kind of open-source project, and so on), you should add them to your master key. You do not need to do this for any addresses that you do not plan to use with PGP (for example, for the address you were given when you were studying somewhere). Below is the command to add credentials to the key. Here
[fpr]
should be replaced with the fingerprint of your key:
$ gpg --quick-add-uid [fpr] 'Alice Engineer <allie@example.net>'
You can view the UIDs already added to the key with the following command:
$ gpg
â–ŤSelect the primary identity set
GnuPG will automatically make the most recently added identity set as primary, so if you need something else, you can use this command:
$ gpg --quick-set-primary-uid [fpr] 'Alice Engineer <alice@example.org>'
Results
From this material, you learned about the roles of PGP keys, how to generate a master key, how to securely back up this key, and how to assign key key identification data. Next time we'll talk about subkeys.
Dear readers! How do you keep backups of your master keys?
