diff --git a/content/post/gpg_best_practices_and_git.md b/content/post/gpg_best_practices_and_git.md index f0a3c2e..558cc99 100644 --- a/content/post/gpg_best_practices_and_git.md +++ b/content/post/gpg_best_practices_and_git.md @@ -1,5 +1,5 @@ --- -title: "OpenPGP Best Practices (and Git)" +title: "OpenPGP: Best Practices (and Git)" date: 2019-02-17 lastmod: 2019-02-22 categories: ["Blog"] diff --git a/content/post/updating_gpg_key.md b/content/post/updating_gpg_key.md new file mode 100644 index 0000000..b530971 --- /dev/null +++ b/content/post/updating_gpg_key.md @@ -0,0 +1,203 @@ +--- +title: "OpenPGP: Updating Key Expiration" +date: 2020-02-17 +lastmod: 2020-02-17 +tags: ["linux"] +categories: ["Blog"] +contentCopyright: false +hideHeaderAndFooter: false +--- +It's a good idea to update your GPG key(s) before they expires. Mine is set to +expire year, from whence I last updated the expiration. Let's explore how this +is done! + + + +{{< admonition info Info >}} +If the reader is unfamiliar with OpenPGP, it's suggested to check out the prior +write-up on this blog: [**OpenPGP Best Practices (and Git)**](/post/gpg_best_practices_and_git/) +{{< /admonition >}} + +# Importing Secret Keys +Personally, my secret (primary) key is not kept on any device. It's stored, and +backed up in encrypted external media devices (_USB, etc._) only to be imported +when keys require editing. + +## Mounting Secure Device (LUKS) +This is done using `cryptsetup` and Linux Unified Key Setup[^1] (LUKS) for +encryption. Plugging in my USB device and mounting it requires only _one_ +additional step. Instead of initially running `mount /dev/sdXN` we first must +"open" the encrypted drive via: +```bash +cryptsetup --type luks open /dev/sdXN encryptedusb +``` +{{< sub >}} +The `encryptedusb` name is a user-specified friendly name that has +no relevance to accessing the drive +{{< /sub >}} + +**Now** the device can be mounted to a directory, but not via the `/dev/sdXN` device +-- rather the `/dev/mapper/encryptedusb` device (_or whatever friendly name you +gave it_). +```bash +mount /dev/mapper/encryptedusb /mnt/media +``` + +## Backing up the Keys +Once the device has been securely mounted, it's a good idea to either export +the keys currently in the keyring **or** back-up the entire `~/.gnupg` +directory. The backup created will be stored on the previously mounted external +media device. + +### GPG Key Export Backup +It's as simple as exporting the secret key, which will also contain your public +key: +```bash +gpg --armor --export-secret-key your@email.address > /mnt/media/some/dir/secretkey.gpg.bak +``` + +### GPG Directory Backup (optional) +This isn't entirely necessary, though it's never a bad idea to create a hard +back-up of the directory -- _just don't forget to remove it after!_ +```bash +cp ~/.gnupg /mnt/media/some/backup/dir/.gnupg.bak +``` +{{< sub >}} +Note: If the `~/.gnupg.bak` directory already exists, the above command will +copy it to `~/gnupg.bak/.gnupg`! +{{< /sub >}} + +## Import and Update Expiration +Now that back-ups have been taken care of, the current keyring can either be +emptied, deleted, or simply worked with. That's up to the user. + +### Import +In any event, the next step ultimately becomes importing the secret (primary) +key: +```bash +gpg --import /mnt/media/some/backup/dir/secretprimarykey.gpg +``` + +Verify the presence of the primary secret key, noting no presence of `sec#` in +the output indicating only a partially stripped secret key, via: +```bash +gpg --list-secret-keys + +-------------------------------- +sec rsa4096 2017-11-21 [SC] [expires: 2021-02-16] +... +``` + +### Update +Updating the primary secret key and all it's subkeys is done via `gpg` in the +following manner: +``` +gpg --edit-key your@email.address + +gpg> key 0 +gpg> expire +... +Key is valid for? (0) 1y +Is this correct? (y/N) y + +gpg> key 1 +gpg> expire +Key is valid for? (0) 1y +Is this correct? (y/N) y + +gpg> key 2 +gpg> expire +Key is valid for? (0) 1y +Is this correct? (y/N) y + +gpg> save +``` + +At this point, it's a good idea to send the key to the keyserver: +```bash +gpg --send-keys your@email.address +# or +gpg --keyserver pgp.mit.edu --send-keys your@email.address +``` + +## Cleanup +Now it's time to export the primary key and it's sub keys to the encrypted +external media device: +```bash +gpg --armor --export-secret-key your@email.address > /mnt/media/some/dir/secretkey.gpg +gpg --armor --export-secret-subkeys your@email.address > /mnt/media/some/dir/secretsubkey.gpg +``` + +Then, delete the primary secret key from your keyring and import **only** the +secret sub-key: +```bash +gpg --delete-secret-keys your@email.address +# reply 'yes' to the prompts as needed +gpg --import /mnt/media/some/dir/secretsubkey.gpg + +``` + +### Verification +Once **only** the secret sub-key has been imported from the previous step, it +should be verified that the primary secret key is **not** in your keychain +(partial stripped key designated via `sec#` in the following): +``` +gpg --list-secret-keys + +-------------------------------- +sec# rsa4096 2017-11-21 [SC] [expires: 2021-02-16] +... +``` +{{< sub >}} +Note: `sec#` is what we are looking for. If it is indicated as only `sec` then +the primary secret key is **still** in the keyring! Repeat the prior steps to +attempt this again should you have to, but do so carefully. +{{< /sub >}} + + +## Unmounting +Lastly, remember to remove any local back-ups of the keyring or keys you stored +on the host! These should _only_ exist on the encrypted external device. + +To unmount the LUKS[^1] encrypted device, it's just one additional step to the +usual `umount`: +```bash +umount /mnt/media +cryptestup --type luks close encryptedusb +``` + +That being done, it is safe to remove the external device! + +# OpenKeychain Export & Import +Provided the reader is on an Android device, it can be mounted onto the local +host using `simple-mtpfs`. + +## Mounting Android Device +First, plug in the Android device via a suitable USB cable to the local host and +set the USB managed option to "File Transfer" on the Android device. After this +the device should be mountable: +```bash +simple-mtpfs -l +1: Google IncNexus/Pixel (MTP) + +simple-mtpfs --device 1 /mnt/android +``` + +## Export Secret Key +Once the device is mounted, we want to export the _partially_ stripped key (_not +the primary key_) to be imported using OpenKeychain on the Android device. The +next steps quote from the [OpenKeychain +FAQ](https://www.openkeychain.org/faq/#how-to-import-an-openkeychain-backup-with-gpg): +```bash +# generate a strong random password +gpg --armor --gen-random 1 20 + +# encrypt key, use password above when asked +gpg --armor --export-secret-keys YOUREMAILADDRESS | gpg --armor --symmetric --output /mnt/android/Downloads/mykey.sec.asc +``` + +Import it in OpenKeychain (_may require deletion in OpenKeychain first -- make +sure **not to revoke and delete!**_) and we're done! + + +[^1]: https://guardianproject.info/archive/luks/