bastian/debyl-site
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'gpg_update_key' into 'master'

Browse Source 
gpg_update_key New write-up on updating a GPG key

See merge request bdebyl/bdebyl-site!7
This commit is contained in:
Bastian de Byl
2020-02-17 22:19:36 +00:00
parent 6bcfa75ff6 71e9032215
commit bae37b8d0d
2 changed files with 204 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
content/post/gpg_best_practices_and_git.md
View File

@@ -1,5 +1,5 @@
---
title: "OpenPGP Best Practices (and Git)"
title: "OpenPGP: Best Practices (and Git)"
date: 2019-02-17
lastmod: 2019-02-22
categories: ["Blog"]

203
content/post/updating_gpg_key.md Normal file
View File

@@ -0,0 +1,203 @@
---
title: "OpenPGP: Updating Key Expiration"
date: 2020-02-17
lastmod: 2020-02-17
tags: ["linux"]
categories: ["Blog"]
contentCopyright: false
hideHeaderAndFooter: false
---
It's a good idea to update your GPG key(s) before they expire. Mine is set to
expire year, from whence I last updated the expiration. Let's explore how this
is done!
<!--more-->
{{< admonition info Info >}}
If the reader is unfamiliar with OpenPGP, it's suggested to check out the prior
write-up on this blog: [**OpenPGP Best Practices (and Git)**](/post/gpg_best_practices_and_git/)
{{< /admonition >}}
# Importing Secret Keys
Personally, my secret (primary) key is not kept on any device. It's stored, and
backed up in encrypted external media devices (_USB, etc._) only to be imported
when keys require editing.
## Mounting Secure Device (LUKS)
This is done using `cryptsetup` and Linux Unified Key Setup[^1] (LUKS) for
encryption. Plugging in my USB device and mounting it requires only _one_
additional step. Instead of initially running `mount /dev/sdXN` we first must
"open" the encrypted drive via:
```bash
cryptsetup --type luks open /dev/sdXN encryptedusb
```
{{< sub >}}
The `encryptedusb` name is a user-specified friendly name that has
no relevance to accessing the drive
{{< /sub >}}
**Now** the device can be mounted to a directory, but not via the `/dev/sdXN` device
-- rather the `/dev/mapper/encryptedusb` device (_or whatever friendly name you
gave it_).
```bash
mount /dev/mapper/encryptedusb /mnt/media
```
## Backing up the Keys
Once the device has been securely mounted, it's a good idea to either export
the keys currently in the keyring **or** back-up the entire `~/.gnupg`
directory. The backup created will be stored on the previously mounted external
media device.
### GPG Key Export Backup
It's as simple as exporting the secret key, which will also contain your public
key:
```bash
gpg --armor --export-secret-key your@email.address > /mnt/media/some/dir/secretkey.gpg.bak
```
### GPG Directory Backup (optional)
This isn't entirely necessary, though it's never a bad idea to create a hard
back-up of the directory -- _just don't forget to remove it after!_
```bash
cp ~/.gnupg /mnt/media/some/backup/dir/.gnupg.bak
```
{{< sub >}}
Note: If the `~/.gnupg.bak` directory already exists, the above command will
copy it to `~/gnupg.bak/.gnupg`!
{{< /sub >}}
## Import and Update Expiration
Now that back-ups have been taken care of, the current keyring can either be
emptied, deleted, or simply worked with. That's up to the user.
### Import
In any event, the next step ultimately becomes importing the secret (primary)
key:
```bash
gpg --import /mnt/media/some/backup/dir/secretprimarykey.gpg
```
Verify the presence of the primary secret key, noting no presence of `sec#` in
the output indicating only a partially stripped secret key, via:
```bash
gpg --list-secret-keys
--------------------------------
sec rsa4096 2017-11-21 [SC] [expires: 2021-02-16]
...
```
### Update
Updating the primary secret key and all it's sub keys is done via `gpg` in the
following manner:
```
gpg --edit-key your@email.address
gpg> key 0
gpg> expire
...
Key is valid for? (0) 1y
Is this correct? (y/N) y
gpg> key 1
gpg> expire
Key is valid for? (0) 1y
Is this correct? (y/N) y
gpg> key 2
gpg> expire
Key is valid for? (0) 1y
Is this correct? (y/N) y
gpg> save
```
At this point, it's a good idea to send the key to the key server:
```bash
gpg --send-keys your@email.address
# or
gpg --keyserver pgp.mit.edu --send-keys your@email.address
```
## Cleanup
Now it's time to export the primary key and it's sub keys to the encrypted
external media device:
```bash
gpg --armor --export-secret-key your@email.address > /mnt/media/some/dir/secretkey.gpg
gpg --armor --export-secret-subkeys your@email.address > /mnt/media/some/dir/secretsubkey.gpg
```
Then, delete the primary secret key from your keyring and import **only** the
secret sub-key:
```bash
gpg --delete-secret-keys your@email.address
# reply 'yes' to the prompts as needed
gpg --import /mnt/media/some/dir/secretsubkey.gpg
```
### Verification
Once **only** the secret sub-key has been imported from the previous step, it
should be verified that the primary secret key is **not** in your keyring
(partial stripped key designated via `sec#` in the following):
```
gpg --list-secret-keys
--------------------------------
sec# rsa4096 2017-11-21 [SC] [expires: 2021-02-16]
...
```
{{< sub >}}
Note: `sec#` is what we are looking for. If it is indicated as only `sec` then
the primary secret key is **still** in the keyring! Repeat the prior steps to
attempt this again should you have to, but do so carefully.
{{< /sub >}}
## Unmounting
Lastly, remember to remove any local back-ups of the keyring or keys you stored
on the host! These should _only_ exist on the encrypted external device.
To un-mount the LUKS[^1] encrypted device, it's just one additional step to the
usual `umount`:
```bash
umount /mnt/media
cryptsetup --type luks close encryptedusb
```
That being done, it is safe to remove the external device!
# OpenKeychain Export & Import
Provided the reader is on an Android device, it can be mounted onto the local
host using `simple-mtpfs`.
## Mounting Android Device
First, plug in the Android device via a suitable USB cable to the local host and
set the USB managed option to "File Transfer" on the Android device. After this
the device should be mountable:
```bash
simple-mtpfs -l
1: Google IncNexus/Pixel (MTP)
simple-mtpfs --device 1 /mnt/android
```
## Export Secret Key
Once the device is mounted, we want to export the _partially_ stripped key (_not
the primary key_) to be imported using OpenKeychain on the Android device. The
next steps quote from the [OpenKeychain
FAQ](https://www.openkeychain.org/faq/#how-to-import-an-openkeychain-backup-with-gpg):
```bash
# generate a strong random password
gpg --armor --gen-random 1 20
# encrypt key, use password above when asked
gpg --armor --export-secret-keys YOUREMAILADDRESS | gpg --armor --symmetric --output /mnt/android/Downloads/mykey.sec.asc
```
Import it in OpenKeychain (_may require deletion in OpenKeychain first -- make
sure **not to revoke and delete!**_) and we're done!
[^1]: https://guardianproject.info/archive/luks/