I have been looking for an operational security guide for generating one's asymmetric key pair for (Open)PGP. I have found plenty of technical guides for how to use GnuPG to generate RSA key-pairs, for example, but not much organized content of how to do so securely.

The use case is an average user wishing to use asymmetric encryption for signing, encrypting, and decrypting email and other file types. The threat model for creating the key pair does not include having to fend off three-letter agencies, organized crime, terrorists, or malicious corporations (i.e., there doesn't need to be a step regarding hiring body-guards or getting 24/7 security systems).

I've gleaned from various sources online (including the very helpful GnuPG mailing list & documentation, the Debian Wiki, RiseUp.net, and this guide) the following steps as a general guide, but I am not sure if I am missing something. What else does one need to consider in this scenario?


  1. Find a computer that you think is relatively free of malware
  2. Download a Live Linux distro CD/DVD/USB, and verify its signatures to make sure you are not installing a tainted version
  3. Launch the verified Linux distro
    1. Make sure the distro is completely disconnected from any network connection before proceeding
    2. Configure GnuPG by editing the .gnupg/gpg.conf file to follow the guidelines here
  4. Use GnuPG to create private RSA key, and two subkeys (signing & encrypting)
    1. Set expiration date on (public) sub-key
    2. Create both a paper and digital backup of master private key
    3. Store the backups in two different physical locations, so no single point of failure
    4. Create a revocation certificate for the private master key
    5. Create both a paper and digital backup of the revocation certificate
    6. Store the backups in two different physical locations, so no single point of failure
  5. Strip the master private key from the keychain
  6. Copy over GnuPG keychain without master private key to work computer, personal laptop, etc.
taltman
  • Addendum to the posting of user taltman: Item 4.4: There seems to be a little mistake. It's not possible to generate a revocation certificate for a subkey. I guess taltman means the primary key. – carnap Feb 25 '16 at 22:21
  • Thanks for catching that, carnap. I must have read something incorrectly in the above guides. Small correction: it is possible, just not what the average user wants. There is a rare scenario when issuing revoke certificates for sub-keys makes sense: http://www.gossamer-threads.com/lists/gnupg/users/64141 – taltman Feb 28 '16 at 07:40
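
A way to check the outcome of steps 5 and 6 in the question on the machine that receives the keyring, as an added example that is not part of the original post or of GnuPG. The function name `audit_keyring` and both sample listings are constructed for illustration; the field positions are those of GnuPG's `--with-colons` listing format as documented in its doc/DETAILS file.

```shell
#!/bin/sh
# Added example: audit a secret-key listing on a day-to-day machine.
# Usage on a real keyring: gpg --list-secret-keys --with-colons | audit_keyring

# Reads colon-format records on stdin, prints findings, returns 0 only if clean.
audit_keyring() {
    awk -F: '
    $1 == "sec" {
        primaries++
        # Field 15 is "#" when only a stub of the secret key is stored.
        if ($15 != "#") { print "FAIL: primary secret key " $5 " is present"; bad = 1 }
    }
    $1 == "ssb" {
        if ($2 == "r" || $2 == "e") next      # revoked or expired subkey
        if ($15 == "#") next                  # stub only, not usable here
        if ($7 == "") { print "FAIL: subkey " $5 " has no expiration date"; bad = 1 }
        if ($12 ~ /s/) sign++                 # field 12 = capabilities
        if ($12 ~ /e/) encr++
    }
    END {
        if (!primaries) { print "FAIL: no secret key records found"; bad = 1 }
        if (!sign) { print "FAIL: no usable signing subkey"; bad = 1 }
        if (!encr) { print "FAIL: no usable encryption subkey"; bad = 1 }
        if (!bad) print "OK: primary is a stub, subkeys usable and expiring"
        exit bad + 0
    }'
}

# Constructed sample: keyring after step 5 (key IDs and dates are made up).
good_listing() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1456358400:::u:::cC:::#:
uid:u::::1456358400::0000000000000000000000000000000000000000::Example User <user@example.org>:
ssb:u:4096:1:2222222222222222:1456358400:1487894400:::::s:::+:
ssb:u:4096:1:3333333333333333:1456358400:1487894400:::::e:::+:
EOF
}

# Constructed sample: master key still present, encryption subkey never expires.
bad_listing() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1456358400:::u:::cC:::+:
ssb:u:4096:1:2222222222222222:1456358400:1487894400:::::s:::+:
ssb:u:4096:1:3333333333333333:1456358400::::::e:::+:
EOF
}

good_listing | audit_keyring
bad_listing | audit_keyring || echo "bad sample rejected"
```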

1 Answer

"Relatively free of malware" is probably not good enough if you're going to run the key generation on the installed OS, and probably irrelevant (to key generation) if you're going to use a LiveOS. (I'm ignoring here the possibility of firmware exploits aka BadBIOS, since your threat model doesn't seem to encompass them, and they're basically impossible to defend against given the current state of things.)

Your process seems mostly reasonable, but keep in mind that even without the master private key, having your crypt & signing subkeys on those other machines does pose some risk. While you can always replace them if they're compromised, that won't prevent someone from decrypting data that was encrypted prior to rotating keys, and they can still sign things as you until you revoke your key (and the verifiers pick up the revocation!).

Also, keep in mind that settings like cert-digest-algo SHA512 may cause interoperability problems with people using significantly older versions of software, particularly old versions of the commercial PGP. If you're not concerned by that, then carry on.

For your paper backups, I'd look at Paperkey, which is written by David Shaw, one of the authors of RFC 4880 (the OpenPGP spec), which strips down the key to the bare components needed to reconstruct it. This means you can print a much smaller key, increasing your likelihood of success when you go to scan+OCR or re-enter your paper backup.

David