
Inadvertent data leakage from GnuPG


I was recently introduced to a privacy issue that arises when refreshing your OpenPGP keys with GnuPG. When refreshing your public key ring against a public key server, GnuPG will generally use the OpenPGP HTTP Keyserver Protocol (HKP) to synchronize keys. The problem is that when you refresh your keys over HKP, the identifier of every key in your public key ring is sent across the Internet unencrypted. This allows anyone monitoring your network traffic to obtain a complete list of the contacts with whom you may hope to use OpenPGP.

The fix is quite simple: in your gpg.conf file, make sure that your keyserver entries use hkps:// instead of hkp://. This forces GnuPG to wrap HKP in SSL so the key exchange stays private.
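As an added illustration that is not part of the original post, the following POSIX shell snippet audits a gpg.conf for keyserver lines that would fall back to cleartext HKP (a bare hostname, hkp:// or http://) and prints the hkps:// form to switch to. The sample config is constructed for the example; the hostnames are the ones mentioned on this page, and whether a given server actually offers hkps:// still has to be confirmed by hand.

```shell
#!/bin/sh
# Added example, not from the original post: audit a gpg.conf for keyserver
# directives that would make "gpg --refresh-keys" speak cleartext HKP.
# Assumes the classic single-line "keyserver <url-or-host>" gpg.conf syntax.

# Rewrite one keyserver value to its hkps:// form (a bare host, hkp:// and
# http:// all become hkps://). The caller must confirm the server offers TLS.
suggest_hkps() {
    case "$1" in
        hkps://*) printf '%s\n' "$1" ;;
        hkp://*)  printf 'hkps://%s\n' "${1#hkp://}" ;;
        http://*) printf 'hkps://%s\n' "${1#http://}" ;;
        *)        printf 'hkps://%s\n' "$1" ;;
    esac
}

# List every uncommented keyserver directive that is not hkps://, together
# with the suggested replacement. Returns 1 if any was found, 0 otherwise.
audit_keyserver_lines() {
    conf="$1"
    bad=0
    # awk emits only the offending values; comments and other options
    # (e.g. keyserver-options) are skipped because $1 must equal "keyserver".
    for ks in $(awk '/^[[:space:]]*#/ {next}
                     $1 == "keyserver" && $2 !~ /^hkps:\/\// {print $2}' "$conf"); do
        printf '%s: cleartext keyserver "%s" -> use "%s"\n' \
            "$conf" "$ks" "$(suggest_hkps "$ks")"
        bad=1
    done
    return $bad
}

# Constructed sample config in the shape seen in the post and its comments.
write_sample_conf() {
    cat > "$1" <<'EOF'
# leftover from an old setup
keyserver keys.gnupg.net
keyserver hkp://pool.sks-keyservers.net
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options auto-key-retrieve
EOF
}

main() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    audit_keyserver_lines "$tmp" || echo "fix the entries above before refreshing keys"
    rm -f "$tmp"
}
```

Run it against your real config with `audit_keyserver_lines ~/.gnupg/gpg.conf`; a non-zero exit status means at least one entry would refresh over cleartext HKP.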

Happy encrypting!

Categories: Encryption, GnuPG, OpenPGP, Privacy
  1. 2013-07-01 at 21:33 EDT

    I had “keyserver keys.gnupg.net”, no leading protocol. I prepended an hkps:// to the host and get “gpgkeys: HTTP fetch error 1: unsupported protocol”. I tried a bunch of other servers and no dice. What did I miss?

    • 2013-07-01 at 23:41 EDT

      Hmm, I wonder if SSL is supported on that server. Try this: keyserver hkps://hkps.pool.sks-keyservers.net.

    • 2013-07-09 at 11:47 EDT

      I got that same error message until I installed the gnupg-curl package.

  2. foo
    2013-07-01 at 23:02 EDT
    • 2013-07-01 at 23:47 EDT

      Oh, I like that solution too. I can’t quite tell if it can use SSL to wrap the contents, as it’s still possible to do some tracking to the exit nodes. Bonus points if parcimonie can be set up to use a keyserver that is native to Tor, instead of having to use an exit node.

    • 2013-07-01 at 23:53 EDT

      I should also note that parcimonie wouldn’t protect you from obtaining that initial key.

  3. Stephen Smoogen
    2013-07-02 at 12:43 EDT

    My .config is from a long time ago and far far away... (which generates various warnings about options and such). What is recommended in a modern .config these days?

