Archive

Archive for the ‘OpenPGP’ Category

Secure GnuPG configuration

2013-07-09 3 comments

Someone recently asked what my GPG.conf file looks like since he hadn’t updated his in… years.  Okay, let’s take a look and I’ll try to explain what each setting is and why I feel it is important.  I’m not guaranteeing this as being complete and I welcome input from others.

keyserver-options auto-key-retrieve

This says that if a program needs a public key but it’s not in my keyring that it should automatically reach out to the keyserver (see below) and download it.

use-agent

This says to use the GPG agent. I cannot remember, right now, why this was a good idea. Perhaps it isn’t?

auto-key-locate cert pka ldap hkps://hkps.pool.sks-keyservers.net
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/etc/ssl/certs/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
keyserver-options auto-key-retrieve

Almost the fun stuff there.  This is just setting up the keyserver that I wish to use (note the use of hkps instead of hkp).

default-preference-list AES AES192 AES256 TWOFISH SHA1 SHA224 SHA256 SHA384 SHA512 Uncompressed ZIP ZLIB BZIP2
personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZLIB ZIP

Okay, the fun stuff. These are all the algorithms that I wish to use. If you setup your GPG key to advertise these then it will make it easier for others to use the most secure algorithms since they will already know what you can do. The first line just lists all the preferences. The second, third, and fourth lines actually provide the preferences in order of them being used. If you’ll note my preferred cipher is AES with a 256-bit key and my preferred hash (digest) is SHA with a 512-bit key.  There are other options available and a quick

gpg --help

should provide what options are available to you. For instance, my current installation says that its supported algorithms are:

Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I’ve omitted 3DES, MD5, and SHA1 from my preferences due to their weaknesses but I could still use them according to my GnuPG software.

Again, this wasn’t meant to be a strict “thou must do this to be secure” but rather a “this is what I’m doing” sort of thing. I’d appreciate feedback!

Inadvertant data leakage from GnuPG

2013-07-01 10 comments

I was recently introduced to a privacy issue when refreshing your OpenPGP keys using GnuPG.  When refreshing your public key ring using a public key server GnuPG will generally use the OpenPGP HTTP Key Protocol (HKP) to synchronize keys.  The problem is that when you do refresh your keys using HKP everyone that you maintain in your public key ring is sent across the Internet unencrypted.  This can allow anyone monitoring your network traffic to receive a complete list of contacts in which you may hope to use OpenPGP.

The fix is quite simple: in your gpg.conf file make sure that your keyserver entries include hkps:// instead of hkp://.  This will force GnuPG to wrap HKP in SSL to keep the key exchange private.

Happy encrypting!

Categories: Encryption, GnuPG, OpenPGP, Privacy Tags: , , , , ,

Poll Results: Do you use OpenPGP or GnuPG?

2013-03-07 2 comments

So this poll is a bit stale but the information is interesting nonetheless.

So what do these poll results mean, exactly?  Well, scientifically not much.  I mean, I guess we could make some sort of scientific bearing here.  Let’s try:

So of the people responding to the completely voluntary poll on this not-so-well-read blog and felt the need to respond, a vast majority have setup OpenPGP or GnuPG and over half use it on at least a semi-regular basis.  That’s encouraging, really, that of the 72 respondents, 42 of you use your keys somewhat regularly and are protecting yourself.

I wonder about the 10 people that responded that you have keys but never use them.  Why is this?  You’ve come so far to not use the technology that’s been provided!

So this was fun.  Perhaps I’ll find another question to ask where I won’t forget that I asked it.

Categories: GnuPG, OpenPGP, Poll

How PGP actually works…

2013-03-04 1 comment

How PGP actually works...

CC BY-NC xkcd

Categories: OpenPGP Tags: ,

My web of trust

2013-01-26 Leave a comment
Web of Trust built on 26 Jan 2013

Web of Trust – 26 Jan 2013

I created my web of trust graphic (select the graphic to zoom in to see detail) this morning showing the additions from the key-signing event at FUDCon Lawrence.  I’m also working on building the Fedora web of trust and I may do one for Red Hat as well.

If you’d like to create your own web of trust graphic you can follow the instructions on Aaron Toponce’s website.

Categories: GnuPG, OpenPGP Tags: ,

Not a new PGP key

2013-01-11 Leave a comment

Earlier I announced a new PGP key.  The decision was made based on my inability to correctly revoke certain uids on my key.  I finally figured out my problem and have revoked many of the uids on my key that no longer valid or were no longer being used.  So I hope no one wrote off my old key just yet.  I’ve had it for a while and I kinda like it.  You may want to update it from either my website (see top of the page on this site) or via one of the many keyservers.  Sorry for the noise.

New OpenPGP Key

2013-01-11 Leave a comment

I’ve created a new OpenPGP key (0x08CC129D) to replace the one I’ve used for the past few years (0x024BB3D1).  Please update your keyrings as necessary.Nope, I’ve decided to keep my old key and just clean it up a bit.

PGP keysigning and CAcert assertions at FUDCon Lawrence

2012-12-04 Leave a comment

Last year’s OpenPGP key signing and CAcert assertion events at FUDCon Blacksburg were a great success; we hope this year’s events will be just as popular and well attended.  If you are coming to FUDCon Lawrence and would like to participate in the either or both of these events please sign up on the wiki pages.  Additional information will be provided as the event gets closer.  It’s important to sign up for these events early as it will make planning easier for us.

Follow

Get every new post delivered to your Inbox.

Join 202 other followers